After numerous delays, Google finally seems set on its deadline for phasing out third-party cookies on its Chrome browser. At the start of this year, Chrome deprecated third-party cookies for one percent of traffic, kicking off a testing period set to ramp up mid-way through Q3, when the total removal of cookies will begin. And executives have repeatedly confirmed their commitment that cookies will be completely gone by the end of the year.
That’s Google’s take, at least. But the problem is, the deadline isn’t just up to Google. The UK’s Competition and Markets Authority, in an effort to address competition concerns raised within the industry about the impact of Google’s Privacy Sandbox (its set of tools to replace third-party cookies), secured a number of commitments from Google a few years back. One of these commitments is that Google won’t proceed with third-party cookie deprecation until the CMA is happy that any competition concerns have been addressed. And as its recent update makes clear, it’s currently not happy.
In a quarterly update on its engagement with Google and the wider industry on Privacy Sandbox progress, the CMA said that it has a number of concerns which haven’t been addressed. This means that as things stand, the CMA is unwilling to give Google the green light to go ahead with removing third-party cookies. And while some of the CMA’s concerns may be alleviated or addressed entirely through testing, the nature of the concerns suggests there’s still plenty of work for Google if it wants to hit its 2024 deadline.
In its quarterly update, the CMA broke down ‘potential concerns’ it currently holds for various aspects of the Privacy Sandbox – and there are still plenty.
For the parts of the Sandbox specifically relating to advertising (i.e. targeting and measuring ads), the regulator outlined 38 specific concerns. This isn’t a comprehensive list – these flags only cover the potential impact on the digital advertising ecosystem and on publishers and advertisers. Concerns around user experience were listed separately, and separate analysis is being carried out by the UK’s data regulator, the ICO, which might raise further issues.
Outside of the advertising-specific parts of the Sandbox, a further 33 specific concerns were raised (which again don’t cover user experience, or anything which falls within the ICO’s remit).
As stated, these are all ‘potential concerns’ raised by industry participants, and on some of them, the CMA says it currently sides with Google. But on many of them, the CMA’s notes make it clear they’re unresolved issues.
Unresolved issues relating to the advertising-specific APIs (Topics API, Protected Audience API, and Attribution Reporting API) include the following:
- Google may be less reliant on Topics API than other market participants, given its wealth of first-party data
- Google may advantage itself by manipulating the Topics API, which it currently controls
- Low consent rates for Topics API might affect publisher revenue
- The Protected Audience API potentially hinders traffic shaping by SSPs
- Protected Audience auctions may hinder competitive separation
- Protected Audience auctions offer limited support for negative targeting
- On-device auctions run through the Protected Audience API are slow, creating latency issues
- The Protected Audience API may force publishers to use Google Ad Manager in order to access demand from Google’s AdX exchange
- The Protected Audience API will give Google Ad Manager (and other top-level sellers) more information about bids for publishers’ inventory than publishers themselves get (and will give publishers less information than they currently receive)
- The Attribution Reporting API may make it harder to optimise campaigns in real time
- The Attribution Reporting API will make measurement of inventory on the open web worse than measurement for inventory owned by ad tech sellers (like Google)
- It will be difficult (or perhaps impossible) to audit and verify measurement through the Attribution Reporting API
The CMA also outlined some overall unresolved issues relating to the broader setup of the Privacy Sandbox, rather than one specific API. These include concerns that Privacy Sandbox changes may hinder ad tech companies’ ability to deliver brand safety protections, and that the enrolment and attestation requirements attached to Sandbox APIs might limit the ability of ad tech companies to integrate Sandbox solutions with other identity solutions.
For several of these, the CMA has reached out to Google for clarification. And in some cases, the CMA itself has further work to do to clarify the potential competitive impact of the Sandbox.
Regardless, as things stand, these are unresolved issues. And so long as they remain unresolved, the CMA (if it sticks to its word) will prevent Google from forging ahead with its cookie deprecation timeline.