Following Google’s announcement last week that it is pushing back full deprecation of third-party cookies within its Chrome browser to 2025, the UK’s Competition and Markets Authority (CMA) has released its quarterly update on its scrutiny over Google’s Privacy Sandbox.
It was Google’s decision to push back the deadline, not the CMA’s – the CMA won’t make any formal judgements until Google triggers the standstill period (a sixty day notice period which Google must give the CMA before getting rid of third-party cookies). But the CMA has been a big influence. Google said it needed more time to take into account industry feedback, and for the CMA to review evidence.
As the CMA’s latest report shows, there are still many unresolved issues in the regulator’s eyes. While progress has been made on some of the 38 concerns raised in the CMA’s previous update, a whole host of new issues have been flagged by analysis from the ICO, the UK’s data regulator.
Many of the issues raised in the report are quite technical, covering the functioning of specific Sandbox APIs, and whether Google will eke out competitive advantage based on how they operate.
But one fundamental competitive concern is the broad impact that eliminating third-party cookies will have in terms of shifting ad spend into walled gardens. If targeting and measurement becomes more difficult on the open web, where cookies play a major role, marketers may shift more ad investment into big media properties where targeting and measurement is based largely on first-party data. Google, with its massive bank of first-party data and huge pool of owned and operated ad inventory across Google Search, YouTube, and other platforms, could be one of the main beneficiaries.
Google has already committed not to use its first-party personal data to target or measure ads on third-party websites after Chrome ends support for third-party cookies. But this wouldn’t affect the walled garden portion of Google’s business.
The CMA acknowledges this issue, and has said in this latest report that it is talking with Google about limiting Google’s ability to use its own first-party data to target and measure ads on its owned-and-operated platforms. “We are conscious of the risk that ad spend could move away from open display and into O&O inventory (or ‘walled gardens’) – depending on the overall impact of the Privacy Sandbox changes,” says the report.
The CMA gave no details on what this might look like – but limiting Google’s ability to use data from one of its products (i.e search) and use it for ad targeting or measurement on another product (i.e YouTube) might be an obvious route. While this still wouldn’t prevent each of these platforms individually benefitting from cookie deprecation given their individual scale and walled garden models, it may make a dent in Google’s competitive advantage. And the fact that the CMA is aware of the risk means it could choose to push for even harsher restrictions.
ICO surfaces data concerns
A further headache for Google comes from the new list of concerns raised in the CMA’s report sparked by the ICO’s analysis of the Privacy Sandbox.
The CMA asked the ICO to review the Sandbox to inform its analysis of data privacy risks that Sandbox tools might pose. The ICO has now given its opinions, raising over 25 new issues which were highlighted in the report.
All of these are listed as ‘potential concerns’, as is the case with all issues outlined in these reports – the CMA won’t say if any of them are deal breakers or not until the standstill period is triggered. And in many cases, the CMA is awaiting more information from Google, which may clear up those issues.
But several concerns highlighted by the ICO seem more serious. For example, the Protected Audience (PA) API, which aims to enable retargeting and other custom audience use cases, will eventually use other privacy technologies which will be introduced further down the line. But without these technologies, the ICO says bad actors will be able to use PA to track users across sites. Meanwhile Google’s Attribution Reporting API ultimately relies on connecting events to individuals, which the ICO says inherently poses a cross-site tracking risk.
Google will hope that relatively simple changes around transparency, governance and guidance will help alleviate these concerns – but the CMA may ultimately decide that more substantial changes are needed.
