Introduction
On Friday, April 26th, the UK’s Competition and Markets Authority (“CMA”) published its Q1 2024 report on the implementation of the Google Privacy Sandbox (“GPS”). This is the CMA’s eighth report on the GPS and its ability to replace cookie technology while not giving Google an unfair advantage as a key player in the ad industry.
This Q1 CMA report will be of particular interest to Google and the wider industry because it sets out quite clearly that Google still has a lot of work to do to demonstrate that the current design of the GPS isn’t anti-competitive. As if this wasn’t enough, the Q1 report is bolstered by a preliminary assessment by another UK regulator – The Information Commissioner’s Office (“ICO”) which oversees Privacy & Data Protection compliance in the UK. The ICO has leaned heavily on its reports addressing real-time bidding and online advertising from 2019 and 2021 as they set out the expectations they have for a compliant approach for the GPS within the CMA report.
CMA Competition Concerns
The backbone of the CMA report remains familiar, and the CMA are adamant that Google should restrict the use of its first-party data so that it doesn’t swallow up ad spend. However, Google appears to be further away now than they were in January from convincing the CMA that the GPS isn’t anti-competitive for the industry, and meets established Privacy standards. There were 79 concerns outlined in this Q1 report versus 39 in the previous report in January.
The CMA is acutely aware of the fact that ad spend could move away from open display and into O&O inventory or walled gardens. Additionally, there are inherent design aspects of the GPS which self preference the Google ecosystem. Google Ad Manager (“GAM”) for example will not participate in Protected Audiences API (“PAAPI”) component auctions unless it is the top-level PAAPI seller. This means that publishers will have to use GAM in order to access AdX demand. The CMA has rightly described this as a “high priority area” for their assessment and review.
Google has said “We welcome the dialogue with the ICO and are already working to address its feedback on how Chrome can best communicate to users about Privacy Sandbox. We also affirm the ICO’s expressed desire for sites and ad tech companies calling the Privacy Sandbox APIs to communicate clearly with their users and offer appropriate controls.” Some of the key privacy concerns are outlined below.
Privacy Assessment by CMA & ICO
Topics API
- There’s a reluctance from Google to accept the key role which governance and access controls play in maintaining compliance to applicable privacy legislation. The Topics API makes cross-site insights available to API callers with no Google-imposed restrictions limiting the purpose of topics data to interest-based advertising only. Google has said they view the overall risk to be “low” but the inability to police an abuse of the Topics API would make it next to impossible to classify it as privacy compliant. W3C has voiced similar concerns following their testing of GPS but this feedback hasn’t produced any changes from Google as yet. For those familiar with the basic requirements under Article 5 of the GDPR and the concept of purpose limitation, this is a red flag.
Protected Audience API
- Within PAAPI Google proposes to deploy PAAPI without key privacy enhancing technologies (“PETs”). Some PETs will not even be operational until 2026. Google has said they are working on privacy mitigations for known cross site tracking risks, but these may not be finalised at the point of deployment. The ICO is concerned that the absence of key controls which are outlined in the current roadmap will leave significant privacy risks unresolved.
- The CMA has outlined that it is possible to create interest groups (“IGs”) which are bespoke to individuals and this may lead to a situation where cross-site data and profiles from third-party sources can be leveraged in PAAPI. As a result of this the ICO has voiced their concern “that combining first- and third-party data in PAAPI will not address a range of data privacy concerns potentially leading to non-compliance with Applicable Data Protection Legislation.”
- It has been suggested by the CMA that Privacy hasn’t been a key focus for Google as they work on enhancements to the PAAPI within GPS. Google has made a number of updates to the original PAAPI design which are focused on utility and adoption (e.g., removing k-anonymity controls for IGs). This has led the CMA to state that “we are concerned that privacy is not appropriately considered by Google”. As a result, over time, there is a risk that PAAPI will evolve in a direction that leads to non-compliance with Applicable Data Protection Legislation.
Attribution Reporting API
- Even Google themselves have acknowledged that for event level reports and the signals returned for training models, that any measurement product that permits events to be connected to an individual will always present a cross-site tracking risk. Google feels this risk is sufficiently mitigated, however there are limited preventative measures in place, and potential misuse by organizations creates a real risk that lawfulness and transparency requirements within applicable privacy laws are not met.
Conclusion
The back and forth between Google and the CMA feels like a war of attrition, but with Google having given legally binding undertakings to the CMA in 2022, they might have to blink first on their third-party cookie replacement. Some big questions also remain outstanding for the industry; does the GPS function, can it be tested rigorously, and how viable is it as a replacement for third-party cookies when some key components aren’t even built yet?
The CMA is leveraging the support of the ICO for the Privacy analysis, and the ICO in turn has made it fairly clear what they expect from Google. In their view, there must be a privacy-by-design approach that gives users clear choices and there must be accountability within Google for how personal data is processed end-to-end within the online advertising ecosystem. The processing within that ecosystem must then have a clearly defined purpose and should address existing privacy risks. This isn’t an easy balance to strike for Google while also maintaining parity for all participants in the market.