Read our new manifesto

Start 2021 with fresh ideas
and practical tips on...

CUSTOMER EXPERIENCE

BRAND SAFETY

GAMING AND ENTERTAINMENT

SOCIAL MEDIA

CTV AND OTT

CUSTOMER RETENTION

DATA AND IDENTITY

PURPOSEFUL MARKETING

NOW
AVAILABLE

Banner BGBanner BG

Why the CMA is digging into the Privacy Sandbox, Google’s cookie-killer

The CMA is investing Google's cookie replacement, the Privacy Sandbox

Google’s efforts to rewrite how Chrome users are targeted with ads is now being probed by a UK’s Competition and Markets Authority (CMA) keen to ensure it “develops proposals in a way that does not distort competition”. The Drum explores why Google's Privacy Sandbox, the mission to replace third-party cookie, has come under this close regional scrutiny.

Google is reforging the ad-funded internet. Regulators, such as the CMA, are now all-too-aware that Google holds enough power to cause seismic shifts in the functionality of the web with any minor changes it makes – after all, Google Chrome accounts for around 65.3% of web browsing activity.

Regulators wonder how much synergy across its ads, search, YouTube, Gmail and Android business is entrenching its superiority. 10 US states are probing the ad product for anti-competitive activities as of 20 December. French regulatory body CNIL issued a sharp fine for its GDPR practises – and there's more in the pipeline. The break-up Google procession is gaining momentum.

Regarding the third-party cookie specifically. Firefox and Safari have already killed them. Advertisers have had some time to understand the effects although the biggest stakeholder is still putting its cards upon the table.

The Privacy Sandbox

The Privacy Sandbox initiative launched early in 2020 to “develop a set of open standards to fundamentally enhance privacy on the web“ and balance making the web “more private and secure for users, while also supporting publishers”.

These are lofty goals, but there was an undercurrent of fear that any solution driven by Google would benefit it first and foremost. Johnny Ryan, a privacy advocate and former Brave browser thought leader, described it as “Google building a moat“ now it doesn’t need third-party cookies to track people.

Ad-tech intermediaries, who themselves have come under scrutiny for data practices and missing ad spend, hope their products weather the storm. Publishers are talking a big game about their first-party data promises but quake at the thought of taking another financial hit from a tech giant. And as ever, web users will likely remain largely oblivious to the seismic shifts beneath their clicks. They’ll hit agree on any form marketers put in front of them.

In 2020, Google issued a two-year deadline – or was it more of a ’loose target’ – to deploy? Either way, it’s been walked back. Chetna Bindra, who leads Google’s product development on the project, told The Drum in November 2020 it would only deprecate cookies once a clear replacement could handle ad targeting, measurement, frequency-capping and ad fraud protection.

It is experimenting with a few solutions in anonymised segmentation and retargeting. The goal is to do the job using less consumer data.

CMA says

The CMA announced 8 January worries that the sandbox could ”undermine the ability of publishers to generate revenue”, and/or ”undermine competition in digital advertising,” entrenching Google’s market power.

It’s asking some simple questions. How much market power does Facebook and Google really have in their respective ad markets? Do web users have adequate control over the use of their data by online platforms, Is there a lack of transparency? And could conflicts of interests undermine competition in digital advertising?

It’s worth remembering that the CMA said it has “an open mind and has not reached any conclusions at this stage as to whether or not competition law has been infringed”.

Nonetheless, the probe serves as a shot across the bow at Google.

What do the critics say?

Pleasing everyone will be difficult. Google’s services are pivotal to many and in different ways.

One of the loudest complainants, cited by the CMA, is Marketers for an Open Web. The CMA says it is a “group of newspaper publishers and technology companies” – its website does not disclose members but rather claims stakeholders deliver 320 billion advertising impressions each year.

It says that Google is “abusing its dominant position”.

James Rosewell, director of Marketers for an Open Web, alleges: “The Privacy Sandbox would effectively create a Google-owned walled garden that would close down the competitive, vibrant open web. Providing more directly identifiable, personal information to Google does not protect anyone’s privacy. We believe that the CMA’s investigation will confirm this and save the web for future generations.”

The publisher position

Representing publishers, Owen Meredith, chief executive of the PPA, welcomes the CMA investigation. ”Regulators are stepping up in their attitude and approach towards these big platforms which have had a dominant position unchallenged for far too long.”

The PPA pitched into the CMA investigation in 2020, and Meredith says: ”We think there isn’t fair competition in the online ad market as it is and that publishers don't get fair value for their content.”

The PPA seeks a framework that creates a level playing field for all and ”doesn‘t allow Google or Facebook or any new platforms to cherry pick who they want to work with, and which journalism people should be able to see”.

Meanwhile, Meredith notes that PPA members have been forging ahead building first-party data products to minimise any impact from cookie degradation.

Remi Cackel, chief data officer at media platform Teads, says it is right to move from “old and deprecated 90s tech“ and provide greater privacy to users, but there is a caveat. “It should not be the pretext for competitive advantages“.

He expects Google’s Privacy Sandbox initiative to be an open ecosystem that adtech players can develop their own profiling and segmentation algorithms in (instead of Google ‘one-size-fits-all’ approach). Secondly, it has to effectively replace cookies. “Precise targeting should not only be possible on social platforms or within walled gardens as this is the main threat for publishers when it comes to their future inventory monetisation capabilities.“

Google‘s already tabled feedback from business groups like WC3, and Cackel expects more stakeholders to contribute feedback in the coming year.

What of adtech?

Myles Younger, senior director of data practice at digital media MightyHive, admits the depreciation of the cookie is a "big net positive" for web users at the very least.

He talks up the idea of a privacy budget that would make it impossible to identify an individual in a single ad transaction. “Sites or advertisers would get the data they needed to facilitate a simple interaction, but nothing more.” Right now, there are concerns about the sheer volume of identifiable information being broadcast.

For the web user already bombarded with unintelligible cookie consent forms on every website, there’s a big trade-off too. The features of Privacy Sandbox might save them from having to give their email to every site they visit.

“Google wants Chrome users to accept a few privacy-safe advertising features basically in exchange for websites continuing to be free. Without these cookies, the open web gets harder to monetise via ads. Fewer opportunities for ad-driven monetization may mean less free content and more registration and paywalls (which collect user information individually).“

Why now Google?

Alan Chapell, president of adtech law firm Chapell & Associates, wrote in AdExchanger that a break-up of Google is “likely“ and that cookie-based advertising is too risky and costly in the long term. He suggested that cookies also provide an audit path for regulators that will make any apparent cross-benefit between Google services more visible.

But for Zach Edwards, founder of boutique analytics agency Victory Medium, it is merely about liability.

He explains that data controllers like publishers, devices like mobile phones, CTV and IOT boxes, and browsers generate first-party data, and under GDPR, they are responsible for how that data is packaged and transmitted by data processors. By its very nature, cookies broadly transmit user data to intermediaries every time they visit a web page. The privacy sandbox looks to seal off any data exfiltration risks and anoymise web user data. But at what cost?

Browsers like Safari (ITP), Edge and Firefox have already blocked third party cookies. Google, as arguably the largest data controller in the world, is following suit. Edwards suggests they‘ve copied Apple‘s homework.

He‘s highly sceptical of the competition concerns raised by critics of the Privacy Sandbox. He sees action against the initiative as a means of “keeping access to an unsafe form of cross-site user data.“

“They are lobbying in the press and applying weak regional pressure in the UK to affect change“. Edwards points out that the CMA’s power is limited to the UK, unlike the EU’s GDPR regulation that encompassed all members and suggests those in the pro-CMA camp are relying heavily on the power of post-Brexit UK to set global user data privacy standards. Britons might reasonably ask: “Are you having a laugh?“

Change is needed, however. Current loopholes “empower criminal ad tech organizations to exfiltrate user data without consent.” Some of these same firms are publicly lobbying to erode the protections being proposed by Google. And Google is the liable party, he says.

“Google is the biggest collector of non-compliant data flows, and has more partners ingesting data after Google ad auctions than any other company in the world. If Google ignored its data controller requirements in ad auctions and continued to share user data haphazardly before and after auctions with a wide variety of companies in its authorized buyers ecosystem, then it would be facing investigation not just in the EU but also the US."

In short, he backs “any ad sandboxes that break one-to-one user tracking in favour of safe group cohorts where there’s no data exfiltration“. Google‘s FLoC is the core proposal already being implemented in Chromium, "it’s not some totally new half-baked architecture," he concludes.

What do marketers make of all this?

Outside the war for how billions of dollars will be transacted on the open web, marketers are just keen to build brands and sell things as effectively and transparently as possible.

Kate Jervis, head of analytics at marketing technology specialists DQ&A by Incubeta, explains that the sandbox “limits what advertisers and businesses can do moving forwards“. In particular, she says it‘ll hurt SMEs and start-ups that require personalised marketing approaches to find hyper niche audiences.

Next, she predicts there will be less focus on session-based marketing (focusing on the individual customer data, and their activity) and more on anonymised interactions and events.

However, Jervis wonders if the sandbox will help marketers “move away from the obsession of precision [targeting] which infringes on consumers rights and wishes".

Join us, it's free.

Become a member to get access to:

  • Exclusive Content
  • Daily and specialised newsletters
  • Research and analysis