Outdoor street view of Google´s Dublin office showing regulatory oversight of Privacy Sandbox by UK CMA

Google Agrees to Additional Regulatory Oversight of “Privacy Sandbox” Project; UK CMA Will Play Ongoing Role

Google’s “Privacy Sandbox” project, which aims to eliminate personalized tracking cookies from advertising, will proceed with the United Kingdom’s Competition and Markets Authority (CMA) taking a direct hand in the course of its development. The CMA’s insistence on regulatory oversight stems from concerns that whatever Google develops will allow it to take an even greater share of the search advertising market, something that it held about 92% of at the midpoint of 2021.

UK CMA to impose direct regulatory oversight as Google’s “cookie alternative” project develops

Between increasing regulation, consumer distaste for them, and corporate policies that greatly limit their use (such as Apple’s new App Tracking Transparency framework), there is an increasing feeling that tracking cookies will be hounded out of existence.

Nevertheless, the personalized advertising industry is a massive one (and one that some tech giants have built their revenue models on) and will not simply dry up and go away. A number of more privacy-focused alternatives are being looked at, with Google’s Privacy Sandbox project most likely the one closest to maturity and actual deployment.

The Privacy Sandbox proposal would replace the tracking cookies that gather information with a cohort model handled primarily by the end user’s web browser on the local device, something that would (at least according to Google’s theory) allow for individual user interests to be identified for ad selection without exposing their personal information or identity to advertising networks.

Though Google has been developing the Privacy Sandbox concept for well over a year now, full details about its exact planned workings are still not yet available. But some components for the Chrome browser are already in testing, and Google hopes to begin migrating advertisers over to the new system in late 2022.

Enter the CMA. The agency initiated an antitrust investigation into the Privacy Sandbox in early 2021, and the recent conclusion calls for regulatory oversight due to the possibility of Google increasing its advertising market dominance if the new system becomes a widely accepted standard.

The CMA’s regulatory oversight role will shape the Privacy Sandbox outside of the UK, as Google has committed to making its commitments to the agency global. These include required feedback from third parties and the provision of “greater certainty” for those developing alternative technologies, internal limits on the amount of data that Google can use, and reporting and compliance standards. The CMA is appointing a monitoring trustee to ensure that these compliance standards are adhered to, and the relationship is slated to last for at least six years.

The CMA is consulting on these new commitments until December 17, and if they are accepted it would put an end to the investigation.

UK interest in privacy sandbox appears to tilt more toward anti-competitive status than personal privacy

Though the project is still in development, a good deal of criticism has already been lobbed at the Privacy Sandbox. Most notably from the Electronic Frontier Foundation, which theorizes that the categories users are placed in will manage to remain visible to third-party sites and will inevitably be connected to personal identities and previously gathered stashes of information (most likely via browser fingerprinting, which Google’s plan could actually aid). The EFF also sees it as a potential tool of discrimination, using the demographic categories that users are placed in to perhaps target a user by their financial history or to screen them out of job applications based on race or location. And one of Google’s central selling points, the fact that the system is governed by a neutral algorithm rather than human hands that could introduce biases, will not necessarily protect users from profiling based on sensitive demographic categories.

The CMA’s regulatory oversight action does not really address those issues, at least as of yet. The main concern seems to be preserving competition in the online advertising market. UK officials in charge of regulating digital advertising and personal information handling have tended to express interest in expanding the country as a leading market for this sort of thing, as it moves away from the structure of the EU’s General Data Protection Regulation and firms up its own self-established data privacy rules.

These privacy fears are more about third-party abuse than first-party malfeasance by Google; the search giant has already pledged to not give itself backdoor access to Privacy Sandbox information, and to stay out of Chrome browsing histories once the project is up and running. Presumably the CMA trustee will play an active role in policing this. In a blog post Google also pledged to not give preference to its own advertising products or websites.

UK CMA's regulatory oversight role will shape the #Privacy Sandbox outside of the UK, as Google has committed to making its commitments to the agency global. #respectdataClick to Tweet

There is no proposal for regulatory oversight of this project in the US as of yet, but in March a coalition of state attorneys general filed a complaint attached to an ongoing antitrust lawsuit that included the Privacy Sandbox as a point of concern. In the EU, the tech advocacy group Movement for an Open Web recently filed a complaint against Google alleging that the project will stifle open competition on the internet.