Controversy over Google’s Privacy Sandbox shows need for an industry regulator

In a blog post on March 3, Google announced that it would be removing third-party cookies from its Chrome browser—a decision that would effectively end use of third-party cookies. Google also pledged to avoid any other technology for tracking individuals as they browse the web. In its place, Google proposed cohort tracking, whereby companies could use third-party ad services to target ads only to larger groupings instead of individual users. It argued that such a change is needed to respond to increasing privacy concerns about tracking of individuals across websites. In June, Google announced that it would delay this plan to scrap cookies until late 2023.

Naturally, such a dramatic change in internet infrastructure has drawn government scrutiny both here and abroad. U.S. competition authorities seem to be going in the wrong direction by overemphasizing competition concerns to the detriment of user privacy interests, while the United Kingdom’s regulatory approach shows promise of promoting competition while preserving privacy.

Resolving the challenges posed by the Privacy Sandbox will involve going beyond antitrust enforcement. It will require the ongoing supervision of the digital ad infrastructure by a specialist regulator with both privacy and antitrust responsibilities. Given the tensions and synergies between privacy and competition in this vital digital sector, that regulator should also be given the job of finding measures that balance competing policy objectives.

It seems that the first reaction of U.S. state attorneys general to Google’s Privacy Sandbox is to try to stop it. In their amended complaint against Google, these law enforcement agents see the Privacy Sandbox as Google’s attempt to disadvantage its ad competitors by drying up their access to detailed information about consumer web behavior. They want Google to end its cohort program, which Texas Attorney General Ken Paxton dismissed as a “social credit score based on group identity,” and allow ad tech companies to return to the familiar world of cookies tracking.

At a time when public sentiment against online tracking is at a high point, this would be an unfortunate and counterproductive role for antitrust. Antitrust action that seeks to lock the ad industry into yesterday’s privacy-intrusive technology in the name of preserving competition would only discredit the mission of antitrust. As Gilad Edelman said in his insightful Wired article on a collision course between privacy and antitrust, “Just about everyone agrees that third-party cookies are terrible. It would be weird if Google was prevented from killing them in the name of antitrust law.”

Even though seeking to stop the Privacy Sandbox is an antitrust overreaction, the Privacy Sandbox does pose competition challenges. During implementation, Google might allow itself to have access to individual-level user web histories through Chrome while denying that opportunity to other ad service providers. This could be addressed by conditioning the implementation of Privacy Shield on non-discriminatory safeguards and imposing a system of regulatory supervision to enforce them.

The United Kingdom’s Competition and Markets Authority took this approach in its Privacy Sandbox review. Back in January, the CMA’s expressed concerns about the Privacy Sandbox included this concern about discriminatory implementation. But the concerns also included the idea that banning cookies would be unfair to Chrome users because it would deprive them of their choice to receive targeted ads. One commentator noted this danger that the CMA would require Google to continue cookies with appropriate user consent and choice architecture, saying “It would be a bad outcome for consumers if (e.g.) the CMA’s investigation into Google’s Privacy Sandbox ended up with a remedy that was great in competition terms but awful in privacy terms.”

In June, however, the CMS obtained from Google certain commitments on how it will proceed in implementing its Privacy Sandbox. These commitments did not include a choice option for Chrome users to accept tracking, but did include a pledge to work with the regulator to “ensure that whatever emerges from Privacy Sandbox does not leave it with an unfair advantage.” Google apparently accepted the idea that it cannot retain access to individual-level information about a Chrome user’s web browsing history while depriving its advertising rivals of access to this information. It also agreed to share information and consult regularly with CMA before implementation, creating a substantial system of regulatory supervision. With these commitments, CMA seems prepared to allow Google to move forward with the Privacy Sandbox and remove support for cookies in its Chrome browser.

The CMS regulatory scheme is a good step. But it fails to deal with a more fundamental problem with the Privacy Sandbox such as its asymmetry, which allows Google to track users across the multiple services it owns and operates while denying others the same opportunity. Google operates a host of separate services, including Search, Maps, YouTube, the App Store, and Gmail, that have nothing in common except that they all are owned by Google. Google’s plan is to allow these corporate units to share information about their users, even though other ad companies would not have access to personal data about users visiting these sites.

This same asymmetry, between an integrated company offering separate services through its affiliates and independent companies offering the same services, plagued the 1999 Gramm-Leach-Bliley Act that created a privacy regime for the U.S. financial services industry. The bill allowed sharing of consumer information among insurance, banking, and securities affiliates in the same corporate family with no opportunity for consumer choice. In contrast, the law allowed consumers to opt out from data sharing among non-affiliated financial firms.

The commitments CMA obtained from Google do not seem to address this broader asymmetry. They appear to allow Google continued access to individual-level data from its owned and operated properties and the use of this information to target ads. Google has committed to play by its Sandbox rules in connection with its Chrome browser activities, but it will still be able to share data across Google Search, Maps, and YouTube.

It is as though CMA is unaware of the dangers of one set of privacy rules for affiliates and another for independent companies, even though it has already recognized exactly this risk. In its statement on privacy and competition in digital markets (published jointly with the Information Commissioner’s Office, the U.K. privacy regulator) it says that “neither competition nor data protection regulation allows for a ‘rule of thumb’ approach, where intra-group transfers of personal data are permitted while extra-group transfers are not.” The agencies warn that an asymmetry in privacy rules might encourage companies to merge in order to take advantage of data sharing opportunities with reduced privacy restrictions.

It is not hard to come up with a regulatory fix for this broader asymmetry between integrated digital ad companies and independent companies. European competition lawyer Dimitrios Katsifis, for instance, has urged regulators to ensure that “users will be tracked across Google sites only as parts of large cohorts.” This approach would mean that Google’s own rules against individual-level tracking should be applied to its owned and operated properties.

But eliminating individual tracking regardless of affiliation can be accomplished under the antitrust laws only conditionally. Antitrust is generally powerless to mandate or forbid specific business practices unless they harm competition. Cookies tracking, by itself, is not an antitrust offense. The harm to competition is the discrimination, the asymmetry, not the practice of tracking itself

The only way competition authorities can reach cookies tracking is through a non-discrimination measure. It could require Google to implement its Privacy Sandbox in a way that preserved an even playing field in a broader sense. Google would not be able to put Privacy Sandbox into practice and do away with third-party cookies unless it also gave up its ability to share individual data across its own properties.

But the limits to this non-discriminatory approach are obvious. If antitrust regulators give Google a choice between sticking with the current browser tracking system or applying its cohort approach to its own properties, it is highly likely to choose the current system, with its pervasive tracking of individuals across the internet. The antitrust approach by itself seems likely to preserve the unacceptably intrusive system of cross-site tracking that even the industry wants to move away from.

As this case illustrates, it is vital that an industry regulator be able to assess both privacy and competition issues at the same time. It is a legitimate concern that companies can and will “increasingly invoke privacy considerations to justify potentially anticompetitive conduct.” A regulator should not be able to promote data protection while ignoring a company’s substantial market power in the ad industry and how control over user data can entrench that power. But addressing that tension will require substantive regulatory coordination.

The U.K. is aiming to achieve this regulatory coordination through its Digital Regulation Cooperation Forum that links the competition regulator CMA with the privacy regulator ICO.  But CMA has no authority over data protection and ICO has no competition jurisdiction. So, this attempt at cooperation between agencies with different missions and no common authority to decide conflicts might become a bureaucratic tangle with burdensome procedures and no substantive harmonization. It might not be a good model for the U.S.

A better solution in the U.S. would be to bring privacy and antitrust together in the same regulatory structure aimed at providing public supervision of the digital ad industry.

The Federal Trade Commission can do this since it has both competition jurisdiction and privacy authority through its authority to prohibit unfair or deceptive acts or practices. However, as former FTC official Jessica Rich notes, “early and direct input from both privacy and competition staff on all data protection matters…does not naturally occur under the FTC’s current structure.”

More importantly, there is no statutory directive to guide agency action in crafting rules that promote both competition and privacy in the digital ad industry. Only Congress can give the agency the authority it needs to take advantage of the synergies and avoid the tensions in pursuing both policy goals.

In constructing a new regulatory regime for the digital ad industry, Congress would be able to avoid a one-sided approach that would perpetuate the current system of internet tracking in the name of preserving ad competition. It could, for instance, make a statutory policy decision that cross-site tracking regardless of affiliation is too intrusive to permit. Or it might decide that it is so risky that it can be allowed only with affirmative, opt-in consent. Another option is to defer that judgment to the industry regulator with a directive to reach a conclusion after considering several relevant factors, including the need to finance valuable internet information sources as well as the need to protect the privacy interests of users.

In many ways, the digital ad industry calls out for its own regulatory structure. It is the primary funding mechanism for the vast array of vital products and services available on the internet. It plays an infrastructural role in the internet economy akin to the role played by financial services companies in raising and allocating financial resources for the real economy. The proper functioning of this vital financing mechanism for the internet is as important to the country’s overall economic well-being as the safety and soundness of the financial sector.

The industry trade association, the Network Advertising Initiative (NAI), tries valiantly to develop and evangelize self-regulatory best practices for the industry, but in its current form, it is not structured or authorized to play this role of infrastructure regulator. Its efforts would be far more effective if backed by a real government regulator empowered by Congress to oversee and supervise the industry. One model for such a co-regulatory approach might be the Financial Industry Regulatory Authority (FINRA), the self-regulatory authority for broker-dealers that has rulemaking and enforcement power backed by the Securities and Exchange Commission.

It is hard to think that the virtually invisible ad tech world is so important to the country that it deserves its own regulator. But it plays a vital role in today’s economy and has its own unique complexities and contingencies. Congress should consider empowering a regulatory agency to supervise and oversee this essential industry, and in the process find a reasonable balance between the demands of promoting competition and protecting privacy.

Editors note: this blog has been updated to reflect Google’s decision to delay its plan to supporting cookies until late 2023.

Google is a general, unrestricted donor to the Brookings Institution. The findings, interpretations, and conclusions in this piece are solely those of the authors and not influenced by any donation.