The UK's Competition and Markets Authority (CMA) published its latest assessment of Google's Privacy Sandbox on November 11, 2024, revealing ongoing competition concerns despite Google's significant change in strategy announced earlier this year.

In a major shift announced on July 22, 2024, Google revealed it would no longer proceed with its original plan to fully deprecate third-party cookies in Chrome. Instead, the company will give users a choice on whether to allow or limit third-party cookies. This revision has prompted the CMA to reassess its oversight approach while maintaining scrutiny of Google's Privacy Sandbox tools.

According to the CMA's latest report, the current commitments between the regulator and Google need to be updated to reflect this revised approach. The CMA is actively discussing with Google the implications of the revised strategy for competition concerns and what changes are required to address them.

The regulator emphasizes that Google must continue developing Privacy Sandbox tools in compliance with existing commitments, as these tools will remain critical for targeting and measuring advertising in cases where users choose to limit third-party cookies.

"Our view is that competition concerns remain under Google's revised approach," states the CMA in its report. The regulator wants to ensure changes are made in a way that supports continued competition in digital advertising.

The CMA notes that if it cannot agree on changes to the commitments with Google that address competition concerns, it will consider what further action may be necessary. A public consultation on any proposed changes to the commitments is expected in Q4 2024.

Industry stakeholders, particularly ad tech companies and publisher groups, have expressed near-unanimous opinions that competition concerns persist and that continued CMA oversight is necessary. However, some individual respondents argued that Google should revert to its original plan of fully removing third-party cookies to better protect user privacy.

The Information Commissioner's Office (ICO) remains closely involved in the process, focusing on ensuring both competition and privacy are protected. The ICO will monitor how the industry responds to Google's revised approach and retains independence to take regulatory action against any parties where non-compliance with data protection legislation is identified.

Based on available evidence, the CMA considers that Google has complied with existing commitments between April 1, 2024, and September 30, 2024. This means Google has followed required processes and engaged with regulators to resolve concerns about Privacy Sandbox development.

The CMA's assessment covers multiple technical components of the Privacy Sandbox, each with distinct implications for competition and privacy:

Topics API

The Topics API, designed for interest-based targeting, continues to raise concerns about Google's control over the taxonomy of topics and potential advantages from first-party data. The CMA notes that while Google has made improvements to user controls and transparency, questions remain about the effectiveness of privacy controls and potential competitive advantages.

Protected Audience API

Formerly known as FLEDGE, this remarketing tool faces scrutiny over its auction dynamics and integration with Google Ad Manager. Publishers have expressed concerns about reduced visibility into auction processes and potential advantages for Google's ad tech services.

Attribution Reporting

The Attribution Reporting API (ARA) remains under review regarding its effectiveness for measurement and reporting compared to current solutions. Stakeholders have raised concerns about limitations on multi-touch attribution and cross-device measurement capabilities.

Technical Infrastructure

The requirement for Trusted Execution Environments (TEEs) has drawn particular attention, with stakeholders expressing concerns about:

• Implementation costs and complexity
• Limited cloud provider options (currently only AWS and Google Cloud Platform)
• Potential competitive advantages for Google through its cloud platform
• Timeline pressures for adoption

Governance Framework

Google has proposed improvements to its governance framework including:

1. A formal consultation period for strategic decisions
2. An externally managed appeals process
3. Codified privacy and utility principles
4. Annual reporting on cross-site tracking risks

These proposals aim to address concerns about Google's discretion over Privacy Sandbox development and implementation.

Historical context

The CMA's involvement with Google's Privacy Sandbox began in January 2021 when it launched an investigation under Chapter II of the Competition Act 1998. This investigation led to legally binding commitments from Google in February 2022, establishing a framework for regulatory oversight of the Privacy Sandbox development.

The strategic importance of this oversight has grown as digital advertising continues to evolve. The original Privacy Sandbox proposal represented one of the most significant changes to web advertising infrastructure in decades, aiming to phase out third-party cookies while introducing new privacy-preserving alternatives.

Google's July 2024 revision to maintain third-party cookie availability as a user choice marks a fundamental shift in approach. This change reflects the complex balance between:

• Privacy protection goals
• Competition concerns
• Technical feasibility
• Industry readiness
• User experience considerations

The revision came after extensive testing and feedback from the advertising industry, highlighting challenges in replicating current functionality through Privacy Sandbox APIs alone. The CMA's continued oversight ensures this strategic pivot doesn't inadvertently create new competition issues.

Industry Implications

The CMA's latest assessment carries significant implications for the digital advertising ecosystem:

Market Competition

• The revised approach may reduce immediate disruption to current advertising practices
• Questions remain about long-term competitive dynamics, especially regarding Google's advantages in first-party data
• Smaller ad tech companies face uncertainty about resource investment and technical implementation

Privacy Protection

• The ICO will monitor how industry responds to the user choice mechanism
• Privacy risks persist where parties may use cookies or other identity signals inappropriately
• Technical privacy controls in Privacy Sandbox tools continue to evolve

Technical Implementation

• Ad tech companies must prepare for both cookie-based and Privacy Sandbox scenarios
• Implementation timelines may extend due to the revised approach
• Technical standards and cross-browser compatibility remain important considerations

User Experience

• The impact of user choice mechanisms requires careful evaluation
• Multiple privacy controls and settings need clear presentation
• Browser performance and functionality must be maintained

Key Facts

• Original investigation launched: January 7, 2021
• Binding commitments accepted: February 11, 2022
• Strategy revision announced: July 22, 2024
• Latest assessment published: November 11, 2024
• Current phase: Ongoing oversight with commitment updates under discussion
• Key concern: Maintaining competition while protecting privacy
• Primary tools under review: Topics API, Protected Audience API, Attribution Reporting
• Technical requirements: Trusted Execution Environments on specific cloud platforms
• Oversight duration: Continues through implementation of revised approach
• Primary stakeholders: Advertisers, publishers, ad tech companies, privacy advocates