Google’s announcement in late July that it is dropping its plan to eliminate third-party cookies in its Chrome browser suggests regulators must strengthen institutional mechanisms for balancing the demands of promoting business competition and protecting consumer privacy. The United Kingdom’s privacy regulator, the Information Commissioner’s Office (ICO), wanted Google to block privacy-invasive cookies, while its competition authority, the Competition and Markets Authority (CMA), wanted to make sure doing so would not even more effectively entrench Google’s dominance in the ad tech market. Ultimately, the company decided that leaving cookies in place, while proposing an “updated approach that elevates user choice,” is the only way forward. This is a cautionary tale for industry, policy makers and advocates alike.
How We Got Here
Third-party cookies are bits of code stored on computers as their users visit different websites. These records of visits reveal user interests and preferences and enable websites, ad tech firms and advertisers to target ads to these users. For years, they have been the engine of the online advertising model.
But users, privacy advocates and privacy regulators think profiling users in this way is invasive and have been nudging the industry to find another way to conduct its business. In response to these concerns, some browsers, including Mozilla’s Firefox and Apple’s Safari, have blocked third-party cookies by default.
Google, with 65 percent of the browser market, responded in 2019, when it announced it would eliminate third-party cookies entirely from its Chrome browser. Then, in 2020, it proposed replacing them with a new system of “cohort tracking,” which it called the Privacy Sandbox. The idea was that Chrome would keep track of users as they visited different websites, but websites would no longer have access to these tracking cookies. Instead, Google would tell the website only what interests the users had, by placing them in such ad-relevant categories as “Student Loans & College Financing” or “Parenting.” Ads would be targeted at users without the websites, publishers or other ad tech companies knowing anything more about them than that they’d fallen into these general categories.
Advertisers and ad tech companies worried this new plan would cut into advertising revenue. They complained it would entrench Google’s monopoly even more deeply, since the company controlled access to the underlying individual-level data. They found a receptive ear at the CMA, which opened an investigation into the proposed change.
Among the concerns CMA raised was the lack of consumer choice. It characterized Google’s proposal to eliminate third-party cookies as an attempt to “exploit its apparent dominant position by denying Chrome web users substantial choice in terms of whether and how their personal data is used for the purpose of targeting and delivering advertising to them.” The tech giant delayed implementation while it cooperated with the competition regulator.
At the time, commentators wondered about the irony of regulators investigating Google for an apparently pro-privacy proposal. Wired’s political editor, Gilad Edelman, wrote in an insightful 2021 article that “just about everyone agrees that third-party cookies are terrible. It would be weird if Google was prevented from killing them in the name of antitrust law.”
Also in 2021, in his Platform Law Blog, competition policy commentator Damien Geradin emphasized the same danger, saying, “It would be a bad outcome for consumers if (e.g.) the CMA’s investigation into Google’s Privacy Sandbox ended up with a remedy that was great in competition terms but awful in privacy terms.”
But privacy regulators and advocates were not entirely pleased with the new regime, either. Max Schrem’s privacy group, None of Your Business (NOYB), filed a complaint with the Austrian data protection authority, arguing that Google’s new system of tracking by ad topic is also privacy-invasive, even though it is “less terrible” than third-party cookies. In particular, NOYB determined it was misleading for Google to ask users to consent to its new system of tracking by describing it as an “ad privacy feature,” concluding that any user consent was not fully informed.
In a 2021 opinion, the UK privacy regulator, ICO, said that the phasing out of third-party cookies was “a welcome development” but warned it would not accept “alternatives that use the same fundamentally flawed approaches.” According to the Financial Times, the ICO “still had issues with the proposed replacement technologies, calling them ‘deeply flawed’, which contributed to the decision to cancel.”
The new system likely would have caused severe disruption in the advertising business. Google’s own studies showed a decline in performance compared with the old system of individualized third-party cookies. Criteo, an ad tech company that provides a service for online retailers to retarget customers who leave their website without buying anything, has said the decline in revenue for publishers using Privacy Sandbox would be
60 percent.
Even though things seemed to be on track for implementation as recently as April of this year, the combination of industry distress and unhappiness from all regulators has proven to be too much. In July, Google pulled the plug on its plan and decided to keep third-party cookies after all.
The bad news is that consumers are not now in the best position to evaluate what these choices concern. They do not understand the intricacies of the ad tech world.
The Way Forward
Google says it is now committed to a path that preserves third-party cookies but gives users more control over them. “Instead of deprecating third-party cookies,” the company has said, “we would introduce a new experience in Chrome that lets people make an informed choice that applies across their web browsing, and they’d be able to adjust that choice at any time.”
The ICO has said it is disappointed in Google’s decision, noting that “blocking third-party cookies would be a positive step for consumers.” But it encourages the industry to adopt “more private alternatives to third-party cookies — and not to resort to more opaque forms of tracking.”
In its reaction to the Google decision in July, CMA noted that the company will be introducing “a user-choice prompt, which will allow users to choose whether to retain third party cookies” and has promised to “carefully consider Google’s new approach.” The agency is likely to be pleased with the new system, since it appears to restore its preference for a system of user choice in connection with third-party cookies.
But now Google, the industry, privacy groups and regulators must turn to designing a choice architecture that satisfies all concerns.
As Dave Lee has noted in an insightful comment for Bloomberg, this will not be easy. If the choice screens make it too difficult for users to say yes to third-party cookies or nudge them to say no, advertisers will not be happy and competition regulators will suspect anti-competitive motives. If the choice screens nudge them to say yes, or if users are faced with inferior service should they refuse cookies, privacy advocates and regulators will insist that privacy concerns are being shortchanged.
Chrome’s existing choice screen for “ad topics” illustrates the problem. When users initially launch Chrome, a screen appears that reads as follows: “Turn on an ad privacy feature. Ad topics help sites show you relevant ads while protecting your browsing history and identity. Chrome can note topics of interest based on your recent browsing history. Later, a site you visit can ask Chrome for relevant topics to personalize the ads you see. You can see ad topics in settings and block the ones you don’t want shared with sites. Chrome also auto-deletes ad topics that are older than 4 weeks.”
As NOYB has noted, this choice is misleadingly described as turning on an ad privacy feature. But the rest of the information seems to be reasonably accurate. Going forward, regulators will now be in the business of determining whether the phrasing and design of choice screens for third-party cookies is fair enough to give users a meaningful choice.
The bad news is that consumers are not now in the best position to evaluate what these choices concern. They do not understand the intricacies of the ad tech world. It therefore may not be good public policy to outsource this crucial decision on the future of third-party cookies, and the online ad industry itself, to poorly informed and hurried users.
Regulators may have to impose a default solution, one they think will best protect both consumers and competition, perhaps by requiring that Google imitate Apple and Mozilla in blocking third-party cookies by default. This option would allow consumers a choice to affirmatively opt back in if they really desire to be tracked around the internet. The regulators could then work with the industry to design a fair and effective alternative.
In any event, it’s clear that regulatory cooperation is essential for a united and coherent government response to tech industry challenges.
The CMA and the ICO both recognize this and have committed to ongoing collaboration, saying in an important joint statement in May 2021 that their “overlapping objectives regarding competition and data protection in the context of the digital economy are strongly aligned and complementary.”
They’ve pledged to work together to resolve any potential conflicts and tensions between the two policy areas. They also are collaborating on these and other issues with the United Kingdom’s online safety regulator and financial regulator in the consultative Digital Regulatory Cooperation Forum. As the industry moves beyond the wreckage of Google’s plan to dismantle third-party cookies, these institutional partnership mechanisms must be strengthened to provide a unified government response.