The Elephants in the Room: On Advertising Privacy and Competition

For an industry that over the years has benefitted from spotty enforcement and a relative ease of tracking and profiling users online, the CMA (and the ICO) refereeing Google's Chrome privacy changes represents a new normal.

The Elephants in the Room: On Advertising Privacy and Competition
"Ad Privacy and Competition" / Alex Krylov via Microsoft Creator

An abridged version of this essay first appeared in the April 2 issue of The Lucid Privacy Bulletin.

Test, engage and adapt… or be trampled by the big elephant in the room. Ok, two elephants. This was the IAB [Ad] Tech Lab’s rallying call at the aptly named 'As the Cookie Crumbles' event in a suitably rainy NYC.

To an industry looking to innovate itself from under a regulatory rock and over a cookieless hard place the day’s Spring showers promised renewal.

Horton hears a what

The conference centered around Google's Privacy Sandbox, a key part of what IAB Tech Lab CEO Tony Katsur dubbed the Great Shift for the ad industry.

To recap, the Sandbox is a set of policies and APIs that will turn Chrome – the world's most popular browser – into an on-device ad platform. Cross-site tracking and other data sharing would be restricted by design.

Chrome's privacy model is very much a brain child of its time:

Even if you don't count Washington's My Health My Data Act or California's Delete Act, the US now has at least 15 state privacy laws. More state laws are on their way and we once again have bipartisan interest in a preemptive federal privacy law.

Meanwhile, California’s Privacy Agency is turning its sights to first-party advertising (page 7 here), and both the California Attorney General and the Federal Trade Commission have been enforcing against errant data sellers. (i.e. Doordash, Avast etc.) This is on top of fresh enjoiners about the virtues of data minimization.

Across the pond, the UK Information Commissioner (ICO) is cracking down on cookie consent malpractices and Europe continues to build out its holistic tech policy where digital privacy intertwines with consumer protection and antitrust.

Against this backdrop it's understandable why privacy veteran Alan Chapell calls Google's strategy a preemptive “flipping over the proverbial table”.

“And Horton called back to the Mayor of the town, ‘You’re safe now. Don’t worry. I won’t let you down.‘” – Dr. Seuss, 'Horton Hears a Who'

The jungle of null

For ad sellers and buyers, a Sandboxed, cookieless Chrome will exacerbate an ongoing 'signal loss' and its commercial implications.

'Signal' is adtech euphemism for unique identifiers like cookies and mobile advertising IDs that make personalized ads possible. (i.e. An ad served to a buyer of high-end sneakers vs in an article about how ASICS got its tiger stripes.)

When there is a recognized user (or device) associated with an ad placement, there are higher revenue opportunities for publishers and ad service providers – advertisers are willing to pay more for targeted ads, and more still for certain users.

But when a user opts out, turns on limit ad tracking features or does any number of other things that literally or figuratively null such identifiers out, advertisers pay less.

These challenges, in context:

  • Platform self-regulation: Over the past few years, Apple, and more slowly Google, have made significant platform changes that give iOS and Android users more default options and device-level privacy controls. These features are buffered by algorithmic anti-tracking & anti-fingerprinting protections. The two giants are arguably the most effective tech regulators in the world.  
  • Browser intervention: Safari, Firefox, Brave, DuckDuckGo and Edge offer a range of similar anti-tracking and anti-fingerprinting features. Covert (and overt) tracking protections are the new status quo, and Chrome is no exception.
  • User self-determination: Users are not just opting out of 'selling' or 'sharing'/behavioral ads. They are continuing the largest sustained boycott in the world by changing their device and social app privacy settings, turning on VPNs and using increasingly sophisticated ad (and consent request) blockers.

The economics at play here are the same ones that underpin debate over (i) how much Facebook should charge for its ad-free subscription plan, and (ii) how much platforms should pay news publishers for their content.

In response to these and related data challenges the ad industry has been investing in Data Clean Rooms and an array of cookie-alternative ID solutions.

For its part, the Chrome team has put forward targetable interest groups and a form of retargeting that will, staying within the Sandbox privacy model, control what external parties can glean about a user.

“*Everyone* seemed to be yapping or yipping! *Everyone* seemed to be beeping or bipping! But it *wasn’t enough...*” – Dr. Seuss, Horton Hears a Who

Playing nice

During a diplomatic but pointed panel named 'Be Nice When You Play in the Sandbox', the IAB Tech Lab Privacy Sandbox Taskforce sat down with Google to discuss the Taskforce's testing experiences and concerns. Namely, that the APIs have a steep learning curve, and as built today omit, degrade or cost-prohibit important advertising use cases.

The degraded functionality observed included competitive separation, fraud prevention and granular performance attribution – all things that help make the ad market fair and transparent.

Google disagrees with the Taskforce... but the European Commission disagrees with Google. The EU Digital Markets Act (DMA) requires Google, Meta and other ad gatekeepers to be transparent about their algorithmic twiddling... for ad targeting and fee charging.

These are all issues ad buyers and sellers seek contractual assurances around, and are likely to sue Google over.

Nevertheless, all panelists called for further industry collaboration to test Privacy Sandbox APIs, contribute to helpful documentation and innovate new ways of running effective and accountable advertising within Chrome's new privacy model.

None of this is lost on the UK Competition and Markets Authority (CMA) – the other elephant in the room. The CMA attended virtually and presented on their ongoing work to hold Google to its fair play Commitments when it, sooner or later, deprecates third-party cookies in Chrome.

The CMA's involvement should not be underestimated. The UK is one of the largest digital markets relative to its size, and having delved deeply into online ads in recent years the competition regulator is uniquely qualified (and empowered) to deal with Google's 'table flip'. To be sure, their international counterparts are watching too.

″‘My friends!’ cried the elephant. ‘Tell me! Do tell! Are you safe? Are you sound? Are you whole? Are you well?‘” – Dr. Seuss, Horton Hears a Who

Weathering the storm

While event attendees were accepting of the new pro-privacy paradigm, some did not feel the CMA was doing enough (or at least being public enough) to acknowledge a broader competition issue – market consolidation. 

One sign that you are in a regulated industry is a rising cost of doing compliant business. 

  • Per Gartner, global spending on privacy-compliance is projected to reach $8.8 billion by end of 2024.
  • The NBER projects that storage and computation costs will increase by ~20% year over year to accommodate privacy-forward data strategies.
  • The ITIF estimates that the US patchwork of state privacy laws could generate $104 billion in market inefficiencies that result in higher cost and decreased innovation.

Panelists said small and medium size organizations will struggle to retool while riding out 10-30% drop in ad revenues from Chrome changes. The fear is that the resulting attrition will only further empower incumbent industry players.

That is, unless the CMA’s EU and US counterparts start actually breaking the giants up

In answering attendee questions on this front, CMA staff confirmed all constructive proposals and antitrust remedies remain on the table. That said, the authority reiterated that proposals that would loosen Chrome’s ad privacy model would be non grata: the ICO won’t stand for it, and British Parliament won’t legislate around it.

These wider factors lent a particular note of urgency to Katsur's and the Taskforce’s calls for more testing and more (confidential) engagement with the CMA.

“The first thing to do is prop up this tree and make it much stronger. That has to be done before I get on it. I must weigh a ton.” – Dr. Seuss, Horton Hatches the Egg

The great shift

For an industry that over the years has benefitted from spotty enforcement and a relative ease of tracking and profiling users online, the CMA (and the ICO) refereeing Google's Chrome privacy changes represents a new normal.

To echo Allison Schiff’s column over at AdExchanger, gone are the days where the industry could lean on voluntary standards and hope to fly below radar. Normative laws have been passed. Regulators have awakened. And tech giants have responded.

Against this backdrop, Google's Privacy Sandbox seems an ironic opportunity for adtech to wash away past transgressions and rebuild for a sustainable future. On the one hand, Chrome's restrictive data sharing model makes good privacy sense, including on covert tracking. On the other, the same model may well make Chrome a black box that, when combined with the limitations the IAB Tech Lab's Taskforce observed, raises valid existential concerns.

But even if the CMA decides to halt Google's plans on competition grounds, the delay will likely be temporary, and the privacy concerns driving the great shift forward will still be there the next day.

Indeed, the ad industry as a whole has matured into a set of heady legal and regulatory challenges stakeholders have no choice but to play nicely together to overcome – in or out of the sandbox.

Policymakers meant what they said and said what they meant. Adtech is regulated one-hundred percent.