Presenting these views as anything other than my personal notes is disingenuous. None of this is legal advice, and if it were you still shouldn't be listening to some random guy on the internet.
The need to significantly improve privacy on the Web is well-documented, but in order for it to happen and to work, the decrease in access to data has to be distributed fairly across stakeholders. Quite predictably, given that one of the major browser implementers is to privacy what James Mickens's Mossad is to security, the project isn't exactly overburdened with a sense of warm, fuzzy, mutual trust between participants.
In this context, the Competition and Markets Authority (CMA) stepping into the project is promising news. One way to foster trust is to make commitments that would be costly to renege on, and the CMA has outlined a framework for that. More generally, the Web has suffered from standards work and regulation happening in largely separate spheres. Given the scale and impact of the issues we face, stronger cooperation between these two worlds is very much desirable.
Overall, I personally see this as a step in the right direction, and it is only a draft, so we can hope that some of the issues with it can be addressed before it is finalised. The primary difficulty, however, is that there are many data exfiltration opportunities, and if you miss one you aren't much better off than if you had closed none.
With this in mind, a great first step towards credible 2021 commitments would be for Google to start abiding by its 2007 commitments. Specifically, this is what David Drummond, then Google's SVP of Corporate Development & Chief Legal Officer, represented to the U.S. Senate antitrust subcommittee in his testimony regarding the Google/DoubleClick merger:
> Again, no control over the advertising, no ownership of the data that comes with that that is collected in the process of the advertising. That data is owned by the customers, publishers and advertisers, and DoubleClick or Google cannot do anything with it.

That's a strong statement, and it reflects a key expectation in the earlier ad ecosystem: adtech intermediaries don't get to own their customers' data. This is rather self-evident: knowledge of your audience is a key publisher asset. It's not easy to run a business if someone just helps themselves to your key assets. If you ran a cheese factory and your electricity provider just absconded with your cheese or stole your best recipes which it reused on the cheap elsewhere, you'd find it hard to stay afloat. I don't think that anyone would have been interested in partnering with an adtech provider that would just help itself to the audience.
Fast-forward a decade to the 2018 negotiations around GDPR terms for Google's ad products. Under those terms:
- Google owns the audience data.
- Publishers are required to obtain informed consent for a non-exhaustive list of Google's data processing. (If this doesn't crack you up you might need to read it again.)
- Publishers are liable for Google's GDPR infringements downstream of that consent.
In one of the most ambitious crossover events in history, four publisher trade bodies representing several thousand publishers across two continents, including many of the biggest, wrote a letter requesting that this change.
That the terms stuck should give you an idea of what asymmetric market power looks like.
The reason I bring this up is that advertising data is absent from the Google/CMA draft commitments to help ensure a competitive ad market. On p.80 of the CMA's notice, we can see that for third-party inventory, Google promises not to use data (for ad targeting or measurement purposes) from:
- Google’s current and future user-facing services, including Android;
- a user’s Chrome browsing history, including synced Chrome history;
- a publisher’s Google Analytics account; and
- uploaded by an advertiser to Customer Match in accordance with Google’s Customer Match policy.
Additionally, for owned & operated inventory, Google commits not to use data (for ad targeting or measurement purposes) from:
- a user’s Chrome browsing history, including synced Chrome history; and
- a publisher’s Google Analytics account.
This leads to the first thing that I would personally like to see changed in the CMA's agreement. These lists are oddly ad hoc. Instead of listing data sources that are excluded for specific purposes, at the very real risk of omitting an important source of distortion as Google competes with publishers in the ad market, I would like to suggest relying on a principled approach, which is essentially a return to the Drummond Doctrine: Google commits to not using publisher data for any purpose other than those explicitly requested by the publisher as part of a service agreement. On the assumption that everyone's intentions here are to strike the best deal possible, this should not be a difficult change to agree to. It's hard to understand how anything else would be fair.
The second thing that I would like to see changed in this agreement is closely related to the first. Restricting the purposes to ad targeting and measurement is very limiting. If Google uses data that it takes from its competitors in order to increase engagement with one of its ad-supported surfaces (even if not directly for targeting or measurement), then ad spend will shift towards that surface and away from competitors whose data is being taken.
Imagine if a mobile device vendor relied on sludging to get its users to give it permanent access to the microphone, and that microphone access then allowed it to listen in on the confidential discussions that took place inside its competitors' offices. That is at heart what Chrome Sync does. Audience data is a trade secret but short of blocking Chrome from your site you cannot avoid Google's espionage. If Sync data puts publisher audience data to work enhancing, say, Search in such a way that it gets increased ad spend, then that is evidently an unfair practice.
I have heard Chrome people say that Sync is never used for nefarious purposes, which I assume includes invading privacy or harming competition. It should therefore not be a problem to agree to the following change: Google commits to not using Chrome Sync data for any purpose other than the sync service, improving Chrome, or security.
And for the third and final change I would like to see: they forgot AMP! I can't say I blame them, most of us would like to forget AMP too. For the uninitiated, AMP is a system through which Google forces publishers to host content on its owned & operated site (on penalty of poor ranking). A key issue with AMP is that publishers become third parties to their own content. Delivering important services in AMP, such as keeping users logged in or showing ads based on first-party data, relies on third-party cookies. To put this clearly: removing third-party cookies while maintaining AMP destroys publishers' own advertising technology. It's hard to see this as a procompetitive outcome.
Google has made some progress on this front with a new way of measuring performance called CWV, but it is insufficient because, under CWV, AMP remains preferenced. There are several different options that could be hashed out here, so in order not to constrain the solution space I would like to suggest the following commitment: Google commits to addressing issues pertaining to AMP by reaching consensus with interested publishers in a W3C group prior to removing third-party cookies.
Given that all parties appear to be of a constructive bent, I find myself hoping that we can see these omissions easily resolved. It's daunting to have so many moving parts in need of updating at once, but such is the nature of the beast we have wrought.