Despite improvements, delaying the deprecation of third party cookies in the CMA’s Privacy Sandbox commitments will hold back privacy on the open web

Recently, the UK’s Competition and Markets Authority (CMA) initiated a second round of consultation on the voluntary commitments offered by Google in the Chrome Privacy Sandbox (GCPS) investigation. We welcome the inclusion of greater transparency, consultation, and restrictions on self-preferencing, as we had advocated for in the initial consultation. However, we remain concerned by the broadening scope of the standstill period that will further delay both the deprecation of Third Party Cookies (TPCs) and the deployment of privacy forward technologies such as Privacy Budget or GNATCATCHER which have the potential to address cross-site tracking that occurs through fingerprinting and IP addresses.

Many of the new Commitments are positive and align with our own thinking. Specifically, we commend the CMA for proposing:

  • strengthening restrictions on how Google cannot self-preference its own services;
  • clarifying the internal limits on the data that Google is allowed to use for advertising (including that Google will only be able to use GCPS technologies in the same ways as third parties will be able to use them); and
  • improving the process around transparency and consultation with third parties to ensure public disclosures and engagement with third party viewpoints.

Broadly speaking, the various initiatives that are being considered under GCPS can be split into two categories: (1) new features that support more private advertising (such as FLOC, TURTLEDOVE, etc.) and (2) mechanisms that restrict excessive data collection that already occurs right now (such as TPC deprecation, Privacy Budget, and GNATCATCHER). On the first category, we agree with the CMA that new features may merit a standstill period both because of the potential for them to be forced upon websites and  browsers due to lopsided dynamics in the browser market as well as questions about their privacy properties (as we’ve elaborated in the past). The formal processes and oversight at open standard development organizations (SDOs) such as the W3C and IETF provide an ideal forum to ensure these proposals and their implications are vetted by all relevant stakeholders prior to implementation.

Our primary concern is with the framing of the standstill period to include the second category of mechanisms, because this will delay technology that can protect consumers from data collection and identification practices that are known to be harmful. Withholding these privacy forward technologies from deployment on Chrome will only entrench behaviour in the ad-tech ecosystem that should never have been permissible in the first place. For example, regulatory mandates should not prevent Google from restricting the use of TPCs —something Firefox has advocated for since 2019 to protect consumers from online tracking—and which has also been adopted by several other browsers. There are also other privacy forward measures that are being worked on today to combat tracking such as the Privacy Budget (which while imperfect, at least pushes the debate forward on anti-fingerprinting) and GNATCATCHER, which helps protect against the use of IP addresses for tracking. We hope the CMA weighs these privacy equities to enable Chrome to quickly deploy these technologies when they are ready.

At Mozilla, we have been working for years to drive the industry in this better direction, away from pervasive and opaque web tracking. We’ve done so by limiting the use of TPCs, developing more privacy preserving ways to measure user interactions online, and working on advancing privacy preserving advertising. In our view, the CMA has an incredible opportunity to show the world that privacy and competition are not mutually exclusive, and smart regulation can equally enhance both ideals. To achieve this, we hope to see final Commitments that do not encourage Google to leave Chrome users unprotected by indefinitely delaying the rollout of technologies that could lead to a more privacy preserving internet.