Google recently announced that it has changed its plans to phase out third-party cookies in the Chrome web browser. The company had previously planned to disable third-party cookies in Chrome, a change supported by many in the privacy-stakeholder community, but which was met with criticism from the adtech industry and competition lawyers. Google’s new plans face similar criticism, while raising additional concerns from privacy advocates.
In short, Google is caught between EU privacy laws like the General Data Protection Regulation (GDPR) and competition laws like the Digital Markets Act (DMA). And despite claims that those laws are not in conflict, this episode very clearly shows how different interpretations are clearly in tension.
Google’s new plan is to ask Chrome users whether they want to keep third-party cookies. While key details remain unknown, some commentators (e.g., Eric Seufert) suggest that user choice is likely to be framed in such a way that most users will opt out of cookies. Thus, the final result may be similar to Google’s initial plan. Note that other browsers, Safari and Firefox, already block third-party cookies by default. In contrast, as Seufert points out, Google’s solution will likely require users to make an express choice.
Privacy advocates have long argued for web browsers to include a single option to reject nonessential cookies across all websites. This approach has been proposed as a solution to the prevalent “cookie consent popup fatigue.” The privacy advocates’ argument is not, however, just about giving users meaningful choices. It has also been suggested that the open-advertising ecosystem, which relies on third-party cookies, is too invasive of privacy to be allowed by default (see, e.g., this from Jan Tomisek).
It has been suggested (e.g., by Omar Duque) that instead of asking users whether to allow third-party cookies in general, or having one default setting for all third-party cookies, “personalized defaults” could be used. This way, a user’s default settings for third-party cookies could take into consideration more information about that user than merely whether they answered “yes” or “no” to a question (e.g., based on some standardized information that the user provides in a survey collected by their web browser).
But given prominent opposition in the privacy world to personalized advertising—especially through the open-advertising ecosystem—there is a high likelihood that privacy authorities would insist on disallowing third-party cookies wholesale for all users. Disabling third-party cookies by default also has support from privacy authorities like the UK Information Commissioner’s Office (ICO). ICO Deputy Commissioner Stephen Bronner recently told The Financial Times that the agency is “disappointed that Google has changed its plans” because “blocking third-party cookies would be a positive step for consumers.”
Simplifying somewhat, the more likely Google makes it that users will refuse third-party cookies, the greater the chance that privacy lawyers will accept their solution. But Google also faces the challenge of satisfying competition authorities, especially the UK Competition and Markets Authority (CMA), which is investigating precisely this issue.
Google’s advertising-market competitors and the competition lawyers who represent them have criticized Google’s new plan. One of their key points is that privacy law should not be an instrument for anti-competitive behavior. I have a lot of sympathy for this argument: the EU GDPR is not a “super law” that trumps other EU legal rules, especially those directly included in the EU’s foundational treaties (the key EU competition-law provisions have that status).
Competition-oriented laws like the DMA, however, tend to state expressly that they are meant to apply without “prejudice” to the GDPR. In response, competition lawyers tend to offer their interpretations of privacy law, which would not require disabling third-party cookies by default. Here, too, I have a lot of sympathy with the argument.
The problem is that the more prominent interpretations of EU privacy law contradict this approach. This, I think, is a serious defect in competition-law discussions: they do not engage with the privacy-law approach imposed on companies like Google by privacy regulators, even when those same privacy regulators may be happy to pay lip service to the argument that privacy law is not in tension with competition law and that solutions can always be found. Such statements tend to be made at a high level of generality. When it comes to the specifics—like whether third-party cookies should be disabled by default—the “Kumbaya” song breaks down.
I don’t envy Google and other companies caught between the rock of privacy law and the hard place of competition law. It’s counterproductive to pretend these tensions don’t exist, or to suggest that some magical, unspecified solution will satisfy everyone’s concerns. It’s also counterproductive to expect businesses to comply with an interpretation of privacy law that faces significant opposition among privacy lawyers, without any guarantees that privacy authorities will accept it.