Steve Thomas - IT Consultant

The European Commission and the UK have announced parallel, formal antitrust investigations into Google and Facebook in relation to their online display ad businesses.

The twin probes, announced today by the EU’s competition division and the UK’s Competition and Markets Authority (CMA), are focused on allegations of collusion between Google and Facebook (aka, Meta) via a September 2018 internal agreement known as ‘Jedi Blue’, which stands accused of undermining a competing ad system (aka header bidding) in favor of Google’s Open Bidding system.

Details of Jedi Blue have previously emerged through a US states antitrust lawsuit against Google’s ad business, led by the State of Texas, which alleges that Google and Facebook forged a quid pro quo agreement to rig the market in their favor — by Google giving Facebook preferential rates and priority choice of prime ad placements in return for the social networking giant supporting its ad system and not building competing ad technologies or using the publisher rival system, header bidding.

The US lawsuit is ongoing but the EU said today it’s similarly concerned that the ‘Jedi Blue’ agreement “may form part of efforts to exclude ad tech services competing with Google’s Open Bidding programme, and therefore restrict or distort competition in markets for online display advertising, to the detriment of publishers, and ultimately consumers”.

In a statement, the EU’s EVP and competition chief, Margrethe Vestager, added: “Many publishers rely on online display advertising to fund online content for consumers. Via the so-called ‘Jedi Blue’ agreement between Google and Meta, a competing technology to Google’s Open Bidding may have been targeted with the aim to weaken it and exclude it from the market for displaying ads on publisher websites and apps. If confirmed by our investigation, this would restrict and distort competition in the already concentrated ad tech market, to the detriment of rival ad serving technologies, publishers and ultimately consumers.”

The UK’s watchdog said its parallel probe will “consider whether an agreement between Google and Meta (previously Facebook) — which Google internally codenamed ‘Jedi Blue’ — broke the law… [and] also scrutinis[e] Google’s conduct in relation to header bidding services more widely to see if the firm abused a dominant position and gained an unfair advantage over competitors trying to provide a similar service”.

Also commenting in a statement, CMA CEO, Andrea Coscelli, said: “We’re concerned that Google may have teamed up with Meta to put obstacles in the way of competitors who provide important online display advertising services to publishers. If one company has a stranglehold over a certain area, it can make it hard for start-ups and smaller businesses to break into the market — and may ultimately reduce customer choice.”

The European regulators are playing catch up on this specific ad probe — and more widely on enforcement against the adtech duopoly.

Although the EU did finally open a wide-ranging investigation of Google’s adtech last summer — a couple of years after a 2019 enforcement against Google’s AdSense product, when it fined the tech giant around $1.7BN for violations specifically related to its search ad brokering business. (A decision Google is appealing.)

The CMA, meanwhile, kicked off a deep-dive market study of the online ad sector back in 2019 — which went on to flag a range of harms and conclude in summer 2020 that a new regulatory approach and dedicated oversight is needed to address what its report summarized as “wide ranging and self reinforcing” concerns attached to the market power of Google and Facebook. So it has been holding solid concerns about the shape of the online ad market for well over a year.

“The concerns we have identified in these markets are so wide ranging and self-reinforcing that our existing powers are not sufficient to address them,” it wrote in July 2020, when it urged “a new, regulatory approach — one that can tackle a range of concerns simultaneously, with powers to act swiftly to address both the sources of market power and its effects, and with a dedicated regulator that can monitor and adjust its interventions in the light of evidence and changing market conditions”.

However — at the time of that final report — the CMA shied away from taking any enforcement against Google and Facebook to fix the systemic issues it had identified. Instead it deferred action in favor of pushing for a ‘pro-competition’ reform of the country’s competition regulations — to ensure “concerns can be dealt with swiftly, before irrevocable harm to competition can occur”, as it rather ironically put it then; as well as pressing for the dedicated Digital Markets Unit (DMU) to have powers “to increase interoperability and provide access to data, to increase consumer choice and to order the breakup of platforms where necessary”.

That UK competition reform is still pending the necessary legislation to empower the DMU — which likely explains why the CMA has decided to forge ahead and open an investigation into Jedi Blue now, under existing competition rules.

“We will not shy away from scrutinising the behaviour of big tech firms while we await powers for the Digital Markets Unit, working closely with global regulators to get the best outcomes possible,” noted Coscelli in today’s statement.

The EU has a similar ex ante competition reform in train — aka the Digital Markets Act – which is set to impose operational and behavioral conditions on so-called “gatekeeper” platforms, and will very likely apply to both Google and Facebook. But that too isn’t fixed in place yet. The EU has had a detailed proposal out there since December 2020 but the draft legislation is still making its way through trilogues — and even when adopted by all the EU institutions there will be an implementation period before the new regime applies, so, again, legal reform of a systemically broken market isn’t going to arrive overnight.

It is therefore notable that the EU and UK are coordinating their announcements of formal probes of this shared competition concern — which implies a degree of joint working that may help expedite their parallel investigations, such as if they’re able to find ways to share findings or undertake other types of supportive working.

Although both emphasized today that their respective investigations remain separate and independent, with the EU noting: “As customary, the Commission has been in contact with the CMA and intends to closely cooperate on this investigation following the applicable rules and procedures.”

“The CMA will seek to work closely with the EC as the independent investigations develop,” the UK’s watchdog also added.

One thing to watch here will be how quickly the two investigations conclude.

Under Vestager, the EU has been speeding up competition probes of big tech — with a string of enforcement decisions against Google under her watch: Google Shopping (2017), Android (2018) and AdSense (2019).

The CMA has also been tooling up to tackle tech, ahead of the expected competition reforms. And has — recently — been closely engaged with Google over an investigation of its Privacy Sandbox proposal.

Smarter collaboration between international regulators — including between European watchdogs and attorneys general in the US who have been pursuing Google over this issue since 2020 — may also help speed up scrutiny of a tech area that cuts right across the digital sphere, affecting consumers and businesses alike, and which has been allowed to cloak itself in obfuscating complexity for far too long.

That said, it will be months at least before we see any conclusion to these latest investigations.

The CMA’s probe of Facebook’s acquisition of Giphy, for example, took from June 2020 when its inquiry launched until November 2021 when it ordered the deal to be undone — and an M&A review is likely a more straightforward piece of work than an antitrust probe of business dealings around adtech.

Google and Meta were contacted for comment on the dual antitrust investigations into ‘Jedi Blue’.

Google denied that the agreement with Meta provides Facebook’s Audience Network with an advantage in Open Bidding auctions, and also rejected any suggestion that the arrangement has restricted header bidding, claiming that since its Open Bidding system launched header bidding’s popularity has continued to grow.

The tech giant also sent this statement attributed to a Google spokesperson:

“The allegations made about this agreement are false. This is a publicly documented, procompetitive agreement that enables Facebook Audience Network (FAN) to participate in our Open Bidding program, along with dozens of other companies. FAN’s involvement is not exclusive and they don’t receive advantages that help them win auctions. The goal of this program is to work with a range of ad networks and exchanges to increase demand for publishers’ ad space, which helps those publishers earn more revenue. Facebook’s participation helps that. We’re happy to answer any questions the Commission or the CMA have.”

Reached for comment, Meta also denied any wrongdoing — sending this statement:

“Meta’s non-exclusive bidding agreement with Google and the similar agreements we have with other bidding platforms, have helped to increase competition for ad placements. These business relationships enable Meta to deliver more value to advertisers and publishers, resulting in better outcomes for all. We will cooperate with both inquiries.”

 

The UK government has again announced an extension to the scope of the draft Online Safety Bill — this time bringing scam ads into scope following pressure from campaigners.

In parallel, it has also launched a consultation on strengthening existing regulation of the online ad industry, laying out a range of options to beef up rules for advertisers more generally.

Scam ads in scope

Back in May, when the draft Online Safety Bill was published, the government said it would impose a duty of care on digital service providers to moderate user-generated content in a way that prevents people — and especially children — from being exposed to illegal and/or harmful stuff online.

Since then parliamentary committees have been poring over the proposal. And while there has been broad backing from MPs and peers for regulating online platforms there have also been calls from parliamentarians for changes to ensure the legislation does not misfire — including by failing to hit its intended targets. (Not least because these targets are myriad: From terrorists and distributors of CSAM, to bullies, racists and trolls, to name a few.)

Outside parliament, campaigners on a range of online safety issues have also been very vocal in pressing for the bill to be beefed up to deal with their particular ‘beefs’.

So despite earlier drafts already facing criticism of being a ‘kitchen sink’ bill on account of the sprawling scope — and a warning from a former secretary of state, no less, that “everyone is going to try and hang their own particular hobby horse” on the bill — in recent weeks there has been a flotilla of announcements from the Department of Digital, Culture, Media and Sport (DCMS), to bolt on even more provisions in the name of further strengthening the proposal.

See, for example, the government bringing pornography websites in scope so the bill can require “robust” age checks to prevent kids accessing adult content online; or it expanding the list of criminal content and offences that will be added to the face of the bill to force more proactive takedowns from platforms; or the recent announcement that the largest platforms will be required to provide users with a verification option and the ability to only receive replies and messages from verified accounts — with the goal of giving people tools to beat trolls.

Scam ads is another issue the government has been under sustained pressure for the ‘Online Safety’ legislation to tackle, with consumer protection campaigners warning that a law which purely targets user-generated scams could simply end up driving scammers to professional channels by encouraging bad actors to pay platforms to carry their malicious messages as ads.

Two parliamentary committees which scrutinized the draft bill, and published reports in recent months, also pressed for certain types of harmful paid advertising to be brought into scope.

The government has again responded to campaigners’ concerns by agreeing to further expand the bill’s scope. (Pity Ofcom, the regulator that has been tasked with overseeing the lion’s share of compliance with so many ‘Online Safety’ provisions.)

“A new legal duty will be added to the Online Safety Bill requiring the largest and most popular social media platforms and search engines to prevent paid-for fraudulent adverts appearing on their services,” DCMS said in a press release put out yesterday evening (UK time), presumably to catch late news bulletins and the early editions of next day newspapers.

The government’s appetite to regulate Internet content appears proportionate to how populist a cause it believes it has identified — with so many public grievances conglomerating into one piece of legislation. And “scam ads” are a particularly good example of that: Who doesn’t hate ‘scam ads’? (Well, apart from ad platforms which are happy to monetize any messaging anyone wants to pay them to send… )

“The change will improve protections for internet users from the potentially devastating impact of fake ads, including where criminals impersonate celebrities or companies to steal people’s personal data, peddle dodgy financial investments or break into bank accounts,” DCMS’ release goes on.

The government said the new measures will apply to the largest social media platforms and search engines.

These tech giants will be required to “put in place proportionate systems and processes to prevent (or minimise in the case of search engines) the publication and/or hosting of fraudulent advertising on their service and remove it when they are made aware of it”, as it puts it.

“It will mean companies have to clamp down on ads with unlicensed financial promotions, fraudsters impersonating legitimate businesses and ads for fake companies. It includes ‘boosted’ social media posts by users which they pay to have promoted more widely.”

Once again, the detail of what exactly major platforms will be required to do to tackle scam ads isn’t clear because it’s pending guidance which Ofcom will set out in forthcoming codes of practice.

But DCMS suggested provisions could include “making firms scan for scam adverts before they are uploaded to their systems; measures such as checking the identity of those who wish to publish advertisements; and ensuring financial promotions are only made by firms authorised by the Financial Conduct Authority (FCA)”.

The FCA has already been applying pressure to Google over scam ads in the financial sphere — and last summer the tech giant announced a policy change, agreeing from September to only run ads for financial products and services when the advertiser has been verified by the financial watchdog, after the FCA threatened it with legal action.

Evidently, the government believes those quasi-voluntary tweaks by Google don’t go far enough.

In a statement on the latest bit of beefing up, culture secretary Nadine Dorries said: “We want to protect people from online scams and have heard the calls to strengthen our new internet safety laws. These changes to the upcoming Online Safety bill will help stop fraudsters conning people out of their hard-earned cash using fake online adverts.

“As technology revolutionises more and more of our lives the law must keep up. Today we are also announcing a review of the wider rules around online advertising to make sure industry practices are accountable, transparent and ethical – so people can trust what they see advertised and know fact from fiction.”

Anti-scam ad campaigners were quick to welcome the latest expansion of the Online Safety Bill — while also warning that attention to detail (to close off loopholes) and enforcement will be essential to ensure the measures don’t flop.

Commenting in a statement, Martin Lewis, the founder of the MoneySavingExpert.com website — who has previously resorted to suing Facebook for defamation for running scam ads bearing his likeness — said: “I am thankful the government has listened to me and the huge numbers of other campaigners — across banks, insurers, consumer groups, charities, police and regulators — who’ve been desperate to ensure scam adverts are covered by the Online Safety Bill. We are amidst an epidemic of scam adverts. Scams don’t just destroy people’s finances — they hit their self-esteem, mental health and even leave some considering taking their own lives.

“The government now accepting the principle that scam adverts need to be included, and that firms who are paid to publish adverts need to be responsible for them, is a crucial first step. Until now, only user-generated scams were covered — which risked pushing more scam ads, incentivising criminals to shift strategy. Yet it is a complex area. Now we and others need to analyse all elements of this new part of the Bill, and work with Government and Parliament to close down the hiding places or gaps scammers can exploit.”

The consumer rights group Which? also welcomed scam ads being brought into scope of the bill — but also warned that the legislation “must ensure the regulator has the support and resources it needs to hold companies to account and take strong enforcement action where necessary”.

Tougher online ad rules?

There could be more coming from the government vis-a-vis online ads as DCMS has also announced the launch of a consultation on proposals to tighten the rules for the online advertising industry — potentially signalling a move away from the current self-regulatory approach which is overseen by the Advertising Standards Authority.

“Rapid technological developments have transformed the scale and complexity of online advertising leading to an increase in consumer harm,” DCMS warns, suggesting tighter rules are needed to “bring more of the major players involved under regulation and create a more transparent, accountable and safer ad market”.

Discussing the consultation, the government points again to the problem of online ads that seek to defraud people through investment scams and promotions for fraudulent products and services (“including fake ticketing”), and which it notes often involve fake celebrity endorsements — reiterating that such scams have proliferated online.

“People are also being targeted through legitimate-looking adverts that contain hidden malware. When clicked on they allow hackers to commit malicious cyber security attacks such as ‘cryptojacking’ — the unauthorised use of people’s devices to mine for cryptocurrency,” DCMS also warns.

“Elsewhere there is evidence of online adverts selling items prohibited in UK law, such as prescription medicines and counterfeit fashion, misleading adverts misrepresenting the product or service they offer, and influencers failing to reveal sponsorship arrangements with companies in their posts.”

In light of so much dubious activity being laundered through digital ad channels, the government believes it’s time to change how online advertising is regulated — although it’s not yet sure exactly how best to do this to tackle the proliferation of scammy and fraudulent ad content.

In a ministerial foreword to the new Online Advertising Programme (OAP) Consultation — which runs for 12 weeks from today — Julia Lopez, the minister for Media, Data and Digital Infrastructure, writes:

“The Online Advertising Programme will review the regulatory framework of paid-for online advertising to tackle the evident lack of transparency and accountability across the whole supply chain. It will consider how we can build on the existing self-regulatory framework, by strengthening the mechanisms currently in place and those being developed, to equip our regulators to meet the challenges of the online sphere, whilst maintaining this government’s pro-innovation and proportionate approach to digital regulation. We want to ensure that regulators have good sight of what is happening across the vast, complex, often opaque and automated supply chain, where highly personalised adverts are being delivered at speed and scale.”

The UK’s competition watchdog, the CMA, conducted a deep-dive market study of the online ad sector back in 2019 which already flagged a range of harms and finally concluded that a new regulatory approach — and a dedicated oversight body — is needed to address what it summarized as “wide ranging and self reinforcing” concerns attached to the market power of Google and Facebook.

That CMA market study has been feeding an in-train ‘pro-competition’ reform of the UK’s digital competition regime — which is set to bring in bespoke ex ante rules for the largest and most powerful Internet platforms. (Which is also still pending legislation to empower the new, dedicated Digital Markets Unit.)

But the government is now signalling that it thinks market specific rule changes are also needed to clean up widespread, murky activity in the online ad industry — and which would supplement targeted competition interventions likely to be applied to the adtech duopoly once the country’s new antitrust regime is in force.

“The [OAP] programme will look at the current regulations and regulators including whether they are properly empowered and funded,” DCMS writes. “It will consider the whole supply chain and whether those within it should do more to combat harmful advertising, including ad-funded platforms such as Meta, Snap, Twitter and Tik Tok and intermediaries such as Google, TheTradeDesk and AppNexus.”

Options on the table include strengthening the current self-regulation approach or creating a new statutory regulator with tough enforcement powers, per DCMS.

It says some specific options being considered are:

  • Rule-making powers such as setting mandatory codes of conduct and enforcing them with fines and the ability to block and ban advertisers which repeatedly break the rules

  • Increased scrutiny across the supply chain related to high-risk advertising such as the promotion of products related to alcohol or weight loss. Companies could be required to demonstrate they are taking care to protect users — for example avoiding targeting vulnerable groups

  • Increased scrutiny of advertisers which repeatedly breach codes of conduct and more checks on firms and individuals placing adverts and buying ad space. This could include requiring third-party intermediaries or platforms to make advertisers self declare an interest in placing high-risk advertising such as age restricted ads

  • Information gathering and investigatory powers such as the power to audit and request transparency reports from companies and request data from them

“Harmful or misleading adverts, such as those promoting negative body images, and adverts for illegal activities such as weapons sales, could be subject to tougher rules and sanctions,” DCMS suggests, adding: “Influencers failing to declare they are being paid to promote products on social media could also be subject to stronger penalties.”

While it’s not clear exactly what is coming down the pipe for the online ad industry in general under tighter UK rules, or exactly when a beefier regime will be in force, far tougher oversight of paid messaging now looks to be a given — not least because the government has already confirmed targeted measures against scam ads in the Online Safety Bill.

While the FCA also recently announced an incoming crackdown on crypto marketing this summer — after a boom in risky ads.

On the wider ad industry rule changes, the government said it will respond to the OAP consultation and outline reform proposals later this year.

The UK arm of the online ad industry body, the IAB, was quick to raise “concerns” about the parallel move of ministers slotting scam ads into the Online Safety Bill while simultaneously proposing to update the regulatory regime wrapping online advertising more generally.

In a statement calling for “an evidence-led process” to build on what the IAB UK’s CEO, Jon Mew, claimed are “strong industry standards and initiatives already in place”, he warned that the government’s “duplicate… focus on scam ads across both programmes creates unnecessary regulatory fragmentation and risks constraining proper policy development”.

Mew added:

“Together with government, regulators and law enforcement bodies, the UK digital advertising industry wants to play its part in restricting, detecting and disrupting scam ads. However, the regulatory coherence that we believe the OAP can deliver on this and other issues is undermined by provisions on ‘fraudulent advertising’ being added to the Online Safety Bill (OSB).

“To announce legislative changes on the same day as launching such a wide-ranging consultation on the sector undermines the purpose of the OAP and could pre-empt its outcomes. The Government has said that the OAP will aim to holistically review digital ad regulation and consider a range of potential policy responses. Today’s announcement makes that process more difficult.

“We are also concerned that the widened scope of the OSB has not been subject to industry consultation and that it could have unintended consequences for legitimate advertisers — particularly small businesses — if it is applied across the board.

“The approach set out today seems at odds with the principles set out in the Government’s Plan for Digital Regulation, which emphasises the importance of drawing on industry expertise to develop effective regulation, and of a coherent and streamlined regulatory landscape.”

In further responses from the tech industry to Russia’s invasion of Ukraine last week and the country’s continued aggression against its neighbor, Google and Microsoft have both now said they’re pausing sales in Russia.

We understand that Google’s pause — which is focused on its own ad sales — began last night and has been rolling out over subsequent hours. The news was reported earlier by Reuters.

It’s not the first to do this. Snap and Twitter previously announced ad sales suspensions in Russia. But Google’s ad business is of course considerably larger.

Google’s action boils down to a pause on all ads in Russia, including Search, YouTube, and Display ads, effective immediately — meaning people in Russia won’t see ads from Google.

But we also understand that it does not prevent Russian advertisers from using Google’s ads services to serve ads outside Russia if they wish.

This suggests Russian publications could still seek to monetize content by serving ads to people outside the country via Google’s ad network — at a time when independent journalists in the country are facing an unprecedented crackdown. (Earlier today the Russian parliament passed a law that could land reporters in jail for up to 15 years for spreading ‘false’ information about the military.)

Microsoft, meanwhile, has also announced its own sales suspension in Russia — writing in a blog post today that it will “suspend all new sales of Microsoft products and services in Russia”.

This presumably covers Bing ads, as well as other Microsoft services. (We’ve asked for confirmation.)

“In addition, we are coordinating closely and working in lockstep with the governments of the United States, the European Union and the United Kingdom, and we are stopping many aspects of our business in Russia in compliance with governmental sanctions decisions,” Microsoft’s president and VP Brad Smith also writes in the blog post.

Google’s more limited move restricting ad sales is an expansion of measures it announced Tuesday — “promoting information quality”, as it put it then — several days after Russia’s invasion began in the early hours of February 24; and after European leaders had spent a day piling pressure on tech platforms to act decisively against Russian disinformation.

Initially, Google said it would geoblock the YouTube channels of the Kremlin-linked media outlets Russia Today and Sputnik in Europe. It soon followed by geoblocking the pair’s apps from its Play Store — also only in Europe, and ahead of a pan-EU sanction on the channels coming into legal force on Wednesday.

Prior to that Google had announced an “indefinite pause of monetization of Russian state-funded media across our platforms” — meaning media outlets such as RT are unable to generate ad revenue or buy advertising via its platforms.

But the tech giant confirmed today it’s taken things further by freezing its ad sales in Russia.

In a statement on the ad sales suspension, a Google spokesperson told us: 

“In light of the extraordinary circumstances, we’re pausing Google ads in Russia. The situation is evolving quickly, and we will continue to share updates when appropriate.”

Google is not suspending sales of other types of services (e.g. paid consumer services, Google Pay, sales of apps etc) at this time. It is also continuing to provide Russians with access to information services (e.g. Google Search, Maps, YouTube etc).

The piecemeal nature of the tech giant’s announcements since Russia invaded Ukraine suggests Google has been scrambling to come up with a coherent response to an unfolding crisis.

Microsoft has looked more decisive — announcing a more rounded package of measures targeted at Russia’s “state-sponsored disinformation” at the start of this week; and further extending that today with a blanket sales ban.

Earlier this week Apple also said it was halting product sales in Russia and restricting some of its services (such as Apple Pay). Plus it pulled RT and Sputnik from the App Store globally this week (with the exception of the Russia market itself).

The picture from Facebook’s parent Meta is fuzzier. Since the invasion began the social media giant has been announcing a series of restrictions (such as demoting RT and Sputnik content) — but at the time of writing the adtech giant does not appear to have suspended ad sales in Russia itself. (Again, we’ve reached out with questions.)

Bans by private companies are not the only disruption Russians are facing to accessing digital services, of course: Wider sanctions on Russian banks also appear to have been hitting locals’ access to some tech services.

 

LinkedIn — the social network for people looking to connect with others in their professional fields and find work with upwards of 810 million users — has a long-standing business in marketing and advertising on its own platform; today it is announcing an acquisition that could point to its ambitions to provide more analytics and insights across the wider internet. The Microsoft-owned networking platform has acquired Oribi, a Tel Aviv startup that specializes in marketing attribution technology. The deal will see LinkedIn establish its first office in Israel.

Terms of the deal were not disclosed in the blog post announcing the acquisition but we have contacted LinkedIn to ask for that detail and will update this post as and when we learn more. As a startup, Oribi had raised just under $28 million in funding, according to PitchBook data, from investors that included Sequoia, TLV Partners, Ibex and others (including taking a bit of funding from Google as part of a local accelerator run by the search giant).

The deal is interesting on two levels. First, it’s a signal of LinkedIn continuing to invest in its marketing and advertising services, an area that is growing at a fast clip for the company. Chief product officer Tomer Cohen noted in the blog post today that marketing services revenues have grown 43% year-over-year. But with some 57 million businesses “building their brands on Pages” and over 24,000 virtual events being created weekly on LinkedIn, there is clearly a lot more growth that can be tapped here if those businesses are given more functionality, and tools to realize that.

Second, the acquisition of Oribi specifically points to a sea change in what LinkedIn is setting out to do in marketing. Oribi’s mission — as we have described previously — has been to democratize web analytics. In other words, it wants to make it easier for smaller companies to build and run customized analytics to measure the impact of their marketing strategies, something that larger companies might have teams to execute but smaller organizations typically have to forego because they lack the resources.

“A lot of companies are more focused on the high end,” Iris Shoor told TechCrunch previously. “Usually these solutions are very much based on a lot of technical resources and integrations — these are the Mixpanels and Heap Analytics and Adobe Marketing Clouds.”

Notably, Oribi competes with the likes of Google Analytics, which means that now LinkedIn (and by association Microsoft) is also squaring up against one aspect of the formidable Google digital advertising and marketing machine.

“Through the integration of Oribi’s technology into our marketing solutions platform, our customers will benefit from enhanced campaign attribution to optimize the ROI of their advertising strategies,” Cohen wrote today. “This means that our customers will be able to more easily measure website conversions with automated tags and code-free technology, as well as build more effective audiences, all in a way that is privacy-first by design.”

LinkedIn doesn’t specify how many people from Oribi are joining except to note that “several members of the Oribi team, including founder and veteran entrepreneur, Iris Shoor,” are expected to join the bigger company and work out of the new LinkedIn Tel Aviv office. 

Nick Clegg, the former deputy prime minister of the UK, has been elevated to new heights at Meta, the tech giant formerly known as Facebook — under a new title of president of global affairs in its senior management team.

This is an upgrade on the VP of global affairs and communications title Clegg was recruited for back in 2018 — with more responsibilities and a direct reporting line to founder Mark Zuckerberg in addition to COO Sheryl Sandberg.

Why is a US tech giant elevating a Brit to such a senior position?

In a statement announcing Clegg’s new crown, Zuckerberg said Clegg would be key to helping Meta chart the choppy waters of a fast changing regulatory landscape (aka those “headwinds” it’s been warning investors are coming for its ad biz) — this of course as it simultaneously seeks to rebrand its data-mining ad empire as a future-building “metaverse company”, while continuing (it hopes) to trample privacy so it can mint money by targeting ads at “relevant” eyeballs.

Thing is, incoming European regulations look poised to directly target Meta’s tracking-based ad business model. Which could slay the cash cow it needs to fund an expensive rebranding of its ads business as really just an even more invasive and immersive surveillance environment (aka “the metaverse”).

Moreover, long-delayed enforcement of existing EU privacy laws now also poses a rising threat to Meta’s empire (see, for example, the recent $267M fine against WhatsApp for breaches of GDPR transparency rules).

Indeed, they now threaten to cut off its lucrative transatlantic data flows. (And, well, if Google Analytics — and, indeed, Google Fonts — breach the EU’s General Data Protection Regulation over personal data exports it’s hard to see how even a very well paid Meta lawyer could successfully defend a claim that Facebook’s data flows don’t.)

In Europe, Meta’s long game of forum shopping and regulatory whack-a-mole, which has enabled the adtech giant to just keep spinning and make a mockery of EU citizens’ privacy rights — successfully dodging data protection regulations for well over a decade — may, finally, be approaching a hard stop.

Unless, that is, Meta can pull out a trump card to flip European lawmakers into ‘alignment’ with its preferred policy positions. (Clegg has been clear about those before.)

And that is the role Zuckerberg is not-so-subtly sketching for president Clegg.

Indeed, the strategy is so very obvious as to almost look like trolling tbh. Which may explain the exceptionally bland choice of language in Zuckerberg’s announcement — anointing Clegg on his mission to stop those regulatory headwinds a-blowin’.

“We need a senior leader at the level of myself (for our products) and Sheryl (for our business) who can lead and represent us for all of our policy issues globally,” he writes in a public statement accompanying Clegg’s ascendance. “Nick will now lead our company on all our policy matters, including how we interact with governments as they consider adopting new policies and regulations, as well as how we make the case publicly for our products and our work.”

(For “interact with” read ‘lobby for massive loopholes which will allow us to continue our privacy-hostile ad-targeting business as usual’, in case you needed a deeper take.)

Meta president of global affairs is undoubtedly the most powerful position Clegg has ever held — in politics, government or the private sector; yes, even as deputy UK PM — which simply underlines the vast power Meta/Facebook has come to wield in the global world order, off the back of having 2.5BN+ users whose attention it monetizes by selling access to (to anyone).

Clegg was deputy PM/willing stooge in a coalition government led by David Cameron’s Conservative Party. A highlight of his tenure was when he famously apologized for breaking a Liberal Democrat election pledge to oppose any rise in student tuition fees after he ended up doing exactly that once in coalition government… Oops.

Having a reputation as an opportunist/Tory stooge appears to have done nothing to harm Clegg’s career at Meta/Facebook, of course — where he’s spent several years acting as chief spin doctor for smoothing the sizeable cracks between claimed platform policies and corporate ‘mission’ statements and the actual reality of how MetaFace operates — pumping out a steady flow of societal harms, via its systematic deployment of mass Internet surveillance, population-level profiling and engagement-chasing algorithms — all the way up to literal genocide.

Can anything stop Meta’s manipulation machine?

This is certainly a question lawmakers and regulators across Europe are pondering hard these days. (Indeed, the UK’s current digital minister seems particularly excited by the prospect of locking up Zuckerberg if Meta doesn’t do as she says — vis-a-vis incoming Internet content rules — although it’s highly likely she’d be more than happy to throw Clegg in the clink instead.)

Opting for a European — Clegg may be British but he’s also worked in the European Commission, the EU’s executive body, and been an elected member of the European Parliament, so has deep ties to the bloc’s co-legislating institutions — suggests that if Zuckerberg fears anything could challenge the power of his absolute Meta monarchy (via majority share voting power) it is actual regulation in the public interest actually being enforced.

That too should give governments all around the world pause for thought.

Zuckerberg would prefer lawmakers don’t think too deeply though.

“The work we do at Meta matters to a lot of people around the world,” pens the Facebook founder with studied banality. “We’re at the center of a lot of debates about technology and society. I can’t think of anyone better placed to represent us and help shape the future of internet policy than Nick.”

Google’s Privacy Sandbox initiative for its Chrome browser hasn’t exactly been an unmitigated success, but it has definitely kicked off a healthy discussion about online privacy — and the company’s own role in the advertising ecosystem. Now, with many of the initiatives around Chrome still in flux, Google also plans to expand many of these tools to its Android operating system and that will likely have a profound impact on the advertising industry.

If you’re in the advertising ecosystem, though, don’t despair just yet. Google says the current system will remain active for “at least” two more years while it tests these new systems.

Typically, on Android, advertisers use Google’s advertising ID to serve personalized ads and track your behavior across applications so they can, for example, attribute a purchase you made to an ad you clicked on. Simplified, you can think of the advertising ID as Android’s version of cookies. You can turn this off and opt for non-personalized ads in the Android ads settings by deleting your advertising ID. When you do, Google will then helpfully remind you that ads help keep many services free — which is also an argument Google makes for today’s changes.

In a briefing ahead of today’s announcement, Google’s VP of product management for Android security and privacy specifically stressed the importance of advertising (which, of course, also drives the vast majority of Google’s own revenue).

“It’s useful to highlight some of the critical capabilities that matter to the ecosystem,” he said. “So tools like [advertising] ID help provide better, more relevant advertising experiences, tackle fraud, and more. And this has helped make possible much of the free content and services that we enjoy today in mobile apps. So it’s vital that we ensure that these capabilities are supported as we build the next generation of mobile technologies.”

The elephant in the room here, of course, is Apple, which is using what Google’s team would consider a very blunt instrument since it basically makes tracking impossible. That’s a win for privacy but Google argues that, in their desperation, advertisers will just come up with new ways to fingerprint your behavior and devices to get that lucrative tracking data. The fact that Meta said it would lose $10 billion in ad revenue in 2022 because of Apple’s changes seems like it would invalidate this argument, though. If Meta can’t find a good way around this, who can?

So, like on Chrome, Google is trying to have it both ways: preserve your privacy and preserve the advertising ecosystem. And just to be clear, Google says its own advertising systems will follow the same rules here as third-party advertisers.

Some of the proposals here are based on Google’s work with Chrome. They include Topics, the recent replacement for FLoC, and FLEDGE, a system that allows advertisers to show ads based on their own definition of a ‘custom audience’ without having to rely on individual identifiers.

There would be no modern ad ecosystem without attribution reporting, so Google is also proposing a new system here that promises to still give advertisers the data they need while still improving its users’ privacy.

There will also be an SDK for developers that isolates third-party advertising code so that it will run separately from the app’s own code. As of now, this looks to be an Android 13-only feature as it requires a different overall SDK architecture that focuses on these new privacy features but also provides additional security guarantees to any SDK.

Google says it wants to work with the advertising industry on this new system. So far, all of its supporting quotes are from app developers, not the wider advertising ecosystem.

Google’s dominance of the online ad market has been targeted by another antitrust complaint filed in the European Union by a coalition of publishers.

This time it’s the European Publishers Council (EPC) — whose members include the CEOs of News UK, Condé Nast, New York Times, Axel Springer and The Guardian, among others — arguing that, beginning with its 2008 acquisition of adtech firm DoubleClick, Google has deployed “a barrage of unlawful tactics to foreclose competition in ad tech” which they assert has allowed Google to gain a “stranglehold” over press publishers and all others in the adtech ecosystem.

The EPC appears to be seeking to put pressure on the European Commission which, since last summer, has been probing Google’s adtech but which also — historically — waved through Google’s DoubleClick acquisition, paving the way for the search giant to become a powerhouse in online advertising.

Although the timing of this complaint also looks interesting given the UK competition regulator just accepted a set of behavioral commitments from Google that will allow it to continue to develop a stack of non-tracking based ad targeting technologies which it intends to replace cookie-based tracking. (Not to mention that, earlier this month, a key component of the current privacy-hostile adtech regime of tracking and profiling web users to target them with ads was found in breach of EU privacy rules, and given a six month deadline to reform.)

It’s also amusing to note that the EPC seems to have annoyed a bunch of reporters by moving its own embargo forward as the CMA’s announcement accepting Google’s Privacy Sandbox commitments hit. Hmmm!

In a statement on its complaint to EU competition regulators, EPC chairman, Christian Van Thillo, writes: “It is high time for the European Commission to impose measures on Google that actually change, not just challenge, its behaviour — behaviour that has caused and continues to cause considerable harm, not just to Europe’s press publishers but to all advertisers and eventually consumers in the form of higher prices (including ad tech fees), less choice, less transparency and less innovation.

“Competition authorities across the world have found that Google has restricted competition in ad tech, yet Google has been able to get away with minor commitments which do nothing to bring about any meaningful changes to its conduct. This cannot go on. The stakes are too high, particularly for the future viability of funding a free and pluralistic press. We call on the Commission to take concrete steps right now that will actually break the stranglehold that Google has over us all.”

The EPC further summarizes its complaint by claiming that Google’s monopoly dominance of the ad tech “value chain” has enabled it to charge a very high commission of at least 30% on transactions it intermediates between publishers and advertisers — accusing it of actively suppressing competition from rivals, developing “unmanageable conflicts of interests” and systematically self-preferencing at the expense of its clients, “introducing features that depress press publisher revenue and increase its own”.

“This Complaint presents a unique opportunity for the European Commission to rectify the problems that have arisen as a direct result of its 2008 clearance of the Google/DoubleClick merger, by imposing effective remedies that will restore competition in ad tech, for the benefit of European press publishers, marketers, and consumers,” Van Thillo adds, avoiding a more direct swipe at the Commission’s now very long record of not blocking any big tech M&A at all.

The Commission confirmed receipt of the EPC complaint — which it told us it would assess “based on our standard procedures”, adding: “The Commission investigation into whether Google has violated EU competition rules by favouring its own online display advertising technology services in the so called ‘ad tech’ supply chain, is ongoing.”

We also reached out to Google for a response to the EPC complaint and it sent this statement, attributed to a spokesperson:

“Online advertising underpins much of the content we enjoy and learn from online. It has enabled millions of small businesses to afford advertising for the first time, and for news publishers big and small, it’s created new opportunities and substantial new revenue streams that did not exist in the print age. When publishers choose to use our advertising services, they keep the majority of revenue and every year we pay out billions of dollars directly to the publishing partners in our ad network.”

In further background remarks, Google said it hasn’t yet seen the complaint — saying it therefore can’t comment in detail — but it noted it has been responding to European Commission antitrust oversight attached to its adtech for many months, in addition to what it couched as an open consultation process with the wider industry around its Privacy Sandbox proposals. It also told us it’s committed to continuing to answer the ecosystem’s questions on that.

In additional remarks, Google also claimed it faces plenty of adtech competition, and suggested its ad tools drive positive ROI for its clients — claiming that, on average, publishers receive €8 back in profit for every €1 they spend on Google ads.

It also claimed publishers keep the majority of the revenue from adtech, also suggesting that news publishers keep over 95 percent of the digital advertising revenue they generate when they use Google’s Ad Manager tool to show ads on their sites.

Adtech antitrust complaints, meet privacy…

While the EU’s competition division has brought a series of antitrust enforcements against Google under current chief, Margrethe Vestager — including one focused on search ad brokering (AdSense) — the Commission has had more of a blindspot on the broader issue of Google’s role in the adtech supply chain, only finally opening a formal investigation last summer into issues that other European regulators have already dug deeply into and, in some cases, acted upon.

Such as the $268M fine Google was hit with by France’s competition authority last year over self-preferencing in the ad market on both the demand and supply sides. (The French regulator also extracted an offer of behavioral commitments from Google, including around interoperability.)

While a market study into online advertising carried out by the UK’s Competition and Markets Authority (CMA), beginning in 2019, also ended in a final report in July 2020 which concluded that the market power of both Google and Facebook generates “wide ranging and self reinforcing” concerns.

Although the UK regulator has, so far, been wary of wading in with structural remedies to tackle the adtech duopoly — electing to wait for domestic competition reforms to bring in ex ante powers so that a new Digital Markets Unit will be able to proactively curtail abusive behaviors, via interventions tailored to each platform, instead of taking immediate enforcement action (despite consulting on potential remedies that included breaking up Google).

Since then, the CMA has intervened to extract behavioral remedies vis-a-vis another adtech complaint related to Google’s Sandbox proposal to deprecate support for tracking cookies in Chrome in favor of alternative ad targeting technologies — accepting a series of legally binding pledges over how it will develop this so-called Privacy Sandbox proposal, as we reported earlier today, with the aim of allaying competition concerns while ensuring consumer privacy is not squeezed out by one-sided adtech market interests.

In recent months, Google’s Sandbox has been targeted by other complaints from the wider adtech ecosystem, too.

Just last month, a coalition of German publishers also petitioned the European Commission to act against it. They complained that Google’s proposal to migrate to a stack of novel ad targeting technologies — which the company claims will better protect web users’ privacy while still allowing publishers to target and measure ads and generate revenues — poses a threat to their relationship with site visitors and to their ability to ask people for their consent to ad targeting.

However, since that complaint landed, a flagship mechanism which was devised and promoted by the adtech industry as a ‘GDPR compliant’ standard for obtaining and passing user consent signals for targeted advertising (aka the IAB’s TCF framework) has been confirmed to be in breach of the GDPR.

So, very clearly, there are quite a number of moving pieces to this story.

Certainly it’s a tug of war over market power — but also around how power is and/or should be obtained.

On the one hand, Google’s dominance of online advertising is a clearly drawn and evidenced concern; and there are substantial competition questions related to the current structure of the ad value chain that absolutely require regulatory interrogation (and action).

After all, the adtech giant is facing a major antitrust challenge in the US, too — where a states lawsuit, led by Texas and filed back in December 2020, accuses it of operating an illegal monopoly in online advertising; and, more recently, eye-raising accusations from the suit have leaked into the mainstream press, fleshing out these antitrust concerns. (And that’s just one of the anti-competition charges Google is now facing on home soil.)

At the same time, there is — originating in, but not limited to, Europe — a need for the adtech market as a whole to evolve its practices beyond the tracking and profiling creepy status quo which has been shown to be damaging to and hated by consumers (who have flocked to ad-and-tracker-blockers); and, at least in the EU, it’s also been found to be operating illegally — where experts argue the model is fundamentally incompatible with the long-established legal framework of privacy and data protection by design and default.

EU lawmakers are also starting to take up the baton to call for privacy respecting ad targeting alternatives to abusive tracking. (See, for example, the European Parliament voting last month to put explicit limits on behavioral targeting into incoming digital regulations.)

Unfortunately, rather than spotting this very obvious trend away from tracking-based ad targeting — and seeking to press a solid-looking market structure antitrust case against Google (say by acknowledging the web-wide privacy abuse that its dominance of the ad value chain has entrenched and flipping to a reformist position that backs privacy compliant ad targeting alternatives) — the adtech industry (and some publishers) instead appears to be trying to tie Google by using antitrust claims to sustain an illegal abuse of privacy, just with less control for it and more chance for people’s data to flow through their own profiling machines.

Clearly increased competition at the expense of privacy is not reform, it’s just more abuse.

These complainants are also making their play right at a time when European competition regulators and privacy watchdogs have woken up to the need for nuanced joint working to effectively regulate the digital sphere. (See, for example, the joint statement put out last year by the CMA and the ICO, following close working on the Privacy Sandbox case.)

The CMA’s resolution of the Privacy Sandbox complaint — in the form of accepted commitments from Google — similarly bakes in joint working with the UK’s data protection watchdog to ensure consumers’ privacy protection standards are not forgotten in the name of increasing competition.

And when the Commission announced its probe of “possible anticompetitive conduct by Google” in the online ad sector last summer, it also made a point of publicly highlighting the need for digital advertising solutions to protect people’s privacy — saying it would “take into account the need to protect user privacy, in accordance with EU laws in this respect, such as the General Data Protection Regulation (GDPR)”.

“Competition law and data protection laws must work hand in hand to ensure that display advertising markets operate on a level playing field in which all market participants protect user privacy in the same manner,” the Commission also warned then.

Yet the EPC’s press release complaining about Google now does not make one single mention of privacy — with Van Thillo’s theory of consumer harm centering on higher prices (which he stipulates includes “ad tech fees”), as well as linking Google’s dominance of the ad market to reduced consumer choice, transparency and innovation.

In additional notes in its press release the coalition also writes:

“Absence of effective competition in ad tech causes considerable harm to press publishers, advertisers, and European consumers in the form of supra-competitive fees, lower quality of service, and less innovation. Less advertising revenue means press publishers have less resources to invest in news content and fulfil their socially important mission of informing the general public and holding those in power accountable. Supra-competitive ad tech fees are also borne by advertisers, which they may pass on to consumers in the form of higher prices for advertised goods or services. Everyone loses but for one company: Google.”

But Van Thillo’s statement is overwhelmingly silent on how current-gen adtech routinely — and, indeed, by design — means that consumers get less/no privacy and little/no data protection.

Which suggests (these) publishers are still missing in action when it comes to the key strategic fight over reform and the future of ad targeting — even as the UK’s antitrust watchdog gives the okay to a Google-shaped evolution of ad targeting.

And that looks incredibly dumb.

The wider adtech ecosystem appears to be pinning its hopes on EU regulators taking a different tack vs the UK.

Although the joint working that’s now going on on digital issues also extends to chatter between international counterparts, including between the UK and the EU, so it may well find there are far fewer schisms to exploit than it hopes.

Regardless, the tracking industry is not for turning.

Back in September, a coalition of (unnamed) marketers, adtech players and publishers — which self-styles as the “Movement for an Open Web” (aka MOW) — also complained to the European Commission about Google’s Privacy Sandbox.

And in a statement today, fast-following the CMA’s acceptance of Google’s Sandbox commitments, the group can be seen respinning its complaint from one that’s targeted at stopping Sandbox to broadly blasting Google in the hopes of summoning a more radical regulatory intervention — larding on the flattery with a claim that “all eyes” are now on Brussels (i.e. after the UK didn’t stop Sandbox), and going on to press the Commission for “swift and comprehensive action; addressing not only Google’s Privacy Sandbox Browser changes but also other issues throughout the ad tech ecosystem, on which publishers and society depend”.

“Google has a series of conflicting positions being both an ad buyer, a seller and owner of the largest ad exchange. It gives itself an inside track which it misuses for its own benefit, undermining free and fair competition — a position that demands regulation and remedies, as the European Publishers Council has highlighted,” MOW goes on, before entreating the Commission “and concerned parties” to acknowledge what it calls “the scale and depth of Google’s strategy of enclosing the Open Web”.

“Far from disconnected issues, the Privacy Sandbox and its recently announced Topics are both subject to the Commitments and such gatekeeper controls affect everything — requiring public interest oversight,” it also urges, echoing a piece of terminology the Commission’s Digital Markets Act (DMA) proposal for ex ante rules to curb abusive digital giants also uses (aka “gatekeeper”). Although the DMA isn’t likely to make it into EU law before 2023; plus, if the EU parliament gets its way, both the DMA and the broader Digital Services Act will bake in hard limits on behavioural advertising.

As with MOW’s missive today, the EPC complaint tries flattery on the Commission, with the publishers penning that the EU is “uniquely positioned” to act on their complaint — and implying the Commission can go one better than other local and international competition authorities, including by drawing on findings in the US States lawsuit.

That the adtech industry would be guilty of bundling legitimate competition complaints with an illegitimate desire to continue tracking and profiling everyone on the Internet should hardly surprise us.

That is, after all, their original sin.

Where exactly the industrial data complex is on the ‘denial, anger, bargaining, depression and acceptance’ scale of grief is interesting to ponder. Clearly they haven’t got to ‘acceptance’ yet — since they still haven’t realized their old way of doing business is fast going away.

Still, a direct appeal to the European Commission to take radical action against a US tech giant may soon deliver adtech into a deep depression, given Vestager’s long stated preference for accepting behavioral commitments and eschewing structural remedies. And the bloc’s record on antitrust enforcement and tech M&A also makes clear that the US’ own antitrust enforcers will have to grapple with whether — and how — they might want to break up homegrown data empires.

So if the tracking industry has got to the point where it’s trying to bank on the Commission to save it from the privacy doom of its own making — opting for cynical complaints instead of good-faith engagement with a process of reforming an abusive business model — then this mob of mostly faceless data brokers, adtech entities, unknown marketers and a smattering of named publishers do kinda look like they’re drinking in the last chance saloon.

The UK’s competition authority has accepted commitments from Google over how it develops the post-cookie future of interest-based ad targeting online under its self-styled “Privacy Sandbox” proposal.

In an announcement today, the Competition and Markets Authority (CMA) said it is satisfied that the legally binding commitments secured from Google will ensure that the evolution of ad tracking will promote competition, support publishers to raise revenue from ads while also safeguarding consumer privacy. So quite the juggling act.

In a statement, the CMA’s chief exec, Andrea Coscelli, said:

“Our intervention in this case demonstrates our commitment to protecting competition in digital markets and our global role in shaping the behaviour of world-leading tech firms.

“The commitments we have obtained from Google will promote competition, help to protect the ability of online publishers to raise money through advertising and safeguard users’ privacy.

“While this is an important step, we are under no illusions that our work is done. We now move into a new phase where we will keep a close eye on Google as it continues to develop these proposals.

“We will engage with all market participants in this process, in order to ensure that Google is taking account of concerns and suggestions raised.”

The CMA has been investigating Google’s plan to deprecate support for tracking cookies in its Chrome browser for over a year — following complaints by a coalition of digital marketing companies that the move risked further entrenching Google’s dominance of the digital advertising market.

The competition watchdog very much agrees there are competition problems in the mobile market — per preliminary findings of its mobile market study, which were published in December. (And it continues to consult on potential interventions aimed at boosting competition and increasing consumer choice in both Apple’s iOS and Google’s Android mobile ecosystems — such as making it easier to switch between the two ecosystems and sideload apps or access web apps; mandating the ability for apps to use alternative payment tech; and making it easier for users to choose alternative (non-bundled) services as the default, such as browsers.)

But the CMA is also, today, giving Google the greenlight to continue developing Privacy Sandbox — just with a set of legally binding conditions attached to how it does that.

An earlier set of commitments offered by Google on the Sandbox were not deemed sufficient, following market feedback, leading to an improved offer last November — which added the key element of a monitoring trustee, as well as a slightly longer timeframe for the reporting requirements (six years) and other tweaks intended to provide greater reassurance to the market.

It’s this beefed up set of commitments the CMA has accepted now. Although it notes that it could choose to reopen an investigation if it’s not satisfied with how the Sandbox is being developed — also retaining the ability to impose interim measures in future if necessary.

Otherwise, Google’s commitments are set to terminate six years from February 11, 2022 — so running until 2028 — unless it is granted an early release by the regulator.

The full list binding Google — which spans development and implementation criteria for the Sandbox; transparency and consultation requirements with third parties; mechanisms for regulatory involvement in the design process and more — can be found here.

In its press release, the CMA highlights a few elements, noting the agreement commits Google to involving the CMA and the UK’s Information Commissioner’s Office (ICO), which leads on consumer privacy issues, in the development and testing of the Sandbox proposals; boosts transparency and engagement for third parties, including the publication of test results and an option for the CMA to require Google to address specific concerns; and binds Google by banning self-preferencing of its own ad services and through restrictions on data-sharing within its own ecosystem to ensure it doesn’t gain an advantage over competitors when third-party cookies are removed.

It also reaffirms that Google will not remove tracking cookies until the CMA is satisfied that its competition concerns have been addressed.

The appointment of a monitoring trustee — which will clearly be a crucial role in ensuring Google actually does what it has agreed it will here — is expected to be made “shortly”, per the CMA.

In its own blog post on this latest chunk of the tracking cookie deprecation saga, Google writes that the aim of the commitments is “to provide reassurance that the Privacy Sandbox will protect consumers and support a competitive ad-funded web, and not favor Google”.

The adtech giant summarizes the package of pledges into three main “principles”:

“First, the changes we will make in Chrome in the context of the Privacy Sandbox initiative will apply in the same way to Google’s advertising products as to products from other companies. Second, we will design, develop and implement Privacy Sandbox with regulatory oversight and input from the CMA and the ICO. And third, we will inform the CMA in advance of our intention to remove third-party cookies and agree to wait for their feedback on whether any competition law concerns remain.”

“We’re pleased that today the CMA has accepted these commitments, which now go into immediate effect,” Google adds, before reiterating its promise to apply the agreed approach everywhere: “We will apply the commitments globally because we believe that they provide a roadmap for how to address both privacy and competition concerns in this evolving sector.”

It is still tbc what the Privacy Sandbox will actually be and mean in practice — as the stack of alternative ad targeting and measurement technologies remains in development.

Just recently, for example, Google announced a major change by killing off FLoCs — aka, its erstwhile flagship replacement ad targeting idea to put web users into buckets of interest-based cohorts for targeting (aka FLoCs), which critics such as the EFF had dubbed a privacy disaster — swapping in a new idea to target web users based on “topics” tracked locally in the browser.

Whether or not topics-based tracking is a substantial improvement, in privacy terms, vs FLoCs — or, indeed, whether it’s substantially worse than contextual targeting (which does not require any user data to be processed to select relevant ads to serve but instead ads are targeted based on the website content that’s being accessed at the time, likely combined with broad-brush signals such as a general location) — all remains to be seen.

So we still don’t know exactly what will replace tracking cookies when/if Google finally turns off support (at the earliest next year).

But what we do know is that it won’t only be Google deciding what that future looks like — given it has made a legally binding pledge to involve regulators, factor in feedback from third parties and act on concerns.

In its blog post today, Google writes that it will be “consulting with the CMA and ICO on a regular basis in relation to the design, development and implementation of the Privacy Sandbox (including testing and public announcements)”, as well as “increas[ing] its engagement with industry stakeholders (including publishers, advertisers and ad tech providers) by providing a systematic feedback process to take on board reasonable views and suggestions”.

Info on how Google is engaging with third parties in the design and development of the Sandbox is set out on a website — privacysandbox.com — which includes a project overview and a timeline; and, per the CMA, now includes new details on how it will engage with third parties.

For all the criticism Google can and does attract — including via some highly relevant antitrust lawsuits in the US which certainly underline the need for close monitoring of its behavior — when it comes to Privacy Sandbox the tech giant is at least evolving its proposals in response to antitrust concern and critical feedback.

Meanwhile the UK-based coalition of marketers which has been raising complaints against Privacy Sandbox — including in the EU — was still sounding off about Google’s proposal earlier this week.

The self-styled Movement for an Open Web (aka, MOW; née Marketers for an Open Web) put out a press release calling for the CMA to include what it described as “non-discrimination remedies” against Sandbox in its ongoing mobile ecosystem study.

In it MOW appears to be lobbying to continue the privacy-horrible status quo — in which scores of faceless identity- and data-trading third parties are able to track web users’ browsing via the use of what are billed as “pseudonymous identifiers” — yet which, through syncing and matching (with other “alternative ID providers” in a surveillance-based tracking ecosystem) allow for ad IDs to be linked back to individuals to power user profiling and exploitative targeting, all of which are horrible for privacy.

The ICO itself has put the adtech industry on notice that a ‘keep on tracking’ scenario simply won’t fly — with the outgoing commissioner writing in an opinion in November that adtech must move away from online tracking and profiling, stop obfuscating how it operates and provide consumers with genuine control over what’s done with their data.

“Any proposal that has the effect of maintaining or replicating existing tracking practices (such as those described in the 2019 Report) is not an acceptable response to the significant data protection risks that the Commissioner has already described,” the outgoing commissioner Elizabeth Denham also warned in a thinly veiled parting shot at unreformed adtech.

Google’s blog post today makes an explicit reference to this opinion — with the company writing:

“Privacy by design and by default have been at the heart of the Privacy Sandbox from the outset, and we are also intent on ensuring that the new tools meet the requirements set out in the recent ICO’s Opinion on Data protection and privacy expectations for online advertising proposals. To that end, we are designing these new tools to avoid cross-site tracking, provide people with better transparency and control, and result in better outcomes for people and businesses on the web.”

The data-mining tech giant’s claim to be championing privacy of course deserves plenty of critical scrutiny.

However when set against the vista of a trench-digging adtech industry at large — which desperately continues to reject calls for reform in favor of clinging to creepy tracking, whether by sicking up some new window dressing for the same old tracking wheeze via slightly respun jargon or through head-in-the-sand denials that it’s built its ad auction castle on illegal sands — Google’s Privacy Sandbox starts to look very enlightened indeed.

As ever, the devil will be in the detail. But if it’s a choice between change or the creepy status quo it’s clear where the web needs to go.

We asked MOW for its response to the package of commitments the CMA has now accepted. At the time of writing it did not have one but a spokesman said it was preparing a press release to put out later this morning — so we’ll update this report when we get it.

Last December, Facebook officially began allowing crypto advertisers to buy ads on its platform. This quiet but important change meant that a long-closed marketing avenue for crypto products was now open. But what are best practices for crypto marketers in general? And is the platform worth exploring for crypto and NFT projects?

First, let’s understand just what is allowed on Facebook and other platforms. Facebook allows some crypto companies to advertise without submitting proof of financial licenses. These include crypto tax services, events, blockchain news and wallets. What’s interesting, however, is you probably haven’t seen many of these ads popping up on social media at all, a testament to the long-running contention between crypto marketers and platforms like Twitter or Facebook.

Further, if you want to advertise mining hardware, cryptocurrency exchanges or trading platforms, or even a wallet that allows you to buy, sell, or swap crypto, you will need a BitLicense (if you’re in New York) or a FinCEN Money Services Business license (in the rest of the U.S.). For international projects, you can find your requirements on Facebook’s policy site.

But just because you can advertise on Facebook doesn’t mean you should.

“It is not about shilling projects — it is about understanding how these projects play a role in a brand’s larger corporate identity in web3.” (Kris Ruby, CEO of Ruby Media Group)

‘The real opportunity is SEO/organic’

Many marketers have given up on Facebook entirely.

“What’s Facebook?” asked Itai Elizur of MarketAcross. “I think the crypto ‘watercooler’ is Twitter, but the real opportunity is SEO/organic, as we see search volumes increasing while Google keeps penalizing many crypto news sites. This means there is a place for brands to capture that high-quality user intent traffic.”

Elizur doesn’t believe paid ads on Facebook or Twitter work for crypto projects, which makes things much harder for traditional marketers to take on these kinds of gigs.




Crypto marketing is a very new field. A few years ago, PR professionals would avoid crypto entirely, but now they’re running to well-heeled clients who may or may not have a real business model. And they’re finding out that it is wildly hard to get the attention they once got for other tech products like gadgets and software.

“Paid social does have a place for driving awareness for blockchain and crypto projects, but there are a lot of challenges in the space right now,” said Rachel Stoll, founder of Persephone Digital. “Specifically, NFT social is filled with pay-to-play opportunities for promotion, giveaways, or pinned posts across various subreddits and Discords without any real transparency. Most of our clients who do these types of paid placements as one-offs don’t see success, and I suspect that is because the people selling these spots are relying on their bot-driven following.”

Google is being sued in Europe on competition grounds by price comparison service PriceRunner which is seeking at least €2.1 billion (~$2.4BN) in damages.

The lawsuit accuses Google of continuing to breach a 2017 European Commission antitrust enforcement order against Google Shopping.

As well as fining Google what was — at the time — a record-breaking antitrust penalty (€2.42 billion), the EU’s competition division ordered the search giant to cease illegal behaviors, after finding Google giving prominent placement to its own shopping comparison service while simultaneously demoting rivals in organic search results.

Immediately following the order, Google made some initial tweaks to how its product search service works — doubling down on an auction model. But complainants were instantly critical of the changes, arguing they neither remedied the unfairness nor complied with the EU’s requirement for equal treatment of price comparison services.

The following year, an investigation by Sky News also accused Google of trying to circumvent the EU antitrust ruling by offering incentives to ad agencies to create faux comparison sites filled with ads for their clients’ products which Google could display in the Google Shopping box to present the impression of a thriving marketplace for price comparison services.

More recently (April 2020) Google announced a major retooling of product search under the Shopping ‘tab’ — saying it would switch Google Shopping to mostly free listings globally by the end of 2020. Albeit, the service still offers advertisers the ability to pay Google for featured listings.

Google also continues to show product search ads alongside general search results — in an ads box which includes a “Shop now” call-to-action in the title (see the box displayed below right for examples of ads displayed after a product search for “Samsung TV”):

[Screenshot: Natasha Lomas/TechCrunch]

PriceRunner’s lawsuit alleges Google has continued to violate competition law in relation to product search, as well as seeking compensation for historical infringements that have allowed Google to reap revenue at rivals’ expense.

To back up its allegations, the search comparison company points to a study conducted by accountancy company, Grant Thornton, which it says found prices for offers shown in Google’s own comparison shopping service can be 16-37% higher for popular categories like clothes and shoes, and between 12-14% higher for other types of products vs rival price comparison services.

PriceRunner also cites estimates that European consumers are overpaying billions per year as a result of Google’s search engine returning links to products that are more expensive than equivalents offered via (non-Google) price comparison services.

“What the EU Commission stated was [Google is] moving down competitors in the search results. It is causing consumers to overpay enormous amounts of money every year because Google is not showing the most relevant results and with too high prices when they could show better results further up,” PriceRunner CEO, Mikael Lindahl, told TechCrunch.

“They’ve tried to do some changes to the service meaning it’s possible to resell the ads based on top of Google… It’s still an auction-based model… And when Google knows that they should show results from [rivals] they have to do this and they are not. So they are definitely still abusing their position since consumers are still hurt.”

The tech giant’s search engine continues to have a massively dominant share of the market in the region — taking over 90% of marketshare in most countries in the European Economic Area and in the UK.

“Google should show the most relevant result and it should be based on the normal search algorithms,” Lindahl added. “What they cannot do — what the EU Commission says is illegal — is when they manually and with algorithms manipulate the search results to get the competitors further down in the results, and this is what they’re doing.”

The Commission’s 2017 order against Google Shopping was upheld last year by the General Court of the EU which largely dismissed Google’s appeal against the Commission’s antitrust decision — paving the way for litigation funders to feel more confident about opening their wallets.

PriceRunner says its legal action is being supported by a litigation funder called Nivalion.

“Of course this is a David against Goliath situation and we had to make sure that we are really well prepared for a very long fight so we have external financing,” said Lindahl, adding: “Nivalion is taking tens of millions of euros of costs — for an upside when we win this. Basically they’re as convinced as we are that this will work out very well for us.

“So we’re prepared for many years of fight and we have all the resources we need.”

When pressed on its exact objections to changes Google has made since 2017, Lindahl also pointed to the General Court ruling, saying: “Reading between the lines but also rather concrete from the General Court statement from November last year it’s clear that the remedies are not sufficient.

“I don’t want to comment in detail — because it will of course be part of this process — but it’s very obvious to us that Google has not changed their behavior and it seems to be obvious to the General Court as well. That’s my judgement.”

“What they have done is they’ve made it possible for more people to pay Google money to be on top,” he added in further remarks on how Google has changed price comparison since the EU’s antitrust order. “It’s still an auction-based model. So the one paying the most will be on top on the Google results — and if you’re looking for a Samsung TV for a low price, for a good deal, well it’s impossible for someone paying the most for the traffic to also show the lowest price.

“They’re opposites, so Google’s solution here doesn’t make sense. They haven’t stopped the abuse.”

Reached for comment on PriceRunner’s lawsuit, Google sent us this statement — attributed to a spokesperson:

“The changes we made to shopping ads back in 2017 are working successfully, generating growth and jobs for hundreds of comparison shopping services who operate more than 800 websites across Europe. The system is subject to intensive monitoring by the EU Commission and two sets of outside experts. PriceRunner chose not to use shopping ads on Google, so may not have seen the same successes that others have. We look forward to defending our case in court.”

Asked for a response to Google’s rebuttal Lindahl added: “Google’s response today is exactly what we expected, avoiding the fact that they have been convicted by both the European General Court in November 2021 and that consumers are paying higher prices because of their service. We look forward to this fight and the legal process begins now.”

We also asked PriceRunner whether it has sought to press its complaint about Google’s Shopping remedy still not working with the Commission itself.

Lindahl said it has had “several” meetings with the EU’s executive — but he also pointed to Google’s lobbying blitz in Brussels — and urged the Commission to “finish this”.

“It’s obvious that Google has a lot of power in all instances and in all markets in Europe and that they can push things in their favor… The Commission has to wrap this up, they have to stop this abuse, because otherwise they are showing the European consumers that they tried but they can’t beat the tech giants — and that’s not acceptable.”

“It’s really important that they wrap this up because no one will thank commissioner [Margrethe] Vestager for starting this if she doesn’t stop it,” he added. “What happens here is we see a movement in power, in strength — where the really big tech giants they don’t have to change their models, they can continue abusing the situation because they’ve reached a certain size and that’s just not acceptable.

“This time it’s about a product comparison but next time… it can be flights or insurance or whatever. So if we don’t take this battle for the sake of European tech companies everyone else will be hurt next, that’s my view.”

The Commission was contacted for comment on the lawsuit and to ask whether it has ongoing concerns about Google’s compliance with the Shopping enforcement order but at the time of writing it had not responded. We’ll update this report if we get a response.

What does Meta/Facebook’s favorite new phrase to bandy around in awkward earnings calls — as it warns of “regulatory headwinds” cutting into its future growth — actually mean when you unpack it?

It’s starting to look like this breezy wording means the law is finally catching up with murky adtech practices which have been operating under the radar for years — tracking and profiling web users without their knowledge or consent, and using that surveillance-gleaned intel to manipulate and exploit at scale regardless of individual objections or the privacy people have a legal right to expect.

This week a major decision in Europe found that a flagship ad industry tool which — since April 2018 — has claimed to be gathering people’s “consent” for tracking to run behavioral advertising has not in fact been doing so lawfully.

The IAB Europe was given two months to come up with a reform plan for its erroneously named Transparency and Consent Framework (TCF) — and a hard deadline of six months to clean up the associated parade of bogus pop-ups and consent mismanagement which force, manipulate or simply steal (“legitimate interest”) web users’ permission to microtarget them with ads.

The implications of the decision against the IAB and its TCF are that major ad industry reforms must come — and fast.

This is not just a little sail realignment as Facebook’s investor-soothing phrase suggests. And investors are perhaps cottoning on to the scale of the challenges facing the adtech giant’s business — given the 20% drop in its share price as it reported Q4 earnings this week.

Facebook’s ad business is certainly heavily exposed to any regulatory hurricane of enforcement against permission-less Internet tracking since it doesn’t offer its own users any opt out from behavioral targeting.

When asked about this the tech giant typically points to its “data policies” — where it instructs users it will track them and use their data for personalized ads but doesn’t actually ask for their permission. (It also claims any user data it sucks into its platform from third parties for ad targeting has been lawfully gathered by those partners in one long chain of immaculate adtech compliance!)

Fb also typically points to some very limited “controls” it provides users over the type of personalized ads they will be exposed to via its ad tools — instead of actually giving people genuine control over what’s done with their information which would, y’know, actually enable them to protect their privacy.

The problem is Meta can’t offer people a choice over what it does with their data because people’s data is the fuel that its ad targeting empire runs on.

Indeed, in Europe — where people do have a legal right to privacy — the adtech giant claims users of its social media services are actually in a contract with it to receive advertising! An argument that the majority of the EU’s data protection agencies look minded to laugh right out of the room, per documents revealed last year by local privacy advocacy group noyb which has been filing complaints about Facebook’s practices for years. So watch that space for thunderous regulatory “headwinds”.

(noyb’s founder, Max Schrems, is also the driving force behind another Meta earnings call caveat, vis-a-vis the little matter of “the viability of transatlantic data transfers and their potential impact on our European operations”, as its CFO Dave Wehner put it. That knotty issue may actually require Meta to federate its entire service if, as expected, an order comes to stop transferring EU users’ data over the pond, with all the operational cost and complexity that would entail… So that’s quite another stormy breeze on the horizon.)

While regulatory enforcement in Europe against adtech has been a very slow burn there is now movement that could create momentum for a cleansing reboot.

For one thing, given the interconnectedness of the tracking industry, a decision against a strategic component like the TCF (or indeed adtech kingpin Facebook) has implications for scores of data players and publishers who are plugged into this ecosystem. So knock-on effects will rattle down (and up) the entire adtech ‘value chain’. Which could create the sort of tipping point of mass disruption and flux that enables a whole system to flip to a new alignment. 

European legislators frustrated at the lack of enforcement are also piling further pressure on by backing limits on behavioral advertising being explicitly written into new digital rules that are fast coming down the pipe — making the case for contextual ad targeting to replace tracking. So the demands for privacy are getting louder, not going away.

Of course Meta/Facebook is not alone in being especially prone to regulatory headwinds; the other half of the adtech duopoly — Alphabet/Google — is also heavily exposed here.

As Bloomberg reported this week, digital advertising accounts for 98% of Meta’s revenue, and a still very chunky 81% of Alphabet’s — meaning the pair are especially sensitive to any regulatory reset to how ad data flows.

Bloomberg suggested the two giants may yet have a few more years’ grace before regulatory enforcement and increased competition could bite into their non-diversified ad businesses in a way that flips the fortunes of these data-fuelled growth engines.

But one factor that has the potential to accelerate that timeline is increased transparency.

Follow the data…

Even the most complex data trail leaves a trace. Adtech’s approach to staying under the radar has also, historically, been more one of hiding its people-tracking ops in plain sight all over the mainstream web vs robustly encrypting everything it does. (Likely as a result of how tracking grew on top of and sprawled all over web infrastructure at a time when regulators were even less interested in figuring out what was going on.)

Turns out, pulling on these threads can draw out a very revealing picture — as a comprehensive piece of research into digital profiling in the gambling industry, carried out by researcher Cracked Labs and just published last week, shows.

The report was commissioned by UK based gambling reform advocacy group, Clean Up Gambling, and quickly got picked up by the Daily Mail — in a report headlined: “Suicidal gambling addict groomed by Sky Bet to keep him hooked, investigation reveals”.

What Cracked Labs’ research report details — in unprecedented detail — is the scale and speed of the tracking which underlies an obviously non-compliant cookie banner presented to users of a number of gambling sites whose data flows it analyzed, offering the usual adtech fig-leaf mockery of (‘Accept-only’) compliance.

The report also explodes the notion that individuals being subject to this kind of pervasive, background surveillance could practically exercise their data rights.

Firstly, the effort asymmetry that would be required to go SARing such a long string of third parties is just ridiculous. But, more basically, the lack of transparency inherent to this kind of tracking means it’s inherently unclear who has been passed (or otherwise obtained) your information — so how can you ask what’s being done if you don’t even know who’s doing it?

If that is a system ‘functioning’ then it’s clear evidence of systemic dysfunction. Aka, the systemic lawlessness that the UK’s own data protection regulator already warned the adtech industry about in a report of its own all the way back in 2019.

The individual impact of adtech’s “data-driven” marketing, meanwhile, is writ large in a quote in the Daily Mail’s report — from one of the “high value” gamblers the study worked with, who accuses the gambling service in question of turning him into an addict — and tells the newspaper: “It got to a point where if I didn’t stop, it was going to kill me. I had suicidal ideation. I feel violated. I should have been protected.”

“It was going to kill me” is an exceptionally understandable articulation of data-driven harms.

Here’s a brief overview of the scale of tracking Cracked Labs’ analysis unearthed, clipped from the executive summary:

“The investigation shows that gambling platforms do not operate in a silo. Rather, gambling platforms operate in conjunction with a wider network of third parties. The investigation shows that even limited browsing of 37 visits to gambling websites led to 2,154 data transmissions to 83 domains controlled by 44 different companies that range from well-known platforms like Facebook and Google to lesser known surveillance technology companies like Signal and Iovation, enabling these actors to embed imperceptible monitoring software during a user’s browsing experience. The investigation further shows that a number of these third-party companies receive behavioural data from gambling platforms in realtime, including information on how often individuals gambled, how much they were spending, and their value to the company if they returned to gambling after lapsing.”

A detailed picture of consentless ad tracking in a context with very clear and well understood links to harm (gambling) should be exceedingly hard for regulators to ignore.

But any enforcement of consent and privacy must and will be universal, as the law around personal data is clear.

Which in turn means that nothing short of a systemic adtech reboot will do. Root and branch reform.

Asked for its response to the Cracked Labs research, a spokeswoman for the UK’s Information Commissioner’s Office (ICO) told TechCrunch: “In relation to the report from the Clean Up Gambling campaign, I can confirm we are aware of it and we will consider its findings in light of our ongoing work in this area.”

We also asked the ICO why it has failed to take any enforcement action against the adtech industry’s systemic abuse of personal data in real-time bidding ad auctions — following the complaint it received in September 2018, and the issues raised in its own report in 2019.

The watchdog said that after it resumed its “work” in this area — following a pause during the coronavirus pandemic — it has issued “assessment notices” to six organisations. (It did not name these entities.)

“We are currently assessing the outcomes of our audit work. We have also been reviewing the use of cookies and similar technologies of a number of organisations,” the spokeswoman also said, adding: “Our work in this area is vast and complex. We are committed to publishing our final findings once our enquiries are concluded.”

But the ICO’s spokeswoman also pointed to a recent opinion issued by the former information commissioner before she left office last year, in which she urged the industry to reform — warning adtech of the need to purge current practices by moving away from tracking and profiling, cleaning up bogus consent claims and focusing on engineering privacy and data protection into whatever form of targeting it flips to next.

So the reform message at least is strong and clear, even if the UK regulator hasn’t found enough puff to crack out any enforcement yet.

Asked for its response to Cracked Labs’ findings, Flutter — the US-based company that owns Sky Betting & Gaming, the operator of the gambling sites whose data flows the research study tracked and analyzed — sought to deflect blame onto the numerous third parties whose tracking technologies are embedded in its websites (and only referenced generically, not by name, in its ‘Accept & close’ cookie notice).

So that potentially means onto companies like Facebook and Google.

“Protecting our customers’ personal data is of paramount importance to Sky Betting & Gaming, and we expect the same levels of care and vigilance from all of our partners and suppliers,” said the Sky Bet spokesperson.

“The Cracked Labs report references data from both Sky Betting & Gaming and the third parties that we work with. In most cases, we are not — and would never be — privy to the data collected by these parties in order to provide their services,” they added. “Sky Betting & Gaming takes its safer gambling responsibilities very seriously and, while we run marketing campaigns based on our customers’ expressed preferences and behaviours, we would never seek to intentionally advertise to anyone who may potentially be at risk of gambling harm.”

Regulatory inaction in the face of cynical industry buck passing — whereby a first party platform may seek to deny responsibility for tracking carried out by its partners, while third parties which also got data may claim it’s the publishers’ responsibility to obtain permission — can mire complaints and legal challenges to adtech’s current methods in frustrating circularity.

But this tedious dance should also be running out of floor. A number of rulings by Europe’s top court in recent years have sharpened guidance on exactly these sorts of legal liability issues, for example.

Moreover, as we get a better picture of how the adtech ecosystem ‘functions’ — thanks to forensic research work like this to track and map the tracking industry’s consentless data flows — pressure on regulators to tackle such obvious abuse will only amplify as it becomes increasingly easy to link abusive targeting to tangible harms, whether to vulnerable individuals with ‘sensitive’ interests like gambling; or more broadly — say in relation to tracking that’s being used as a lever for illegal discrimination (racial, sexual, age-based etc), or the democratic threats posed by population scale targeted disinformation which we’ve seen being deployed to try to skew and game elections for years now.

Google and Facebook respond

TechCrunch contacted a number of the third parties listed in the report as receiving behavioral data on the activities of one of the users of the Sky Betting sites a large number of times — to ask them about the legal basis and purposes for the processing — which included seeking comment from Facebook, Google and Microsoft.

Facebook and Google are of course huge players in the online advertising market but Microsoft appears to have ambitions to expand its advertising business. And recently it acquired another of the adtech entities that’s also listed as receiving user data in the report — namely Xandr (formerly AppNexus) — which increases its exposure to these particular gambling-related data flows.

(NB: the full list of companies receiving data on Sky Betting users also includes TechCrunch’s parent entity Verizon Media/Yahoo, along with tens of other companies, but we directed questions to the entities the report named as receiving “detailed behavioral data” and which were found receiving data the highest number of times*, which Cracked Labs suggests points to “extensive behavioural profiling”; although it also caveats its observation with the important point that: “A single request to a host operated by a third-party company that transmits wide-ranging information can also enable problematic data practices”; so just because data was sent fewer times doesn’t necessarily mean it is less significant.)

Of the third parties we contacted, at the time of writing only Google had provided an on-the-record comment.

Microsoft declined to comment.

Facebook provided some background information — pointing to its data and ad policies and referring to the partial user controls it offers around ads. It also confirmed that its ad policies do permit gambling as a targetable interest with what it described as “appropriate” permissions.

Meta/Facebook announced some changes to its ad platform last November — when it expanded what it refers to as its “Ad topic controls” to cover some “sensitive” topics — and it confirmed that gambling is included as a topic people can choose to see fewer ads with related content on.

But note that’s fewer gambling ads, not no gambling ads.

So, in short, Facebook admitted it uses behavioral data inferred from gambling sites for ad targeting — and confirmed that it doesn’t give users any way to completely stop that kind of targeting — nor, indeed, the ability to opt out from tracking-based advertising altogether.

While its legal basis for this tracking is — we must infer — its claim that users are in a contract with it to receive advertising.

Which will probably be news to a lot of users of Meta’s “family of apps”. But it’s certainly an interesting detail to ponder alongside the flat growth it just reported in Q4.

Google’s response did not address any of our questions in any detail, either.

Instead it sent a statement, attributed to a spokesperson, in which it claims it does not use gambling data for profiling — and further asserts it has “strict policies” in place that prevent advertisers from using this data.

Here’s what Google told us:

“Google does not build advertising profiles from sensitive data like gambling, and has strict policies preventing advertisers from using such data to serve personalised ads. Additionally, tags for our ad services are never allowed to transmit personally identifiable information to Google.”

Google’s statement does not specify the legal basis it is relying upon for processing sensitive gambling data in the first place. Nor — if it really isn’t using this data for profiling or ad targeting — why it’s receiving it at all.

We pressed Google on these points but the company did not respond to follow up questions.

Its statement also contains misdirection that’s typical of the adtech industry — when it writes that its tracking technologies “are never allowed to transmit personally identifiable information”.

Setting aside the obvious legalistic caveat — Google doesn’t actually state that it never gets PII; it just says its tags are “never allowed to transmit” PII; ergo it’s not ruling out the possibility of a buggy implementation leaking PII to it — the tech giant’s use of the American legal term “personally identifiable information” is entirely irrelevant in a European legal context.

The law that actually applies here concerns the processing of personal data — and personal data under EU/UK law is very broadly defined, covering not just obvious identifiers (like name or email address) but all sorts of data that can be connected to and used to identify a natural person, from IP address and advertising IDs to a person’s location or their device data and plenty more besides.

In order to process any such personal data Google needs a valid legal basis. And since Google did not respond to our questions about this it’s not clear what legal basis it relies upon for processing the Sky Betting user’s behavioral data.

“When data subject 2 asked Sky Betting & Gaming what personal data they process about them, they did not disclose information about personal data processing activities by Google. And yet, this is what we found in the technical tests,” says research report author Wolfie Christl, when asked for his response to Google’s statement.

“We observed Google receiving extensive personal data associated with gambling activities during visits to skycasino.com, including the time and exact amount of cash deposits.

“We did not find or claim that Google received ‘personally identifiable’ data, this is a distraction,” he adds. “But Google received personal data as defined in the GDPR, because it processed unique pseudonymous identifiers referring to data subject 2. In addition, Google even received the customer ID that Sky Betting & Gaming assigned to data subject 2 during user registration.

“Because Sky Betting & Gaming did not disclose information about personal data processing by Google, we cannot know how Google, SBG or others may have used personal data Google received during visits to skycasino.com.”

“Without technical tests in the browser, we wouldn’t even know that Google received personal data,” he added.

Christl is critical of Sky Betting for failing to disclose Google’s personal data processing or the purposes it processed data for.

But he also queries why Google received this data at all and what it did with it — zeroing in on another potential obfuscation in its statement.

“Google claims that it does not ‘build advertising profiles from sensitive data like gambling’. Did it build advertising profiles from personal data received during visits to skycasino.com or not? If not, did Google use personal data received from Sky Betting & Gaming for other kinds of profiling?”

Christl’s report includes a screengrab showing the cookie banner Sky Betting uses to force consent on its sites — by presenting users with a short statement at the bottom of the website, containing barely legible small print and which bundles information on multiple uses of cookies (including for partner advertising), next to a single, brilliantly illuminated button to “accept and close” — meaning users have no choice to deny tracking (short of not gambling/using the website at all).

Under EU/UK law, if consent is being relied upon as a legal basis to process personal data it must be informed, specific and freely given to be lawfully obtained. Or, put another way, you must actually offer users a genuine choice to accept or deny — and do so for each use of non-essential (i.e. non-tracking) cookies.

Moreover if the personal data in question is sensitive personal data — and behavioral data linked to gambling could certainly be that, given gambling addiction is a recognized health condition, and health data is classed as “special category personal data” under the law — there is a higher standard of explicit consent required, meaning a user would need to affirm every use of this type of highly sensitive information.

Yet, as the report shows, what actually happened in the case of the users whose visits to these gambling sites were analyzed was that their personal data was tracked and transmitted to at least 44 third party companies hundreds of times over the course of just 37 visits to the websites.

They did not report being asked explicitly for their consent as this tracking was going on. Yet their data kept flowing.

It’s clear that the adtech industry’s response to the tightening of European data protection law since 2018 has been the opposite of reform. It opted for compliance theatre — designing and deploying cynical cookie pop-ups that offer no genuine choice or at best create confusion and friction around opt-outs to drum up consent fatigue and push consumers to give in and ‘agree’ to give over their data so it can keep tracking and profiling.

Legally that should not have been possible of course. If the law was being properly enforced this cynical consent pantomime would have been kicked into touch long ago — so the starkest failure here is regulatory inaction against systemic law breaking.

That failure has left vulnerable web users to be preyed upon by dark pattern design, rampant tracking and profiling, automation and big data analytics and “data-driven” marketers who are plugging into an ecosystem that’s been designed and engineered to quantify individuals’ “value” to all sorts of advertisers — regardless of individuals’ rights and freedoms not to be subject to this kind of manipulation and laws that were intended to protect their privacy by default.

By making Subject Access Requests (SARs), the two data subjects in the report were able to uncover some examples of attributes being attached to profiles of Sky Betting site users — apparently based on inferences made by third parties off of the behavioral data gathered on them — which included things like an overall customer “value” score and product specific “value bands”, and a “winback margin” (aka a “predictive model for how much a customer would be worth if they returned over next 12 months”).

This level of granular, behavioral background surveillance enables advertising and gaming platforms to show gamblers personalized marketing messages and other custom incentives tightly designed to encourage them to return to play — to maximize engagement and boost profits.

But at what cost to the individuals involved? Both literally, financially, and to their health and wellbeing — and to their fundamental rights and freedoms?

As the report notes, gambling can be addictive — and can lead to a gambling disorder. But the real-time monitoring of addictive behaviours and gaming “predilections” — which the report’s technical analysis lays out in high dimension detail — looks very much like a system that’s been designed to automate the identification and exploitation of people’s vulnerabilities.

How this can happen in a region with laws intended to prevent this kind of systematic abuse through data misuse is an epic scandal.

While the risks around gambling are clear, the same system of tracking and profiling is of course being systematically applied to websites of all sorts and stripes — whether they contain health information, political news, advice for new parents and so on — where all sorts of other manipulation and exploitation risks can come into play. So what’s going on on a couple of gambling sites is just the tip of the data-mining iceberg.

While regulatory enforcement should have put a stop to abusive targeting in the EU years ago, there is finally movement on this front — with the Belgian DPA’s decision against the IAB Europe’s TCF this week.

However where the UK might go on this front is rather more murky — as the government has been consulting on wide-ranging post-Brexit changes to domestic DP law, and specifically on the issue of consent to data processing, which could end up lowering the level of protection for people’s data and legitimizing the whole rotten system.

Asked about the ICO’s continued inaction on adtech, Ravi Naik — a legal director of the data rights agency AWO, which supported the Cracked Labs research, and who has also been personally involved in long running litigation against adtech in the UK — said: “The report and our case work does raise questions about the ICO’s inaction to date. The gambling industry shows the propensity for real world harms from data.”

“The ICO should act proactively to protect individual rights,” he added.

A key part of the reason for Europe’s slow enforcement against adtech is undoubtedly the lack of transparency and obfuscating complexity the industry has used to cloak how it operates so people cannot understand what is being done with their data.

If you can’t see it, how can you object to it? And if there are relatively few voices calling out a problem, regulators (and indeed lawmakers) are less likely to direct their very limited resource at stuff that may seem to be humming along like business as usual — perhaps especially if these practices scale across a whole sector, from small players to tech giants.

But the obfuscating darkness of adtech’s earlier years is long gone — and the disinfecting sunlight is starting to flood in.

Last December the European Commission explicitly warned adtech giants over the use of cynical legal tricks to evade GDPR compliance — at the same time as putting the bloc’s regulators on notice to crack on with enforcement or face having their decentralized powers to order reform taken away.

So, by hook or by crook, those purifying privacy headwinds gonna blow.

*Per the report: “Among the third-party companies who received the greatest number of network requests while visiting skycasino.com, skybet.com, and skyvegas.com, are Adobe (499), Signal (401), Facebook (358), Google (240), Qubit (129), MediaMath (77), Microsoft (71), Ve Interactive (48), Iovation (28) and Xandr (22).”

A piece of compliance theatre that the behavioral ad industry has for years passed off as “a cross-industry best practice standard” — claiming the consent management platform allowed advertisers to keep tracking and surveilling European Internet users without having to worry about pesky EU privacy laws — has today been confirmed to breach the bloc’s rules.

The decision puts a ticking time-bomb under the behavioral ad industry’s regional ops — with the IAB Europe having been given just two months to submit an action plan to its Belgian regulator explaining how exactly it will fix the mess it helped create.

Polishing the turd in question looks very tricky given the regulatory sanction prohibits behavioral advertisers from using the IAB’s so-called “Transparency and Consent Framework” (TCF) to bypass user consent by claiming legitimate interest as a legal base to track and profile web users.

Nor can they rely on the dark pattern of pre-ticked consents. And, well, if Europeans are actually asked to consent to ad stalking they are extremely likely to say no.

The ad industry body has been given a hard deadline of six months for bringing the TCF into compliance with EU standards of data protection and privacy, after which a fine of €5,000 per day will be levied if the IAB fails to clean up its own processes — and really, by association, the wider practices the TCF leans into and encourages.

The TCF is deployed on websites to justify user data being passed to a string of publisher ‘partners’ to process the information for real-time-bidding (RTB) programmatic ad auctions. So if one piece of this ‘value chain’ has been found not to be operating lawfully it does rather yank on the whole chain.

The IAB, meanwhile, has been hit with a fine of €250,000 due to the gravity of the violations.

While the size of that fine may sound small — under the EU’s General Data Protection Regulation (GDPR) it could have faced a maximum penalty of €20M — the regional organization only booked less than €2.5M in revenue in 2020 and the sanctioning regulator notes it took “business volume” into account in deciding how much to sting it.

There’s more than a fine too: The IAB has been ordered to delete any illegally gathered data.

Although the lack of any controls on how RTB broadcasts and trades Internet users’ personal data means it’s essentially impossible for all this lawlessly gathered tracking intel to be purged by the IAB alone — which exists like a glossy cherry atop a massive layer cake of data brokers and exchanges; a cake of unknown ingredients. Which is essentially the problem.

There’s a particular irony here in that the adtech industry has, in recent months, been campaigning against explicit limits on behavioral advertising being written into new EU laws by parliamentarians — as adtech lobby groups like the IAB have argued that the bloc’s current data protection rules are perfectly adequate to regulate their industry.

So, er, that sound you can hear is the cheering of all the privacy campaigners who have spent literally years trying to get EU regulators to actually enforce the law against adtech.

Finally — finally — enforcement is happening.

While the TCF being confirmed to breach the GDPR is definitely very big news it remains to be seen whether the adtech industry’s response will be to regroup with a fresh wheeze for cynically circumventing people’s privacy — instead of what’s actually needed: Full spectrum reform to meet both the letter and spirit of the law.

Despite what the ad lobbyists like to claim, online advertising doesn’t have to be creepy in order to be targeted; other forms of targeted advertising that don’t require individual tracking and profiling are both available and profitable (e.g. contextual ads).

Even Google is working on alternatives to individual-level targeting — even if its proposed alternatives aren’t as radical a “privacy” reform as its PR likes to suggest.

Clearly, getting adtech to kick its lucrative addiction to tracking is proving to be a work of years, plural. But in Europe the operational noose is tightening and the calls for reform are getting harder to ignore.

Commenting on the breach finding, one of the original complainants against adtech’s systemic abuse of people’s privacy, Johnny Ryan, a former industry insider who’s now a senior fellow at the Irish Council for Civil Liberties, was upbeat — telling TechCrunch: “Today’s decision frees hundreds of millions of Europeans from nuisance and misleading consent requests. It should also protect them from illicit surveillance by tech firms.”

Multiple GDPR breaches

The Belgian data protection authority (APD) today published its final decision (English translation here) on a long running complaint against the IAB Europe’s TCF — the aforementioned “best practice” “compliance” “standard” — finding, as expected (in fact since 2020), that the IAB’s flagship mechanism for collecting Internet users’ permission to process their data for behavioral advertising does not do what’s claimed (i.e. “Transparency” and “Consent”) and is in fact operating unlawfully with a murky lack of information and faux, not legally valid ‘consent’.

No one should be surprised by this, of course. It is what a few actual regulators and plenty of experts have been saying for years.

The list of breach findings by the APD is almost as long as the list of personal data points its investigation notes can be contained in a RTB “bid request”, as it concludes that the GDPR very clearly applies to this high velocity personal-data-trading system (aka: “RTB operations by means of bid requests inherently entail the processing of personal data”).

The APD’s confirmed findings against the IAB and its TCF are the following breaches of the GDPR:

▪ Articles 5.1.a and 6 (lawfulness of processing; fairness and transparency);
▪ Articles 12, 13 and 14 (transparency);
▪ Articles 24, 25, 5.1.f and 32 (security of processing; integrity of personal data; data protection by design and default);
▪ Article 30 (register of processing activities);
▪ Article 35 (data impact assessment);
▪ Article 37 (appointment of a data protection officer).

Aka: ‘Siri, show me a system that’s wildly out of control’.

Breaking the findings out into a little more detail, the APD found the IAB wrongly claimed that it could rely on legitimate interest (LI) as a legal basis for processing people’s data under the TCF — a common adtech industry wheeze to try to scissor around the fact the vast majority of people don’t want to be tracked and profiled by online advertisers and deny consent if they are actually and fairly asked (ergo they don’t ask and/or just ignore a denial of consent by claiming they can override it anyway using LI).

Thing is, relying on legitimate interests as a legal basis under EU law means you need to carry out an assessment that considers whether the processing is actually necessary — or whether another less intrusive method could be used to achieve the same result. Moreover, you must also perform an LI balancing test which considers whether you are protecting people’s rights and freedoms. And here the APD’s Inspection Service found the IAB Europe “fails to provide evidence that the interests, in particular the fundamental rights and freedoms, of data subjects were adequately considered in the process”.

Moreover, any claim of consent obtained via the IAB’s TCF as a legal basis for tracking ads was also found not to be lawful under GDPR — as it is “currently not given in a sufficiently specific, informed and granular manner”. 

So, er, another massive, massive fail.

On transparency, the APD concluded there are a string of violations by the IAB — such as the way information is provided to users of the TCF not meeting the required standard of a “transparent, comprehensible and easily accessible manner”; users not being given “sufficient information about the categories of personal data collected about them”; nor being able to determine in advance the scope and consequences of the processing, as they should be able to if consents were being legally gathered.

“The information given to users is too general to reflect the specific processing of each vendor, which also prevents the granularity — and therefore the validity — of the consent received for the processing carried out using the OpenRTB protocol,” the regulator goes on. “Data subjects are unable to determine the scope and consequences of the processing in advance, and therefore do not have sufficient control over the processing of their data to avoid being surprised later by further processing of their personal data.”

The APD found the IAB Europe to be a joint data controller for processing related to the TCF — with all the associated legal responsibilities that entails — and in another major associated finding it says the organization does not “sufficiently monitor compliance with the rules it has developed with regard to participating organisations”.

This is important because in recent months the IAB has been promoting an ‘audit’ program — which it calls its “vendor compliance program” — under which it claims it will be able to audit companies that use the TCF to ensure they are not breaching GDPR.

However, as critics have quickly pointed out, this looks like an attempt to spin up fresh compliance theatre given that the RTB system lacks controls on data-sharing nor is it technically possible to know who exactly is getting people’s information (nor what on earth they might be doing with it) as bid requests are insecurely broadcast across the Internet at high speed and massive volume, countless times per day.

The APD’s analysis suggests the regulator has a good grasp of such concerns as it notes that under the current TCF system “adtech vendors receive a consent signal without any technical or organisational measure to ensure that this consent signal is valid or that a vendor has actually received it (rather than generated it)”.

“In the absence of systematic and automated monitoring systems of the participating CMPs and adtech vendors by the defendant [i.e. IAB], the integrity of the TC String [i.e. the choices users signalled/selected via the TCF] is not sufficiently ensured, since it is possible for the CMPs to falsify the signal in order to generate an euconsent-v2 cookie and thus reproduce a ‘false consent’ of the users for all purposes and for all types of partners,” it further explains, before adding: “[T]his hypothesis is also specifically foreseen in the terms and conditions of the TCF.

“The Litigation Chamber therefore finds that IAB Europe, in its capacity of Managing Organisation, has designed and provides a consent management system, but does not take the necessary steps to ensure the validity, integrity and compliance of users’ preferences and consent.”

A research study we reported on last month illustrated exactly this problem of user consent choices being totally ignored by the tracking industry. So this problem the regulator has identified as baked into the TCF and the IAB’s hands off approach looks a lot more like a feature of an intentionally lax system than a theoretically exploitable vulnerability…

That’s not all, either.

In a further finding, the APD says the TCF breaches the GDPR by failing to allow users to exercise their data subject rights (e.g. the right of access, the right to delete information etc).

So that’s another very big deal. The adtech industry loves to talk big about “online choices” — but is evidently rather less fond of providing web users with meaningful controls so they can exercise their actual legal rights.

Less big but quite funny: The regulator found the IAB failed to keep a register of processing operations — rejecting its claims otherwise by simply saying that it “cannot follow the defendant’s argument”. Ouch.

(On that the industry body had sought to claim an exemption from having to do that as it’s a smaller organization. However the GDPR clearly states that such an exemption does not apply where the processing is likely to result in a risk to the rights and freedoms of data subjects; where it is not occasional; or where it includes special category data. So, er… )

Finding yet another violation, the APD says the IAB failed to carry out “a comprehensive data protection impact assessment (DPIA) with regard to the processing of personal data within the TCF” — pointing out the glaringly obvious threats to the rights and freedoms of individuals posed by behavioral advertising which a comprehensive DPIA (i.e. if one had actually been carried out) would have robustly assessed.

This chunk of the decision sounds quite dry but it’s perhaps possible to detect the tiniest hint of sarcasm as it writes…

“The Litigation Chamber finds that the TCF was developed, among other things, for the RTB system, in which the online behaviour of users is observed, collected, recorded or influenced in a systematic and automated manner, including for advertising purposes. It is also not disputed that within the OpenRTB, data are widely collected from third parties (DMPs) in order to analyse or predict the economic situation, health, personal preferences or interests, reliability or behaviour, location or movements of natural persons.”

The IAB has also been spanked for not appointing a DPO (data protection officer).

“Because of the large-scale, regular and systematic observation of identifiable users that the TCF implies, and in view of the defendant’s role, more specifically of its capacity as Managing Organisation, the Litigation Chamber rules that IAB Europe should have appointed a [DPO],” the regulator notes on that.

The IAB Europe has had many months — or really well over a year (at least) — to prepare its response to the APD’s finding so ofc it’s chock full of spin.

The ad industry body is trying really hard to find a silver lining to both it and its TCF being taken to the cleaners. And even includes some magical-thinking — by suggesting the TCF might somehow now form the basis of a “GDPR transnational Code of Conduct”. Dream big guys!

Not that the IAB commits to accepting the regulator’s findings.

There is no acknowledgement of wrongdoing. Nor indeed any apology to all those Internet users whose data has been illegally processed and used for goodness knows what…

Despite that it’s not clear whether the IAB will try to appeal. (If it’s going to do so it has to file within 30 days.)

Here’s the IAB’s statement:

“IAB Europe acknowledges the decision announced today by the Belgian Data Protection Authority (APD) in connection with its investigation of IAB Europe. We note that the decision contains no prohibition of the Transparency & Consent Framework (TCF), as had been requested by the complainants, and that the APD considers the purported infringements by IAB Europe that it has identified to be susceptible of being remedied in six months.

We reject the finding that we are a data controller in the context of the TCF. We believe this finding is wrong in law and will have major unintended negative consequences going well beyond the digital advertising industry. We are considering all options with respect to a legal challenge.

Notwithstanding our grave reservations on the substance of the decision, we look forward to working with the APD on an action plan to be executed within the prescribed six months that will ensure the TCF’s continuing utility in the market. As previously communicated, it has always been our intention to submit the Framework for approval as a GDPR transnational Code of Conduct. Today’s decision would appear to clear the way for work on that to begin.”

It is correct to say that the APD has called for compliance rather than literally banned use of the TCF. So the IAB has bought itself a few more months’ grace for a law-breaking system.

However claiming that the existence of a deadline for compliance is affirmation that the regulator believes compliance will be a doddle looks fanciful. You could simply counter that by asking why then, if that’s the case, the regulator has stipulated a regime of daily fines for ongoing violations thereafter? If it believes it’s so simple why should it think fines may be needed?

One thing is amply clear: Much rests on what choices the adtech industry makes next.

For its own sake — as much as for anyone else’s — we should all hope they finally learn how to make good ones.

The European consumer organization BEUC has also responded to the Belgian DPA’s decision today — dubbing the fine levied on the IAB “paltry” in light of the systemic scale and seriousness of the infringements.

In a statement, its deputy DG, Ursula Pachl, added: “Surveillance advertising goes against the very core principles and rights that the GDPR is there to protect. This must be a wakeup call for the whole ad-tech industry, which illegally trades in personal data, to comply with the law, while data protection authorities must take decisive action against entities that continue to breach the General Data Protection Regulation.”