What are browser cookies?
Cookies are small text files left on a user’s web browser by visited websites. They might be placed there by the website operator to remember a user’s preferred language. Or they might be “third-party cookies” that provide for cross-site tracking of users as they surf the internet, targeting them with online advertisements, and measuring the outcome. (Think of the hotel ad that follows you around the internet after you visit a travel site.)
Third-party cookies are often placed by service providers, such as ad tech vendors, whose clients want to improve the conversion of online advertisements into customers. That might include advertisers who want to spend their advertising dollars wisely or website owners (“publishers”) who want to sell their advertising space for more.
Cross-site tracking with third-party cookies has been shown to increase online advertising revenue.1https://ppc.land/wp-content/uploads/disabling_third-party_cookies_publisher_revenue.pdf That is why the digital advertising ecosystem has come to rely heavily on third-party cookies, which in turn made them a prime area for privacy-based competition among web browsers .
The browser wars: 2017-2020
In the latter part of the previous decade, the public started to become more aware and concerned about how its personal data was being collected and used online.2 https://www.pewresearch.org/internet/2015/05/20/americans-attitudes-about-privacy-security-and-surveillance/ And in 2017 and 2018, two major browsers, Apple’s Safari and Mozilla’s Firefox, started to come with default settings restricting most tracking cookies. Their competition continued into 2019, when both rolled out additional limitations on cross-site tracking and third-party browser cookies. Some up-starts have gone even farther. Brave, launched in 2019, eliminates all user tracking and third-party ads, and rewards users for being served secured advertisements.3https://brave.com/features/
In response, Chrome released the latest version of its browser in February of this year with new limits on tracking cookies not accessed from secure connections.4https://clearcode.cc/blog/chrome-privacy-features/ (Roll-out has been temporarily delayed by the coronavirus crises.)5 https://blog.chromium.org/2020/04/temporarily-rolling-back-samesite.html But the bigger announcement was that Chrome will eventually phase out the use of third-party cookies and replace them with Privacy Sandbox, Google’s own initiative for developing standards and tools for collecting data and personalizing advertisements for users.6https://blog.chromium.org/2020/01/building-more-private-web-path-towards.html
Although competition between Safari and Firefox had already been pulling the market in a more privacy-aware direction for several years, Chrome’s larger share of web browser usage has caused its move away from tracking cookies to be seen as a game changer for digital advertising.
Impact on the online advertising ecosystem
By limiting access to user data and ad-targeting capabilities, the phasing out of third-party cookies could cut into publisher revenues, impede advertising campaigns, and pose an outright existential threat to some ad tech vendors.7https://www.adexchanger.com/online-advertising/google-chrome-will-drop-third-party-cookies-in-2-years/ On top of that, many in the industry expect Chrome’s transition to its own privacy standards to cause user-level information to be funneled through the browser instead of being collected (and exchanged) by third-parties. As one commentator put it, Chrome’s own “first-party” data could replace third-party data with the result being a “data wall around Google’s ad business.”8https://www.adexchanger.com/the-sell-sider/sudden-death-for-cookies-finally/
Ad tech vendors–and the publishers and advertisers who rely on them–are especially exposed to an increased dependence on Google’s services for measuring and targeting online ads. But not everyone will be impacted alike. Larger publishers with good first-party data about the users that visit their websites will be in a better position to navigate an internet without tracking cookies. Some large publishers may even benefit from the extinction of third-party cookies if it puts a higher premium on their first-party data, which could be exchanged with other publishers or sold to third parties.9https://digiday.com/media/publishers-planning-end-third-party-cookie/
Some commentators even think that eliminating tracking browser cookies may turn out to be the push that competition in digital advertising needs to develop new standards and approaches for personalized advertising that depend less on invasive cross-site tracking.10https://www.admonsters.com/google-privacy-sandbox/ Some even foresee a shift from individually-targeted advertising to a new golden age for “contextual advertising”–placing ads that a user should find relevant based on the content they are looking at–powered by the predictive powers of artificial intelligence.11https://marketingland.com/the-new-contextual-ad-targeting-works-study-says-278243
The close link between privacy and competition means that, as users become more privacy-savvy, digital advertising will evolve—on a free internet, its extinction is unlikely.
The browser wars show how changes in what consumers want–including more control over how personal information is collected and used–can drive online markets to improve data privacy practices.
With all the major browsers now moving away from third-party cross-site tracking, one might be tempted to call it a win for free market advocates who believe that competition in the long-run displaces the need for government intervention. On the other hand, to call it a “long-run” market response is an understatement, given that cookies have been around for three decades. The internet has not gone willingly down this path (and not without some privacy costs borne by users in the process).
Moreover, existing or anticipated data protection rules may have played some role in helping to nudge the industry in a more privacy-minded direction. Already in 2009, the European Union’s ePrivacy Directive required websites to get informed consent from users for non-essential cookies. The more recent sweeping data protection rules in the EU (GDPR) and California (CCPA) require disclosure and provide consumer protections when websites collect personal data—cookies included. Compliance with such regulations can prepare companies to be stronger competitors. One commentator notes that responding to GDPR helped position ad tech vendors to respond to Chrome’s recent changes restricting third-party cookies.12https://www.adexchanger.com/privacy/chrome-is-killing-cookies-but-samesite-still-needs-to-be-updated/ So regulation may deserve some of the credit for the shift away from third-party tracking.
Another reason to temper praise for the internet in weaning itself off cross-site tracking is that there may be a tendency to overstate just how much the end of third-party cookies improves data privacy online. As long as users continue to expect free online content, advertising revenue will be at the core of the internet. It did not take long after Safari and Firefox began restricting cross-site tracking for workarounds to pop up. “Browser fingerprinting”, for example, relies on unique identifiers for users based on difficult-to-block information about the basic features of their device or web browser.13https://www.nytimes.com/2019/07/03/technology/personaltech/fingerprinting-track-devices-what-to-do.html Some browsers added features to try to restrict fingerprinting. But the point remains: an advertising-driven internet will not give up trying to track users and target them with personalized ads.
Although phasing out tracking cookies does not signal an end to collecting personal data for advertising purposes, it may change who collects and keeps that data. Depending on one’s perspective, it might be better or worse to take data about users’ online activity out of the hands of thousands of unknown third-party ad tech vendors and put it into the hands of a smaller number of better-known (and arguably more accountable) tech players. That, in turn, may depend on one’s views on a more fundamental question about whether an “open” internet made up of many interconnected players is preferable to a more centralized “walled-off garden” version (think: Google’s Android versus Apple’s iOS).
What sort of internet the public wants, an evolving regulatory landscape, and free market dynamics all come together to shape the internet, including its digital advertising.
Competition law in an internet without tracking browser cookies
If an internet without tracking browser cookies means concentrating user data or ad-targeting capabilities in some hands and not others, competition rules are likely to put regulatory pressures on the digital advertising industry. The present regulatory climate is especially ripe for this, as the roll-out of stricter data protection rules around the world is now being followed by plans to use antitrust laws to prevent tech players from using “big data” to stifle competition.
These antitrust regulatory issues could arise in at least three areas: abuse of dominance, merger review, and cartel enforcement.
Abuse of dominance / monopolization
Browser operators may face new regulatory risks in their dealings with the various market players–publishers, advertisers, ad tech vendors–who see their businesses impacted by the loss of tracking cookies. As ad tech vendors and some publishers lose their ability to collect user data through cross-site tracking with third-party cookies, they will become more dependent on the data and ad-targeting services provided by web browsers such as Chrome. This could strengthen the market position of browser operators, especially those in a position to combine browser data with user data obtained from other sources (for example, Google’s other online services or Apple’s devices). Browsers deemed, as a result, to have obtained sufficient “market power” could be subject to the heightened antitrust requirements for how “dominant” firms must conduct themselves.
To abuse a dominant position is unlawful in the US, Europe, and other major jurisdictions, although what constitutes abusive conduct is hotly debated and varies around the world. Common features of these laws generally mean that browsers could face antitrust liability for how they treat the third parties who rely on them for data or services to help with targeting and measuring online ads. Particular troublespots would include giving commonly-situated vendors different terms for accessing data or ad-targeting services (“discriminatory pricing”), imposing trading conditions that could be deemed unfair or exploitative (by reference to, for example, prevailing market prices), cutting off access to certain data or services (especially if a pre-existing relationship exists), or simply making changes to existing policies, rules, and tools (especially if not clearly disclosed).
Such conduct, if it rose to an unlawful “abuse of dominance” under the antitrust laws, could be the basis for complaints raised by government competition authorities or market players–individually or collectively through, for example, consumer groups or class action lawsuits–who believe they’ve been harmed as a result.
The prospect for browser operators to obtain or increase a “dominant” market position also carries with it regulatory risks for them in future deal-making. Competition laws around the world allow regulators to review acquisitions and impose remedial measures on–or even outright block– transactions that could harm competition. If the shift away from third-party browser cookies causes browser operators to amass more of the data that fuels online advertising, then they may have a harder time convincing competition regulators to clear their deals. The same could be true for large publishers with extensive first-party data.
Acquisitions by these companies of any competitors—which are already the sort of deals most likely to attract regulatory scrutiny—could be made more difficult by regulators concerned that allowing big data to get more aggregated could harm competition in online advertising markets. But also vertical acquisitions (of companies upstream or downstream) could face challenges from regulators concerned that such deals might create new incentives for the combined companies to harm certain third parties who rely on their data or ad-targeting services.
Cartels and competitor collaborations
The phasing out of third-party browser cookies and cross-site tracking could cause players in the digital advertising space to respond by pursuing collaborative efforts with their competition. This would trigger its own variety of possible antitrust liabilities. It is practically universal for countries to prohibit cartels among competitors (such as price-fixing), and many laws also restrict the ability of competitors to collaborate or even simply exchange sensitive information (such as user data) with each other. These laws could pose problems for publishers who try to band together to share their first-party user data in an effort to replicate the cross-site tracking previously achieved with third-party cookies. Such cooperation could be seen as a sharing of sensitive competitive information or, in extreme cases, a cartel agreement.
Although risks exists, the antitrust laws would not set out an easy path for government regulators (or complaining businesses) looking to stop what they perceive to be abusive conduct, an anti-competitive acquisition, or improper competitor cooperation. Competition laws in major jurisdictions such as Europe and the US are usually driven not by what is best for an individual competitor but by what is good for a market as a whole, in particular, its consumers.
This would pose a challenge for bringing an antitrust complaint against a browser operator. Since protecting competition as a whole would be the most relevant issue, a browser operator facing scrutiny of an acquisition or its conduct with third parties may have a strong argument for why its activities are a pro-competitive response to increased consumer demand for privacy. As one commentator put it when describing Chrome’s move away from cross-site tracking: “with web privacy increasingly becoming a mainstream consumer concern, Google is under some competitive pressure to directionally follow suit.”14https://digiday.com/media/ad-tech-industry-questions-intentions-behind-googles-latest-privacy-moves/
The ultimate question would come down to whether, on balance, the conduct is pro-competitive or anti-competitive. So publishers entering into cooperative arrangements could, for example, argue that sharing first-party data promotes competition between publishers and the tech giants who might otherwise come to control the means for targeting and measuring online ads–what one commentator described as a return to a less open, “walled garden” internet.15https://www.adexchanger.com/the-sell-sider/sudden-death-for-cookies-finally/
Browser cookies, privacy, and competition
The close link between privacy and competition in digital advertising will continue to drive innovation. It will also attract the attention of regulators whose focus on big tech is especially strong of late. The ongoing browser wars are a good case in point.
Competition between browsers over privacy features is culminating in the phasing out of tracking cookies, shaking up the digital advertising industry in ways that will disrupt some businesses while creating opportunities for others. The changes could create legal risks—in particular under antitrust laws—for some of its larger players, with some browsers operators and major publishers, in particular, needing to take stock of their exposure. Those with the most to lose, such as ad tech vendors and small publishers, may be able to count on some protections against abusive conduct under the antitrust laws. But given the limitations of the competition laws, they would be well advised to try to innovate rather than litigate their way through the challenges of a cookie-free online advertising ecosystem.