Last week the UK’s Competition and Markets Authority accepted legally binding commitments from Google in its investigation into Google’s “Privacy Sandbox”, just over a year after the investigation was opened. While the CMA’s investigation into Google is now closed, this is not the end of the Sandbox saga, but rather the beginning of a new phase in which the CMA will keep a “close eye” on Google.

The CMA’s willingness to close the investigation without reaching a final resolution betrays a significant shift in regulatory attitudes over recent years. Along with other recent developments, the commitments can leave no doubt that we have entered a new era in which tech companies should expect to work hand in glove with regulators as technologies are developed. The (ongoing) Sandbox saga therefore offers important lessons for the future of tech regulation in the UK and beyond.

Google working with regulators: the investigation is only the beginning

The Sandbox is Google’s proposal to phase out third-party cookies. The CMA opened its investigation following a complaint from a group of publishers alleging that removal of third-party cookies would have a devastating impact on their ability to generate online advertising revenues.

As we have written previously, the Sandbox investigation forced the CMA to confront head on the tensions between competition and privacy regulation which sit at the heart of attempts to find a coherent regulatory solution for the digital world. Given this, it’s perhaps unsurprising that the speedy (for the CMA) “closure” of the Sandbox investigation has not seen this conundrum resolved. Instead, the CMA has secured itself a seat at the table in the ongoing development of a solution.

The commitments will see the CMA (with the assistance of a monitoring trustee – retained at Google’s expense) closely involved in Google’s plans to phase out third-party cookies. And the CMA’s supervision of Google has teeth: among other measures, Google must observe a standstill period of at least 60 days before withdrawing third-party cookies, during which the CMA and Google will work to resolve any remaining competition concerns.

For Google, this is the second occasion this year it has acceded to regulators’ demands to supervise its day-to-day: in January, Google accepted the first designation of “paramount significance across markets” by the German competition regulator (under new provisions introduced in 2021).

A (self interested?) regulatory change of heart on monitoring

Competition regulators have traditionally been reticent to accept commitments that require ongoing monitoring. It’s hard to imagine a set of commitments which could require more oversight by the CMA than those entered last week, so why the change of heart?

The dynamic and fast-changing nature of digital markets and perceived historical failures to successfully regulate Big Tech have fostered a growing consensus among competition regulators that it is better to help shape how markets develop than to intervene once things have gone wrong. Perhaps more crucially (and cynically) however, the use of commitments has allowed to CMA to secure itself a seat at the table in Google’s plans without having to establish to an appeal-proof standard that what Google was planning breached competition law.

This “market shaping” role is new and will be uncomfortable for both Google and the CMA, but it’s doubtless the way of the future. The UK’s Digital Markets Unit – when it eventually receives legal powers – is expected to have an ongoing supervisory role (and the CMA suggests it may transfer supervision of the Sandbox commitments to the DMU in due course). This power will doubtless be coveted by other regulators too, notably Ofcom with its forthcoming role regulating online harms.

Interagency cooperation is the new norm

The Sandbox investigation saw the CMA working closely with the Information Commissioner’s Office (the UK’s privacy regulator). The commitments provide a formal mechanism for the ICO to be consulted as the CMA supervises Google’s plans. 

In November last year, the ICO issued an opinion on its data protection and privacy expectations for online advertising proposals, which describes the phasing out of third party cookies as “a welcome development”, promotes a privacy by design and default approach for companies considering alternative solutions, and sets out the key principles and recommendations that it believes those solutions should meet. The opinion references the ICO’s involvement in the CMA’s investigation into Google, as well as the regulators’ ongoing collaboration in the AdTech space. It notes the “strong synergies between competition and data protection objectives”, and that the Commissioner at the time was “clear that data protection and privacy can work in harmony with the goals of ensuring fair competition”.

Close interagency cooperation is to be welcomed (and can be expected to continue through the Digital Regulation Cooperation Forum), but under the current legal framework there is no formal mechanism for the CMA to take into account non-competition concerns – another reason why the more informal “commitments” route is attractive as a regulatory solution.

It only takes one 

Finally, the Sandbox saga shows the potential for a single regulator to derail global business plans. The CMA is not a privacy regulator and it does not have extraterritorial jurisdiction, but the commitments it has secured from Google will, in practice, be applied on a global basis. The fact the CMA could unilaterally secure commitments with such broad effect is a coup and proof of its position at the top table of global regulators. It is also a warning beacon to businesses of the disruption that can be caused by a single regulator, and underscores the importance of a coherent approach to tech regulation on a global basis.