“Privacy Fixing” is a term that refers to using privacy as an excuse to conduct collusive, anti-competitive behavior. The first use of this term in US Federal Court appeared with the Texas v Google complaint, announced on 17 December 2020. This People in this case state:
“Of course, effective competition is concerned about both price and quality, and the fact that Google coordinates with its competitors on the quality metric of privacy – one might call it privacy fixing – underscores Google’s selective promotion of privacy concerns only when doing so facilitates its efforts to exclude competition.”[1]
The pleading states that Google “restricts information to foreclose competition and advantage itself” and “uses privacy concerns as an excuse to advantage itself over its competitors.”[2] The Texas pleading cites evidence from Google’s internal documents. They allegedly include Google’s proposal to eliminate third-party cookies from its Chrome browser, which “is justified on privacy grounds, but the effect is to increase information asymmetries between Google and its competitors.”[3]
What are we to make of these claims?
This Texas case against Google has particular relevance given the drastic changes to the digital ecosystem Google proposed in January 2020 as part of the planned end of support for cross-publisher IDs by its Chrome browser and Chromium browser engine.[4]
Google refers collectively to these changes as a “Privacy Sandbox”.
Google uses the loaded language, such as “cross-site tracking,” when interfering with the supply chains publishers rely upon to operate their businesses. Google casts the activity websites use to provide people ad-funded access to their websites into the category of assumed privacy invasion.
This language is a disservice to the vast majority of publishers who take the issue of end user privacy very seriously. These organizations devote much time and expense into writing and abiding by their privacy policies. Most importantly, given the absence of switching costs, without providing positive end-user experiences these publishers’ entire business would be at risk.
It is no exaggeration to say that Google has faced challenges for its approach to privacy for many years.[5] It was fined over $100 million for privacy breaches in France before Christmas.[6]
Google’s proposed browser changes substitute its own data collection and processing for the functionality currently provided by the competitive marketplace of vendors. This naturally would concentrate greater control over the web into Google’s hands, while removing choice from publishers. This is not disputed. For example, Google is clear that its intention is the removal of cross-site measurement:
“As we’re removing the ability to do cross-site tracking with cookies, we need to ensure that developers take the well-lit path of the new functionality.”[7]
What happens to those who take Google’s well-lit path?
We know that if Google were proposing that competitors agree to set prices, that would be illegal price fixing.
Price fixing agreements among competitors are also known as “cartels.” Cartels are illegal in many regions, and criminal sanctions exist in both America and the UK. Examples of price fixing cartels exist in many markets from computer contracts, to wine and beer, to milk, CDs and even Christmas trees.[8] These agreements, arrangements, or conspiracies are illegal because they restrict competitors’ commercial freedoms. So, where Google says “We think you should do the following” what is a competitor to do?
The answer is that much depends on the appetite for risk of the person involved in the decision making, and the nature of the markets concerned. If competitors agree to a Google privacy proposal tilts the marketplace in favor of existing organizations by greatly increasing barriers to entry for any new competitors, then this activity may expose all organizations to liability.
In offline markets the idea of fixing privacy in terms of trade sounds strange. However, as explained in the leading online competition journal “Competition Policy International” in 2017, Benjamin R. Dryden and Shankar Iyer in relation to US law, “the antitrust laws apply to non-price elements of competition like privacy policies. The Supreme Court has made clear that “for antitrust purposes, there is no meaningful distinction between price and non-price components of a transaction.”[9] for these reasons the antitrust rules have been applied “even to public safety rules by private standards-setting organizations”.[10]
In online markets, privacy may be a factor considered by consumers and as such is truly a non-price factor of competition. Whether privacy is important in users’ decisions will depend on the product and market concerned. For example, in Microsoft/LinkedIn, the Commission considered that data privacy is “a significant factor of quality” in the market for Professional Social Networks.[11]
For any given market basic questions need to be answered, such as: do customers take into account privacy terms when choosing websites or products? Does evidence exist that customers care about privacy and about cookies? Do different browsers compete on the basis of the level of privacy protection offered?
The Texas complaint also cites the example of Google’s announcement that it will unilaterally remove third-party cookies from its Chrome browser.[12] Google’s action will limit the ability of its advertising competitors to access the data relied upon to serve tailored, higher value advertising. The Marketers for an Open Web case initially filed with the CMA in the UK on the 23rd November 2020 makes a similar claim to that made in the Texas case; such unilateral action being an abuse of Google’s dominance. The CMA is currently investigating.
Privacy fixing, however, indicates a breach of competition law through collusion between competitors, rather than abuse. Such collusion is perhaps most likely to happen where competitors meet, such as in industry bodies, for example a trade body that sets out a best practice for privacy, or through standards-bodies which agree standards which affect access to private data.
Google suggests in its Privacy Sandbox announcement that “For ads focused API proposals in particular. we encourage you to give feedback on the web standards community proposals via GitHub and make sure they address your needs. And if they don’t, file issues through GitHub or email the W3C group.”[13]
Where standards bodies are making standards that promote interoperability, the open web and improve or facilitate competition among many different players they are unobjectionable.
Where they do not involve standards making and become collusive arrangements or a mechanism for collusion, and involve the participants in acquiescence or connivance in the anti-competitive actions of a dominant player, they may amount to anticompetitive and illegal collusion. In such scenarios, the industry body, along with every participant at a relevant meeting or discussion, could also face antitrust liability.
Given the fact that these matters are the subject of litigation in the US, and investigation by the CMA, at the very least care is needed and advice should be taken by anyone attending such meetings.
Companies and industry bodies may wish to consider updating their compliance policies in order to include privacy as a vector for antitrust violation, as well as price.
For more detail on the antitrust issues which can be raised by a company’s use and abuse of privacy, please click here.
[1] Paragraph 143, Texas et al v Google
[2] Paragraph 140, Texas et al v Google
[3] Paragraph 140, Texas et al v Google
[4] https://www.chromium.org/Home/chromium-privacy/privacy-sandbox
[5] In 2011, the FTC and Google arranged a consent decree to address the corporation’s deceptive tactics and violation of its own privacy promises when it launched Google Buzz, a social network, in 2010. Regulators alleged that the deceptive tactics violated the FTC Act, and FTC Chairman Leibowitz stated that the settlement, which included no fines or changes in practices beyond accurately representing user privacy, “ensures that Google will honor its commitments to consumers and build strong privacy protections into all of its operations.” http://www.ftc.gov/news-events/press-releases/2011/03/ftc-charges-deceptive-privacy-practices-googles-rollout-its-buzz
[6] https://www.bbc.com/news/technology-55259602
[7] https://www.chromium.org/Home/chromium-privacy/privacy-sandbox
[8] 2007 Christmas tree price fixing scandal. Airlines http://news.bbc.co.uk/1/hi/business/6925397.stm Gow, David (18 April 2007). “Heineken and Grolsch fined for price-fixing”. The Guardian. London. Retrieved 1 August 2007 “OFT hands out £116m in fines for milk price fixing”. The Guardian. Retrieved 29 October 2016
[9] Pacific Bell Tel. Co. v. Linkline Communications, Inc., 555 U.S. 438, 450 (2009). See generally also U.S Dep’t of Justice & Federal Trade Comm’n, Horizontal Merger Guidelines (2010) § 1 (“When the Agencies investigate whether a merger may lead to a substantial lessening of non-price competition, they employ an approach analogous to that used to evaluate price competition.”).
[10] Allied Tube & Conduit Corp. v. Indian Head, Inc., 486 U.S. 492 (1988).
[11] Similarly, in Google/DoubleClick, the US Federal Trade Commission (“FTC”) acknowledged that mergers can ‘adversely affect non-price attributes of competition, such as consumer privacy’
[12] Paragraph 140, Texas et al v Google
[13] https://www.chromium.org/Home/chromium-privacy/privacy-sandbox