There’s more to life than cookies, but a triple chocolate cookie is a great place to start

The long-running debate on cookie withdrawal from Chrome is moving towards its peace conference after Google’s u-turns this past year.

As with all battles, the terms coming out of the peace conference are pivotal.

This important chapter will do much to set the terms of individual-level identifiers in data-rich systems.

Comment submissions are open until July 4th. Will it be independence day for the cookie? Or independence day for Google? That depends on the quality of the evidence submitted now.

What just happened?

On Tuesday April 22^nd, Google announced that it would shelve its plan to deprecate so-called third-party cookies as part of the Google Chrome Privacy Sandbox.

Then, on June 13^th, the UK Competition and Markets Authority published a proposal to release the Chrome Commitments on the basis that the cookie would be kept after all. (It remains to be seen whether the CMA will agree with the proposal.)

The result is significant, and not only for cookies, because it sets a clear precedent against withdrawing valuable data unless there is objective analysis of both privacy risks and consumer welfare impacts.

Here, that had been lacking, because neither Google’s asserted privacy improvements nor the consumer welfare impacts had been established on objective evidence.

What prompted the u-turn on cookies?

Dnes & Felver PLLC played an important role in helping to bring evidence to the debate. Please see our blog posts and press coverage summarizing key chapters:

• August 2023: Good cookies and bad cookies: What’s next for online match keys?
• July 2024: 3 Ways Forward for 3^rd Party Cookies.
• February 2025: Stephen Dnes was quoted as the last word on the cookie prompt debate by AdExchanger: The latest on Chrome’s Cookie Choice Prompt: It’s gonna be global.

The firm drew on its in-house expertise in the economics and market research so pivotal to antitrust cases to develop an ultimately winning strategy.

The essence of this strategy was to move the case towards a much sharper focus on what web consumers want. The inconvenient truth for the Sandbox proposals was that most consumers do not mind allowing advertising optimization for free content. Sensitive data is hardly ever engaged, and when it is, there are more tailored measures to improve signals on sensitivity, rather than curtailing non-sensitive data.

A simple example is incognito mode.

Better signals would address the approximately 20% of consumers concerned about rich data use, while not curtailing value for the 2/3 who are happy to for rich data use to fund content.

This proved to be an inescapable argument for the Sandbox. It was not possible to show why consumers benefited from the proposed global data diminution, rather than an improvement in risk-based signals and stronger private browsing modes.

The direction of travel changed markedly upon Dnes & Felver’s involvement. This inflection point was noticed by others. For instance, Alan Chapell’s Monopoly Report with Garrett McGrath of Magnite identified a sudden change in the CMA’s tone and lines of questioning from January 2024 (27 November 2024).

Something had changed in the Sandbox analysis: it was now based on consumer welfare, and the unanswerable question was why content funding should be harmed when most consumers are happy.

All of a sudden, the CMA stopped signing off on the Google reports.

Why no cookie prompt?

The CMA apparently demanded that Google retain at least a portion of data rich traffic for those users happy to accept personalisation.

However, no neutral prompt could ultimately be agreed; much less one that could apply on a global basis.

Further, many happy consumers ought not to be prompted at all: excessive pop ups undermine the user experience.

As survey evidence shows users happy with syncing of preferences across devices, if there were to be any personalisation prompt it would surely have to apply fairly, and not only to competing traffic.

So, any prompting regime removing data would have to apply to Google as well.

This created another unanswerable argument – this time, against prompting bias. This addressed the well-known issue with biased prompts common to the Sandbox and other data diminution initiatives, notably Apple ATT.

A simple visual comparison of owned-and-operated vs Sandbox prompts and demonstrated substantial anti-consumer prompting discrimination. The answer in Google’s latest quarterly report was remarkably weak: that the same data protection rules apply to all prompting systems – which is hardly the point.

The real question is why the prompts were different for Google and for others, whereas the Commitments required non-discrimination in feature diminution.

These very pointed observations from the CMA seemed to prompt a rethink by Google: would insisting on increased data integration in the open web necessarily be such a good idea? Might it accentuate arguments that competition is weak in the long tail? Could data diminution à la Sandbox even be an own goal that would primarily help Apple, and not Google?

So, it was not only the CMA that came to see the matter differently – the new strategy seemed to influence Google too. That helped to create a landing zone.

Ultimately, a precedent was set against the loss of rich data absent objective analysis of risk and consumer benefits:

• Shortly thereafter, the CMA’s analysis of benefits from Apple’s ATT in the Mobile Browsers case also became more sceptical.
• In March, the French competition authority fined Apple for bias in its ATT prompts.
• And this April, Google accepted that it would keep the third-party cookie after all.

On June 13^th, the CMA published an important report on the history of testing the Sandbox. The essential problem was that value continued to diminish. The so-called Privacy Enhancing Technologies (PETs) in the Sandbox simply were not up to the task of replacing the cookie. This contravened expectations from the 2019-20 CMA Market Study, which had expected the performance gap to close.

So ultimately, the position is driven by the fact that competitive content funding still needs access to decentralized data sources such as the ability to write information to local storage as with the third-party cookie.

It remains to be seen whether this is truly a “tombstone” to the case – but either way, it is a clear warning shot to any firm considering the impairment of a rich data system from which consumers derive value. This would be important for any future Apple ATT-like prompting system, or any possible restrictions to the Google Android MAID identifier.

Joshua Koran, an advertising technology expert, stated: “People’s privacy rights are important. Mere pretextual privacy improvement claims are not helpful to identifying nor implementing effective solutions to genuine privacy concerns. Recent clarifications from both the UK Information Commissioner’s Office and the European Commission have emphasized the importance of mitigating risks related to the context in which personal data is used, instead of where it is stored or processed—such as adopting appropriate deidentification measures.”

Senior Economic Counsel Antony Dnes has published a blog on the UK ICO’s cost-benefit analysis of proposed new Guidance on Storage and Access technologies.

The blog can be accessed here: https://datacuriosity.substack.com/p/data-storage-and-access-an-economic

On Feb. 3., 2025, Stephen Dnes was quoted by Allison Schiff in AdExchanger. The piece used Stephen’s perspective on what is next for cookie withdrawal as the conclusion to its report on the IAB Senior Leadership summit in Palm Springs, at which Google confirmed that the proposed cookie consent dialogue will be a “one time global prompt”.

The piece concluded:

But perhaps the more important question is not what the prompt could look like but rather how it will apply in light of Google’s commitments to the CMA, which require nondiscrimination, says Stephen Dnes, a founding partner at Dnes & Felver in the UK.

Consumers differ on whether they like or dislike personalization, he says. Surveys consistently show that roughly two-thirds of people are okay with trading personal data in exchange for a service, while around 20% of people are against it.

“The key to resolving the current debate about cookies and prompts is to surface those differing preferences,” Dnes says. “By enriching these signals, rather than truncating the data, the world can move on from the stale debate about cookies.”

https://www.adexchanger.com/data-privacy-roundup/the-latest-on-chromes-cookie-choice-prompt-its-gonna-be-global/

In January 2025, Stephen Dnes was appointed national reporter for the UK by the Competition Law Association, which is the UK chapter of the International League of Competition Law. The League goes by its French initials, LIDC, and provides a forum for competition law enforcers around the world to share expertise.

Every year, the League commissions national reporters to address a topical question in competition law. For 2025, the reports will address the topic of relative market power in competition law, reflecting significant developments relative to large technology companies.

Stephen will report on the relevant UK developments including the CMA’s recently opened cases against Apple and Google regarding online search, operating systems, and web browsers. The reports will be presented at a conference of enforcers in Vienna in October.

There is much discussion of the recent App Store litigation between Epic, Apple and Google. Apparently divergent results highlight issues with evidence of market power and the need to apply consistent quantitative analysis, rather than to focus solely on contractual restrictions. This note provides an economic commentary on these prominent cases, and provides recommendations for future cases in which contractual restrictions and network effects interact.

The Epic Litigation

In January, the US Supreme Court declined to hear appeals by both Apple and Epic Games (developers of Fortnite) from antitrust decisions of the District Court for the Northern District of California (Epic Games v. Apple Inc., 559 F. Supp. 3d 898 (N.D. Cal. 2021)) and the 9th Circuit Court of Appeals (Epic Games, Inc. v. Apple, Inc., 73 F.4th 785 (9th Cir. 2023)). This denial leaves Apple held to have broken California’s Unfair Competition Law in relation to blocking without excuse a producer’s right to steer business to its own product.  These were bench trials.

Apple had delisted Fortnite from its iOS App Store and denied Epic’s paying affiliates access to developer tools after Epic included a link directing its gamers to a payment mechanism outside of Apple’s iOS App Store. The link evaded a maximum 30% commission to Apple for sales of Fortnite and subsequent in-app purchases.  Epic sought to lower charges to 12%.  In the District Court, Apple claimed that its marketing and technical support justified the difference in fees and pointed to a wide definition of the market to bolster its defense that it was a competitive large firm, not a monopolist. As part of wider accusations of monopolizing behavior, Epic focused on iOS as a specialist market within smartphone operating systems and claimed that Apple’s iOS fees were unnecessarily high.

The District Court was unpersuaded by Epic’s general case in antitrust (dominance, tying and other claims) and declined to reinstate Fortnite onto the App Store outside Apple’s contract terms, taking the view that Epic had breached its contract and made its own trouble. Judge Rogers did temporarily restrain Apple from blocking Epic’s affiliates’ access to developer tools. More significantly, Judge Rogers ruled for Epic on one antitrust claim: that Apple placed harmful anti-steering provisions in its contracts. The District Court permanently enjoined Apple from blocking all iOS developers’ links to payment mechanisms.

Economic analysis

From an economic perspective, the District Court identified many uncertainties concerning market definitions and the impact of market segments like iOS on other operating systems and monetized platforms.  Apple successfully claimed it was a competitor in a wide market including many alternative apps available from competitors such as Google and operating systems including Android. Stating a narrow view of the market as a specialist area that Apple had monopolized, Epic then ran into difficulties because its games are functional across platforms:

“[N]ot all games” feature cross-platform functionality, and some platforms have taken steps to limit it. Epic Games, Inc. v. Apple Inc., 559 F. Supp. 3d 898 (N.D. Cal. 2021). But when it comes to the games that do offer such cross-platform functionality, app-transaction platforms (like the App Store and Epic Games Store) “are truly competing against one another.” Id. (Epic Games, Inc. v. Apple, Inc., 73 F.4th 785, 787 (9th Cir. 2023)) 

Uncertainties over market definition are particularly intrusive in deconstructing modern, network-creating operating systems and highlight the need for much more investigative economic analysis to quantify the nature of these new markets. The Epic cases did not produce significant quantitative analysis of firm-to-firm marginal impacts, which usually require modeling, estimates of demand elasticities, mark-ups on costs and other variables key to traditional regulatory analysis. Detailed contractual arrangements in the new electronic data and gaming industries, as practiced, are also critical in assessing competition. These are significant gaps in analysis, and future cases would benefit from more detail on these critical economic effects.

The 9th Circuit subsequently affirmed the District Court’s enjoining of Apple’s anti-steering provision concerning all iOS developers.  The Court of Appeals found no abuse of discretion in granting the permanent injunction and regarded the required protection of all developers as necessary to correct the harm from anti-steering. Thus, the courts required Apple to take Fortnite back at its standard fees with the proviso that Epic and any other iOS developer may add payment links to storefronts. The 9th Circuit stayed the lower court’s mandate pending Apple’s appeal to the US Supreme Court, and so the mandate becomes immediately effective now that the Supreme Court has denied certiorari.  Apple’s pricing policy embodied a form of anti-steering considered unacceptable if shown to harm providers and consumers following earlier reasoning in Ohio v. American Express Co. (138 S. Ct. 2274 (2018)).

Consumer welfare impacts

The economics of information and restrictive agreements can be usefully applied to Apple’s delisting of Fortnite and the retaliatory measures targeted at Epic’s affiliates. More information is generally better than less for gamers particularly when the result is lower prices. However, unanswered questions remain:

• Will Epic’s own payment link increase traffic for Fortnite, or just reduce revenue for Apple while increasing benefits for Epic? That is, was there an effect on total output, or just a movement of output?
• Moreover, was the removal part of a wider restriction of competition as Epic claimed, or simply a consequence of contract express terms, as accepted in the District Court?
• Apple claimed, but could it show, that apparently unfair contractual requirements digging into in-app payments can have efficiency purposes, such as incentivizing Apple to do the marketing and keep its Apps and platforms working efficiently?

It seems that it was more Epic’s failure to persuade than contrary proof from Apple that led to the District Court’s decision and the 9^th Circuit’s affirmation. Future cases could helpfully examine these and other arguments using detailed economic modeling.

Ancillary restraints

Consistent with an ancillary restraints doctrine, the District Court and Court of Appeals applied a rule-of-reason standard to review Apple and Epic’s disputed agreement, which could be seen as subordinated to a separate transaction (marketing) and as reasonably necessary to achieving that transaction’s pro-competitive purpose (driving consumer benefits). A rule-of-reason approach amounts to a benefit-cost analysis.  Epic Games v. Apple Inc., 493 F. Supp. 3d 817, 836 (N.D. Cal. 2020) summarizes the required analysis:

“First, plaintiff must show “diminished consumer choices and increased prices” as “the result of a less competitive market due to either artificial restrains or predatory or exclusionary conduct” by the defendant. Then, “if a plaintiff successfully establishes a prima facie case … by demonstrating anticompetitive effect, then the monopolist may offer a ‘procompetitive justification’ for its conduct.” For example, the monopolist may show “that its conduct is … a form of competition on the merits because it involves, for example, greater efficiency or enhanced consumer appeal.” Finally, if defendant offers a non-pretextual procompetitive justification, the burden shifts back to the plaintiff to rebut defendant’s claim or “demonstrate that the anticompetitive harm of the conduct outweighs the procompetitive benefit.” (Quoting U.S. v. Microsoft Corp., 253 F.3d 34 (D.C. Cir. 2001)).

Epic failed to carry its burden of proof on general claims that Apple has a monopoly on mobile gaming and acted as an illegal monopolist by requiring consumers to get apps through its App Store. Its claims of a narrow post-iOS market segment did not help, tending to direct the courts into a contractual analysis of Apple’s fees, given difficulties in resolving market definition. This was a highly strategic decision: Epic gained the prospect of a narrower market in which market power is easier to prove, but the price of this was that wider evidence of market power is harder to use, as it arises chiefly in the wider market whose analysis is thereby truncated. It may prove fruitful for future litigants to move the needle towards the market power analysis.

Nor did Epic convince the courts of the existence of substantially less restrictive alternatives to Apple’s system. Epic prevailed over anti-steering express terms in the standard contract with Apple because there it could show practices giving plausible financial losses. California’s courts will associate such losses with loss of consumer welfare – although it might be noted that there is no necessary or direct link between rival financial loss and harm to consumer welfare. Epic could, as it claimed, lower prices for gamers by working around Apple’s systems. This shows another key strategic aspect of app store litigation: the argument that there is lost competition helps the plaintiff, but it can also be interpreted as the possibility of switching to what remains of that lost competition. The key to this puzzle is to ensure that the quantitative evidence is strong such that even a partial impairment raises concerns – or, alternatively, to show that such effects are absent, however restrictive the clauses may seem.

As in the Epic case, applying rule-of-reason legal analysis often leads to a qualitative benefit-cost analysis – and not a quantitative one. This has significant implications for litigation, not least, that benchmarking can be expanded; ideally, on a quantitative basis. Epic’s failure to persuade the courts, other than over the issue of steering, seemed not to weigh costs and benefits comparing the status quo with feasible alternatives.  The courts traditionally resort to broad assessments although they are clearly aware of the economic arguments at stake in antitrust cases. These could be significantly expanded to allow a richer analysis of the wider costs and benefits of competitive restrictions with a sharper focus on consumer welfare impacts. Again, this observation highlights the need for much more economic analysis to quantify the impacts and welfare effects of these new markets.

What’s the difference between a Google and an Apple?

For those inclined to look for logic, consistency and comparability in the law, Epic’s litigation foray has been a salutary experience.  In 2023, Epic prevailed in a very similar antitrust case against Google (In re Google Play Store Antitrust Litig., 21-md-02981-JD (N.D. Cal. Mar. 28, 2023)). This jury trial covered similar tying, pricing and exclusionary practice issues as the bench trial with Apple.  With Apple, Epic prevailed on just one issue concerning steering. With Google, Epic prevailed on all its allegations of anticompetitive behavior based on market dominance and restrictive practices. 

It is hard to find significant differences between the two cases and, while interesting, attempts to do so seem more like rationalization than statements of antitrust principle (https://www.theverge.com/23994174/epic-google-trial-jury-verdict-monopoly-google-play). That is, for all the attention on Google’s particular actions, it is not clear what exactly the difference in market power would be to justify the differential treatment.

Certainly, Google’s apps are used across many operating systems, which might make it more susceptible to antitrust enforcement than Apple’s more sealed iOS. It is also significant that Google’s was a jury trial; Apple’s was bench.  Google appears to have run sweetheart deals with some users and to have deleted documents needed at trial. But at the end of the day, both Apple and Google have been found to have restricted competition to some extent.  The cases more than anything illustrate the difficulties in unraveling contractual links in the new information industries and a need for much more research, especially on the relationship between contractual restrictions and market power. There is a particular premium on explaining these effects in a jury-friendly way, where relevant.

What’s next for app store analysis?

Finally, this type of case concerning two-sided markets (here, gamers and game developers) is increasingly important as cases spring up in many antitrust tribunals including those in the EU, UK and Australia. In the case of Apple, it will be particularly interesting to see the position taken on the contractual restrictions following the UK CMA’s victory at the Court of Appeal, such that the Mobile Ecosystems case will return. The same issues will also arise as the EU Digital Markets Act takes root.

In all these, and other cases, the relationship between market power and contractual restrictions will be paramount. Litigants will benefit from ensuring that case strategy incorporates economic evidence from the very beginning.

Photo by Christiano Betta 

As Parliament returns from its festive break, many competition law eyes will be on the Digital Markets, Competition and Consumers (DMCC) Bill – at the moment “Just a Bill” but probably not so for much longer…

The DMCC: “Just a Bill”… but for how much longer?

There are many rich questions as the Bill heads over to the Lords for critical scrutiny. This is the major audience for due process concerns, and the place where technocracy often meets accountability. Critical questions are up for debate including how to frame the relevant evidence rules, the extent to which existing rules should change given developments in online business, and how best to ensure high quality regulation over time. Essentially, the forward-looking question is all about the evidence requirements for future interventions.

As the UK Competition and Markets Authority has become increasingly active in global business in recent years, the law will be relevant well beyond the UK. For example, recent Commitments with Google apply on a worldwide basis. There is also clear global impact from recent merger reviews such as Facebook/Giphy, Microsoft/Activision and Adobe/Figma – not to mention the new investigations into OpenAI, and cloud computing.

Dnes & Felver provided an expert report on the relevant issues to the Legatum Institute, a leading London-based think tank seeking to promote prosperity in the UK.

Stephen Dnes’ co-author, Fred de Fossard, recently commented on Politics Home:

“The last decade has seen the world’s leading antitrust regulators, the CMA, the European Commission, and the Federal Trade Commission in the USA, take a much more interventionist approach to digital markets … even if businesses with large market shares continue to innovate and provide their users and customers with new and improved services, today’s regulators may decide to prosecute them for occupying too great a position in the market… 

This has caused great discord in the digital economy, where entrepreneurs often build businesses with the intention of selling them to a large acquirer, who can take the company and its products to a bigger audience. After all, not all founders are born managers of global companies: their skills often lie in establishing new businesses and new ideas.”

The core point is essential for growth: if large and small businesses sometimes complement each other, then the law must have a mechanism for answering a very difficult question:

When is big bad, and when is big beautiful?

The same theme was noted by Diginomica journalist Chris Middleton, who commented:

“To see ‘digital markets’ as something separate and distinct in 2023 seems almost quaint – a Web 1.0 perspective, three decades too late. What about AI, decentralized services, complex supply chains, cloud, and mobility? Will some Bill address those in 2053?

“While well intentioned, I would argue that the Bill is both 25 years too late and fundamentally misconceived. To see a handful of Big Tech titans as being of ‘strategic market importance’ (SMS), based largely on their size, ignores an obvious problem. Namely, that it is often smaller players, such as OpenAI and Spotify, which are really shaping what the future looks like”

The recommendations in the expert report correspond closely to several of the amendments introduced before Parliament. This complements earlier work with the Institute, which is now reflected in the strategic steer to the UK CMA.

Getting involved

How exactly the law sifts worthy from unworthy cases for intervention may well be the critical competition policy question of the year. For the UK, it will be a once-in-a-generation reform. Moreover, how the DMCC approaches this will have ramifications well beyond the UK – so this is not so much one to watch as one to get involved with.

The Report is available online.

Does it matter where data is processed? Should it? There are some interesting developments taking this question well beyond the familiar questions about data flows between jurisdictions.

What about data use on devices, on servers, and between them? There is a lesser-spotted trend for vertically integrated firms to encourage greater use of (1) on-device processing and (2) to limit the scope for interoperation between data on devices and on servers. These are significant competitive restrictions: they limit competition with no corresponding consumer benefit. They also harm rivals who use the server deployments set to be limited – rivals who may be highly innovative.

Two significant developments threaten the ability to use a range of competing servers:

Server restrictions in the Google Privacy Sandbox

Google’s Privacy Sandbox initiative currently proposes that only Google Cloud or Amazon Web Services (AWS) will be allowed to provide remote processing for the proposed Attribution Reporting API. This amounts to a ban on on-premises server use, that is, using your own server.

This is astonishing. It is like saying that you can lease any car, provided that it is a Ford or a Toyota. What if you would like to own a competing model – say, a VW?

There is simply no ability to do so while using the API as proposed, because it can only be used on a leased basis on the cloud.

This also bakes in the current generation of technology from the largest providers. So much for that innovative electric car you were thinking of trying out… A competing hosting provider simply isn’t allowed to interoperate with the API.

The proposal is all the more remarkable because approximately two thirds of existing deployments are on-premises:

So, the proposal is essentially to force a technological tie between data hosting and advertising systems.

This is all the more concerning because on-premise deployment is considered safer, on average, than cloud. KBV goes on to note:

“many benefits … come with on-premise deployment, including a high level of data protection and safety. Because on-premise deployment models have higher data security and fewer data breaches than cloud-based deployment models, industries prefer them, which fuels industry demand for on-premise deployment models.”

So there is no good reason to exclude the competing alternatives. This is especially so at a time when cloud computing restrictions are under review based on concerns about difficulties in switching.

If you currently use on-premise servers – or, indeed, anything other than Google Cloud or AWS – now would be a very good time to register a concern with the UK Competition and Markets Authority, which is reviewing Google’s proposals.

There is a quarterly reporting cycle with ample scope for concerns to be heard – the sooner the better, so as to influence the current reporting cycle.

Draft EDPB Guidance on Technical Scope

The same theme emerges from some important draft Guidance from the European Data Protection Board (EDPB). This revisits the much-maligned cookie consent box, which derives from Art. 5(3) of the ePrivacy Directive.

The draft Guidelines 2/2023 on Technical Scope of Art.5(3) of the ePrivacy Directive do not trip off the tongue, but their content is highly significant for competing data handlers. The draft extends the cookies analysis to other technologies including pixels and tracking links.

Significantly, there is a partial carve out for on-device storage. This risks a tilt towards those controlling devices, unless the rules are technologically neutral. The proposal is to capture movement into and out of local storage:

“The use of such information by an application would not be subject to Article 5(3) ePD as long as the information does not leave the device, but when this information or any derivation of this information is accessed through the communication network, Article 5(3) ePD may apply.”

That is very helpful to those able to execute local processing – but a tremendous hurdle for those who rely on server-side processing.

As server and on-device processing are indistinguishable from the consumer perspective, the technologically and competitively neutral rule would be to intervene on the basis of a reasonable evidence-based level of consumer protection – with the same rule, whether on-device or on the cloud, or moving between them. That would suggest that consent is not generally required to move data from the device to servers, as consumers are not harmed by this action.

IP addresses are highlighted as potentially requiring consent, without any carve out for innocuous use, such as audience definition. For example, an IP address with coarse location might contain no personal data at all, as where a business address is indicated. But the Guidance seems not to cater to that scenario.

There is also specific comment on the use of identifiers. The draft takes a highly precautionary stance: identifiers are seen often to link to identity – but is this so? Trillions of identifiers are used for innocuous audience matching purposes without any such link. If so, the guidance is over-broad and imposes a consent requirement beyond what is needed for a reasonable level of evidence-based consumer protection.

So, those with interests in the use of data for everyday, harmless but helpful audience optimization may wish to speak up. Comments can be submitted until January 18^th.

An expert article co-authored by Partner Stephen Dnes has appeared in the Competition Law Journal: “If the Competition and Markets Authority were an emoji: merger clearance lessons from Meta/Giphy.”

The article reviews the decision by the UK CMA to block Facebook / Giphy, the decision by by-then Meta to challenge this in the Competition Appeal Tribunal, and the implications of the CAT judgment in the context of developing merger clearance doctrines.

The article is relevant to those looking at the thorny questions surrounding international merger clearance work in technology markets, especially following Microsoft/Activision, Adobe/Figma and the merger-based intervention into OpenAI.

It is a particular pleasure that the article was co-authored with a graduate of Stephen’s competition law class, Joseph Day.

The article is available via Edward Elgar journals.

In September 2023, Stephen Dnes was appointed as a Fellow of the Dynamic Competition Initiative co-hosted by UC Berkeley and the European University Institute of Florence, Italy.

Details can be found here: https://www.dynamiccompetition.com/

Is targeted advertising creepier than Sleepy Hollow on Halloween? It depends on what data is used to deliver the advert. Few will mind an advert that uses anonymous data from internet activity, especially if it relates to something innocuous – say, a holiday or a sweater. It is quite different when the data used for such advertising relates to a specific individual’s sensitive information such as their health conditions. While it might be possible to cross-correlate on likely health conditions – and there might even be instances where this is useful – there is a strong argument that using sensitive data should only be undertaken subject to consent.

Addressing specific concerns

As with so much targeted advertising regulation, the issue then becomes: how to avoid banning everything, just to prevent a specific abuse. On this, the New York legislature has adopted an interesting new law by passing fiscal bill A.3007C/S.4007.

The new law bans a specific use: adverts cannot be delivered using an individual’s health-care related geolocation data. Significantly, that means that decisions to deliver ads not based on an individual’s health-related geolocation are not affected. For example, New Yorkers should not expect to interact with an ad-free internet as soon as they step into a pharmacy. Moreover, a responsible advertising system can still strip out the sensitive use, without losing other, innocuous but valuable insights. It just becomes illegal to use the data raising concerns for ad delivery and building profiles of individual consumers from this data. Most significantly of all, the law provides clarity around a specific boundary of acceptable use. There are none of the fuzzy boundaries seen elsewhere, most notably in the EU GDPR and its vague and cross-cutting definitions.

In this, the law is actually a microcosm of a wider pattern of different approaches to regulation. Historically, common law jurisdictions – such as most jurisdictions within the US and UK — take the position that all commercial activity is permitted unless banned, as in the ban on specific uses of an individual’s geolocation in the new New York law. By contrast, the EU GDPR reflects a continental European tradition in which regulators are empowered to promote the greater good – as they see it – subject only to light touch legal review for clear cases of error. The New York law seems much preferable because it provides clear boundaries, rather than empowering a technocratic elite on a discretionary basis.

What does this mean for any future federal privacy law?

If there is ever a US federal privacy law, it will be important to see whether it tracks to this common law tradition that offers more practical clearcut guidance on businesses’ acceptable and unacceptable uses of data. FTC privacy enforcement to date has developed from particular cases, which helps to provide a degree of clarity as to the boundaries of use. Some proposals for reform, notably the Klobuchar Bill, have included requirements to define and focus on high-risk use cases. Keeping the approach targeted on particular use cases, and on specifically defined harms, helps to avoid vagueness.

Responsible safeguards are also assisted by prior definition of the issues they are required to address. A specific law allows vendors to develop specific safeguards, and then to use the other, responsibly held data. Here the important dismissal of the FTC’s attempt to go after geolocation data on a scattergun basis in Kochava looms large. There, an Idaho data vendor had used reasonable safeguards to address concerns about geolocation data (e.g., such as filtering all known high risk locations from its data set) – and a federal judge could see grave issues in the FTC pursuing the business despite the reasonable safeguards used.

Back to the Future with Roberson v Rochester

Lawyers with a long memory may remember the classic 1902 case, still often taught in law schools, Roberson v Rochester Folding Box Co. There, the New York Court of Appeals found no right to control the use of Roberson’s image in an advertising campaign — prompting swift legal reform providing exactly this right, but on a specific and targeted basis. 121 years on, New York finds itself once again setting out a stall for a common law approach, in which specific and targeted action is favored over broad bureaucratic empowerments, and other, non-harmful business practices are left undisturbed.

Early personally Identifiable Information: 17-year-old Abigail Roberson on a Franklin Mills Flour advertisement

The Roberson case will also be of interest to those in Europe who question whether the GDPR approach is the right one; not least, in the UK which is currently considering clarifying some of the ambiguity within the GDPR in the Data Protection Bill (No.2). There, it might be time to define the boundaries of acceptable use, providing clarity over relevant harms, so as to address them while leaving other uses — and the value they generate — available. Looking to the New York distinctions for pragmatic guidance, the law prohibits the association of one type of sensitive data (health care) to specific individuals to build profiles or use such data when delivering advertising.

Lessons for the AI era

So, 121 years on from Roberson the same fundamental question arises: what is reasonable in context? What is the list of reasonable concerns, such that they can be addressed? This will be the key architectural question as data laws are updated for the AI era. Seen in this way the 121 years of experience in New York is historic in the best possible sense.