By Reuben Binns (Oxford University, UK ICO) and Elettra Bietti (Harvard Law School, Berkman-Klein Center for Internet and Society)
When firms with large amounts of personal data consolidate through mergers or acquisitions, we should be concerned about the potential threats arising from the newly combined data power they wield. A lot of attention has been paid to such cases where the personal data involved concerns individuals who are direct users or customers of the consolidating entities. But less attention has been paid to cases where the data involved is collected via third party trackers scattered across websites and apps – where the people involved have no direct relationship with the merging entities. Our paper focuses on this problem, addressing the role that antitrust authorities should (but have so far failed) to play, with regard to mergers and acquisitions in the third party tracking industry. The paper combines an empirical methodology with a critical inquiry into the existing antitrust precedents on these issues in the US and Europe to argue that a bolder approach is needed - one that engages in a pluralist analysis of economic and noneconomic concerns about concentrations of control over data.
Tracking consists of the range of data collection and processing practices aimed at collating information about the end-users of digital technologies through small bits of code called “cookies” and other tracking technologies that are included in websites and mobile apps. When Google collects information about individuals browsing even non-Google websites, or when Foursquare monitors individuals’ location via different mobile apps, they engage in so-called third party tracking. As they monitor users across websites and apps, and even different devices, third party trackers are able to combine and keep all of a user’s data into a single behavioral profile, which might include data about interests, demographics, content viewed, geolocation, and more.
Tracking can serve several different purposes. At its least intrusive, it provides basic measurements for the first party service, such as how an app or website is used, which pages are visited or when an error occurs. Other primary functionalities include payment provision, authentication or security. However, in many cases, tracking exists to support and enable behaviorally-targeted advertising. The third party advertising technology ecosystem is characterized by a series of complex arrangements between third parties, including ad brokers, ad networks and ad exchanges, each partaking in a different capacity via automated auctions whereby advertisers bid for ad space in real time. The ecosystem also includes ad network aggregators, such as Google Ad Manager (based on DoubleClick, acquired by Google in 2008), which allow first parties with advertising space to solicit bids for ads from multiple buyers in real-time.
Tracking is almost ubiquitous, and most first parties include code which allows their users to be tracked by multiple third parties. In many cases, third party tracking is carried out as an ancillary activity to the first party service but some entities, such as Google Ad Manager, are specialized and offer tracking and ad serving capabilities as a service. The following table lists the main trackers on web and mobile with their respective market shares.
Top 3 third party trackers on web and mobile
In spite of the significance of tracking on both web and mobile, antitrust authorities have for a long time been ignoring the existence of these activities in their decisions, even in merger reviews where it would have been natural for them to spot and scrutinize them. The reasons for antitrust agencies’ neglect in our view are at least two-fold.
First, they have tended to focus on first party aspects because they are more visible. In its decision assessing the Microsoft/LinkedIn merger, for example, the European Commission defined the relevant “data” as consisting of information about users’ job, career history, professional connections and search behavior on LinkedIn without considering whether LinkedIn’s database might contain information about these users’ browsing behavior outside LinkedIn, and even the browsing behaviour of people who don’t have LinkedIn accounts. As a result of this overall tendency to focus on first party activities, the upstream data processing activities of Microsoft and LinkedIn such as the collection and handling of data, the creation of profiles and use of data as part of internal sectors of activity are generally ignored. Two exceptions to this general trend are Google / DoubleClick where one of the parties, DoubleClick, had a business centered around third party tracking; and the German Bundeskartellamt Facebook Decision, which is not a merger case and remains narrowly confined in terms of approach and scope.
Second, antitrust authorities focus on data aspects that fall within mainstream antitrust analysis: monetized flows and visible advertising markets. This is because antitrust regulators define markets in terms of price substitutability of goods or services, and have difficulties accommodating sectors of activity that are not directly priced or monetized. Even where the merger of two databases seems a concern, antitrust authorities adopt a mainstream approach, asking questions that tend to be answered in the negative. Can the merger of the two databases strengthen the merging parties’ market power? Does it eliminate a competitor and thus a competitive constraint from the relevant (advertising) market? In Google / DoubleClick the European Commission also asked whether the variety of data being merged made a difference to the size of the resulting entity’s database and resulting market power. These questions have consistently been answered in the negative: the merger of two databases raises no competitive concerns because of the huge amount of data available and the competitiveness of data markets.
Our concern is that these arguments are too narrow and the framework of analysis too limited. Even if it were true that the merger of two databases raises no immediate competition concerns, it certainly might raise issues for consumers that are urgent to tackle. If tracker A knows the health websites you visit, and tracker B tracks the political news stories you’ve been reading, merging A and B could enable new opportunities for opaque targeted advertising (e.g. health misinformation as part of election campaigns). Antitrust authorities are well positioned to help address some of the harms that these mergers can bring to consumers. In the FTC’s case, they have the statutory powers to address data and privacy harms alongside competition harms as part of their consumer protection powers under section 5 of the FTC Act. In the case of the European Commission or other European authorities, these should be empowered to at least flag data-related questions to data protection regulators. Although there are positive signs of this beginning to happen, thanks to initiatives such as the Digital Clearinghouse, at present regulators are not generally making use of the tools available to them. Meanwhile, faith in neoclassical antitrust enforcement is starting to erode.
In the paper we distinguish a purist neoclassical view of antitrust law, according to which the privacy impacts of mergers are not within the scope of the antitrust analysis, from a pluralist view, according to which a plurality of values including privacy should inform antitrust analysis. The purist view, most prominently theorized by Robert Bork, sees competition as a self-regulating process, one governed by price theory and which requires minimal state interference. Recently, this view has come under attack for relying on an excessively narrow understanding of consumer welfare. The pluralist view, instead, has been gaining traction amongst a variety of stakeholders and academics, including New Brandeisians such as Tim Wu and other members of the so-called ‘hipster antitrust’ movement. Overall, their contention is that the antitrust toolbox needs to be extended to encompass more than just narrow understandings of welfare and include values such as inequality, power and privacy within the standard antitrust analysis. In our view, the incorporation of these values as part of the analysis of mergers could lead to real change, not least because data is not a mere commodity whose nature can be exhaustively understood by reference to market price.
We came to these conclusions in the paper through an empirical exercise. First, we analysed 10,000 websites and apps to uncover which third party trackers were present on them. Then we analysed the firms behind those trackers and their corporate ties to one another. We found that the most commonly found trackers on web and mobile included those owned by Alphabet / Google (e.g. Youtube, Firebase, Admob, and Google Ads (previously DoubleClick)), Facebook, Twitter, Verizon and Microsoft. Second, after excluding any third party trackers which were present on less than 5 websites or apps, we identified 42 mergers and acquisitions between the remaining firms. Finally, we checked these 42 transactions against the databases of 5 competition authorities: the US FTC, the EU Commission, and the UK, French and Italian national competition authorities. We found that only 21 transactions had been scrutinized by one or more of these five competition authorities. Only five of the 42 transactions were the subject of in-depth competition law investigations by one or more of these authorities: seven full-merits decisions in total. In only four of these seven decisions we found noteworthy analyses on questions surrounding data and market power. We singled out these four and also included Microsoft/Yahoo, an EU notification for a transaction that was not finalized for non-antitrust reasons.
In our analysis of these decisions, we found a progressive evolution of antitrust authorities’ approach toward greater concern for the effects of data concentrations, and yet an insufficient consideration – or in most cases a complete disregard – of third party tracking and their effects on consumers. Google/DoubleClick was an outlier, because DoubleClick’s activities were centered on third party tracking. In the US Google/DoubleClick case, FTC Commissioner Pamela Jones Harbour warned that “the merger create[d] a firm with vast knowledge of consumer preferences, subject to very little accountability.” (p. 10) She also presciently added:
Traditional competition analysis of Google’s acquisition of DoubleClick fails to capture the interests of all the relevant parties. Google and DoubleClick’s customers are web-based publishers and advertisers who will profit from better-targeted advertising. ... But this analysis does not reflect the values of the consumers whose data will be gathered and analyzed. (p. 10)
In all subsequent cases we considered, including Microsoft/Yahoo, Microsoft/LinkedIn and most recently Verizon/Yahoo decided in 2016, the analysis on data harms paradigmatically focuses on the market effects of the merger of two databases: whether the merger of two bases increased market power, whether it prevented some customers from accessing the data on the same terms, the kinds of contractual arrangements for data access in place before and after the merger, whether the removal of a separate database would have anticompetitive effects. Such conservative analyses resulted in consolidation of the third party tracking ecosystem with no positive privacy protections. The third party ecosystem remains well populated, with many small players and few very large trackers such as Google or Facebook. From the consumers’ standpoint, antitrust scrutiny has made no difference: whether or not there is competition amongst trackers, what is needed are more aggressive privacy guarantees. A welcome recent development in this sense has been the German antitrust authority’s ruling against Facebook, where combining data about users across from inside the platform with data gathered about them from the wider web, was prohibited.
Yet privacy and antitrust do not always go hand-in-hand. In some cases it seems that the more stringent the privacy standards, the harder it becomes for small players to compete on data markets. This should not however be taken as a chicken and egg problem. It is important to set privacy standards first, and then to consider how to enhance competition on digital markets. We cannot keep sacrificing user privacy for the sake of market efficiencies. Nor can we keep the privacy and antitrust analyses so separate as to create gaps and perpetuate unacceptable levels of opacity on third party tracking markets.
Overall, and notwithstanding the progressive evolution toward greater awareness of data concentration’s negative effects and also the changes in societal attitudes toward antitrust enforcement in the tech industry, we believe that data concentration should be made more visible and should be taken more seriously from the outset of antitrust merger analysis. Our present moment is one of opportunity; we are at a crossroad for holding technology platforms and data handlers accountable. Yet how to act and what to do is at present still unclear. The first step must be to analyze the current technological, legal and regulatory landscape identifying harms and opportunities for change. Merger control and the treatment of third party tracking is one such opportunity. Regulators should rethink the whole merger control apparatus in light of the harms that the merger of data monopolists, and of third party trackers, can cause to consumers and society.
 See Joel Purra and Niklas Carlsson, Third-Party Tracking on the Web: A Swedish Perspective IEEE 41st Conference on Local Computer Networks 28 (2016).
 See Reuben Binns et al., Third Party Tracking in the Mobile Ecosystem, in Proceedings of the 10th ACM Conference on Web Science 23 (May 2018).
University of Oxford
Harvard Law School