This working paper, which can be found here , draws attention to one particularly complicated kind of digital data intensive industry: third party tracking, in which a firm does not (only or primarily) collect and process personal data of its own customers or users, but focuses instead on collecting data of users of other ‘first party’ services. The authors focus on mergers and acquisitions of third-party tracking firms because they raise some unique challenges which are often missed in regulatory decisions and academic discussions of data and market concentration.
The paper is structured as follows:
Section 1 contains a brief overview of the technical elements of third party tracking and of the business practices associated with it. This description is somewhat long because it provides a good overview of these business practices; you may want to skip it if you are familiar with them.
‘Tracking’ refers to a range of data collection and processing practices which aim to collate the behaviours and attributes of end-users of digital technologies. The term is commonly used to refer to technology which is embedded by a third party on multiple first party websites or mobile applications. Typically, when a user installs the app, or views the website, the third party code collects data from the session and associates it with a (usually unique) identifier, which is then sent to a remote server controlled by a third party. Since the same third party code is typically embedded on multiple different websites or apps, a single user’s behaviour on multiple different apps / websites can be combined into a single behavioural profile, which might include session duration, content they viewed, or their geolocation data.
The third party advertising technology ecosystem has evolved to encompass ever more complex arrangements between multiple third parties. For instance, a user’s behavioural profile might comprise data collected by multiple third party trackers, and some third party trackers specialise in matching online users to their offline profiles held by data brokers. Recent studies of third party tracking on the web and mobile apps show that tracking is almost ubiquitous, and most that first parties include code in their websites which allows their users to be tracked by multiple third parties.
Third party tracking serves many different purposes. In some cases, it provides basic measurements for the first party, such as how an app or website is used, which pages are visited or when an error occurs. ‘Audience measurement’ and analytics’ services match website visitors to external information regarding their demographics and interests, and provide it back to the first party. Others trackers provide functionalities such as payment provision, authentication or security, and track users across services for these purposes. Where the purpose is targeted advertising by marketers, behaviours that a user engages in on one website or app could feed into a profile which may lead to targeted advertisements being delivered on another website or app.
In many cases, third party trackers do not provide monetary benefits to first parties, but instead provide some useful free service – such as analytics, proprietary fonts, or social media sharing buttons – as a means to collect user data for some other commercial purpose. The complexity and (often) lack of direct monetization of third party tracking activities has made them a much neglected aspect of digital markets for competition authorities. Overall, competition authorities have focused on directly monetisable sectors of activity. This has led them to gravitate towards areas where data is sold for profit such as data analytics services and the sale of advertising space, and to neglect third party tracking activities.
Section 2 presents an analysis of third party tracker activity on 5,000 of the most popular websites and mobile applications.
Third party trackers have commercial advantages over first parties; not only do they create efficiencies of scale by developing and maintaining tracking software, they can also aggregate data from multiple first party services to produce richer profiles of individuals. These aspects of third party tracker power have been discussed in terms of prevalence – defined as the number of first parties on which a third party tracker is present – and prominence – where such prevalence is weighted by the number of first parties’ users.
Recent large-scale empirical studies have investigated the prevalence and prominence of third party trackers on websites and apps. A small number of companies dominate across both the web and mobile; these include technologies that are owned by Google or Google subsidiaries (in turn owned by Alphabet), Facebook, Twitter, Adobe, and others. The third party tracker with the highest prevalence among first-party services, across both web and mobile, is the analytics service Google Analytics. In second place is DoubleClick, a behavioural advertising network. Google bought DoubleClick in 2008, and, in combination with other trackers under the Google family, it now has a combined prevalence of over 70% of websites and over 80% of all mobile applications.
Consolidation between third party trackers has the potential to result in the merging of personal data from multiple sources into a single profile. While not every corporate merger will necessarily result in data-merging, it seems likely that this will be the norm. Even in cases where acquiring firms promise to maintain separation between data sources, such promises may be broken or circumvented, as in the case of Facebook / WhatsApp. On this basis, the authors examine the extent to which consolidations raise the prevalence and prominence of a given firm, and provide a table with the largest such transactions.
Section 3 highlights why it is important to consider the specific kinds and sources of first party data that each of the third parties involved in a merger has access to, for both competitive market and privacy reasons.
The combination of different data sources as a result of a merger between two third party trackers could have important effects on both the economic position of the parties and on consumer privacy. First, the specific combinations of data sources that a third party tracker has access to might significantly determine their commercial opportunities, i.e. their position and power on the market(s) that they are active in, their ability to access neighbouring markets, or the kinds of services they can provide and the value of their data post-transaction. Second, combinations of first party data are also important from a privacy perspective, because if the acquisition results in user data from two different services being merged into a single user profile, new privacy risks may arise.
Section 4 analyses the practice of the European Commission and the US Federal Trade Commission as regards mergers in the third party tracking sector.
The authors note three things. Firstly, that competition authorities only reviewed a proportion of mergers that the authors consider significant. Of the 42 mergers identified in section 2, only 21 were subject to merger control. Secondly, that amongst the transactions that have in fact been scrutinised from a competition law perspective, only a small proportion were examined in depth. Most mergers were approved following a simplified procedure, with only five of the 42 transactions being subject to in-depth competition law investigations. Third, after an analysis of this latter subset of decisions – comprising Microsoft/Yahoo, Google/DoubleClick, Microsoft/Linkedin, and Verizon/Yahoo – the authors found that competition authorities’ approach largely disregards privacy impacts and focused largely on first party aspects. Competition authorities therefore ignored a number of substantial third party tracking issues that arise.
Section 5 presents two competing paradigmatic views of the role and scope of competition / antitrust law enforcement, and describes how each values data.
These two views comprise a purist neoclassical view, according to which the privacy impacts of mergers are not within the scope of the antitrust analysis, and a pluralist view, according to which a plurality of values including privacy inform antitrust analysis. Under the purist view, competition law’s goal is to ensure the efficiency of markets and the maximisation of a narrow understanding of welfare. The pluralist approach sees competition law as merely one tool in a larger toolbox which enables the promotion of a variety of economic values and societal goods, and which goes hand-in-hand with data protection and privacy law. The authors support this second approach: ‘Competition law cannot exclude the human and social impacts of data mergers from its scope of analysis. We must thus start thinking across and beyond competition and data protection’s disciplinary boundaries, looking for solutions to the dynamically evolving digital sector.’
Data can be valued in different ways. A first approach looks allows for proprietary or economic interests over data as an asset, including intellectual property rights or rights to use the data as part of an economic activity. A second approach focuses on personal human interests in data or data-flows related to the shaping of one’s own person and personal image in the eyes of others. When it comes to the assessment of mergers in the third party tracking industry, it seems that considering these two dimensions of data would complicate the task of competition authorities. While acknowledging this, the authors nonetheless argue that it would be wrong for competition authorities to consider data as a pure economic asset and to subsume data matters within routine competition law analysis. This is because the value attached to digital goods is highly contextual and subject to variations that are not explainable in mainstream economic terms. At the same time, adopting a pluralist perspective on the role of competition law enforcement would allow competition authorities to construe questions of “market effect” or “market power” broadly enough to encompass the analysis of direct and indirect harms resulting from the creation of large concentrations of power and control over data.
Section 6 reflects on some of the unique challenges raised by consolidation in third party tracking markets for regulators.
The authors argue that the way these challenges will be addressed depends on evolving institutional views about the relationship between competition and data protection, and argue in favour of a collaborative dialogue between competition and data protection authorities.
This is an ambitious paper – so much so that, in effect, it strikes me that the piece comprises two different papers. A first paper provides an interesting overview of a specific area of the digital economy and of how competition agencies have deal with efforts to merger in that area, and I found it very interesting. The second paper goes into a discussion of welfare and the role that privacy considerations should play in competition assessments. Followers of my reviews may be aware of my reservations regarding conflating data protection and competition. While I acknowledge that the concept of welfare adopted in traditional competition analysis could be said to be both simplistic and politically charged, I would nonetheless have liked the authors to devote more attention to the substantive and institutional challenges their position raises.