Italy's competition and consumer watchdog said it was investigating how Google obtains user consent to link user activity across different services for advertising profiling, accusing the ad tech giant of “unfair commercial practices.”
At issue is how Google, with consent from European Union users, will link user activity across its apps and services, including Google Search, YouTube, Chrome and Maps, allowing the company to profile users for ad targeting, which is its main source of revenue.
In response to the Italian AGCM's investigation, a Google spokesperson told TechCrunch that the company “will analyze the details of this incident and work closely with the authorities.”
Since the beginning of March, Google has been subject to the EU's Digital Markets Act (DMA), a pre-competition regime that applies across the European Union, including Italy. The company is one of the designated Internet “gatekeepers” that own and operate a number of major platforms (so-called “core platform services”), including Meta, X, Amazon, ByteDance and Microsoft.
The EU-wide regulation is relevant to the Italian Google investigation, as the DMA requires these gatekeepers to obtain consent before processing users' personal data for advertising purposes or combining data collected across services – the AGCM's investigation appears to be focusing on the latter area.
“[T]”Google's request for consent to link to its services could amount to a misleading and aggressive business practice,” the AGCM said in a press release.
“Indeed, it appears to be accompanied by insufficient, incomplete and misleading information, which may affect people's choices about whether and to what extent they should give consent.”
It's interesting to see what the regulator does, as it's typically the European Commission that takes the lead on enforcement against these gatekeepers. But the EC's ongoing investigation into Google under the DMA, announced in March, doesn't focus on whether it has obtained consent to linking user data. The EC said the DMA investigation is about self-preferential use in Google Search and anti-steering in Google Play.
Italian authorities appear to be seizing the opportunity to address concerns that have not yet been addressed by the European Commission.
EU and inter-member state competition enforcement generally aims to avoid duplicative efforts, but in this case Italian regulators may be filling the gap.
A closer look at Google's consent flow
In a press release, the AGCM said it was concerned that Google doesn't provide users with the information they need to make a free and informed choice when asking for their consent. And even when Google does provide information, it said it is “insufficient and inaccurate.” Specifically, the AGCM suspects that Google has not been transparent about the “real-world consequences” for users if they consent to account linking.
Moreover, regulators suspect that Google has not been open about the whole picture. They are concerned about the level of information Google provides about “the types and number of Google services for which 'combinations' or 'cross-use' of personal data may occur, and the possibility of tailoring (and therefore limiting) consent to only some of the services.”
The DMA said consent to linking accounts for advertising purposes must comply with standards set out in another pan-EU law, the General Data Protection Regulation (GDPR), which stipulates that consent must be “freely given, specific, informed and unambiguous.”
The GDPR also sets out conditions on how online interfaces can request written consent, requiring such requests to be “presented in a form that is easy to understand and accessible, using clear and plain language and in a manner that clearly distinguishes it from other matters.”
While GDPR enforcement is typically driven by data protection authorities, the DMA's reference and adoption of the data protection authorities' consent standards has led to scrutiny of Google's consent flow by Italy's competition and consumer watchdog.
“Linked Google services” settings menu for Google account holders. Image credit: Screenshot by Natasha Lomas/TechCrunch
As well as being concerned about the information Google provides to users, the AGCM is also concerned about how Google asks users for consent, suggesting that the “technologies and methods” Google uses to ask for consent could also be problematic.
The agency suspects that Google's consent flow “may affect the freedom of choice of ordinary consumers,” so that users are “induced to make commercial decisions that they would not otherwise make by consenting to the combination and mutual use of their personal data across the services offered.” In other words, more simply, Google may be trying to manipulate people into agreeing to account linking.
Manipulative, so-called “dark pattern” design has been an unfortunate feature of online choice flows in all kinds of consumer services for many years, but increased regulation of digital platforms and services in the EU may finally see user-hostile tactics being challenged.
In addition to the DMA referencing GDPR standards on consent, allowing more enforcement authorities to scrutinise choice flows, the European Union’s Digital Services Act (DSA) completely bans the use of designs that use deception or other deceptive inducements to distort or undermine users’ ability to make free choices.
Last week, the EU confirmed its initial preliminary findings that X's (formerly Twitter) blue tick system was in breach of the DSA's rules on deceptive design when it said it suspected the system was an illegal dark pattern.