The Competition and Markets Authority (“CMA”) has today (18 December 2019) given the tech sector an early Christmas present by publishing its interim report on its market study, commenced earlier this year, into online platforms and digital advertising. It will take until well after the last turkey sandwich has been eaten to grapple with all of the issues raised by the report, given the main document alone runs to almost 300 pages and is accompanied by 13 detailed appendices. However, some initial observations may be made already about the potential implications for a broader range of players than just the tech giants of Google and Facebook.
What is the CMA market study?
The CMA’s study is part of its wider strategy for digital markets and was launched in July 2019. Since then it has been gathering data from a wide range of sources. Under the framework of the Enterprise Act 2002 (“EA 02”) under which this study has been undertaken, the CMA has the powers to refer the market for an in-depth market investigation reference (“MIR”) at the end of this process where it (i) has reasonable grounds to suspect a feature of a market in the UK prevents, restricts or distorts competition and (ii) making such a reference appears to be an appropriate and proportionate response. Following completion of such in-depth process and where appropriate findings are made, the CMA has extensive powers under the EA 02 to make binding orders to address the concerns identified.
The CMA's provisional findings
In this case, the CMA’s provisional view is that there are reasonable grounds to suspect that there are features of markets – the open display advertising market, general search and search advertising markets and social media and display advertising markets – which distort competition. The concerns primarily relate to Facebook and Google and many of the proposed remedies relate to these companies which are described as platforms with Strategic Market Status.
Potential implications
However some of CMA’s proposals may have broader implications, either directly or perhaps indirectly. The CMA expressly recognises that many of the issues highlighted arise at the threshold between consumer, competition and data protection law and require engagement between the different regulators responsible for these areas. There is likely to be significant scope for influence between these particularly in light of the CMA’s comment that “cooperation is particularly important at the current time, when the interpretation and practical application of GDPR is still evolving.”
For example, the CMA is proposing a rule that all platforms should be required to give consumers an option to use their services without requiring in return the use of consumers’ data for personalised advertising. Arguably, this could worsen the web browsing experience of consumers if they are repeatedly shown inappropriate adverts and it could be detrimental to the sales of firms reliant on personalised advertising to generate business as well as potentially the website operators that sell the advertising space and intermediaries involved in the real time bidding of the same. The CMA is also proposing an ex ante obligation on platforms to design content and privacy policies in a way that facilitates consumer choice. This may necessitate a re-think by business owners about the functionality of their platforms without data tracking tools. In addition, updates may need to be made to privacy policies to set out the changes as to when personal data will be collected and how it will be used. Just-in-time cookie notices may also need to be updated to specifically provide consumers with the possibility of opting-in or out of the use of the cookies and similar technologies used to facilitate personalised advertising. These are proposed as remedies to improve transparency and give greater control over data. The CMA describes these as “significant changes” which would require “careful consideration.”
Next steps
The CMA does not, however, propose to make an MIR in order to take forwards these matters, despite the concerns it has identified and the powers it has at its disposal. Instead it proposes to make recommendations to government. It would therefore be left to government to decide whether to take forwards such proposals and on what timescales to do so. It will be interesting to see the extent to which the ICO might, as suggested above, be influenced by the CMA’s proposals in the interim.
Responses to the consultation on these areas, including the substantive concerns, remedies and the proposal not to make an MIR, are sought by 12 February 2020. The final report, taking account of responses to the consultation, is due in the summer of next year.
Further information
Please contact a member of the the Technology Law team if you would like to discuss these issues further.
Latest blogs & news
Top five takeaways from the Data (Use and Access) Act 2025
The Data (Use and Access) Act 2025 (the “DUAA”), which received Royal Assent on 19 June 2025, introduces targeted reforms to the UK data protection legal framework — particularly the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (“PECR”).
A game changer for data processors? The ICO issues a significant fine against a processor
The recent cyberattacks on major UK retailers have put cybersecurity back in the spotlight. But a more significant development for data protection practitioners has been flying under the radar: the Information Commissioner’s Office (ICO) has issued a notable fine directly against a data processor for breaching UK GDPR security obligations - an important shift in enforcement focus.
Key takeaways: What recent consumer law reforms mean for service providers
On 6 April 2025, the first wave of consumer protection provisions under the Digital Markets, Competition and Consumers Act 2024 (“DMCC Act”) came into force, marking the most significant overhaul of UK consumer protection law in over a decade.
Boosting cybersecurity: New Software Security Code of Practice for software vendors
In the wake of recent high-profile cyber-attacks on major retailers like Marks & Spencer and Co-op, the UK government has launched a new voluntary Code of Practice for software vendors at its flagship cyber security event, CyberUK 2025. This initiative sets a dynamic baseline for software security and resilience, aiming to help prevent such breaches in the future.
Ofcom’s new draft guidance for ‘a safer life online for women and girls’ as part of its OSA consultation process
The Office of Communications, commonly known as ‘Ofcom’ (the regulator for communication services) is calling on tech firms to make ‘the online world safer for women and girls’.
Reflections from an Exclusive Roundtable at The Ivy: Top 10 Takeaways on AI Regulation
Last week, I had the pleasure of hosting an insightful roundtable dinner at The Ivy in Covent Garden, London, bringing together thought leaders, industry experts, and business owners to discuss one of the most pressing topics of our time - AI regulation. Co-hosted by the brilliant Fred Becker, CAO of Unlikely AI, the conversation was rich with diverse perspectives, practical concerns and strategic insights.
EU Data Act: Are your SaaS contracts ready for September?
The EU Data Act is set to reshape the data landscape, and while its full impact will unfold over time, some key provisions are coming into effect this September that SaaS providers need to be aware of now. Specifically, we're talking about the rules around data switching, and how they'll likely require you to update your standard terms and existing customer agreements.
The UK-US Data Bridge: A Shift in Transatlantic Data Sharing
On 12 October 2023, the UK-US Data Bridge (the “Data Bridge”) came into force, transforming the way both nations handle the flow of information across their borders. In this blog we explore the position before and after the introduction of the Data Bridge, looking at the key implications, benefits and challenges associated with the transatlantic data-sharing initiative.
Is your online business caught by the Online Safety Act?
The Online Safety Bill recently received Royal Assent and became law in October this year (the “Act”), at which point the Office of Communications (“Ofcom”) was granted broad powers to regulate online service providers. Essential detail concerning the legislative framework within the Act will be disclosed in the course of consultation and stakeholder engagement concerning the secondary legislation, codes of practice and guidance which will underpin the Act.
SVB’s rescue is an unexpected credibility boost for the UK Science and Technology Framework
The rescue of SVB showed that the UK government not only acted decisively in relation to a critical sector for the UK economy, but in the process showed that its newest policy Framework can involve meaningful action as well as words
Software support helpdesk services – key contracting principles
In our recent blog, we explored why a Framework Agreement structure is typically the most appropriate customer contracting model for IT managed services providers (“MSPs”) and IT consultancies which offer a diverse product and service offering. Whilst our initial blog focussed on the purpose and terms of the Framework Agreement itself, that document is merely the starting point, given that a Work Order is also needed to document specific terms relating to each product or service offered by an MSP or IT consultancy. A typical service offering is a dedicated software support helpdesk, usually provided to support each of the software products offered by the MSP or IT consultancy to its customers. This blog considers a handful of the key issues to bear in mind when documenting the terms of a Work Order relating to the supply of a software support helpdesk service.
Framework Agreements: the customer contract model for technology service providers
Many businesses lack comprehensive in-house IT expertise and resources to fully implement and manage all of their IT infrastructure requirements. IT managed services providers (“MSPs”) and IT consultancies plug the gaps by typically offering a diverse range of IT services and products to lighten the burden on their customers’ in-house IT teams (or to even remove the need to have an in-house IT team).
Data: A New Direction - Unleashing the transformational power AI?
In this blog series, we will review the key proposals for reform of data protection law within the Government’s consultation paper ‘Data: A New Direction’. We will consider how far the Government will stray from the current path and signpost some potential pitfalls and practicalities for consideration along the way.
The new cookie conundrum
Potential reforms to UK data privacy laws will change the way that cookies work on websites - businesses need to prepare now.
Lifecycle of a tech startup series: Preparing to raise investment
In the last instalment we talked about the ways in which the founders of KNow Wear Limited could protect the intellectual property in their business. Since then, the business has been progressing well and our founders have been working on developing a prototype.
Lifecycle of a tech startup series: Intellectual Property
In our last instalment our founders, Sarah and Chris, considered the basics in establishing their tech startup and they incorporated a company under the registered name ‘KNow Wear Limited’.
How the tech sector can make the most of the UK’s new immigration rules
Many companies in the tech sector will be aware of the new immigration system and Skilled Worker category opening in a couple of weeks on 1 December. For those companies without a sponsor licence, they will need to apply for one in order to recruit both non-EU and EU citizens. EU citizens resident in the UK before 11pm on 31 December 2020 can apply to the EU Settlement Scheme.
Lifecycle of a tech startup series: The basics
Welcome back to the blog series covering the lifecycle of a tech startup, from a legal perspective.
Lifecycle of a tech startup series: Case study
Alex (tech), Andy (tech), Emer (investments) and I (investments) work alongside startups and founders day to day and thought it might to helpful to some of you out there to bring together our expertise on the legal issues that tend to arise and how we deal with them.
AI and Algorithmic Decision-Making in the Public Sector and Criminal Justice System
In recent years there has been lively discussion about artificial intelligence revolutionising the way we work and live our lives. In its policy paper on the AI Sector Deal, the UK government predicted that the development of AI technology could have the same dramatic impact on society as the invention of the printing press.
You may also be interested in:
We welcome views and opinions about the issues raised in this blog. Should you require specific advice in relation to personal circumstances, please use the form on the contact page.
You may also be interested in:
Blog
Data protection for your business after a no-deal Brexit
Blog
How to respond to a subject access request: a step by step guide for organisations
Emily Carter
Share insightLinkedIn X Facebook Email to a friend Print