UK CMA and ICO cooperation on digital markets


The synergies between compliance with competition law and compliance with data protection are becoming increasingly apparent, especially as the UK Information Commissioner’s Office (ICO) and the Competition and Markets Authority (CMA) recently released their blueprint for working together in digital markets.

Why the need for cooperation?

Personal data has long been considered the oil that powers the digital economy, and it is this interface that led to the ICO-CMA joint statement. For the digital economy to function optimally, digital markets must be competitive and consumer and data protection rights must be respected so that people can exercise meaningful control over their data and how it is used. A more competitive digital economy will lead to greater protection of personal rights. This concept is at the heart of the collaboration between ICO and CMA.

How will the collaboration work in practice?

The ICO and the CMA have identified three main categories of synergies between competition and data protection goals and indicated that many regulatory interventions in digital markets can be designed to support both goals:

  • User choice and control – Sensible user choice and control is important for both strong data protection and effective competition. If users have a real choice about the service or product they prefer (including choosing and controlling their data, how it is processed and for what purpose) it will improve both privacy policies and effective competition.
  • Privacy standards and regulations – Well-designed data protection and privacy regulations can both promote effective competition and improve data protection. Competitive pressures can be used to drive innovations that protect and support users, such as the development of privacy-friendly technologies.
  • Data interventions to promote competition – Interventions to provide or restrict access to data can be an important tool in promoting competition in digital markets.

Two examples of the collaboration between the CMA and the ICO and the interface between data protection and competition are the CMA’s most recent investigation into Google’s privacy sandbox and the ICO’s investigations into real-time bids in the AdTech industry.


Earlier this year, the CMA opened an investigation into Google’s proposals to disable cookies and other third-party features in its Chrome browser (known as the “Privacy Sandbox” proposals) and complaints that Google’s proposed replacement technology would put online publishers at a disadvantage would and ultimately, consumers. To ensure that legitimate privacy concerns about the move are addressed (Google believes the replacement technology would protect consumer privacy more effectively), the CMA and ICO have to consider the proposals and evaluate the effectiveness of alternatives. closely collaborated third-party cookies.

Google has now offered legally binding commitments that will significantly involve both the CMA and the ICO in the future development of Google’s privacy sandbox proposals. This is a significant example of the partnership between the CMA and ICO and of the close connection between competition and data protection interests.


The ICO has conducted a series of audits that focus on the processing of personal data by data management platforms in the real-time bidding industry. The ICO will also review the role of data brokers in the system. In conducting its investigations, the ICO intends to maintain a positive dialogue with the CMA on any competitive issues that may arise.

What does this mean for companies?

Not much in everyday life. However, the chances are that if you as a company are identified for a breach of competition law, for example, you may find that if the CMA has special privacy concerns, the ICO will bring in what you are looking for An investigation of your behavior on the competitive front will also be an investigation of your privacy compliance. The collaboration is another reminder of the need for Boards to keep an eye on their regulatory compliance mandates everywhere.

The joint declaration is supported by a Memorandum of Understanding that defines how the CMA and the ICO will work together in practice in the future.