fbpx
Google FLoC

Google FLoC: A Third-Party Cookie Alternative

Published on June 10, 2021

Google recently began testing Federated Learning of Cohorts (FLoC) – an experimental tracking feature. Google FloC is the latest, privacy-preserving alternative put forward by the tech giant in place of third-party cookies.

To refresh your memory, Google announced that it will phase out third-party tracking cookies by 2022. Google joined the likes of Safari and Firefox in blocking third-party cookies on its Chrome web browser.

In March 2021, the tech giant announced that it is rolling out a developer trial of FLoC as part of the Privacy Sandbox initiative. Privacy Sandbox is a proposed set of web browser APIs designed to protect user privacy while delivering efficiency and value to advertisers. It aims to give advertisers the ability to deliver, target and measure campaigns without the use of third-party cookies in Chrome. One of the Sandbox proposals relevant for ad buyers is FLoC.

So what exactly is Google FLoC and how does it work? Here’s a primer.

What is Google FLoC?

Google has been looking at ways for advertisers to continue targeting users once third-party cookies are gone. So, it came up with FLoC — a method for browsers to enable interest-based advertising. In Google’s words, it enables “interest-based advertising on the web” without letting advertisers know the user’s identity. FLoC will create profiles on groups of users or “cohorts” that eliminates the need to track individual user activity.

Google has announced that it will start FLoC testing in Q2. The trial is currently deployed on a “small percentage” of Chrome users in Australia, Brazil, Canada, India, Indonesia, Japan, Mexico, New Zealand, the Philippines, and the U.S. If you take into account Google Chrome’s 2.65 billion users, even a small fraction of trial users could be a huge number. The trial is likely to continue till July 2021, and may eventually affect as many as 5% of Chrome users worldwide.

FLoC trial also affects websites. According to Google, “websites that don’t opt-out will be included in the FLoC calculation if Chrome detects that they load ads-related resources”. Some websites have opposed being automatically included in a technology trial without notice or consent. Publishers like The Markup and The Guardian have opted out of FLoC.

How can users opt-out of FLoC?

To find out if Google Chrome has silently activated FLoC on your account, head to the EFF’s FLoC tracking site. It will show you if Google has activated FLoC on your browser or not. If you are part of the FLoC trial and you wish to opt-out, you can disable third-party cookies through Google Chrome’s settings.

Website owners can opt-out of FLoC by sending a Permissions-Policy HTTP response header: Permissions-Policy: interest-cohort=(). 

Users can also install the DuckDuckGo Chrome extension.  It is a privacy-friendly extension with an enhanced tracker blocking feature that will block FLoC interactions on websites. 

Users who don’t want to change settings or download extensions can simply use a different browser including Chromium-based browsers like Microsoft Edge and Brave that have not enabled FLoC.

How does FLoC work?

Chrome browsers will use machine learning and algorithms (the federated learning part) and place users in interest-based cohorts with thousands of other “like-minded” people. According to the FLoC proposal on GitHub, the new tracker will look at the URLs of sites that the user visited and the content of those pages, among other factors. Each group or cohort will receive a label or a FLoC ID, which will capture information about users’ habits and interests. 

The cohorts will have nondescript anonymized names i.e. each user’s browsing history is kept private. Instead of publishers or advertisers being able to track users as they browse one website after another, a user’s browser history is held by FLoC and isn’t shared with anybody, not even Google.

Advertisers will have access to only the name of the user’s cohort through a Javascript API. This way, individual user data is kept locally in the browser, and the browser only exposes the cohort ID to the advertisers. Google has proposed that it will wait until there are “thousands” in a cohort to ensure that user identity is protected.

Image via we.dev/floc

Cohorts cannot be used for advertising if it has a history of visiting sites with sensitive topics at a high rate, such as personal hardships, identity and belief, sexual interest and access to opportunities.

Chrome will also update the cohorts over time. Users will get assigned to new cohorts every week, based on their browsing data from the previous week. Google’s preliminary analysis suggests that FLoC will give advertisers “at least 95% of the conversions per dollar spent when compared to cookie-based advertising.”

For a detailed understanding of how FLoC works, refer here.

Reactions to Google FLoC

Google FLoC proposals and the trials have been met with their fair share of heat from privacy advocates and the tech industry. Electronic Frontier Foundation (EFF) which analyzed Google’s published materials and Chromium’s source code on FLoC, heavily criticized the trial and the technology behind it. EEF also recently called FLoC “a terrible idea” and published a piece about the biggest concerns with FLoC

As per a report by The Verge, none of the major web browsers like Opera, Microsoft, Mozilla, and Apple has publicly agreed on the technology. Meanwhile, web browsers like DuckDuckGo, Brave, and Vivaldi have voiced against FLoC. DuckDuckGo questioned Google regarding some of its privacy concerns:

“While FLoC is purported to be more private because it is a group, combined with your IP address (which also gets automatically sent to websites) you can continue to be tracked easily as an individual”.

Brave said that they have disabled FLoC and voiced its displeasure with Google:

“It is disappointing to see Google, instead of taking the present opportunity to help design and build a user-first, privacy-first Web, proposing and immediately shipping in Chrome a set of smaller, ad-tech-conserving changes, which explicitly prioritize maintaining the structure of the Web advertising ecosystem as Google sees it”.

Vivaldi stated that their browser won’t support Google’s FLoC in strong terms, calling it “nasty” and that it “harms user privacy.” The browser maker noted: 

“Google will continue to build profiles, and track users, in the absence of third-party cookies and local storage. It presents FLoC as part of a set of so-called “privacy” technologies, but let’s remove the pretence here; FLoC is a privacy-invasive tracking technology.”

Tech giant Oracle lambasted Google about their lack of intent regarding privacy:

“Consumers will be dynamically and instantaneously assigned (by algorithm) to different FLoCs based on their profiles and ad content. And as consumers are placed in more and more FLoCs, they rapidly generate a list of FLoCs that uniquely describes…one individual. This is Google’s new Privacy Sandbox. Yes, it’s FLoCed up”.

FLoC also hasn’t gone down well with WordPress contributors who proposed to “treat FLoC like a security concern”. While the final word is not out, FLoC continues to be debated. 

Blocking FLoC appears to be garnering support from the core developer group as well as the general developer community.

Privacy concerns of FLoC

A major concern is that Google rolled out its trials without any clear disclosure of the same. Google Chrome users had no choice regarding the FLoC trial, they received no notification nor was their consent taken. As noted earlier, users have no option to specifically opt-out, other than blocking all third-party cookies to leave the trial.

This is also the reason why FLoC trials are not available in Europe, where the General Data Protection Regulation (GDPR) and ePrivacy Directive are in place. Simply put, FLoC is not GDPR compliant

Another key concern noted by many is whether FLoC is anonymous. Grouping users into cohorts may disguise individual users within a crowd, but that may not be enough to protect their privacy. Most privacy advocates argue that, by grouping users based on their browsing, Google can glean a deeper understanding of user data and still may be able to individually identify users.

Google claims that FLoCs will not share sensitive pieces of information with advertisers – such as a user’s medical history. However, what is defined as sensitive and what is not, Google decides. Further, as EFF pointed out, the algorithm can create cohorts that reflect sensitive characteristics such as visits to websites related to substance abuse, financial hardship etc that could enable advertisers to discriminate against users.

Google itself addressed some of the privacy concerns and prospective scenarios of abuse.  It noted that websites that collect personal data (such as email address) can record and reveal the user’s cohort. Also, as FloC is updated over time, multiple FLoC samples can reveal more information about a user’s browsing history. Similarly, if cohorts can be used for tracking, then multiple cohort samples of a user can be used to re-identify them.

TLDR on Google FLoC

  • FLoC is Google’s answer to third-party cookies and is based on machine learning
  • It is a privacy-focused solution that aims to deliver relevant ads by clustering a large group of users with similar interests
  • User accounts are anonymised, grouped into interests, and is processed locally i.e. on-device 
  • Advertisers won’t be able to determine which user they can target specifically but can direct relevant ads based on the interests of each group (cohort)
  • Google is running a developer origin trial of FLoC as of March 30, 2021, for chrome users in India, Australia, Canada, Japan, Brazil, Mexico, Philippines, New Zealand and the US
  • The FLoC trial is not rolled out in Europe, where regulations like the GDPR and ePrivacy Directive are in place
  • Browsers like DuckDuckGo, Brave, Vivaldi and Microsoft Edge have disabled FLoC on their browsers
  • Privacy advocates and industry experts have raised objections to the privacy implications of FLoC, including lack of voluntary opt-in for the trials

While Google FLoC intends to replace third-party cookies, it will not be an easy task to find a balance between the ever-growing demands for data privacy and the need for businesses to drive traffic via targeted advertising. But, the fact remains that cookies are here to stay and privacy laws like the GDPR, CCPA will strengthen privacy for internet users.

And that’s why businesses should streamline their efforts to protect user privacy with a cookie consent solution such as CookieYes.

With CookieYes, you can scan your website for cookies, add a fully customizable cookie consent banner and make it available in 28 languages. You can also access a record of users’ consents and their cookie preferences in a consent log to demonstrate your compliance. The free privacy policy generator allows you to create a Privacy Policy exclusively for your business, all in a few clicks.

Start a 14-day free trial

Trials start with all our features enabled. Cancel anytime. No credit card required.