Google Will Use ‘FLoC’ for Ad Targeting Once 3rd-Party Cookies Are Dead

Signaling a major shift to its ads-driven business model, Google
on Wednesday unequivocally stated it would not build alternate
identifiers or tools to track users across multiple websites once
it begins phasing out third-party tracking cookies from its Chrome
browser by early 2022.

“Instead, our web products will be powered by privacy-preserving
APIs which prevent individual tracking while still delivering
results for advertisers and publishers,” said^[1]
David Temkin, Google’s director of product management for ads
privacy and trust.

“Advances in aggregation, anonymization, on-device processing
and other privacy-preserving technologies offer a clear path to
replacing individual identifiers.”

The changes, which could potentially reshape the advertising
landscape, are expected only to cover websites visited via Chrome
and do not extend to mobile apps.

At the same time, Google acknowledged that other companies might
find alternative ways to track individual users. “We realize this
means other providers may offer a level of user identity for ad
tracking across the web that we will not,” Temkin said. “We don’t
believe these solutions will meet rising consumer expectations for
privacy, nor will they stand up to rapidly evolving regulatory
restrictions.”

Over the years, third-party cookies have become the mainstay
driving digital ad business, but mounting concerns about data
privacy infringement have led major browser vendors such as Apple,
Mozilla, Brave, and Microsoft to introduce countermeasures to pull
the plug on invasive tracking technology, in turn forcing Google to
respond with similar privacy-first solutions or risk losing
customer trust.

FLoC and FLEDGE for Privacy-Preserving Ad Targeting

For its part, the search giant — in an attempt to balance its
twin roles as a web browser developer and owner of the world’s
largest advertising platform — early last year announced plans to
eliminate third-party cookies in Chrome in favor of a new framework^[2]
called the “Privacy Sandbox^[3],” which aims to protect
anonymity while still delivering targeted ads without resorting to
more opaque techniques like fingerprinting.

To that effect, Google has proposed^[4]
a continually evolving collection of bird-themed ad targeting and
measurement methods aimed at supplanting third-party cookies, chief
among them being Federated Learning of Cohorts (FLoC^[5]) and TURTLEDOVE^[6], which it hopes will
emerge the standards for serving ads on the web.

Leveraging a technique called on-device machine learning, FLoC
essentially aims to classify online users into groups based on
similar browsing behaviors, with each user’s browser sharing what’s
called a “cohort ID” to websites and marketers, who can then target
users with ads based on the groups they belong to.

In other words, the data gathered locally from the browser is
never shared and never leaves the device. By using this
interest-based advertising approach, the idea is to hide users “in
the crowd,” thereby keeping a person’s browsing history private and
offering protections from individualized tracking and
profiling.

TURTLEDOVE (and its extension called “FLEDGE^[7]“), on the other hand,
suggests a new method for advertisers and ad tech companies to
target an ad to an audience they had previously built without
revealing other information about a users’ browsing habits or ad
interests.

Google is set to test FLoC-based cohorts publicly later this
month, starting with Chrome 89, before extending the trials with
advertisers in Google Ads in the second quarter.

Concerns About Control, Privacy, and Trust

While these privacy-preserving plans mean less personal data is
sent to third-parties, questions are being raised about how users
will be grouped together and what guardrails are being put in place
to avoid unlawful discrimination^[8]
against certain groups based on sensitive attributes^[9]
such as ethnicity, religion, gender, or sexual orientation.

Outlining that the change in underlying infrastructure involves
sharing new information with advertisers, the Electronic Frontier
Foundation (EFF) equated FLoC to a “behavioral credit score^[10],” calling it a
“terrible idea” that creates new privacy risks, including the
likelihood of websites to uniquely fingerprint FLoC users and
access more personal information than required to serve relevant
ads.

“If you visit a site for medical information, you might trust it
with information about your health, but there’s no reason it needs
to know what your politics are,” EFF’s Bennett Cyphers said^[11]. “Likewise, if you
visit a retail website, it shouldn’t need to know whether you’ve
recently read up on treatment for depression. FLoC erodes this
separation of contexts, and instead presents the same behavioral
summary to everyone you interact with.”

Also of note is the scope and potential implications of Privacy
Sandbox.

With Chrome’s widespread market share^[12] of over 60% across
desktop and mobile devices, Google’s attempts to replace the cookie
have been met with skepticism and pushbacks, not to mention
attracting regulatory scrutiny^[13] earlier this year over
worries that “the proposals could cause advertising spend to become
even more concentrated on Google’s ecosystem at the expense of its
competitors.”

The initiative has also been called out for being under Google’s
control and fears that it may only serve to tighten the company’s
grip on the advertising industry and the web as a whole, which
critics say^[14] will “force more
marketers into their walled garden and will spell the end of the
independent and Open Web.”

In response, Google noted it has taken into account the feedback
about browser-centric control by incorporating what it calls a
“trusted server” in FLEDGE to store information about an ad
campaign’s bids and budgets.

All said and done, third-party cookies aren’t the only means to
deliver ads on the web. Companies that collect first-party data,
counting Facebook and Google, can still be able to serve
personalized ads, as ad tech firms that are embracing a DNS
technique called CNAME cloaking^[15] to pass off third-party
tracking code as coming from a first-party.

“Keeping the internet open and accessible for everyone requires
all of us to do more to protect privacy — and that means an end to
not only third-party cookies, but also any technology used for
tracking individual people as they browse the web,” Google said,
adding it remains “committed to preserving a vibrant and open
ecosystem where people can access a broad range of ad-supported
content with confidence that their privacy and choices are
respected.”