Market Spotlight — Why EU Regulators Are Wary Of Cohort Targeting: A Closer Look At FLoC Trial’s Hiccup

By Aqilliz  


LinkedIn LogoTwitter LogoFacebook Logo

The clock is ticking for the digital advertising industry as we grapple with new ad targeting standards and the push to adopt more privacy-first solutions. As Google prepares to withdraw support for third-party cookies from its Chrome browser by next year, it has begun running trials on an alternative solution which they’re calling Federated Learning of Cohorts (FLoC). This is packaged with other tools into the Privacy Sandbox, which has already been rolled out in the Chrome browser.

Touted to make tracking less privacy-invasive, the FLoC application programming interface (API) aims to give advertisers a way of targeting ads without exposing details on individual users or following them around the web as cookies do. Instead, it relies on grouping people with similar interests together — such as baseball fans, working mothers, student travellers, and so on. However, since the trials began, many regulators and organisations have raised concerns that while the technology will avoid the privacy risks of third-party cookies, it could potentially amplify other issues related to behavioural advertising, including discriminatory and predatory targeting.

Due to concerns that the initiative may currently be in breach of the EU’s General Data Protection Regulation (GDPR) and ePrivacy legislation, Google has held off any trials of FLoCs within the region until it is compliant with Europe’s privacy laws. In this blog post, we’ll examine the questions that have been raised by regulators, as well as the potential privacy implications that may arise from the use of the technology.

The trouble with FLoC

First, let’s take a look at how it works. A browser with FLoC enabled would collect information about its user’s browsing habits, then use that information to assign its user to a “cohort” or group. Users with similar browsing habits would be grouped into the same cohort, and each user’s browser will share its cohort ID with websites and advertisers — this allows ads to be targeted to a pool of users rather than a specific individual.

Under the legal requirements of the GDPR, any processing of personal data is prohibited unless it is expressly allowed by law, or the data subject has provided consent. Currently, FLoC is built into the Chrome browser by default. The trouble with FLoC now seems to be around whether the browser placing a user in a cohort constitutes the use of personal data, and processing personal data to generate the cohort assignment without the proper consent could potentially be a violation of that law. In other words, Google needs to ensure that people are actively choosing to use FLoC with freely given consent, rather than having the system turned on by default in Chrome.

Unanswered questions and potential risks

A lot of uncertainty still remains around the specifics of FLoC and how it could allow conclusions to be made about people’s browsing behaviour. For instance, it’s unclear whether there will be any restrictions on who can access the cohort IDs, or exactly how many possible cohorts there will be. The more cohorts there are, the more specific they will be, which in turn provides more granular information about each user’s interests and a higher risk of fingerprinting.

Despite being part of Google’s Privacy Sandbox initiative, this kind of profiling still shares a significant amount of behavioural information from your browsing history. Cohort ID could potentially be combined with other personally identifiable information such as IP address or first-party data that websites already have, resulting in even more detailed datasets which are not at all anonymised. A person’s cohort might even connect them to a sensitive demographic such as sexual orientation or political affiliation — in some places, such information could put their personal safety at risk. Since cohorts are updated weekly, if a website has its own unique identifiers for a particular individual, it could potentially build up a list of the multiple different cohorts they may be assigned to over time.

This is something Google is promising to tackle, so at this point the industry will need to wait and see how the ongoing development of the APIs unfold — and how committed they are to improving privacy for web users. While it’s still a work in progress, it’s certainly a step in the right direction.

Keeping a close watch

At the end of the day, Google’s revenue is built on ads — despite FLoC being open-source, it is still owned and managed by Google. With the current lack of clarity into how exactly they are assigning cohorts or grouping users, the general concern among the AdTech community is that Google could potentially be positioning itself to become the ultimate data broker for the digital advertising space. This raised even more red flags among the regulators in the EU, who already had the big tech firm in their crosshairs. In January, the UK's Competition & Markets Authority launched an investigation into the Privacy Sandbox, amid concerns that it could undermine competition in the digital advertising sector.

The Information Commissioner’s Office, UK’s data protection regulator, is also reviewing the impact of the Privacy Sandbox on the advertising industry — as are regulators in Germany, France, and Belgium. Ireland’s Data Protection Commission has also been consulting with Google about the Privacy Sandbox plan.

Certainly, this year is proving to be a watershed moment for user privacy — never have internet users had so many options to protect their privacy and yet, that privacy has never been more under threat at the same time. Until Google manages to address the concerns of these regulators, more inquiry into these initiatives is likely to be expected. That said, by staying engaged with ecosystem partners and the community, Google can continue to explore more privacy-preserving alternatives in order to find the best solution to these issues.

In the end, FLoC should be taken as what it truly is: a valuable step forward and a promising starting point. As the industry works in tandem to equally develop promising alternatives, we can hope to see a myriad of solutions emerge that can benefit brands and users alike as we work to reshape the future of privacy on the web. Learn more about our solutions that could help to future-proof your marketing technology stack in a privacy-compliant digital world.

Sign up for our newsletter

By submitting your email, you agree to our Privacy Policy

Related Articles

See All