Cookies can be helpful business tools, but they often toe the data protection line dangerously. As a result of this tendency towards uncertainty, the EU has introduced a new cookie law to protect its users. This new policy will affect any US company that does online business with EU customers. What do website operators need to pay attention to when it comes to this new cookie law?
On January 25, 2021, Google provided a deep dive into its vision of a cookie-free, but ad-rich future for the web. In a blog post “Building a privacy-first future for web advertising” the search engine giant detailed how personalized advertising could work if third-party cookies are no longer supported. One important element of its Privacy Sandbox is the so-called Federated Learning of Cohorts (FLoC) method.
Find out what FLoC is and how this privacy-friendly alternative to generate and use individual user profiles could work.
- What is FLoC (Federated Learning of Cohorts)?
- Why is FLoC necessary for personalized ads?
- How does Federated Learning of Cohorts work?
- An example of FLoC functions
- FLoC and data security: a perfect match?
- Could website operators block FLoC?
What is FLoC (Federated Learning of Cohorts)?
Google announced that it would extend its Chrome browser by an API called Federated Learning of Cohorts (FLoC) on January 14, 2020. The goal of the interface is simple: users will receive personalized ads without a browser needing tracking cookies. This has important advantages for user privacy. The FLoC API is based on an algorithm that points the browser user to various cohorts. Members of a cohort, which can also be understood as audiences with certain interests, have similar browser behaviors in common. The cohort ID allows Google and ad partners to target relevant ads in a privacy-friendly manner. It conforms to both the ePrivacy regulations and the GDPR.
Cohorts as part of web analysis aren’t new. eCommerce has been using cohort analysis for years to gain a quick overview of consumer behavior.
Why is FLoC necessary for personalized ads?
Advertisements are an indispensable means to generate traffic for web projects for many small companies. They are an equally indispensable means of making money for many publishers. Users, on the other hand, prefer ads that are relevant and useful to them. Methods such as cookies or browser fingerprinting have long been the easiest and most targeted way to create the user profiles necessary. However, because they interfere with the privacy of browser users, they have attracted growing criticism. FLoC promises an alternative approach that could satisfy advertisers, publishers, and users alike while also guaranteeing data protection.
How does Federated Learning of Cohorts work?
The algorithm, the elementary component of the FLoC technology, is still in an experimental state. Its function can be described as follows: Based on browser history, it assigns a user a cohort ID that represents the user’s interests. The individual user cannot be recognized by this ID, because it is shared with at least x other Chrome users (the number of users is currently not specified). Based on the ID, publishers and advertisers can then target their ads to match varying interests.
Google bases the development and refinement of the algorithm on the following principles:
- Cohort IDs should prevent cross-site tracking, i.e., cross-website tracking of user behavior.
- A cohort represents users with similar browser behaviors.
- The algorithm should be based on unsupervised learning, i.e., learning independently without intervention.
- The algorithm must limit the use of “magic numbers”. In other words, it should be characterized by the simplest and clearest possible parameters.
- The calculation of a FLoC cohort should be easy and require little computational effort.
The principles ensure that the generation and management of interest groups remain transparent and easy to understand and cannot be influenced from the outside. In addition, they ensure the best possible data protection, since according to the FLoC principle, user data will continue to be collected and used, but the users are anonymized within their cohorts.
An example of FLoC functions
The way Google’s Federated Learning of Cohorts works is best described using a concrete example. The basic participants in our exemplary FLoC mind game are as follows:
- User 1: Browser user who is assigned to cohort 123; wants to purchase sneakers.
- User 2: Browser user who is also assigned to cohort 123; checks the news online.
- Advertiser: Online fashion store which uses ad platforms to place targeted ads for its products across websites.
- Publisher: News page featuring the latest news which uses ads including those of the Advertiser.
- Ad platform: Platform which provides tools and data for digital ad campaigns; mediates between Advertiser and Publisher.
Step 1: Cohort generation
In the first step, the browser or better the browser-based FLoC algorithm creates the various interest groups. Each cohort is given a unique ID.
Step 2: Assignment of the cohort identifier
Based on the browser history of User 1, the browser determines the appropriate cohort, which in this case carries the ID 123. The browser of User 2 also analyzes the usage history to assign the appropriate identifier. Although the history differs slightly from the usage history of User 1, it still has sufficient similarity to that of User 2 and so is assigned the FLoC ID 123.
Step 3: Visit to online store (Advertiser)
User 1 begins to search for sneakers online. They browse the online store of the Advertiser and search the products for suitable sneakers and related items. The advertiser gains access to the cohort ID of User 1 and shares this data on the user behavior of members of cohort 123 with collaborating ad platforms.
Step 4: Visit to news page (Publisher)
User 2 visits the news page of the Publisher while browsing for the latest news. This means they share their cohort ID with the Publisher. To display personalized ads to User 2, the Publisher accesses the same ad platform as the online store (Advertiser). As part of the request, the Publisher transmits the FLoC ID 123.
Step 5: Determination of appropriate, personalized ads (Ad platform)
The provider of the ad platform can now determine personalized ads for User 2. Thanks to Federated Learning of Cohorts, it has access to the following data:
- The cohort ID of User 2 (123), transferred by the Publisher
- Own data about interests of browser users in cohort 123
- Data provided by the Advertiser about product interests (sneakers) of users in cohort 123
FLoC and data security: a perfect match?
At first glance, Federated Learning of Cohorts seems to be the perfect solution for dividing browser users into interest groups without interfering too much with their privacy. And when it comes to the American market, Google does not seem to doubt that assumption. The preparations for the full implementation of FLoC in Chrome are in full swing in the USA. The first ads on the Google ad network Google Ads based on FLoC technology are to be displayed on a test basis as early as the second quarter of 2021.
In Europe, Google has put the Federated Learning of Cohorts tests on hold. The main problem is a lack of clarity about who would control the data and who would process it when creating cohorts. But considering Europe’s legal stance on data protection and privacy, it’s far from the only point of contention. The assigned cohort ID, which links users to an interest group, and all related information could be regarded as “personal data”. In addition, the processing of data that is collected and used to generate the cohorts could violate the GDPR if Google does not obtain user consent first.
In his role as Google Product Manager for Privacy Sandbox, Marshall Vale announced the following in March 2021:
“It’s the start. We are working to begin testing in Europe as soon as possible. We are 100% committed to the Privacy Sandbox in Europe.” – Marshall Vale, March 2021, Source: twitter.com/marshallvale/status/1374494962646020098.
However, persons responsible at Google remain confident that FLoC tests can begin soon in Europe as well.
Could website operators block FLoC?
Website operators will have the opportunity to subscribe or unsubscribe from Federated Learning of Cohorts. That means it is up to them whether a visit to their website or online store should be included in the creation of FLoC cohorts or not. This is an important point, especially for websites with sensitive topics. In addition, Google would like to establish a central protection authority that automatically deletes certain cohorts if they contain a high number of users visiting websites in sensitive categories. These categories include, for example, websites on financial hardship or mental health.
FLoC is blocked from a website when you embed the following permissions policy header:
If you have blocked FLoC technology in this way and want to allow it again at a later point in time, just remove the header entry.
In previous FLoC tests in Chrome, websites that did not opt out of the method were automatically included in the cohort calculation when Chrome detected that they were websites that loaded ad or ad-related resources.