Tracking & Privacy: From Browser Cookies to Google FLoC

Are you concerned or just curious about the new FLoC algorithms by Google? Is FLoC better or worse than traditional 3rd-party cookies? What would be the impact of FLoC technology on Digital Marketing? How about your privacy? With FLoC, will marketers still be able to retarget you? Is FLoC active on my Chrome browser?

To answer all those questions, I wrote this short article explaining the impact of FLoC on Digital Marketing and the main features of this new technology proposed by Google as a replacement for 3rd-party cookies.

FLoC, the short explanation (12 slides)

FLoC, the long explanation

This topic is complex and comes with important implications for our privacy and for the daily work of Digital Marketers. I decided to include a longer version for those who want to get more details.

What is a 1st Party Cookie?

When you visit a website, like CNN.com, your browser allows the website to leave small pieces of information on your computer. These are called cookies. Some cookies will be automatically deleted at the end of your browsing session, while others will remain on your browser for a very long time. The website that creates the cookies can specify the lifespan of each cookie. As we know, we can always go to the browser settings and delete all the browser cookies or only the cookies associated with a specific website. For Internet users who are very concerned about their privacy, browsers offer the option to block all cookies. Because cookies are an integral part of how many websites work, disabling cookies can compromise the user experience on many websites.

How Many Cookies Do I Have on My Browser?

For highly interactive websites, the number of cookies can be significant. The number of cookies can be even higher for eCommerce websites. How many cookies are stored on our device after visiting a specific website? If you are using a web browser like Chrome, there is a simple way to find out. From the 3-dots menu on the top right corner of your browser select “More Tools…”. From the new panel select the “Application” tab, and from the left vertical menu select “Cookies” and then the website URL you would like to investigate. This is what I see on my browser when I check the cookies from cnn.com. There are more than 100 cookies!

Browser cookies are limited in size (maximum 4K bytes), but not in number. It is important to understand that every time we go back to a website we already visited, our browser will send back a copy of the cookies it has in memory that are associated with that URL.

What is a 3rd Party Cookie?

Third-party cookies are cookies that are set by a website other than the one you are currently on. To understand what that means we need to explain what an <iframe> is. Iframes are a special type of HTML tag that allows the embedding of a web page inside another web page. The original intent was to allow the creation of web widgets. But today iframes are used mostly to track visitors to a website and to let 3rd parties drop cookies on your browser. For example, when I visit a CNN page, my browser will render the HTML content of that page, including the content of the <iframe> tags. One of the iframes is likely including a page from Google or Facebook. These iframes are so small that as visitors we will not see them, but they are going to open the door to 3rd-party cookies. The bad news is that there are ways to achieve similar results simply by embedding a simple image, like the notorious Facebook Pixel.
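
The cross-site effect described above, as an added example that is not part of the original article: a toy cookie jar showing that an embedded third party receives the same cookie on two unrelated pages, and that blocking third-party cookies removes that link. All hostnames and the `uid-42` value are constructed, and a "site" is approximated by the last two hostname labels (real browsers use the Public Suffix List).

```javascript
// Added example: a toy browser cookie jar. Hostnames and values are constructed.
// Simplification: a "site" is the last two labels of the hostname.
function site(host) {
  return host.split('.').slice(-2).join('.');
}

class Browser {
  constructor({ blockThirdParty = false } = {}) {
    this.blockThirdParty = blockThirdParty;
    this.jar = new Map(); // cookie host -> cookie value
  }

  // Load one resource (the page itself or an embedded iframe/pixel).
  // Returns the cookie value the browser attaches to the request, or null.
  request(topLevelHost, resourceHost, setCookieIfMissing) {
    const thirdParty = site(topLevelHost) !== site(resourceHost);
    if (thirdParty && this.blockThirdParty) return null; // nothing sent or stored
    if (!this.jar.has(resourceHost)) this.jar.set(resourceHost, setCookieIfMissing);
    return this.jar.get(resourceHost);
  }
}

// What the embedded party's server sees after the user visits two unrelated
// pages that both embed a resource from ads.tracker.example.
function trackerLog(browser) {
  const log = [];
  for (const page of ['www.news.example', 'shop.cars.example']) {
    browser.request(page, page, 'session-' + page); // first-party cookie
    const id = browser.request(page, 'ads.tracker.example', 'uid-42');
    log.push({ page, id });
  }
  return log;
}

console.log(trackerLog(new Browser()));
console.log(trackerLog(new Browser({ blockThirdParty: true })));
```

With third-party cookies allowed, both log entries carry the same identifier; with blocking enabled, the first-party cookies are still stored but the embedded party receives nothing.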

What is Google FLoC? Federated Learning of Cohorts

Back in January 2020 Google announced a plan to drop support for 3rd-party cookies in Chrome within 2 years. The plan was to develop a new technology able to power targeting and remarketing campaigns with a more respectful and sensitive approach to privacy. The new technology to replace 3rd-party cookies is FLoC or Federated Learning of Cohorts.

How does FLoC work?

The goal of FLoC is to support the trackability of each user’s behavior without violating any privacy rule. The approach is new: instead of creating and sharing a detailed profile of each user by storing 3rd-party cookies, Google is proposing to group similar users together in what they call a cohort. When a user visits a website, the website will not be allowed to create any 3rd-party cookies. Instead, the website will receive a list of the cohorts the user belongs to. Let’s see an example from Google’s documentation.

Let’s take a look at the typical FLoC process:

  • Google (algorithmically) defines a list of cohorts and makes them available to all browsers
  • Your browser loads the definition of cohorts and automatically assigns you to a specific cohort based on your browsing history.
  • Users with similar browsing history will be assigned by different browsers to the same cohorts.
  • A cohort must have a minimal size (number of members) in order to protect users’ privacy.
  • When you visit any website, the website will automatically receive a list of your cohort codes, regardless of your decision of opting in or out of their cookies.
  • Your browser, in assigning you to a cohort, will use information about all your visits, regardless of your decision of blocking the cookies for certain websites.
  • The website can decide to target you with specific ads based on the cohorts you belong to. E.g., since you visited a few websites about convertible cars, your browser has added you to the “convertible cars” cohort. When you visit a website, let’s say CNN.com, CNN will know that you are into convertible cars and can show you ads for that specific product category. Unlike with 3rd-party cookies, CNN (or the Ads platform working with CNN) will not know which specific “convertible cars” websites you visited; they will only know that you are a good target for that specific kind of product.
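
The process above can be sketched in code. This is an added example, not Chrome's implementation or code from Google: it uses a SimHash-style locality-sensitive hash (one of the techniques evaluated in Google's cohort white paper) so that similar browsing histories map to the same cohort ID, and it withholds IDs of cohorts that are too small. The 8-bit cohort width, `MIN_COHORT_SIZE` and all domain names are assumptions chosen for illustration.

```javascript
// Added example. BITS, MIN_COHORT_SIZE and the domains are constructed.
const BITS = 8;
const MIN_COHORT_SIZE = 2;

// 32-bit FNV-1a hash of a string.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h;
}

// SimHash: each visited domain votes on every output bit, so histories
// that share most domains tend to agree on most bits.
function simhash(domains) {
  const votes = new Array(BITS).fill(0);
  for (const d of new Set(domains)) {
    const h = fnv1a(d);
    for (let b = 0; b < BITS; b++) votes[b] += (h >>> b) & 1 ? 1 : -1;
  }
  return votes.reduce((id, v, b) => (v > 0 ? id | (1 << b) : id), 0);
}

// The cohort ID is derived from the history alone; the size check needs a
// view across many browsers, modeled here by a single function. IDs of
// cohorts below the minimum size are withheld (null).
function assignCohorts(histories) {
  const ids = histories.map(simhash);
  const size = new Map();
  for (const id of ids) size.set(id, (size.get(id) || 0) + 1);
  return ids.map((id) => (size.get(id) >= MIN_COHORT_SIZE ? id : null));
}

const carFans = ['convertibles.example', 'roadsters.example', 'news.example'];
console.log(assignCohorts([carFans, [...carFans].reverse(), ['knitting.example']]));
```

Note that the input to `simhash` is the full list of visited domains, which is why the last bullets above matter: the cohort reflects browsing that never involved a cookie decision.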

Am I FLoCed? Is Google tracking my online activities with FLoC?

Google has already started beta testing FLoC on 0.5% of Google Chrome browsers (in a few selected countries: Australia, Brazil, Canada, India, Indonesia, Japan, Mexico, New Zealand, Philippines and the U.S.), starting with a list of about 33K different cohorts, or behavioral groups. Users in the beta test are assigned to a list of cohorts using the data from the domains they have visited within the preceding week.

Users selected for the FLoC beta test are not being notified by Google. There is a simple way to find out if you have been selected as a guinea pig by Google. EFF, the Electronic Frontier Foundation, created an online page, “Am I FLoCed?”, that you can visit to verify whether you are part of the FLoC experiment.

If you have been selected by Google to be part of the FLoC beta test, the only way to opt out is to disable 3rd-party cookies or to switch to a different browser. If you are a website owner, you can ask Google to exclude your website from the FLoC tracking by including the following HTTP response header:

Permissions-Policy: interest-cohort=()
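
A site owner will usually want to confirm that the header is really present on responses and that adding it does not clobber an existing policy. The following is an added example, not code from Google or from the original article; the function names are hypothetical, and the parser covers only the comma-separated `feature=allowlist` form of the header (it does not handle commas inside quoted origins).

```javascript
// Added example. Parses the subset of Permissions-Policy syntax needed here:
// comma-separated `feature=allowlist` members.
function parsePermissionsPolicy(headerValue) {
  const policy = new Map();
  for (const member of headerValue.split(',')) {
    const eq = member.indexOf('=');
    if (eq === -1) continue; // skip malformed members
    const feature = member.slice(0, eq).trim().toLowerCase();
    const allowlist = member.slice(eq + 1).trim();
    if (feature) policy.set(feature, allowlist);
  }
  return policy;
}

// `headers` maps lowercase header names to a string or an array of strings
// (a response may carry the header more than once).
// True only when interest-cohort has an empty allowlist, i.e. `()`.
function isFlocOptedOut(headers) {
  const values = [].concat(headers['permissions-policy'] || []);
  const policy = parsePermissionsPolicy(values.join(','));
  const allowlist = policy.get('interest-cohort');
  return allowlist !== undefined && /^\(\s*\)$/.test(allowlist);
}

// Returns a header value with the opt-out added, preserving other features
// and overriding any weaker interest-cohort setting.
function withFlocOptOut(existingValue = '') {
  const policy = parsePermissionsPolicy(existingValue);
  policy.set('interest-cohort', '()');
  return [...policy].map(([f, a]) => `${f}=${a}`).join(', ');
}

// Constructed sample responses.
console.log(isFlocOptedOut({ 'permissions-policy': 'geolocation=(self), interest-cohort=()' }));
console.log(isFlocOptedOut({ 'permissions-policy': 'interest-cohort=(self)' }));
console.log(withFlocOptOut('geolocation=(self)'));
```

An allowlist such as `(self)` is reported as not opted out, since only the empty allowlist `()` excludes the site.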

What are the main concerns with FLoC?

FLoC technology is still in a development phase, so it is early to make absolute statements about it, but according to several experts and organizations there are a few serious concerns about this technology:

  • FLoC tracks and collects a lot of information that’s usually not collected by 3rd-party cookies.
  • Large organizations such as Google can predict a lot about you and your future behavior just by looking at your list of cohorts. The cohort IDs contain almost everything you do on the web. Leveraging the list of cohorts you belong to, those large and powerful organizations can infer and predict your interests, demographics, past behavior, etc.
  • There is a significant possibility that FLoC can enable browser fingerprinting. Browser fingerprinting is the practice of collecting small and discrete pieces of information from the user’s browsing activity to create a unique and identifiable profile for the browser. According to some experts, FLoC will take browser fingerprinting to the next level.
  • When we log in to a website using Google authentication (OAuth 2.0), there’s a risk that organizations can tie the information collected through our Google profile to our FLoC IDs. Reverse engineering can reveal the information on the cohort ID and the information collected through the login to give a detailed digital footprint.

Will FLoC track sensitive categories, like sexual interests, identity and beliefs?

Google is committed to protecting sensitive information from FLoC tracking. According to Google Advertising Policies, advertisers can’t use sensitive interest categories to target ads to users or to promote advertisers’ products or services. The sensitive categories are:

  • Personal hardships: ads should not exploit the difficulties or struggles of users. FLoC will not include or track categories related to personal hardships.
  • Identity and belief: categories related to identity and belief are not tracked because they could be used to stigmatize an individual.
  • Sexual interests: sexual experiences and interests are inherently private and therefore excluded from tracking.
  • Access to opportunities: to protect users impacted by societal biases, FLoC doesn’t allow some categories of products or services to be targeted to specific audiences.

What will be the impact of FLoC on Digital Marketing?

According to Google’s initial tests, advertisers will see at least 95% of the conversions per dollar spent when compared to cookie-based advertising. According to the first results coming from the beta testing of FLoC, targeting will still be fairly precise.

Dig deeper

If you want to dig deeper into the FLoC algorithm, I would recommend a technical white paper Google published in October 2021, before the start of the FLoC algorithm beta testing, titled “Evaluation of the Cohort Algorithms for the FLoC API”. Later, in January 2021, Google shared some more FLoC details with a blog post, “Building a privacy-first future for web advertising”, published on their “Ads & Commerce Blog”. On that occasion they announced their intention to start experimenting with FLoC in a beta beginning Q2 2021.

FLoC is now (June 2021) officially in beta test on a randomly selected group of users approximately equal to 0.5% of the US Google users.