What the FLoC? Google’s new adtech ‘breaches GDPR’

google_broken2Google has admitted that its new adtech system that replaces third-party cookies will not be tested in Europe due to fears that the scheme is currently in breach of both GDPR and ePrivacy legislation.

The tech giant confirmed it was scrapping third-party cookies as far back as 2018 and launched its Privacy Sandbox initiative in 2020 to “develop a set of open standards to fundamentally enhance privacy on the web”.

The plan is to funnel advertisers to the Sandbox, which uses APIs and machine learning to collect anonymised data on users within the Chrome browser and groups them into sets of users with similar attributes based on their browsing behaviour, called Federated Learning Cohorts (FLoCs).

Once the FLoC has been created, it will be shared with websites and advertisers. However, many critics claim that while the technology will avoid the privacy risks of third-party cookies, it will create new ones. They say FLoCs may also exacerbate many of the worst non-privacy problems with behavioural ads, including discrimination and predatory targeting.

Even so, during a meeting of the Improving Web Advertising Business Group (IWABG) at the World Wide Web Consortium this week, Google engineer Michael Kleber conceded that FLoCs might not be compatible with European privacy law.

He said: “For countries in Europe, we will not be turning on origin trials [of FLoC] for users in European Economic Area countries.”

Specifically, Google will not carry out FLoC testing in Europe due to concerns over which entity will serve as the data controller and which will serve as the data processor in the creation of cohorts.

But Google Chrome product manager Marshall Vale tweeted a few hours later: “We are starting this FLoC origin trial for users in the US and select other countries, and we expect to make FLoC available for testing worldwide at a later date.”

Vale added that FLoC testing in the US is only “the start. We are working to begin testing in Europe as soon as possible. We are 100% committed to the Privacy Sandbox in Europe”.

James Rosewell, CEO and co-founder of device detection company 51Degrees and a member of the IWABG, told AdExchanger: “We don’t know if this means ‘Privacy Sandbox’ will be delayed in Europe, including the retirement of third-party cookies – Google should provide urgent official clarification.”

“It appears as if Google has focused on the engineering and math, but not the important legal basis for Privacy Sandbox. This indicates privacy-by-design principles have not been applied to Privacy Sandbox… I find that ironic.”

Last April, Google bowed to pressure to delay the Chrome update, although the tech giant insisted it was only a temporary reprieve due to the Covid-19 outbreak.

However, in January UK’s Competition & Markets Authority launched an investigation into the Privacy Sandbox, amid concerns that it could “undermine the ability of publishers to generate revenue”, and “undermine competition in digital advertising”.

Related stories
Data firms in demand as brands look to replace cookies
Brands build first-party data at last as cookies crumble
Brands all talk, no action on first-party data adoption
Why first-party data is the gift that keeps on giving
Brands eye first-party data as the penny finally drops
How to unlock the power of first-party customer data
eBay ditches cookies for new programmatic ad platform
Google’s third-party cookies get a stay of execution
Life after the cookie monster: What you need to know

Print Friendly