Google FLoC Testing: Not Yet in Europe

Google’s Privacy Sandbox Trials: A Cautious Rollout

Earlier this month, Google initiated trials of “Privacy Sandbox,” its proposed alternative to tracking cookies, as it prepares to phase out third-party cookie support in the Chrome browser. This system aims to reshape the web’s architecture by shifting from individual ad targeting to ads targeted at groups of users – known as Federated Learning of Cohorts, or FLoCs.

Significant Questions Remain

Numerous substantial questions surround this plan. A primary concern is whether grouping individuals into algorithmically determined interest-based categories, based on their browsing history, will genuinely mitigate the harms associated with behavioral advertising.

If the focus is on preventing online ads that discriminate against protected groups or exploit vulnerable individuals – such as those with gambling addictions – FLoCs may inadvertently perpetuate similar abusive practices. The Electronic Frontier Foundation (EFF), for instance, has labeled FLoCs a “terrible idea,” warning it could amplify discrimination and predatory targeting.

Advertisers are also questioning whether FLoCs will deliver comparable revenue as Google suggests.

Competition and Antitrust Concerns

Competition concerns are also closely scrutinizing Google’s Privacy Sandbox, currently under investigation by U.K. antitrust regulators and attracting attention from the U.S. Department of Justice.

Adtech companies express worry that this shift will further solidify Google’s control over them, restricting their access to user data while Google continues to track its own users – leveraging first-party data alongside a new competitive advantage.

Antitrust arguments are strategically employed by the adtech industry to counter potential privacy protections. However, regulators are sufficiently concerned about Google’s power dynamics regarding the phasing out of tracking cookies to warrant closer examination.

The Question of Privacy

Google’s branding of “Privacy Sandbox” suggests a commitment to protecting user privacy.

This initiative responds to the growing value placed on personal data protection, following years of data breach and misuse scandals.

The tracking industry, often referred to as the “data industrial complex,” faces a damaged reputation due to incidents like Kremlin-fueled voter manipulation and widespread user dissatisfaction with ad tracking. This is evident in the increasing adoption of tracker- and ad-blockers, and the proactive anti-tracking measures implemented by other web browsers.

Limited European Testing

Given Google’s desire for the Privacy Sandbox to be perceived as pro-privacy, it’s noteworthy that it is not currently conducting origin tests of FLoCs in Europe, where the world’s most stringent privacy laws are in effect.

During a meeting of the Improving Web Advertising Business Group at the World Wide Web Consortium, a Google engineer stated that origin trials would not be activated for users in the European Economic Area (EEA). Google plans to expand testing internationally, including the U.K. and EEA, at a later date.

Google is actively engaging with independent authorities, including privacy regulators and the U.K.’s Competition and Markets Authority, to identify the best approach for online privacy.

Consent and Legal Concerns

A key issue is Google’s decision to auto-enroll sites in the FLoC origin trials, rather than requiring manual sign-ups with a consent flow. This raises legal concerns in Europe, where the ePrivacy Directive and the General Data Protection Regulation (GDPR) mandate consent for processing personal data.

Google plans to release initial controls in Chrome 90 in April, offering a simple on/off switch for the Privacy Sandbox, with plans for further expansion as proposals progress.

The reason for auto-enrolling sites, beyond avoiding friction and limiting the test pool, remains unclear.

Google states that sites already containing ads will be supported during the origin trial to determine FLoC assignment, and that the final implementation will only draw on sites that opt-in.

Data Leaks and Fingerprinting

Google’s Privacy Sandbox tests have revealed potential data leaks, specifically regarding incognito browsing mode, which could be exploited for user fingerprinting. This contradicts the claimed privacy benefits.

Security and privacy researcher Dr. Lukasz Olejnik identified that the detection of incognito mode constitutes an information leak, allowing differentiation between browsing modes.

Google acknowledges that countering fingerprinting is a key goal of the Privacy Sandbox and is developing technology to protect users from covert tracking techniques.

Navigating European Regulations

It’s uncertain whether Google needs to obtain user consent to legally conduct the tests in Europe. While other legal bases exist, careful analysis is required. Google’s decision to postpone testing in Europe suggests a desire to avoid legal risks.

The ePrivacy Directive, unlike the harmonized GDPR, lacks a centralized complaint mechanism, potentially exposing Google to investigations from multiple EU Data Protection Authorities (DPAs). France’s CNIL recently fined Google $120 million for dropping tracking cookies without consent, highlighting the risks of non-compliance.

Certain types of personal data are considered “special category data” under EU law, requiring explicit consent for processing, adding further complexity to testing.

Future Plans and Ongoing Consultation

Google has not provided a timeline for when tests will begin in Europe or specified other test locations besides the U.S.

Google stated it cannot currently offer further details on questions including how consent will be handled once FLoCs are deployed, or whether individual consent will be necessary for cohort-based targeting.

The lack of regional tests raises questions about the suitability of Privacy Sandbox for European users, as noted by The New York Times’ Robin Berjon.

Google will likely need to test FLoCs in Europe to ensure its adtech is viable for advertisers who are already expressing concerns about competition and revenue risks.

Ireland’s Data Protection Commission (DPC), Google’s lead data supervisor in the region, confirmed it has been consulting with Google about the Privacy Sandbox plan and will examine detailed plans when presented.

The DPC is currently investigating Google’s business practices under GDPR, including adtech and location data processing.

However, Google was previously fined $57 million by France’s CNIL for insufficient clarity regarding data processing practices for Android users, underscoring the importance of EU data protection compliance.