Third-party cookies are often used by advertisers to track users’ activities across websites to show them relevant ads. While these cookies are beneficial for websites due to the advertising revenue they generate, these cookies are often criticized for the lack of privacy they provide users and the amount of data they collect. The data these cookies provide can be used to build a significant profile of an individual without their consent or knowledge. In addition, this data is often sold without the user’s explicit knowledge and consent to various companies for marketing or other purposes. Issues with third-party cookies afflict even reputable news organizations, who create privacy risks through their advertising on controversial articles while simultaneously reporting on privacy violations by government agencies such as the NSA. Fortunately, the European Union has required since 2019 that users must give their informed consent to non-essential cookies and users are assumed to have opted out unless they opt in. Websites must provide this consent option through banners displayed at the top or the bottom of a page which over time have grown to include additional disclosure information. A European court has determined that an already checked box is insufficient consent and the user must check the box themselves. Privacy laws similar to those passed in the EU have also been passed in Canada and Brazil. Unfortunately, these banner alerts are often not effective because users simply click past the alerts without reading the website’s cookie policy, which can be many pages long. In some cases, users view these alerts more as pop-ups and a nuisance rather than as informative or important, so they are ignored.
As an alternative to this legal remedy, Apple’s Safari browser and Mozilla’s Firefox currently block third-party cookies as of 2017 and 2019, respectively. In January 2020, Google followed suit and announced their intention of fully phasing out third-party cookies within Google Chrome by 2022 noting users’ greater demands for control and transparency. This announcement follows the “Privacy Sandbox” initiative that Google started in 2019 that outlined Google’s intentions to balance the privacy concerns of users with the concerns of websites that would be harmed if they were left without an alternative form of advertising if cookies were to be eliminated entirely. On March 3,, 2021, Google announced that after third-party cookies are phased out, Google would not replace these cookies with alternative identifiers to serve as trackers. Instead, Google will use Federated Learning of Cohorts (FLoC) which would aggregate individuals of similar interests into cohort groups under an algorithm. Each cohort group would receive targeted advertising specific to their interests. This prevents the use of individual identifiers by keeping browsing history of individual users within the browser and away from third parties. Browsing history is typically used by third-party cookies to determine what ads to show so keeping this information private undermines third-party cookies and renders them ineffective. Moreover, such a policy would be in compliance with the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) which requires that large businesses, under California law, must disclose if personally identifiable information will be sold or shared with third parties, something that these cookies primarily do. Similar laws are being considered in other state legislatures. Furthermore, Google claims that FLoC is 95% effective compared to the use of third-party cookies for advertising purposes.
However, Google’s proposal is not without its detractors. Since Google controls over two-thirds of the web browser market as of December 2020, Google could increase its own power significantly in the advertising market because it would still retain its own power to use trackers like browsing history with Chrome. This allows Google to stifle competition as third-party advertisers would be subject to the restrictions Google sets, but Google would not be restricted as a first-party data collector. There is also a concern that the cohort groups could be constructed in a way that fails to hide individuals sufficiently because smaller cohort groups are inherently better than large groups for Google since the targeted advertising could be more specific and arguably more effective for smaller groups. In a smaller group, it would be easier for an individual user to be discerned by advertisers, rendering much of the improved privacy protections, moot. Furthermore, Facebook when using similar designed groups in the past, has run into issues with advertisers being able to characterize individuals by “sensitive” categories such as race, politics or religion. The Electronic Frontier Foundation (EFF) opposes FLoC entirely and points out other concerns that could arise such as browser fingerprinting, the practice of gathering various pieces of information from an individual’s browser so that the browser can be uniquely identified in the future. Additionally, they point out that audits of the system would have a difficult time determining whether advertisers were using inappropriate categories. In many cases, advertisers could claim plausible deniability by arguing that they are merely targeting a cohort group and not specific individuals.
While FLoC may be the new advertising targeting method of the future that avoids the privacy concerns of third-party cookies, it could still raise other concerns that should be carefully studied before being fully implemented next year. It would be useless to the average user to replace one privacy concern with another in the quest for a more private web.
* Josh Zhao is an Executive Editor on the Michigan Technology Law Review.