Federated Learning of Cohorts (FLoC) is a type of web tracking through federated learning. It groups people into "cohorts" based on their browsing history for the purpose of interest-based advertising. Google began testing the technology in the Chrome browser in March 2021 as a replacement for third-party cookies, which it plans to stop supporting in Chrome by early 2023. FLoC is being developed as a part of Google's Privacy Sandbox initiative, which includes several other advertising-related technologies with bird-themed names.: 48
As of April 2021[update], every major browser aside from Google Chrome that is based on Google's open-source Chromium platform has declined to implement FLoC. The technology has been criticized on privacy grounds by groups including the Electronic Frontier Foundation and DuckDuckGo, and has been described as anti-competitive; it has generated an antitrust response in multiple countries as well as questions about General Data Protection Regulation compliance.
The Federated Learning of Cohorts algorithm analyzes users' online activity within the browser, and generates a "cohort ID" using the SimHash algorithm to group a given user with other users who access similar content.: 9 Each cohort contains several thousand users in order to make identifying individual users more difficult, and cohorts are updated weekly. Websites are then able to access the cohort ID using an API: 9 and determine what advertisements to serve. Google does not label cohorts based on interest beyond grouping users and assigning an ID, so advertisers need to determine the user types of each cohort on their own.: 47
The process used to generate cohorts without sending user browsing data outside the device is similar to the method behind Google's predictive keyboard.: 46
Google began testing FLoC in the Chrome browser in March 2021 as a replacement for third-party cookies, which Google plans to stop supporting in Chrome by mid-2023. (Initially Google announced plans to remove third-party cookies by late 2021, then postponed it to early 2022, and then to 2023 due to delay of FLoC technology.) The initial trial turned on FLoC for 0.5% of Chrome users across 10 countries: the United States, Australia, Brazil, Canada, India, Indonesia, Japan, Mexico, New Zealand and the Philippines. Users were automatically placed in the trial and were not notified, but could opt out by turning off third-party cookies. The initial trial did not include users in the United Kingdom or the European Economic Area due to concerns about legality under the area's privacy regulations.
Google claimed in January 2021 that FLoC was at least 95% effective compared to tracking using third-party cookies, but AdExchanger reported that some people in the advertising technology industry expressed skepticism about the claim and the methodology behind it. As every website that opts into FLoC will have the same access about which cohort the user belongs to, the technology's developers say this democratises access to some information about a user's general browser history, in contrast to the status quo, where websites have to use tracking techniques.
The Electronic Frontier Foundation has criticized FLoC, with one EFF researcher calling the testing of the technology in Chrome "a concrete breach of user trust in service of a technology that should not exist" in a post on the organization's blog. The EFF also created a website which allows Chrome users to check whether FLoC is being tested in their browsers. The EFF criticized the fact that every site will be able to access data about a user, without having to track them across the web first. Additionally on the EFF blog, Cory Doctorow praised Chrome's planned removal of third-party cookies, but added that "[just] because FLoC is billed as pro-privacy and also criticized as anti-competitive, it doesn’t mean that privacy and competition aren’t compatible", stating that Google is "appointing itself the gatekeeper who decides when we’re spied on while skimming from advertisers with nowhere else to go."
On April 10, 2021, the CEO of DuckDuckGo released a statement telling people not to use Google Chrome, stating that Chrome users can be included in FLoC without choosing to be and that no other browser vendor has expressed interest in using the tracking method. The statement said that "there is no such thing as a behavioural tracking mechanism imposed without consent that respects people’s privacy" and that Google should make FLoC "explicitly opt-in" and "free of dark patterns". DuckDuckGo also announced that its website will not collect FLoC IDs or use them to target ads, and updated its Chrome extension to block websites from interacting with FLoC.
Brave, a web browser built on the Chromium platform, criticized FLoC in a blog post on April 12, 2021, and announced that it would be disabled in the Brave browser and not accessed by the Brave website. The blog post, co-written by the company's CEO Brendan Eich, described Google's efforts to replace third-party cookies as "Titanic-level deckchair-shuffling" and "a step backward from more fundamental, privacy-and-user focused changes the Web needs."
Tech and media news site The Verge noted that not all possible repercussions of FLoC for ad tech are known, and that its structure could benefit or harm smaller ad tech companies, noting specifically that larger ad tech companies may be better equipped to "parse what FLoCs mean and what ads to target against them."
On April 18, 2021, a WordPress development team proposal suggested disabling FLoC by default on WordPress websites over possible privacy issues. The proposal stated that "WordPress powers approximately 41% of the web."
On April 27, 2021, GitHub disabled FLoC on their websites, including
github.com and GitHub Pages domain
github.io by introducing HTTP header
Permissions-Policy: interest-cohort=(). However, GitHub Pages websites with custom domains are not affected.
In June, 2021, Amazon disabled FLoC on all websites of its companies, including its online store
amazon.com, Whole Foods, Zappos, and Woot. Specialists speculated that Amazon staff might have decided to block FLoC not out of concern for user privacy, but rather as a strategic move to keep user data away from Google.
Every major browser based on Google's open-source Chromium platform (other than Google Chrome) had declined to implement FLoC, including Microsoft Edge, Vivaldi, Brave, and Opera.
Mozilla, the creators of the Firefox browser, expressed concerns that FLoC can be used as an additional fingerprinting vector. Furthermore, they stated that a user's FLoC group can be tracked during multiple visits and correlated via different means and, based on a user's membership in multiple FLoC cohorts, a website might be able to infer information about the user which FLoC aimed to keep private. Since a FLoC cohort is shared across websites, its ID might be abused as an alternative to a unique cookie in third-party contexts.
In March 2021, 15 attorneys general of U.S. states and Puerto Rico amended an antitrust complaint filed in December; the updated complaint says that Google Chrome's phase-out of third-party cookies in 2022 will "disable the primary cookie-tracking technology almost all non-Google publishers currently use to track users and target ads. Then [...] Chrome, will offer [...] new and alternative tracking mechanisms [...] dubbed Privacy Sandbox. Overall, the changes are anticompetitive".
In June 2021, EU antitrust regulators launched a formal investigation to assess whether Google violated competition rules, with a focus on display advertising, notably whether it restricts access to user data by third parties while reserving it for its own use. Among the things that will be investigated is Google's plan to prohibit the placement of third-party cookies and replace them with the Privacy Sandbox set of tools.
As of April 2021[update], Google was not testing FLoC in the United Kingdom or the European Economic Area due to concerns about compliance with the General Data Protection Regulation and the ePrivacy Directive.
Johannes Caspar, the Data Protection Commissioner of Hamburg, Germany, told Wired UK that FLoC "leads to several questions concerning the legal requirements of the GDPR," explaining that FLoC "could be seen as an act of processing personal data" which requires "freely given consent and clear and transparent information about these operations." A spokesperson of the French National Commission on Informatics and Liberty said that the FLoC system would require "specific, informed and unambiguous consent".