Google will not make FLoC-based cohorts available for testing in countries where GDPR and the ePrivacy Directive are in effect.
In other words, no FLoCs in Europe. At least for now.
During a meeting of the Improving Web Advertising Business Group (IWABG) at the World Wide Web Consortium on Tuesday, Michael Kleber, a Google engineer, acknowledged that FLoCs might not be compatible with European privacy law.
“For countries in Europe, we will not be turning on origin trials [of FLoC] for users in EEA [European Economic Area] countries,” Kleber said.
Specifically, Google will not proceed with FLoC testing in Europe due to concerns over which entity will serve as the data controller and which will serve as the data processor in the creation of cohorts.
Kleber seemed pretty definitive in his statement. Several hours after the meeting, however, came a follow-up tweet from Marshall Vale, a Chrome product manager, who wrote, “We are starting this FLoC origin trial for users in the US and select other countries, and we expect to make FLoC available for testing worldwide at a later date.”
Vale then tweeted again shortly thereafter, stating that FLoC testing in the US is only “the start. We are working to begin testing in Europe as soon as possible. We are 100% committed to the Privacy Sandbox in Europe.”
Even so, GDPR and ePrivacy pose challenges without clear answers.
It’s possible, for example, that when a web browser places someone in a cohort and associates them with a FLoC ID, that could count as personal data under the law. And processing personal data to generate the cohort assignment without the proper consent could also be a violation.
The plan had been for Chrome to begin origin trials of FLoC this month. Origin trials allow developers to safely experiment with web features before more generalized testing. Advertiser testing of FLoCs within Google Ads is set to kick off in Q2.
It’s unclear what impact excluding EEA countries from early testing will have on the future of cohort-based advertising – or third-party cookies, for that matter – in Europe or other geographic regions with related privacy laws.
“We don’t know if this means ‘Privacy Sandbox’ will be delayed in Europe, including the retirement of third-party cookies – Google should provide urgent official clarification,” said James Rosewell, CEO and co-founder of device detection company 51Degrees and a member of the IWABG. “It appears as if Google has focused on the engineering and math, but not the important legal basis for ‘Privacy Sandbox.’ This indicates privacy-by-design principles have not been applied to ‘Privacy Sandbox’ … I find that ironic.”
What is clear, though, is that this seems to be the first time anyone outside of Google is hearing about that Europe won’t be included.
I can’t believe this is *the first time* I’ve heard anyone mention that FLoC won’t run its origin tests in the EEA?!?
— Aram Zucker-Scharff (@Chronotope) March 23, 2021
Story updated at 6:05 p.m. on 3/23/21 to reflect the reference to Marshall Vale’s tweets.