Consumer expectations about online privacy are increasing. The third-party cookie technology long used to track individual users across the web are falling out of favor, requiring the advertising industry to rethink how it understands user behavior online. Representatives from the Chrome browser team declared in early 2020 that Chrome would no longer support third-party cookies in approximately two years.
Since then, representatives from the Chrome browser team proposed a technology called Federated Learning of Cohorts (FLoC), designed to preserve user privacy by tracking groups of users that behave similarly instead of tracking individuals. However some privacy proponents argue that FLoC may not go far enough in protecting individuals’ privacy and have encouraged websites to prevent FLoC from collecting data on their users by sending the HTTP header Permissions-Policy: interest-cohort=(). The web application security community OWASP has even included this guidance in its HTTP Header Cheat Sheet.
How are website owners across the web reacting? By searching for the HTTP header Permissions-Policy: interest-cohort=() on websites across the web it’s possible to know which sites are opting out of FLoC, preventing their users’ behavior from being included in this Google advertising technology. The website crawler.ninja posts a list that is updated daily of websites which prevent FLoC from capturing user behavior. In the data collected on November 22, 2021, we find:
- 23,011 websites have opted out of FLoC, including:
- Amazon.com
- Wikipedia.org
- Github.com
- 738 Government websites around the world opting out of FLoC:
- 275 US government websites such as house.gov, fbi.gov, and nih.gov
- 149 United Kingdom government websites including www.gov.uk
- 388 Educational websites including:
- Princeton.edu
- Yale.edu
While many agree third party cookies go too far in tracking individuals online and something less invasive is called for, the data above confirm that there is also concern over FLoC, a suggested privacy improvement to succeed third party cookie tracking. Businesses should prepare for FLoC by dedicating resources to preparing for an increasingly privacy conscious business environment, consider what their privacy stance is with regard to FLoC and its successors and if they also decide to not allow their users’ data to be used by FLoC, send the opt-out HTTP header for their web applications using secure configuration management. We expect this to space to evolve rapidly as large organizations and marketers find the balance between online privacy and advertising.
