FLoC and data privacy in the world of targeted ads – ET CISO
https://etimg.etb2bimg.com/thumb/msid-82208111,imgsize-379570,width-1200,height=765,overlay-etciso/news/floc-and-data-privacy-in-the-world-of-targeted-ads.jpg
By Anupam shukla
A 70s adage about television advertising goes something like “if you are not paying for the product, then you ARE the product!”. Pithy as the quote may be, it contains a world of meaning and relevance, especially for today.
We cannot deny that today we have access to an impressive array of software and application suits for free. We are able to communicate, instantly exchange files and documents, accurately navigate the world and perform multitudes of other tasks on the internet, while only paying nominally fordata. This is possible only because most websites offering these free services are also offering you a free cookie!
These cookies – little packets of information stored on your computer by the websites you visit, have been a staple of web advertising for past two decades. There have been many attempts at replacing the tracking cookies or reducing their intrusiveness, with varying degrees of success. For example, data privacy laws like EU’s GDPR and Brazil’s LGPD now require websites to grant users a right to provide their informed, explicit andunambiguous consent to which cookies can be activated while visiting such website, in a more granular manner. Some even insist on an “opt-in” instead of an “opt-out” model. You would have seen this result in the new, more detailed, cookie pop-ups on websites.The issue however is that the targeted advertisements simply work. They are unsurprisingly more effective in pushing sales. So, in order to continue receiving features for free, users were initially willing to forgo some intrusions into their privacy (this is different from the nuisance ads which some freemiumapps/websites run to incentivize you to subscribe to their services).
The entire ecosystem of advertisers, publishers and AdTech companies operatedon this foundation. However, as privacy concerns become more and more important and data breaches become more and more prevalent, companies and organizations have been trying to come up with alternatives to replace third-party cookies with a new suite of technologies. One of the alternatives being pushed as a new standard by Google is named FLoC.
FLoC, which stands for Federated Learning of Cohorts, is a new mechanism being devised by Google for interest-based ad selection without sharing the browsing behaviour of individual users with websites. In very simple terms, what FLoC plans to do is, instead of having individual user’s information being passed to an advertiser through third party cookies, an algorithm will analyse the browsing pattern of a bunch of users and allocate them into specific groups called “cohorts”.
Then, depending on the nature of advertisements which an advertiser wants to run, the AdTech company, will identify the best possible cohort to push the ads to. This effectively replaces individual tracking by the advertisers using third party cookies, with a collective or group tracking pursuant to a category based approach (effectively hiding individual users in a crowd and thus keeping them somewhat anonymous).
While a step in the right direction, promising acertain degree of privacy for the individual users and allowing for some anonymisation of data, FLoC is still not free from risks or downsides. While FLoC may promise a degree of anonymity (Google’s Privacy Sandbox uses k-anonymity) there will always be an insistence from advertisers to have the cohort size be small enough to have targeted ads be most effective.
Further, FLoC algorithms may also allow for categorization and grouping of people on internet which may have a potential for misuse. While your individual cohort ID will be used to identify your cohort and will not be shared with advertisers directly, it still will be a repository of your web activity on such browser. There are efforts being made by Google to secure the FLoC ID, however, recent high profile data breaches from Facebook and LinkedIn should make one wary. There are also potential risks associated with quasi anonymisation approach being adopted by Google for ad tracking e.g. cross content identification or browser fingerprinting.
FLoC appears to be internet’s reaction to the new data privacy legislations which are insisting on explicit cookie consents. If most users either opt out or choose not to opt in, to share data for targeted ads, it might significantly affect ad revenues. FLoC appears to be an attempt at striking a middle ground between rampant user tracking through cookies and absolute user control over what data is shared. Google has recently launched a trial for FLoC which reportedly covers more than 10 million chrome users, including in those in India.
The author is Counsel at Pioneer Legal