Google developed FLoC (Federated Learning of Cohorts) as an end-run around 3rd party cookies, but it turns out many consider them to just be Cookies v2 (now built into your browser).
Certainly in Europe, privacy regulators are not planning to let Google replace cookies with FLoC without a similar level of scrutiny. Wired reports that websites implementing FLoC may require exactly the same cookie consent banner as we have now due to GDPR.
Johannes Caspar, the data protection commissioner for Hamburg, Germany, says FLoC cohorts could “allow conclusions” to be made about people’s browsing behaviour.
“The FLoC technology leads to several questions concerning the legal requirements of the GDPR,” said Caspar. “Implementing users into the FLoCs could be seen as an act of processing personal data. And this requires freely given consent and clear and transparent information about these operations.”
That consent is already missing from Google’s initial trial, with tens of millions of users enrolled in the trial without their knowledge or a simple way of opting out. This is why Google is not testing the technology at all in Europe.
French regulators are equally concerned. A spokesperson for the Commission nationale de l’informatique et des libertés, or CNIL, France’s data regulator, says it is being “particularly attentive” to tech that might replace cookies, as it may require access to information already stored on people’s devices. The CNIL is clear that such a system would require “specific, informed and unambiguous consent.”
Google is aware of the EU’s concerns, with Marshall Vale, a Chrome product manager at Google saying:
“EU privacy law sets high standards for user transparency and control, and that’s what we envision for FLoC. We know that the input of data protection authorities is key to getting this right, which is why we have begun early stage conversations about the technology and our plans.”