Google’s current FLoC tests aren’t GDPR compliant

Questions about whether a browser assigning users into cohorts counts as a use of personal data, without consent, may be a privacy violation.

Chat with SearchBot

FLoC, Google’s alternative to third-party cookies, will not be tested in Europe, according to a report by AdExchanger. FLoC is set to open to advertiser testing beginning in Q2 of this year, but countries that fall under GDPR and the ePrivacy Directive will not participate.

“During a meeting of the Improving Web Advertising Business Group (IWABG) at the World Wide Web Consortium on Tuesday, Michael Kleber, a Google engineer, acknowledged that FLoCs might not be compatible with European privacy law,” wrote Allison Schiff. “Google will not proceed with FLoC testing in Europe due to concerns over which entity will serve as the data controller and which will serve as the data processor in the creation of cohorts.”

Questions on privacy in FLoC. The question seems to be around whether a web browser placing a user in a cohort counts as a use of personal data under the privacy laws. “Processing personal data to generate the cohort assignment without the proper consent could also be a violation,” says Schiff.

Screen Shot 2021 03 23 At 4.11.51 PM
Google tells Techcrunch they plan to test FLoC in the UK at a later date.

“We are starting this FLoC origin trial for users in the US and select other countries, and we expect to make FLoC available for testing worldwide at a later date,” a Google spokesperson told us.

Chrome spokesperson Marshall Vale said in a tweet Google is “working to begin testing in Europe as soon as possible.”

Screen Shot 2021 03 23 At 7.52.06 PM

Why we care. A common concern for advertisers regarding FLoC is the notion that the browser collects user data, sorts it into cohorts, and then Google uses those cohorts for advertiser targeting. Often cited as the “black box,” PPC marketers are skeptical that the tech company is actually protecting user data. In essence, Google becomes the arbiter of privacy, which doesn’t comply with wide-sweeping privacy and data-collection legislation in Europe.

We’ll have to keep an eye on how this plays out as testing begins in the U.S. The main questions we have include what’s next for FLoC abroad? Will Google be forced to hold off on testing for an official privacy ruling? And, if so, what happens if it’s not in their favor? GDPR has already had a large effect on privacy and compliance in the U.S. and abroad, and this may leave European advertisers in limbo as to what will replace third-party cookies.

This article will be updated as we collect more information.


Opinions expressed in this article are those of the guest author and not necessarily Search Engine Land. Staff authors are listed here.


About the author

Carolyn Lyden
Contributor
Carolyn Lyden served as the Director of Search Content for Search Engine Land and SMX. With expertise in SEO, content marketing, local search, and analytics, she focuses on making marketers' jobs easier with important news and educational content.

Get the must-read newsletter for search marketers.