Google’s Privacy Sandbox—We’re all FLoCed

By Ken Glueck, Executive Vice President, Oracle

March 7, 2021

To hear Google tell it, consumer privacy is now so important that it has decided to stop tracking and targeting individuals across the internet. Examined closely, Google’s announcement does nothing to protect consumers while advancing its campaign of anticompetitive conduct. Google positions its recent efforts as privacy-enhancing so long as we all agree to play in Google’s new Privacy Sandbox called Federated Learning of Cohorts (FLoC). No, really, that’s what they are calling it. 

Let’s start with a plain-English description of this new sandbox, to the extent possible. Google says it will eliminate the use of third-party “cookies” in its Chrome browser. It will replace those “cookies” with a new algorithm that analyzes individual consumers’ types, habits, and preferences and places them into FLoCs, which are groups of individuals who will all receive the same ads. These “cohorts” are individuals who share common characteristics, such as college-educated, charcuterie-loving golfers who frequently visit the Hamptons and shop at Nordstrom. Let’s just say this FLoC won’t get ads for payday loans.

Now, even though Google claims it will no longer permit cookies and “will not build alternate identifiers,” it will not apply those new rules to itself. Google will certainly know enough to constantly place individuals into ever-changing groups. On Android devices alone, Google maintains over a dozen unique identifiers. So consumers will be tracked as individuals but marketed to as a group, and as part of multiple different groups. And these groups will change based on the ads being served. Consumers will be dynamically and instantaneously assigned (by algorithm) to different FLoCs based on their profiles and ad content. And as consumers are placed in more and more FLoCs, they rapidly generate a list of FLoCs that uniquely describes…one individual. This is Google’s new Privacy Sandbox. Yes, it’s FLoCed up.

You see, the core problem is that Google very much wants to dominate digital advertising, which generates 90 percent of its revenues, but it also desperately wants to be included in the social norm that increasingly values and protects privacy. Stated differently, Google is running a brothel but wants to join the choir.

Maybe we need to take a step back. In the pre-smartphone era (2007), Google acquired DoubleClick and has been the dominant purveyor of “third-party cookies” ever since. To the extent “third-party cookies” are a problem, they are a problem of Google’s own making. So, what’s changed? Well, unlike 2007, Google now dominates global ads. The Google Chrome browser now sits with 65 percent global market share and Google Android is in excess of 70 percent market share. With dominance over both the browser and the mobile OS, Google no longer needs cookies.

What Google doesn’t really say is that effectively none of Google’s own privacy-invasive practices are changing. Chrome will still monitor every web site and action a logged-in consumer takes on the web. Android will still collect your precise geolocation, your movements, and your app usage, while surreptitiously mapping every Wi-Fi base station and Bluetooth beacon on the planet. Google search will still catalogue every desire and query no matter how intimate, while the array of Google’s own first-party analytic and advertising cookies will collect more data than the now-banned third-party cookies ever would have.

The FLoCers must be ROFLing (I know, very uncool) all over Mountain View because what they have just done, unilaterally, is wipe out the competition for consumer data and any semblance of competition in online advertising, without actually enhancing privacy.

Google’s sandbox is little more than an attempt at using privacy as a pretext to solidify its dominance. It creates anticompetitive rules for everyone to abide by, except for Google. Third parties—some people call them competitors—will be in the dark, but first parties—that would be Google—will have a 20/20 view into every consumer’s likes, desires, and location, to sell ads.

Google’s playbook is actually admirable. 

First, Google acquires DoubleClick, rapidly kills off the competition for third-party data collection and becomes dominant in internet ads. Oh, and forget about any promises made at the time of acquisition regarding combining data between DoubleClick and Search. As of 2016, Google takes consumers’ formerly anonymous browsing data and links it with all the other personally identifiable data they have.

Then Google kicks everyone out of its sandbox under the pretext of privacy. So the company most responsible for creating the surveillance economy all of a sudden wants us to believe it values consumer privacy. But, of course, this new sandbox does not apply to Chrome, Android, Search, or YouTube.

Google then tries out the “everybody else is doing it” argument and points to the fact that Safari and Firefox eliminated third-party cookies a couple of years ago. But Safari and Firefox are not dominant in browsers or dominant in global advertising. So, it can be true that the Safari and Firefox decisions were privacy enhancing, while the Chrome decision is competition killing.

Google then leans hard on this concept of first party/third party. They just keep saying it fast enough and nobody slows them down and calls them out. Let’s do that now: 

  • Google can use Search, Chrome, and Android to collect all the data it wants, run that data through its AI black box, and target ads because Google considers itself a “first party.” When someone creates a Google account and then uses Chrome to access the internet, Google uses that account sign-in to assume for itself first-party status.
  • Also, when a consumer activates a new Android phone, they agree to give Google first-party permissions. 
  • Oftentimes, when a consumer clicks “agree” on a pop-up that appears on a non-Google web site, buried in those terms of service could be language giving Google’s advertising and analytic cookies additional first-party privileges.

But to the typical consumer, the first party is not the web browser they are using, but the web site they are visiting. Think of it this way. When I call my dad using Verizon, I assume my dad and I are the only people in the conversation. The two of us are the first parties. I did not call my dad and Verizon; there aren’t three of us on the call. But under Google’s rules, Verizon is a first party to the call, and they should be able to advertise to us based on the restaurants or movies—or health or financial issues—we discussed on our call.

So let’s follow the phone call analogy to the web. Let’s say I sit down and “call” the New York Times using my Chrome web browser—HTTP instead of my phone. Here, the consumer considers the New York Times a first party—just like when I call my dad. The New York Times also considers the consumer its first party (i.e. customer). It’s ridiculous to consider Google a first party to this interaction just because I am using Chrome, even if the New York Times hires Google to place ads or track analytics on its website. Google, just as Verizon, is just a service provider. Google could ask consumers for opt-in consent to be treated as a first party, but consumers are as likely to do that as they are to consent to Verizon listening in to their phone calls. So, Google just anoints itself a first party anyway. After all, it’s Google’s sandbox.

Of course, if Google were genuine in its privacy conversion, then it would apply its rules uniformly and apply those same rules to itself. It would stop tracking individuals browsing on Chrome and on Android. It would offer consumers opt-in control over their data. It would stop sharing data across its platforms. And it would stop tracking individuals across devices. But, of course, they won’t.

Google just wants consumers and advertisers to sit down and play in Google’s new “Privacy Sandbox” using Google’s rules and terms dictated by Google. Some might call that a Privacy Quicksandbox, but we won’t.

Google is right. Consumers are FLoCed.
