Analyst Chat
Analyst Chat #115: From Third-Party Cookies to FLoC to Google Topics API
Online tracking is a highly visible privacy issue that a lot of people care about. Third-party cookies are most notorious for being used in cross-site tracking, retargeting, and ad-serving. Annie Bailey and Matthias sit down to discuss the most recently proposed approach called „Topics API“.
Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth, I'm Senior Analyst and Lead Advisor with KuppingerCole Analysts. My guest today is a Senior Analyst for KuppingerCole as well. Annie Bailey. Hi. Good to see you.
Hi. Good to be back.
Great to have you back. And back is the right term because we are back at a topic that we covered way back when there was no video in that podcast. When we talked about the end of the third party cookie and an initiative, a concept created by Google that was called FLoC. And we looked at that, yeah, at that time and what that meant for privacy, for ad surfing, for business on the Web in general. So if we start with that topic and we wrap up because we want to continue the story here, what are third-party cookies and why do we want to get rid of them still?
Yeah. So this idea of third-party cookies, of course, comes from the idea of cookies, which began as a functional aspect to interacting on the web. So you can think of it most easily and e-commerce situations where you need to have a shopping cart and the decisions that follow you from screen to screen. So a cookie allows that to happen. And these do have legitimate purposes for this functionality for analytics. And third party cookies sometimes also enable this, but also really get a bad rep for enabling cross-site tracking, for retargeting of personalized ads, and for actually serving those ads. And so there are several privacy issues with the overuse of third-party cookies and the third very pervasive tracking, which happens with that. And so back in March of 2021, Google did announce that they would be phasing out the support for third-party cookies on their browser on Chrome. And yeah, this is where we stood back then. And that's still, for the most part, the status quo. Google's still looking at phasing out those cookies. And we're back to talk about it.
Right. So why would a company which heavily relies on its business model on ad serving, on understanding their users, why would Google want to do this at all? Why do they want to do that?
Yeah, that's an interesting question. I perhaps take a pretty skeptical or cynical look at this, but I see it as a great publicity stunt, you know. Third-party cookies, they're very much in the public eye. And it's a concept that people can easily get their feathers ruffled about it and demand change. So this is something that Google does have influence over. Their search engine and YouTube are just two monstrous examples of how much dominance they have in the space for individuals to be searching and then be interacting with cookies. What the interesting thing is, is they have more than enough space to host their own first-party cookies. And most of their revenue would come from that. The revenue which comes from third-party cookies is relatively small, is likely microscopic. And they're in the position to then redesign the replacement of third-party cookies. So they can probably maintain that revenue that would have been lost by third-party cookies.
All right. So when we think back to the last episode that we did around that topic, there was this first proposal around which was called FLoC. And I have looked to look it up, federated learning of cohorts, and we looked at the privacy implications of that. And since then, this has been rejected, I assume, and there was a new proposal. But if you can give a short overview of these two alternatives, what did they look like, and what was the idea behind that to make it more privacy friendly? Maybe?
Mm-hmm. Yeah. So the concept was to enable interest-based advertising instead of tracking. And its goal was then to not track but observe the recent browsing history of users and then to group them into cohorts based on similar interests. These new, new cohorts would be assigned weekly, would be very current, but it would be using cumulative browser history. So as time goes on, it becomes only more and more accurate. There were some or there were many complaints from privacy advocates about this, especially that it would become only ever more accurate and not work with identifiers for individuals. But over time, the fear and the prediction was that these cohorts would be good enough to very accurately identify an individual which then puts their privacy at a very large risk.
Right. So but what is then the new approach that they're proposing as of now?
So the new approach can sound very similar. It's called Topics API based, where the browser again learns about the user based on their browsing behavior. But this is done in a three-week chunk. And from this, it would assign a user to a topic. And now differing from FLoC, their previous solution, the topics are predefined. So this is not a group which is becoming only ever more and more accurate based on characteristics, but it's things like travel or running or technology. So there are things that are less specific and this is then kept at a less specific level because when a site supports this topic API for ad serving, the browser would then pull three topics that that user has been placed in at random from their top five. And then the website would share these topics with advertisers for ad serving. And yeah, this is the new proposal. It's planning to become available out of their privacy sandbox in Q4 of 2022.
Right. So you've mentioned it already. It can sound very similar to FLoC. So we are still assigning users to a kind of group, a kind of topic. Well, so why is it supposed to be better? Where are the differences?
Yeah. So the similarities are in that; the user browsing history is still observed and the decision of how to categorize that user is still based on their recent browsing history. The differences come in how specific that topic is, hence the name or if it's more general... excuse me, that the topic is much more general rather than the very specialized cohorts. They're really customized and ever being shaped to the individuals who were placed in there. So you can think of it as, as cohorts looking at characteristics of tendencies of ideas of sensibilities rather than a topic which is just itself, a topic, theoretically you shouldn't be able to cross identify an individual just by the different topics that they're in. If only the top three topics are being shared with a website, it's going to be things like travel and cooking and perhaps you're shopping for a new car. Then yeah, who knows, a Porsche. So with that information should be much less likely to identify an individual based on their topic. Another difference between FLoC and topics is the fact that they're cumulative versus non-cumulative grouping. What you mean by that is that FLoC tended to be a cumulative decision based on the entire browsing history. And so that would take in the sensibilities over time as a person branched from one interest to another. This would span the different shopping seasons for different holidays, different seasons, different needs, different ideas that come over time, different reactions to current events. So you can see that a cumulative view of a person really does give a much more holistic view and therefore much more personalized. It's very useful to advertisement or advertisers for giving a personalized experience, but that is encroaching on the privacy of those users. When we move to a non-cumulative decision to place a user under a topic, it's of a very short period, relatively three weeks. And so this cut off that long-term view of who a person is based on their browsing history. And we've heard hints of this and we'll see what it looks like when topics is released. But users should have the ability to see what topics they are associated with and even to remove topics permanently so that they cannot be associated with certain topics. So that is... that promise of user control is a really interesting advancement here. It could go even farther. To my opinion, it would be really useful and much a different take on privacy if users would be able to indicate topics that they actually would like to see advertisements for. You know, if you happen to be in the market for new tennis shoes at an individual user. Wouldn't it be great if all of a sudden you could start to see deals and offers on the thing which you are interested in? So if they're out there and they hear us, perhaps they'll think about adding that functionality.
Right. So talking about privacy, I think from what you've described and what this concept contains, I think it could be an improvement when it comes to the privacy implications of this mechanism compared to FLoC and compared to the third-party cookie. If I'm reduced to say three topics, and that is based on my browsing history for the last three weeks. What does that mean for privacy on the one hand, and what does that mean for those who are doing business based upon this limited information?
Yeah. So on a privacy aspect, this is a step forward. It's going to be much less likely to re-identify a user just based on their topics. And that will always be changing and again, changing at a general level, not continuously improving in their specificity. The question is, is what happens to the ad providers and those who are then depending on this topic API to deliver personalized ad experiences or any other functionality. Because this does keep the information at a very generalized level. And you could take it a couple of different ways. You could call it obfuscating and obscuring, rather or you could call it just overly simplified views of individual people. And it's hard to deliver that personalized experience to an overly simplified person. So in a sense, likely ad observers and the ad industry is going to have a difficult time with this, which could only solidify Google's position as a monopoly over this space since their main revenue area is very well protected. So they may be weeding out the competition here with this
Right. If you look at these topics and you've mentioned that they are very generic, very general if we look at those. Nevertheless, I think that would be an option to have topics that cover sexuality, political views, maybe gender, race, any kind of this. Does that not also lay open too much, disclose too much information about the person when it comes to making sure that, I don't want to know the advertiser, to know anything about that?
Yeah. So from where we stand today, topics will exclude these sensitive categories of gender, of race. But the question is, how far is that extended? You know, what is going to be determined as a sensitive category, and will not some be left out? You know, there's hope that with these user controls, an individual would then be able to look through and adjust and make sure that they're not disclosing information that they don't want anybody to know. But this combination of topics may still indicate, you know if you have if we're sticking completely to stereotypes. But if your topics are in, you know, children, makeup, and health food, then perhaps it's clear what your gender is, even though you haven't communicated it. And so the use of this and the way that this information may be combined to then not go to the extreme of cohorts, but to create cohorts at a more generalized level, that's still information which can be used. So this may end up with spinoff attempts to profile individuals.
And I think that over time, there could be a collection of information because the browser ID won't change. And if you add these different types of topics over time, you might want to get to a more complete picture of a person. One thing that strikes me is, that it's again Google that is providing this next approach for solving the third-party cookie challenge. Is Google the only player that is big enough to change this market? Why Google?
Well, Google is an incredibly strong player here and since most people end up using Google as a search engine, although others exist, they tend to make the news on this with larger splashes than perhaps others. But they are, of course, not the first. And in fact, they could be considered lagging in taking a position on third-party cookies. Firefox did this in 2019, Safari from Apple, iOS took a stand on this in 2020. So if Google has only started this in 2021 it's a very reactionary position. They did react to the pushback from the privacy community regarding FLoC. So on the question, if Google is the only one who's big enough to change the market, perhaps you're entering more of a conversation now that the optimistic look at this is that there could be an effect and a voice loud enough that Google would hear on this. So we'll see. There are ways that this could be improved overall, we mentioned just briefly earlier on these user controls. Wouldn't it be nice for a user to indicate what they would like to see instead of just passively saying, no, I don't want to be identified with that topic? You know, if we could move a bit more towards really communicating a user's intention and seeing a reaction from the Internet back to that would be a really, really interesting direction to go. But it looks like we have to wait a little bit longer for that
Right. And we will have, of course, a continued look at this development, because last year we were also kind of critical towards the privacy implications of FLoC way back then already. And that has been then stopped and no longer been pursued. Now we have these topics and let's wait and see when they come out for the general public and whether they are adopted by other browser vendors as well, and whether this is a concept that is more privacy-friendly. So we will have a look at that and continue this evaluation. For the time being, Annie, that was really interesting to learn more about this new privacy-related and tracking-related information regarding what other browser vendors already have driven these ad serving organizations, too by saying, Okay, we do no longer accept by default the use of third-party cookies. So that has changed and that has driven organizations like Google to find new solutions. Let's wait and see whether they will stand the test of real-life for ad serving. Any final thoughts before we close down?
My final thought would be, Let's wait and see. These are early days for topics and we need to see, as you rightly say, who adopts this and who decides that it has no place in their ecosystem as publishers may choose to do. WordPress had decided FLoC was not welcome and they would not be accepting that API. So we'll see who adopts and who doesn't.
Right. So maybe next year at the same time, the next approach. So looking forward anyway to talk to you soon again regarding your topics. And thank you very much for being my guest today.
Thanks for having me.
Thank you. And bye-bye.
Hi. Good to be back.
Great to have you back. And back is the right term because we are back at a topic that we covered way back when there was no video in that podcast. When we talked about the end of the third party cookie and an initiative, a concept created by Google that was called FLoC. And we looked at that, yeah, at that time and what that meant for privacy, for ad surfing, for business on the Web in general. So if we start with that topic and we wrap up because we want to continue the story here, what are third-party cookies and why do we want to get rid of them still?
Yeah. So this idea of third-party cookies, of course, comes from the idea of cookies, which began as a functional aspect to interacting on the web. So you can think of it most easily and e-commerce situations where you need to have a shopping cart and the decisions that follow you from screen to screen. So a cookie allows that to happen. And these do have legitimate purposes for this functionality for analytics. And third party cookies sometimes also enable this, but also really get a bad rep for enabling cross-site tracking, for retargeting of personalized ads, and for actually serving those ads. And so there are several privacy issues with the overuse of third-party cookies and the third very pervasive tracking, which happens with that. And so back in March of 2021, Google did announce that they would be phasing out the support for third-party cookies on their browser on Chrome. And yeah, this is where we stood back then. And that's still, for the most part, the status quo. Google's still looking at phasing out those cookies. And we're back to talk about it.
Right. So why would a company which heavily relies on its business model on ad serving, on understanding their users, why would Google want to do this at all? Why do they want to do that?
Yeah, that's an interesting question. I perhaps take a pretty skeptical or cynical look at this, but I see it as a great publicity stunt, you know. Third-party cookies, they're very much in the public eye. And it's a concept that people can easily get their feathers ruffled about it and demand change. So this is something that Google does have influence over. Their search engine and YouTube are just two monstrous examples of how much dominance they have in the space for individuals to be searching and then be interacting with cookies. What the interesting thing is, is they have more than enough space to host their own first-party cookies. And most of their revenue would come from that. The revenue which comes from third-party cookies is relatively small, is likely microscopic. And they're in the position to then redesign the replacement of third-party cookies. So they can probably maintain that revenue that would have been lost by third-party cookies.
All right. So when we think back to the last episode that we did around that topic, there was this first proposal around which was called FLoC. And I have looked to look it up, federated learning of cohorts, and we looked at the privacy implications of that. And since then, this has been rejected, I assume, and there was a new proposal. But if you can give a short overview of these two alternatives, what did they look like, and what was the idea behind that to make it more privacy friendly? Maybe?
Mm-hmm. Yeah. So the concept was to enable interest-based advertising instead of tracking. And its goal was then to not track but observe the recent browsing history of users and then to group them into cohorts based on similar interests. These new, new cohorts would be assigned weekly, would be very current, but it would be using cumulative browser history. So as time goes on, it becomes only more and more accurate. There were some or there were many complaints from privacy advocates about this, especially that it would become only ever more accurate and not work with identifiers for individuals. But over time, the fear and the prediction was that these cohorts would be good enough to very accurately identify an individual which then puts their privacy at a very large risk.
Right. So but what is then the new approach that they're proposing as of now?
So the new approach can sound very similar. It's called Topics API based, where the browser again learns about the user based on their browsing behavior. But this is done in a three-week chunk. And from this, it would assign a user to a topic. And now differing from FLoC, their previous solution, the topics are predefined. So this is not a group which is becoming only ever more and more accurate based on characteristics, but it's things like travel or running or technology. So there are things that are less specific and this is then kept at a less specific level because when a site supports this topic API for ad serving, the browser would then pull three topics that that user has been placed in at random from their top five. And then the website would share these topics with advertisers for ad serving. And yeah, this is the new proposal. It's planning to become available out of their privacy sandbox in Q4 of 2022.
Right. So you've mentioned it already. It can sound very similar to FLoC. So we are still assigning users to a kind of group, a kind of topic. Well, so why is it supposed to be better? Where are the differences?
Yeah. So the similarities are in that; the user browsing history is still observed and the decision of how to categorize that user is still based on their recent browsing history. The differences come in how specific that topic is, hence the name or if it's more general... excuse me, that the topic is much more general rather than the very specialized cohorts. They're really customized and ever being shaped to the individuals who were placed in there. So you can think of it as, as cohorts looking at characteristics of tendencies of ideas of sensibilities rather than a topic which is just itself, a topic, theoretically you shouldn't be able to cross identify an individual just by the different topics that they're in. If only the top three topics are being shared with a website, it's going to be things like travel and cooking and perhaps you're shopping for a new car. Then yeah, who knows, a Porsche. So with that information should be much less likely to identify an individual based on their topic. Another difference between FLoC and topics is the fact that they're cumulative versus non-cumulative grouping. What you mean by that is that FLoC tended to be a cumulative decision based on the entire browsing history. And so that would take in the sensibilities over time as a person branched from one interest to another. This would span the different shopping seasons for different holidays, different seasons, different needs, different ideas that come over time, different reactions to current events. So you can see that a cumulative view of a person really does give a much more holistic view and therefore much more personalized. It's very useful to advertisement or advertisers for giving a personalized experience, but that is encroaching on the privacy of those users. When we move to a non-cumulative decision to place a user under a topic, it's of a very short period, relatively three weeks. And so this cut off that long-term view of who a person is based on their browsing history. And we've heard hints of this and we'll see what it looks like when topics is released. But users should have the ability to see what topics they are associated with and even to remove topics permanently so that they cannot be associated with certain topics. So that is... that promise of user control is a really interesting advancement here. It could go even farther. To my opinion, it would be really useful and much a different take on privacy if users would be able to indicate topics that they actually would like to see advertisements for. You know, if you happen to be in the market for new tennis shoes at an individual user. Wouldn't it be great if all of a sudden you could start to see deals and offers on the thing which you are interested in? So if they're out there and they hear us, perhaps they'll think about adding that functionality.
Right. So talking about privacy, I think from what you've described and what this concept contains, I think it could be an improvement when it comes to the privacy implications of this mechanism compared to FLoC and compared to the third-party cookie. If I'm reduced to say three topics, and that is based on my browsing history for the last three weeks. What does that mean for privacy on the one hand, and what does that mean for those who are doing business based upon this limited information?
Yeah. So on a privacy aspect, this is a step forward. It's going to be much less likely to re-identify a user just based on their topics. And that will always be changing and again, changing at a general level, not continuously improving in their specificity. The question is, is what happens to the ad providers and those who are then depending on this topic API to deliver personalized ad experiences or any other functionality. Because this does keep the information at a very generalized level. And you could take it a couple of different ways. You could call it obfuscating and obscuring, rather or you could call it just overly simplified views of individual people. And it's hard to deliver that personalized experience to an overly simplified person. So in a sense, likely ad observers and the ad industry is going to have a difficult time with this, which could only solidify Google's position as a monopoly over this space since their main revenue area is very well protected. So they may be weeding out the competition here with this
Right. If you look at these topics and you've mentioned that they are very generic, very general if we look at those. Nevertheless, I think that would be an option to have topics that cover sexuality, political views, maybe gender, race, any kind of this. Does that not also lay open too much, disclose too much information about the person when it comes to making sure that, I don't want to know the advertiser, to know anything about that?
Yeah. So from where we stand today, topics will exclude these sensitive categories of gender, of race. But the question is, how far is that extended? You know, what is going to be determined as a sensitive category, and will not some be left out? You know, there's hope that with these user controls, an individual would then be able to look through and adjust and make sure that they're not disclosing information that they don't want anybody to know. But this combination of topics may still indicate, you know if you have if we're sticking completely to stereotypes. But if your topics are in, you know, children, makeup, and health food, then perhaps it's clear what your gender is, even though you haven't communicated it. And so the use of this and the way that this information may be combined to then not go to the extreme of cohorts, but to create cohorts at a more generalized level, that's still information which can be used. So this may end up with spinoff attempts to profile individuals.
And I think that over time, there could be a collection of information because the browser ID won't change. And if you add these different types of topics over time, you might want to get to a more complete picture of a person. One thing that strikes me is, that it's again Google that is providing this next approach for solving the third-party cookie challenge. Is Google the only player that is big enough to change this market? Why Google?
Well, Google is an incredibly strong player here and since most people end up using Google as a search engine, although others exist, they tend to make the news on this with larger splashes than perhaps others. But they are, of course, not the first. And in fact, they could be considered lagging in taking a position on third-party cookies. Firefox did this in 2019, Safari from Apple, iOS took a stand on this in 2020. So if Google has only started this in 2021 it's a very reactionary position. They did react to the pushback from the privacy community regarding FLoC. So on the question, if Google is the only one who's big enough to change the market, perhaps you're entering more of a conversation now that the optimistic look at this is that there could be an effect and a voice loud enough that Google would hear on this. So we'll see. There are ways that this could be improved overall, we mentioned just briefly earlier on these user controls. Wouldn't it be nice for a user to indicate what they would like to see instead of just passively saying, no, I don't want to be identified with that topic? You know, if we could move a bit more towards really communicating a user's intention and seeing a reaction from the Internet back to that would be a really, really interesting direction to go. But it looks like we have to wait a little bit longer for that
Right. And we will have, of course, a continued look at this development, because last year we were also kind of critical towards the privacy implications of FLoC way back then already. And that has been then stopped and no longer been pursued. Now we have these topics and let's wait and see when they come out for the general public and whether they are adopted by other browser vendors as well, and whether this is a concept that is more privacy-friendly. So we will have a look at that and continue this evaluation. For the time being, Annie, that was really interesting to learn more about this new privacy-related and tracking-related information regarding what other browser vendors already have driven these ad serving organizations, too by saying, Okay, we do no longer accept by default the use of third-party cookies. So that has changed and that has driven organizations like Google to find new solutions. Let's wait and see whether they will stand the test of real-life for ad serving. Any final thoughts before we close down?
My final thought would be, Let's wait and see. These are early days for topics and we need to see, as you rightly say, who adopts this and who decides that it has no place in their ecosystem as publishers may choose to do. WordPress had decided FLoC was not welcome and they would not be accepting that API. So we'll see who adopts and who doesn't.
Right. So maybe next year at the same time, the next approach. So looking forward anyway to talk to you soon again regarding your topics. And thank you very much for being my guest today.
Thanks for having me.
Thank you. And bye-bye.
Video Links
Stay Connected
Related Videos
How can we help you