Google’s FLoC Experiment: How the First Privacy Sandbox Cohort-Tracking Proposal Collapsed
Federated Learning of Cohorts — FLoC — was Google’s first concrete answer to a question the company had been circling for years: how do you keep behavioral advertising functioning once third-party cookies go away, without simply rebuilding individual tracking through a different technical mechanism? Chrome began running FLoC as an origin trial in March 2021, assigning real users to algorithmically-generated interest cohorts based on their browsing history. Within months, the proposal was effectively dead, rejected by competing browser vendors, criticized by privacy researchers and regulators, and eventually withdrawn by Google itself in favor of a different approach. Understanding why is a useful lens on what “privacy-preserving advertising” actually requires versus what it’s easy to claim.
What FLoC Was Supposed to Do
The core idea, at least as pitched, was genuinely different from cookie-based tracking. Instead of an advertiser or ad network following an individual browser across sites via a persistent identifier, Chrome itself would run a clustering algorithm locally, on-device, analyzing a user’s browsing history and assigning that browser to one of thousands of cohorts — groups of users algorithmically judged to have similar browsing interests. Sites and advertisers would see only a cohort ID, not an individual identifier, and in theory could target ads at a cohort’s inferred interests without ever identifying or tracking the individual browser within it.
Google’s stated privacy argument was that this represented a real improvement over the status quo: no individual-level tracking, no persistent cross-site identifier tied to a single browser, and a cohort ID shared by thousands of similar users rather than a unique fingerprint for one. The origin trial, run across a subset of Chrome users starting in select regions, was meant to test both the technical mechanism and its real-world advertising effectiveness before any consideration of a broader default rollout.
How the Clustering Actually Worked
The technical mechanism deserves a plain explanation, since a lot of the public debate happened at a level of abstraction that obscured what was actually being computed. Chrome’s FLoC implementation ran a clustering algorithm, based on a technique Google described as a variant of SimHash, locally on the user’s device. The algorithm analyzed the domains a browser had visited over a trailing window — roughly a week, in the origin trial’s configuration — and produced a compact numerical summary of that browsing pattern. Browsers whose visited-domain patterns produced similar summaries were assigned the same cohort ID, out of a defined universe of several thousand possible cohorts.
Critically, the actual browsing history itself never left the device — only the resulting cohort ID was exposed to sites and advertisers. This was the core of Google’s privacy argument: no server anywhere ever received a list of the sites a specific user had visited, only a group label shared by thousands of other browsers with statistically similar patterns. The origin trial ran this calculation for real Chrome users in several countries, including the United States, starting in a subset of regions before any consideration of global rollout, specifically so Google could measure the advertising effectiveness of cohort-based targeting against real ad campaigns before deciding whether the mechanism was viable as third-party cookies’ actual replacement.
Why Other Browser Vendors Rejected It Almost Immediately
The rejection from competing browser vendors was fast and largely unequivocal. Mozilla’s position, articulated by Firefox’s engineering and policy teams shortly after the origin trial began, was that FLoC represented a fundamentally different threat model than third-party cookies, not a strictly better one — and that the difference mattered more than Google’s framing suggested.
The core objection: a cohort ID, even shared by thousands of users, is still a browser-generated behavioral signal broadcast to every site a user visits, without an opt-in step, based on browsing history the user never explicitly agreed to have algorithmically summarized and exposed. Critics pointed out several specific problems. First, cohort assignment could function as a fingerprinting signal in combination with other browser characteristics — a cohort ID combined with even a few other identifying signals could narrow down an individual browser meaningfully, undermining the “just a group, not an individual” framing. Second, cohort membership itself could leak sensitive inferences: a cohort correlated with browsing patterns associated with a health condition, a financial circumstance, a sexual orientation, or a religious affiliation would broadcast that inferred characteristic to every site the user visited, which is arguably a more exposed default than cookie-based tracking, where at least the tracking entity had to actively build a profile rather than receiving a ready-made categorical signal automatically.
Brave and Vivaldi went further than objecting in principle — both browsers shipped code to actively block FLoC’s cohort-calculation mechanism from running at all for their users, treating the feature as something to defend against rather than merely decline to adopt. WordPress, which powers a very large share of the web’s sites, added code allowing site operators to opt their sites out of FLoC cohort calculation via an HTTP response header, a move that gave a huge number of ordinary websites a mechanism to exclude their traffic from feeding the cohort algorithm even while running Chrome.
The Regulatory and Antitrust Dimension
FLoC’s timing put it directly in the path of an active antitrust and regulatory scrutiny of Google’s advertising business, and that context shaped how the proposal was received well beyond the pure privacy-engineering debate. The UK’s Competition and Markets Authority, already investigating Google’s planned deprecation of third-party cookies over concerns it could entrench Google’s own advertising dominance, treated FLoC and the broader Privacy Sandbox initiative as directly relevant to that investigation — since a replacement mechanism controlled entirely by the browser vendor that also runs the dominant ad exchange raises obvious self-preferencing concerns distinct from the underlying privacy question.
The Electronic Frontier Foundation published detailed public criticism arguing FLoC solved Google’s problem — legal and reputational pressure over third-party cookies — without solving users’ actual problem, which was being tracked and profiled without meaningful consent in the first place. The framing stuck: FLoC became widely characterized in privacy advocacy circles as a mechanism that preserved behavioral advertising’s core function while changing its plumbing, rather than a genuine move toward user control.
What Killed It
No single event ended FLoC. It was the accumulation of near-universal rejection from competing browser vendors, sustained criticism from privacy researchers who identified concrete technical weaknesses in the cohort-fingerprinting risk, active blocking by some browsers, opt-out adoption by a meaningful slice of the web’s site operators, and continued regulatory scrutiny that made the “trust us, this is better” pitch increasingly untenable politically as well as technically. By early 2022, Google had shifted its Privacy Sandbox roadmap away from FLoC entirely, replacing it with a successor proposal — the Topics API — built around narrower, shorter-lived interest categories with more limited scope than FLoC’s broader cohort model, in explicit response to the specific criticisms FLoC had accumulated.
What the Episode Actually Demonstrates
The FLoC collapse is worth understanding as more than a footnote, because it illustrates a pattern relevant to every “privacy-preserving alternative to tracking” proposal that follows it, including the ones that came after. A mechanism run entirely by the dominant browser vendor, opted-in by default without meaningful user consent, evaluated primarily by that same vendor’s own advertising business unit — even with a genuinely well-intentioned privacy engineering team behind it — will face structural skepticism that a purely technical fix cannot resolve on its own. The privacy properties of a system matter, but so does who controls it, who benefits from it, and whether the people affected by it had any real say in whether it ran on their browser at all.
For a deeper look at how the broader third-party cookie deprecation effort that FLoC was meant to support has evolved since, our SameSite cookie default coverage traces the earlier, less contentious step in the same general direction — restricting ambient cross-site cookie behavior by default rather than replacing it with a new tracking primitive. And our look at why the Do Not Track header failed covers the earlier, opposite failure mode: a mechanism nobody was obligated to honor, rather than one people were opted into without being asked.
FAQ
Was FLoC actually more private than third-party cookies? It’s genuinely contested. FLoC did eliminate individual-level persistent identifiers in favor of shared cohort IDs, which is a real technical difference. But critics demonstrated that cohort IDs combined with other browser signals could still narrow down individuals, and that cohort membership itself could leak sensitive behavioral inferences to every site visited by default — tradeoffs that made “more private” a much less settled claim than Google’s initial framing suggested.
Did all browsers reject FLoC, or just some? Firefox, Brave, Vivaldi, and several other non-Chromium and Chromium-based browsers either declined to implement it or actively blocked the cohort-calculation mechanism. Chrome was effectively alone among major browsers in running the origin trial and pursuing the mechanism toward a broader rollout before ultimately abandoning it.
Could website operators opt out of FLoC? Yes. Google added a response-header opt-out mechanism allowing individual sites to exclude their traffic from a visitor’s cohort calculation, and WordPress added built-in support for setting that header, which a large share of the web’s sites used to opt out.
What replaced FLoC in Google’s Privacy Sandbox roadmap? The Topics API, introduced as FLoC’s successor, uses a narrower model: a small number of coarse-grained interest topics assigned per browsing session, drawn from a curated taxonomy, rather than FLoC’s broader behavioral clustering approach — a design explicitly shaped by the specific criticisms FLoC accumulated.
Is Privacy Sandbox as a whole dead because FLoC failed? No. FLoC was one specific proposal within the broader Privacy Sandbox initiative, which includes several other APIs addressing different advertising and tracking use cases. FLoC’s rejection changed the roadmap and the specific mechanism used for interest-based targeting, but it did not end the broader initiative.


