WordPress Proposal to Block FLoC User Tracking

WordPress Proposal to Block FLoC User Tracking

As Chrome drops 3rd party cookie tracking due to privacy concerns, WordPress is poised to consider blocking its replacement called FLoC.

Discover what this means for bloggers who run ads on their site, and the ad targeting industry.

The End of All 3rd Party Cookie Tracking is Near

If you run ads on your site then you already know that Chrome will soon join Firefox and Safari in dropping 3rd party cookie tracking.

3rd party cookies allow advertisers to not only gather anonymous data about the site visitor, but it also allows them to track where that visitor goes next online. This way they can build a demographic and interest persona so that advertisers can show targeted ads on each site that person visits.

Due to privacy concerns, both Firefox and Safari dropped 3rd party cookie tracking back in late 2019.

Why Chrome was the Last to Comply

One of the reasons Chrome is lagging behind the other browsers so much is that they have a dog in this race – namely Google AdSense ads.

While Google promised that they would not build an independent 3rd party cookie tracker when they dropped it from the Chrome browsers, that is just about what they have done with their new Privacy Sandbox which is a suite of tools comprised of 5 APIs that offer cookie-less user data.

Basically, it is supposed to do a better job of anonymising site visitors into a “crowd” of other similar users.

Those crowds are called cohorts.

FLoC stands for Federated Learning of Cohorts and it is Google’s primary machine learning tool involved with how the new Privacy Sandbox works. 

As the Electronic Frontier Foundation explains it:

“FLoC is meant to be a new way to make your browser do the profiling that third-party trackers used to do themselves: in this case, boiling down your recent browsing activity into a behavioral label, and then sharing it with websites and advertisers.” 

Is FloC a Problem?

There has been industry pushback about FLoC since the day Google announced in January 2021.

And some folks at WordPress even see this alternative form of tracking as a security threat.

They consider lumping tracked visitors into these cohort groups will lead to discrimination at its most base form.

WordPress Proposal to Block FLoC Tracking 

On April 18, 2021, a new Proposal was published on the Make WordPress Core site to have WordPress block FLoC from tracking by default

Since Google is already testing FLoC, and because 3rd party cookie tracking will end in Chrome in May, WP wants to roll this out as a security release asap instead of waiting for the next major release of 5.8 in July.

Carike, the originator of this proposal, says:

“WordPress powers approximately 41% of the web – and this community can help combat racism, sexism, anti-LGBTQ+ discrimination and discrimination against those with mental illness with four lines of code.”

While WP dev support is strongly in favor of this change, as evidenced by the comments on the proposal, at least a few devs are aware that there is already a FLoC blocking plugin to handle this issue and blocking FLoC will take more than just 4 lines of code.

HTTPS Security Headers Mess

If your HTTPS was done correctly, then the links in your database were actually converted to HTTPS and you have 5 HTTPS security headers.

If you used a plugin or other free trickery via your host, then your HTTPS was not done fully.

READ: Top 10 Reasons NOT to Use Free HTTPS for details. 

And please don’t confuse a free SSL certificate with free HTTPS. They are 2 different things.

READ: The 7 Top Myths About Free HTTPS Conversion for details.

Blocking FLoC tracking has to take into consideration how the HTTPS security header for the Permissions Policy may already be implemented on some sites.

This is not one of the 5 HTTPS security headers I recommend at this time, nor is it required by any browsers nor in Core Web Vitals.

So, it’s not likely that most bloggers will have it.

But, for WP to include such a thing in core, they have to take into consideration that there are enterprise-level sites that will have a custom Permission Policy header set.

Backport and Option Issues

Any security feature added to WP core must also be backported to previous WP versions.

This particular feature will be difficult to backport.

Plus, if it is turned on by default, it could break some sites, further eroding trust in auto updates for minor security releases.

Many devs suggest that even if this code is rolled into WP core, that it should be an option, with a toggle to turn it on/off.

To Track or Not to Track; That is the Question

The fact is, browsers and advertisers have been tracking site surfers for years without their consent.

Only because of recent lawsuits has this type of privacy concern come to light.

Google reports that their new FLoC algorithm works 95% as well as 3rd party cookie tracking.

That should give everyone pause at just how powerful this thing is.

Do you like being tracked online?

I’m betting you might say NO!

But, when you Google something, and it shows you that thing “near me” are you happy that browsers know where you are so it can show you that result? (FYI, all the browser knows is your IP address and what city that serves.)

Opt-in tracking happens on every social media platform you use like Facebook and Pinterest too, and because that’s part of their ToS (Terms of Service), you are going to see targeted ads there. As bad as you may think that is, imagine what seeing a whole page full of ads that you have zero interest in would be like.

What are Ad Agencies Doing?

Most of them aren’t saying. 

But of the ones who are more transparent, like Mediavine, they have decided to use FLoC. In fact, Mediavine started FLoC testing already. 

Both Mediavine and AdThrive are also experimenting with 1st party, opt-in cookie tracking too.

More to Come

This is a developing story and I’m keeping close watch on it.

Be sure to read Tips Tuesday every week for ongoing reports and updates.