blog: Don Marti


FLoC opt out

13 February 2021

Updated 22 Apr 2022: Added header for "new FLoC"

Updated 15 Apr 2021. Added some links to related articles, added mention of test in progress.

Updated 28 Feb 2021. Removed meta tag material, added link. We still do not know how to opt out of FLoC without setting an HTTP response header.

I'm not going to cover all the problems with having web browsers label their users with "cohorts" here. Really briefly, the Google Chrome browser might start using a system called "Federated Learning of Cohorts" (FLoC) to partly replace some of the data practices that are currently done using third-party tracking cookies.

There is a test of FLoC now running that is opt-in, but the core FLoC proposal is still opt out. It looks as if, in order to protect Google Chrome users on your site, you will have to change the site configuration a little.

New opt out

The opt out for the new FLoC, the Topics API, is:

Permissions-Policy: browsing-topics=()

Opt out method 1: HTTP header in the site config

The header you need is Permissions-Policy, and looks like this:

Permissions-Policy: interest-cohort=(), browsing-topics=()

In order to set that in Apache2 on Debian, I made a file called /etc/apache2/conf-available/floc.conf with the line:

Header always set Permissions-Policy "interest-cohort=(), browsing-topics=()"

and then ran:

a2enconf floc.conf
apachectl graceful

I'm going to do this on all the sites where I have access to the web server config and can easily add a header.

You can also add the header in the appropriate .htaccess file.

For WordPress

There is a new WordPress plugin to add the opt-out header: Opt-out of FLoC on your WordPress website – Roy Tanck

Opt out method 2: for sites that can't set HTTP headers

Work in progress. The HTTP header is still the only way to opt out, since a meta tag won't work. (Discussion on the WICG/floc repository on GitHub.)


In the future, to check that it worked, I should be able to use the Permissions API. An example of a Permissions API query that works is this one, for how to check the Geolocation API permission:

// Check for Geolocation API permissions
navigator.permissions.query({name: 'geolocation'})
    .then(function(permissionStatus) {
        console.log('geolocation permission state is ', permissionStatus.state);
    });

Right now when I do a query for the name interest-cohort, I'm getting "The provided value 'interest-cohort' is not a valid enum value of type PermissionName." but I'm sure that they'll get this fixed up before FLoC gets turned on in regular people's browsers. Anyway, will update as I get to test more.
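Until a Permissions API query for these names works, the opt-out can be checked from the response header value itself. The following is an added example, not code from the original post: a simplified parser (the function names are this example's own, and the sample header values are constructed) that reports whether each feature has the empty allowlist `()`.

```javascript
// Simplified parser for the Permissions-Policy dictionary syntax (feature=allowlist, ...).
// Illustration only: not a full Structured Fields implementation (no escaped quotes).
const OPT_OUT_FEATURES = ['interest-cohort', 'browsing-topics'];

// Split on commas that are outside parentheses and double quotes.
function splitMembers(value) {
  const members = [];
  let depth = 0, inQuote = false, current = '';
  for (const ch of value) {
    if (ch === '"') inQuote = !inQuote;
    else if (!inQuote && ch === '(') depth++;
    else if (!inQuote && ch === ')') depth--;
    if (ch === ',' && depth === 0 && !inQuote) {
      members.push(current);
      current = '';
    } else {
      current += ch;
    }
  }
  members.push(current);
  return members.map((m) => m.trim()).filter((m) => m !== '');
}

// Map of feature name -> raw allowlist text. Assumption of this example:
// when a feature is repeated, the last value is kept.
function parsePermissionsPolicy(value) {
  const policy = new Map();
  for (const member of splitMembers(value)) {
    const eq = member.indexOf('=');
    if (eq === -1) continue; // bare key carries no allowlist, ignore it
    policy.set(member.slice(0, eq).trim().toLowerCase(), member.slice(eq + 1).trim());
  }
  return policy;
}

// A feature counts as opted out only when its allowlist is the empty list "()".
function checkOptOut(headerValue) {
  const policy = parsePermissionsPolicy(headerValue || '');
  const result = {};
  for (const feature of OPT_OUT_FEATURES) {
    const allowlist = (policy.get(feature) || '').replace(/\s+/g, '');
    result[feature] = allowlist === '()';
  }
  return result;
}

// Constructed sample header values, not captured from a real site.
console.log(checkOptOut('interest-cohort=(), browsing-topics=()'));
console.log(checkOptOut('interest-cohort=(self), browsing-topics=*'));
```

Pass it the value of the Permissions-Policy response header from your own site; a missing header, or an allowlist such as `(self)` or `*`, is reported as not opted out.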

Well that was interesting

I mess around with this kind of thing on a Saturday morning because I'm interested in web privacy, but seriously, opting out of half-thought-out site audience data exfiltration schemes should not have to be something that people with normal web sites have to worry about. Not everybody has a free Saturday morning to work on their personal site, and not every company has a massive open-plan office with armies of developers to throw at projects they need to do just to stay in the same place.

New York State Lawmakers Reintroduce CCPA-Like Data Privacy Legislation

On the Dangers of Stochastic Parrots: Can Language Models Be Too Big?

Why a tweet from California’s AG about a global privacy tool has companies scrambling

‘This is what monopolies do’: Nine slams Google News Showcase launch

This is the Democrats’ plan to limit Section 230

Google’s Cookie Replacement Means Nothing Has Changed

Google workers across the globe announce international union alliance to hold Alphabet accountable

Scott Galloway: Why 2021 will be a year of reckoning for Big Tech

Here's What Google Didn't Say In Its Promises About Our Privacy