First Party Sets: Did Google go to the wrong party?

Google announced First Party Sets (FPS) as a supposedly privacy-focused alternative to third party cookies (3PS). FPS, however, only allows domains owned by the same organisation, for example, Disney.com and Espn.com, or Google.com and Youtube.com, to share data as they would have done with third party cookies. The proposal is therefore clearly discriminatory, favouring large companies (like Google) with multiple domains.  

FPS does very little to help organisations share data in the web browser with their supply chain partners, including publishers and advertisers. FPS requires an enforcement authority to decide if domains are owned by the same organisation, risking publishers being shut down with no recourse if the enforcement entity rules against them. Given complex corporate ownership, and the lack of clarity around the enforcement entity, this is a real risk. [1]

MOW understands that publishers wish to control which third parties and advertisers they work with. They do not want to eliminate all third parties, however. 

FPS is a significant proposal because it removes publisher and advertiser choices. Advertisers are third parties, both in relation to users and publishers. Minimising inter-domain exchanges and disabling third parties is therefore clearly to their detriment. 

MOW produced a video animation clearly highlighting the issue, which is linked here

Publishers and advertisers interested in value or return on investment are right to be wary of FPS. The UK CMA is currently assessing Google’s commitments to the CMA, which includes FPS. Publishers should thus engage with the CMA to state concerns and to ensure that they can still access a range of vendors and get paid for content on a competitive basis.

Stakeholder response to Google’s initial proposals has been overwhelmingly negative with two major complaints. [2] Firstly, that FPS would be less effective than current technologies which use third party cookies, reducing publishers’ advertising income. Google acknowledges this in the FPS proposal as a ‘necessary trade-off between gains like performance or interoperability’ and user privacy and security. The argument that this is ‘necessary’ is incomplete, and perhaps deliberately masks the crucial point that not all data uses are the same. There is a world of difference between using data to optimise a holiday advert and sensitive uses like medical or criminal records.  

In the innocuous cases, there is nothing to lose, and much to gain, from cross-site optimisation (e.g., showing the advert across various websites with a frequency cap). The proposal simply assumes away these helpful use cases, while failing to engage with the definition of safeguards, limiting competition and harming the user experience. 

To MOW, FPS feels like a poor attempt to appease the largest organisations that contribute the most to Google’s revenues and gain their support for Privacy Sandbox. 

From a publisher’s perspective the key issues are as follows: 

  • Data exchanges with third parties are crucial to publishers’ income. Cookie elimination has been found to reduce advertising revenue. [3] Such threat to third party functionality is likely to be very damaging and no equivalent successor technology has yet been shown to work. Google and the CMA are aware of this. Considering that the majority of the traditional press depends on ad revenue, the proposed changes do not just pose a threat to industry but also to the continued plurality of the media.  
  • Accountability in the supply chain. FPS does nothing to provide the evidence regulators, other industry participants, and people need to reduce the risk of online harms. FPS simply stops all data from flowing. [4]

For publishers, FPS would severely limit their capacity to earn income, whilst failing to address supply chain concern to which there are many competing solutions that do allow an audit trail. SWAN or OneKey, for instance, allow for a transparent audit trail of data processing.  

Moreover, contrary to Google’s claims, there is no demonstrated improvement in user security or privacy. The deafening silence in Google’s reporting to the CMA is a failure to engage with what privacy means and why the FPS proposal is an improvement. Instead, there is just an assertion that privacy improves from reducing the entities that can handle data. This is highly suspect; privacy depends on context, and there are many safeguards which can be used to ensure that privacy risks are minimised.  

Indeed, Google won their court action with Lloyd by arguing that the presence of third party cookies did not represent a breach of the law. [5] This underlines the crux of the objection: third party functionalities are hugely valuable to publishers, advertisers, and, by extension, consumers, but are also, crucially, low risk when proper safeguards are in place. Blocking or phasing out third party functionality benefits only gatekeeper platforms. 

The second issue with FPS is one of reduced competition.  Allowing data exchange only within domains owned by one organisation arbitrarily favours conglomerates. In a partitioned post-cookie world, Google and other large tech providers would gain significant competitive advantages. Though their own capacity to collect and exchange user data might be marginally reduced, relative to smaller players their access would still be considerable, because of the other data collection sources they own. Google deliberately dodges this issue and its uneven ramifications for publishers and advertisers.  The FPS proposal describes information exchange “between unrelated sites for ad-targeting or conversion measurement” as a “non-goal”. Yet, it fails to mention that advertising is very much within the scope of the proposal.  

This was underlined by the W3C standards making body’s Technical Architectural Group (TAG) (which concluded that FPS adds undue and unjustified complexity): it is ‘clear, since the scope includes cookies, and cookies are heavily used by advertising networks that the scope is at least related to advertising’. [6] The CMA also noted ‘concerns’ about the impact of FPS in its latest monitoring report. The CMA stated that ‘several aspects of the proposal we consider could benefit from further consideration,’ even after Google had tweaked them to allow a thimbleful of additional data handling. 

The response from stakeholders has not, however, been simply to criticise and point Google back in the direction of the drawing board. Alternatives to FPS have been proposed, which would allow GDPR-compliant data handling. One solution, GDPR Validated Sets, puts forward the simple position that ad systems would verify GDPR compliance. [7] This would allow data to interoperate provided that the relevant legal safeguards are in place, notably to use limitation and consent to common data processing agreements where relevant. Needless to say, aligning domains in such a manner would be preferable to cutting off widespread innocuous data handling and depriving publishers and consumers of ad-funded content, for no evidenced reason.

[1] MOW does welcome the fact that at least at times Google are prepared to consider organisational measures, or non-engineering solutions, in their proposals. MOW is also concerned about Google, and the W3C if a standard were to emerge, trying to recreate the notaries or the Extended Validation SSL certificate which does much are already widely used to verify identity.

[2] See in CMA’s update report (July 2022) https://assets.publishing.service.gov.uk/media/62e1662ee90e07142da0176f/CMA_update_report_-_Google_Privacy_Sandbox.pdf 

[3] See in Garrett Johnson’s study titled “Consumer Privacy Choice in Online Advertising: Who opts out and at what cost to industry?”, which found that cookie elimination through opt-out protocols reduced advertising revenue by 52%. Garrett Johnson is a professor in digital markets at the University of Boston. 


See also p.249 of the UK CMA Mobile Ecosystems Market Study (10 June 2022). The UK CMA found that there was as much as a 71% marginal decrease in CPM when Apple introduced ITP audient tailoring restrictions on Safari: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1096277/Mobile_ecosystems_final_report_-_full_draft_-_FINAL__.pdf 

[4] As AOP and ISBA’s Programmatic Supply Chain Transparency Study made apparent, information about effectiveness is the true priority issue for publishers. See at https://www.isba.org.uk/knowledge/programmatic-supply-chain-transparency-study 

[5] Lloyd v Google: Supreme Court unanimously rejects claimant’s representative action (pinsentmasons.com) 

[6] As the TAG review of FPS put it, the ‘proposal adds a complex configuration layer to the web’ and at this time ‘there is not sufficient evidence for the need of this technology to warrant the additional complexity’: 


[7] See proposal here: Convert “First Party Sets” to “GDPR Validated Sets” by jwrosewell · Pull Request #86 · WICG/first-party-sets · GitHub 

Header image courtesy of creative commons (licensed for free under the creative commons license).