
Remember, as a site owner you can choose to stop your website participating in Google’s user tracking by sending this header:

Permissions-Policy: interest-cohort=()



That would be a good option for Cloudflare to give site operators.

[ ] Add `Permissions-Policy: interest-cohort=()` header.


They should look at the way the wind is blowing and enable this by default for all domains.

edit: in a previous version of this comment I said that Cloudflare should use this mechanism to "kill FLoC in the crib", which is quoted in southerntofu's reply.


I find it worrying that a huge company is pushing an opt-out privacy-hostile feature (you have to send a header so that hopefully they will disable it, if they are in good faith) and the best we can do to fight it is to ask another huge corporation to "kill it in the crib".

Maybe it's finally time we stopped using these corporations and their products once and for all and started empowering our own communities instead?


I agree, here is my public statement on the matter.

https://www.remarkbox.com/remarkbox-is-now-pay-what-you-can....


DNT was dead partially due to Microsoft enabling it for IE by default.


Respectfully, I don’t think your category of “we” is as universal as you think. Privacy-focused people can and largely do use browsers which simply refuse to send this kind of potentially sensitive information; for the rest of us, this new feature is substantially less privacy-hostile than what it’s replacing.


This is definitely worse than the fingerprinting being replaced, because whereas the old methods were inadvertently using browser traits unrelated to user behavior for tracking, this is an intentional feature for user tracking related intentionally to user interests.


It's a replacement for third-party cookies, not fingerprinting.


So not only do users need to actually opt-out but site owners have to opt-out too?

Has anyone stopped to consider where laws and regulations should come in to say that tracking like this is far too invasive?


You don’t have to, what happens between a user and their browser is theoretically none of your business. But if you care about your users’ privacy, I see no reason not to send this header as there’s no defined value for you as a business (unless you plan to somehow try to retarget users who’ve visited your site based on guessing which cohort that potentially refers to).


> So not only do users need to actually opt-out but site owners have to opt-out too?

By setting this on the site level, your users won't have to opt-out. You are doing it for them (all of them).

If you don't, then the browser can always ignore it also. But that would only affect that individual user.


Weird question: What if a user actually wants to opt-in but the site has opted-out? Should user opt-in override site opt-out?


The user opts in to being placed into a cohort. The site opts out of providing information to Google to let them generate cohorts based on the site. There’s no overlap.


The reason why FLoC was invented is to avoid lawmakers getting involved.


I recently implemented all these do not track headers that exist in my company's applications. I hope more devs consider doing the same. You can still get valuable analytics without tying identifying information to every request.


So do I literally just put...

Header set Permissions-Policy: interest-cohort=()

...into my site's .htaccess and that's it, job done?


For your site. If you don't serve ads that rely on Google-FLoC rankings, then you won't see any impact. Otherwise you'd see a financial hit.

If your users go to another site, and they don't have client-side FLoC-blocking in Chrome, your settings obviously won't do anything for them.

So it's a nice step for your users, but is limited.


Apache:

    Header always set Permissions-Policy "interest-cohort=()"

nginx:

    add_header Permissions-Policy "interest-cohort=()" always;
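A way to confirm that a deployed configuration really sends the opt-out, as an added example that is not part of the thread: it parses a raw response header block and reports whether `interest-cohort` has an empty allowlist. The function names, status strings and sample responses are constructed for illustration, and the directive parsing is simplified to the cases shown.

```python
import re

# Constructed sample responses (raw header blocks), not captured from real sites.
OK = "HTTP/1.1 200 OK\r\n"
SAMPLES = {
    "opted_out": OK + "permissions-policy: geolocation=(self), interest-cohort=()\r\n\r\n",
    "no_header": OK + "Content-Type: text/html\r\n\r\n",
    "underscore": OK + "Permissions_policy: interest-cohort=()\r\n\r\n",
    "allows_all": OK + "Permissions-Policy: interest-cohort=*\r\n\r\n",
}

def parse_headers(raw):
    """Return (name, value) pairs from a raw response header block."""
    pairs = []
    for line in raw.split("\r\n")[1:]:      # skip the status line
        if not line:
            break                           # blank line ends the headers
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs

def split_directives(value):
    """Split a policy value on commas that sit outside (...) and "..."."""
    return [d.strip() for d in re.findall(r'(?:\([^)]*\)|"[^"]*"|[^,])+', value)]

def floc_opt_out_status(raw):
    """Return 'opted-out', 'misnamed-header', 'not-opted-out' or 'missing'."""
    last = None                             # last interest-cohort allowlist seen
    seen = misnamed = False
    for name, value in parse_headers(raw):
        lname = name.lower()                # header names are case-insensitive
        if lname == "permissions-policy":
            seen = True
            for directive in split_directives(value):
                feature, _, allowlist = directive.partition("=")
                if feature.strip() == "interest-cohort":
                    last = allowlist.strip()   # duplicate keys: last one wins
        elif lname.replace("_", "-") == "permissions-policy":
            misnamed = True                 # underscore name is a different header
    if last is not None and re.fullmatch(r"\(\s*\)", last):
        return "opted-out"
    if misnamed:
        return "misnamed-header"
    return "not-opted-out" if seen else "missing"

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", floc_opt_out_status(raw))
```

To check a live site, save its response headers to a file (for example with `curl -sI`) and pass the file's contents to `floc_opt_out_status`.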



