First Party Sets

From Bitnami MediaWiki
Revision as of 13:38, 22 June 2021 by Jkoran (talk | contribs)
Jump to navigation Jump to search


Google's First Party Sets proposal enables different sites (or origins) controlled by the same organization to declare themselves to people as being allowed to share personal data.[1]

Google's proposal allows two exceptions to their general rule to block cross-origin data transfers, when the receiving origin is:

  1. Registered under the same top-level domain (e.g., and as owns the sending origin.
  2. Owned by the same organization (e.g., and as owns the sending origin.

Google defines "control" solely as 51% ownership of each domain by the same parent organization.


By relying on organizational ownership as the sole mechanism of trust, this advantages vertically-integrated organizations over those that rely on supply-chain partners. (See below W3C's critique due to this impact.) This runs counter to the general goal on the web of supporting decentralization.

Moreover, in contrast, privacy regulations support other mechanisms to support appropriate control and safeguard of people's personal data, such as by contract (including Standard Contractual Clauses). Instead of incentivizing centralized ownership of domains, privacy regulations focus on reducing the privacy risks to people via relying on pseudonymous identifiers, rather than people's identity, whenever possible.[2]


First-Party Sets began Origin Trial in M89.[3][4]

Regulator Perspectives

The UK CMA noted (5.32-33, 6.62) that should Google impair publishers' ability to work with supply chain vendors of their choice through interference with interoperable data, then Google's own extensive data collection would give Google a "significant data advantage over others." The CMA noted that without addressing this data advantage, then "Privacy Sandbox Proposals (notably First Party Sets" would "distort competition in digital advertising markets."[5]

Perspectives of Trade Body and Advocacy Groups

In April 2021, The W3C Technical Architecture Group (TAG) criticized First Party Sets as "harmful to the web."[6] The TAG recognized that Google's proposal benefit "only powerful, large entities"[7] rather than actually improve “transparency, choice and control over how their data is used.”[8]

Mozilla has also criticized Google's distinction that corporate ownership ought to be an acceptable "privacy" boundary.[9]

Open Questions

  • How much awareness among the general public is required for different domains to be allowed to share personal data?
  • Must users be made aware of the ownership linkages prior to any personal data sharing?
  • How much control should people have to keep their identity distinct from the various sites within such a "first party set"?
  • How should cross-publisher data sharing permissions be granted, administered and audited?
  • Which risks to people will these changes reduce or eliminate?