First Party Sets
Google's proposal allows two exceptions to its general rule of blocking cross-origin data transfers, when the receiving origin is:
- Registered under the same top-level domain (e.g., news.yahoo.com and sports.yahoo.com) as the sending origin.
- Owned by the same organization (e.g., google.com and youtube.com) as owns the sending origin.
Google defines "control" solely as 51% ownership of each domain by the same parent organization.
Relying on organizational ownership as the sole mechanism of trust advantages vertically integrated organizations over those that rely on supply-chain partners. (See the W3C's critique of this impact below.) This runs counter to the web's general goal of supporting decentralization.
In contrast, privacy regulations recognize other mechanisms for ensuring appropriate control and safeguarding of people's personal data, such as contracts (including Standard Contractual Clauses). Instead of incentivizing centralized ownership of domains, privacy regulations focus on reducing privacy risks to people by relying on pseudonymous identifiers, rather than people's identity, whenever possible.
The UK CMA noted (5.32-33, 6.62) that should Google impair publishers' ability to work with supply chain vendors of their choice through interference with interoperable data, Google's own extensive data collection would give Google a "significant data advantage over others." The CMA noted that unless this data advantage is addressed, "Privacy Sandbox Proposals (notably First Party Sets)" would "distort competition in digital advertising markets."
Perspectives of Trade Body and Advocacy Groups
In April 2021, the W3C Technical Architecture Group (TAG) criticized First Party Sets as "harmful to the web." The TAG recognized that Google's proposal benefits "only powerful, large entities" rather than actually improving "transparency, choice and control over how their data is used."
Mozilla has also criticized Google's premise that corporate ownership ought to be an acceptable "privacy" boundary.
- How much awareness among the general public is required for different domains to be allowed to share personal data?
- Must users be made aware of the ownership linkages prior to any personal data sharing?
- How much control should people have to keep their identity distinct from the various sites within such a "first party set"?
- How should cross-publisher data sharing permissions be granted, administered and audited?
- Which risks to people will these changes reduce or eliminate?