diff --git a/CHANGELOG.md b/CHANGELOG.md
index 48098b6be..458443ba3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -28,6 +28,9 @@ release channel, you can take advantage of these new features and fixes. running user inside the Docker containers, to match the one you use in your host operating system. Set `AZURACAST_PUID` and `AZURACAST_PGID` in `.env` accordingly; both default to 1000.
+- All up-to-date AzuraCast installations will opt users out of Google's new advertisement tracking system, FLoC. Learn
+ more about this and why we disabled it [here](https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea).
+
 ## Bug Fixes
 - Fixed a bug where files that included certain special non-ASCII characters would never be read or processed.
diff --git a/src/Middleware/EnforceSecurity.php b/src/Middleware/EnforceSecurity.php
index 731a4b122..ed39f3548 100644
--- a/src/Middleware/EnforceSecurity.php
+++ b/src/Middleware/EnforceSecurity.php
@@ -51,6 +51,15 @@ class EnforceSecurity implements MiddlewareInterface
 $response = $response->withHeader('Strict-Transport-Security', 'max-age=3600');
 }
+ // Opt out of FLoC
+ $permissionsPolicies = [
+ 'autoplay=*', // Explicitly allow autoplay
+ 'fullscreen=*', // Explicitly allow fullscreen
+ 'interest-cohort=()', // Disable FLoC tracking
+ ];
+
+ $response = $response->withHeader('Permissions-Policy', implode(', ', $permissionsPolicies));
+
 // Deny crawling on any pages that don't explicitly allow it.
 $robotsHeader = $response->getHeaderLine('X-Robots-Tag');
 if ('' === $robotsHeader) {
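Review bot: The new `withHeader('Permissions-Policy', ...)` call replaces any Permissions-Policy value already on the response, whereas the X-Robots-Tag code directly below reads the existing header first and only acts when it is empty. A route that sets its own, tighter policy would be silently overwritten; consider reading `$response->getHeaderLine('Permissions-Policy')` and appending its non-empty value to `$permissionsPolicies` before the `implode`, so the `interest-cohort=()` opt-out is always sent but route-level directives survive. The leading comment `// Opt out of FLoC` also undersells the block, since it sets `autoplay=*` and `fullscreen=*` on every response too; `// Default Permissions-Policy: allow autoplay and fullscreen, opt out of FLoC` would describe it accurately. The enclosing method starts and ends outside the hunk, so whether any handler sets this header today cannot be confirmed from here.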