Anyone who remembers Do Not Track – the initiative designed to enable browser users to regain their privacy on the web – knows it was a failure. Not only did websites ignore it, but it arguably made people less private because it made them stand out. Now the privacy advocates are back with a new specification, and this time they brought the lawyers with them.
Under the hood, the specification known as Global Privacy Control works in much the same way as Do Not Track. A small HTTP header informs websites that a visitor does not want their data to be sold. The big difference this time around is the adoption of the Consumer Privacy Act in California and possibly the General Data Protection Regulation in Europe, which give consumers far-reaching rights over the use of their private information.
Currently, California residents who do not want websites to sell their data must register their choice with each website, often with each visit. It's annoying and time-consuming. However, California law specifically provides for "user-activated global privacy controls like a browser plug-in or privacy setting" that signal the choice. This is the task of the Global Privacy Control (GPC).
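An added example, not code from the article or from the GPC project: a server-side check for the header-based signal described above, combined with a per-site opt-out. The header name `Sec-GPC` and value `1` come from the GPC proposal rather than from this page; `storedOptOut` and the returned field names are hypothetical.

```javascript
// Added example. Assumptions: header "Sec-GPC: 1" is taken from the GPC
// proposal; storedOptOut and the policy fields are hypothetical names.

// Look up a header case-insensitively in a plain { name: value } object.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return String(value);
  }
  return undefined;
}

// The signal counts only when the value is exactly "1" (after trimming).
// An absent header or any other value means "no signal", not consent.
function hasGpcSignal(headers) {
  const raw = getHeader(headers, 'Sec-GPC');
  return raw !== undefined && raw.trim() === '1';
}

// Combine the browser-wide signal with a per-site choice the visitor
// registered earlier. Either one is enough to block the sale of data.
function salePolicy(headers, storedOptOut) {
  const gpc = hasGpcSignal(headers);
  const siteOptOut = storedOptOut === true;
  return {
    gpcDetected: gpc,
    allowSale: !(gpc || siteOptOut),
    reason: gpc ? 'gpc-header' : siteOptOut ? 'site-opt-out' : 'no-opt-out',
  };
}

// Constructed sample requests (not captured traffic).
const samples = [
  { headers: { 'sec-gpc': '1' }, storedOptOut: false },
  { headers: { 'DNT': '1' }, storedOptOut: false },
  { headers: {}, storedOptOut: true },
];
for (const s of samples) {
  console.log(JSON.stringify(s.headers), salePolicy(s.headers, s.storedOptOut));
}
```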
"The aim of this effort is to define a mechanism that can initially meet the CCPA's requirements for 'global data protection control'," said Ashkan Soltani, the data protection researcher who led the initiative. But he said GPC "is extensible to apply to other privacy laws like GDPR if policy makers deem it appropriate to exercise those rights in those jurisdictions."
Just Brave (for now)
So far, the manufacturer of the Brave browser is the only developer who has committed to implementing the control. Brave said Wednesday that the control is already being tested in nightly or beta releases of desktop and Android versions, and that an iOS implementation is expected once the proposal gets closer to the standard. Once implemented in the version, the control is "enabled by default and not configurable".
Firefox developer Mozilla has meanwhile expressed more cautious support. The browser manufacturer has not specified that the control mechanism will be integrated into the browser. In a statement on the GPC announcement, Selena Deckelmann, VP of Firefox Desktop, said: “Mozilla is excited to support the Global Privacy Control initiative. People's data rights must be recognized and respected. This is a step in the right direction. We look forward to working with the rest of the web standards community to bring this protection to everyone.”
Other GPC supporters include the New York Times, Washington Post, Financial Times, Automattic (WordPress.com & Tumblr), Glitch, DuckDuckGo, Brave, Mozilla, Disconnect, Abine, Digital Content Next, Consumer Reports and the Electronic Frontier Foundation.
In addition to using an unreleased version of Brave that supports GPC, users can also activate the control using one of these browser extensions. Without either of these mechanisms, a red dot and the words "GPC Signal Not Detected" will appear at the top of the GPC website. Once a GPC supported browser or plugin is used, the top of the site will look like this:
With Do Not Track's failure still fresh in memory, there is no guarantee that GPC will perform better, especially against advertisers who want to collect and sell valuable user data. One thing that GPC may have in its favor is the assistance of lawyers. Among them is California Attorney General Xavier Becerra.
CA DOJ is encouraged to see the technology community develop a global privacy oversight to promote CCPA and consumer rights. #DataPrivacy #CCPA
– Xavier Becerra (@AGBecerra) October 7, 2020
"This proposed standard is a first step towards meaningful global data protection control that makes it simple and easy for consumers to exercise their data protection rights online," he wrote. "CA DOJ is encouraged to see the technology community develop a global privacy control to promote CCPA and consumer rights."