Anyone who remembers Do Not Track—the initiative that was supposed to allow browser users to reclaim their privacy on the Web—knows it was a failure. Not only did websites ignore it, using it arguably made people less private because it made them stick out. Now, privacy advocates are back with a new specification, and this time they’ve brought the lawyers.
Under the hood, the specification, known as Global Privacy Control, works pretty much the same way Do Not Track did. A small HTTP header informs sites that a visitor doesn’t want their data sold. The big difference this time is the enactment of the Consumer Privacy Act in California and, possibly, the General Data Protection Regulation in Europe, both of which give consumers broad rights over how their private information can be used.
At the moment, California residents who don’t want websites to sell their data must register their choice with each site, often each time they visit it. That’s annoying and time-consuming. But the California law specifically contemplates “user-enabled global privacy controls, such as a browser plug-in or privacy setting,” that signal the choice. That’s what the Global Privacy Control—or GPG—does.
“It’s the goal of this effort to help define a mechanism that could satisfy, initially, CCPA’s requirement for a ‘global privacy control,’” Ashkan Soltani, the privacy researcher who helped lead the initiative, said. But he said GPC “is extensible to apply to other privacy laws, such as GDRP, should policymakers deem it adequate for exercising those rights in those jurisdictions.”
Only Brave (for now)
So far, the maker of the Brave browser is the only developer that has committed to implementing the control. Brave said on Wednesday that the control is already in trial in nightly or beta builds of desktop and Android versions and that an iOS implementation is expected once the proposal gets closer to being a standard. Once implemented in the release, the control will be “on by default and unconfigurable.”
Firefox developer Mozilla, meanwhile, has expressed more tentative support. The browser maker hasn’t indicated it will build the control mechanism into the browser. In a statement accompanying the GPC announcement, Selena Deckelmann, the VP of Firefox Desktop, said: “Mozilla is pleased to support the Global Privacy Control initiative. People’s data rights must be recognized and respected, and this is a step in the right direction. We look forward to working with the rest of the web standards community to bring these protections to everyone.”
Other supporters of GPC include The New York Times, The Washington Post, Financial Times, Automattic (WordPress.com & Tumblr), Glitch, DuckDuckGo, Brave, Mozilla, Disconnect, Abine, Digital Content Next, Consumer Reports, and the Electronic Frontier Foundation.
Besides using a non-release version of Brave that supports GPC, people can also turn on the control by using one of these browser extensions. Without one of these mechanisms, the top of the GPC website will display a red dot and the words “GPC signal not detected.” Once a GPC-supported browser or plugin is used, the top of the site will look like this:
With the failure of Do Not Track still memorable, there’s no guarantee that GPC will fare any better, particularly as it goes up against advertisers that covet the collection and selling of valuable user data. One thing GPC may have in its favor is the support of lawyers. Among them is California Attorney General Xavier Becerra.
— Xavier Becerra (@AGBecerra) October 7, 2020
“This proposed standard is a first step towards a meaningful global privacy control that will make it simple and easy for consumers to exercise their privacy rights online,” he wrote. “CA DOJ is encouraged to see the technology community developing a global privacy control in furtherance of the CCPA and consumer privacy rights.”