Whenever you visit a website, it sets off a chain of modules that are programmed to make the most out of your data. In many cases, that means your personal information is put up for sale and sold to advertisers, marketing firms, and data brokers. Last year alone, U.S companies spent nearly $12 billion on acquiring such third-party audience data.
California’s sweeping new privacy law, the California Consumer Privacy Act (CCPA) — which went into effect at the beginning of this year — wants to crack down on this practice by offering Californians the right to opt out of the sale of their data. Businesses under this jurisdiction are also legally required to have an option on their websites that allows visitors to easily exercise this do-not-sell request and those that don’t can face fines and official inquiries.
But of course, no one wants to deal with another button or pop-up each time they visit a website. That’s where the Global Privacy Control (GPC) initiative comes in.
A not-for-sale sign on your private data
The Global Privacy Control, developed by a group of privacy-focused companies and researchers, is a technical standard that will act as a global setting so that you can opt out of the sale of your data everywhere on the internet with a flip of a common switch. This tool will come built into your browser and send a signal to CCPA-compliant websites telling them you don’t want your personal information on sale.
The GPC, which is in beta at the moment, is not yet enforced under the CCPA law. But in recent testimony, California Attorney General Xavier Becerra has detailed a provision in this law that would eventually facilitate a global opt-out switch like the Global Privacy Control. Later, in a tweet and in a statement to Digital Trends, Becerra further acknowledged and expressed support for the Global Privacy Control.
This proposed standard is a first step towards a meaningful global privacy control that will make it simple and easy for consumers to exercise their privacy rights online.
#DataPrivacy is the future, and I am heartened to see a wave of innovation in this space.— Xavier Becerra (@AGBecerra) October 7, 2020
“We believe getting privacy online should be simple and accessible to everyone, period,” Peter Dolanjski, director of products at DuckDuckGo, one of the early backers of the Global Privacy Control, told Digital Trends. “Global Privacy Control adds an additional layer of privacy protection which is simple to enable and intended to be backed by legal enforcement, starting with the CCPA and expanding to other jurisdictions over time.”
Succeeding where Do Not Track failed
“Legally” is indeed the key word here. For years, privacy advocates have been waging a war against internet and data companies to secure fundamental security rights and push back against invasive online practices that commercialize people’s private information. Without a law to back them up, however, most of these efforts have fallen through the cracks or only achieved low-impact results.
The decade-old Do Not Track specification is the epitome of this. Since it was never made mandatory by law, it didn’t actually do anything in reality and businesses simply ignored it and continued to track users as they pleased. Eventually, many tech companies like Apple just gave up and even removed the Do Not Track option from their services.
Even if Do Not Track had passed, it never had the technological infrastructure it needed to be truly effective. Let’s be real: How often do we bother to read the General Data Protection Regulation (GDPR) warnings and confirmations thrown at us by websites? In fact, a study by DataGrail revealed that since the CCPA went live on January 1, 2020, only 82 “do not sell” requests were sent for every million consumer records.
The Global Privacy Control theoretically suffers from none of these concerns. It already has a legal backbone in California, and it’s embraced by a notable cohort of organizations including Mozilla, Brave, the Electronic Frontier Foundation (EFF), Automattic (WordPress and Tumblr), The New York Times, and more.
As the GPC signal runs automatically in the background, people won’t have to hunt down and toggle an option themselves. In its beta release, the Global Privacy Control has been rolled out to a handful of platforms, and you can try it today on DuckDuckGo, Brave, Google Chrome (thanks to the EFF’s add-on, called Privacy Badger), and more.
Kelvin Coleman, the executive director of the National Cyber Security Alliance (NCSA), believes GPC’s legal buffers will help it legitimize its goals, as opposed to “Do Not Track” which was “rolled out in a vacuum.”
“With CCPA and GDPR existing as legal precedents, companies are forced to navigate a minefield of compliance issues and heavy fines if they’re not careful about how they handle user data. This creates more incentive to accept GPC in the long run,” Coleman said.
Not the silver bullet yet: The long, grueling road ahead
However, security researchers warn that it will take years before the Global Privacy Control materializes on a wide scale and, even then, it may not be the silver bullet for egregious online data abuses. More importantly, the GPC’s legal scope, assuming it’s bound in the CCPA, is limited to California. On top of that, it doesn’t apply to data shared with nonprofits, government agencies, and businesses that make less than $25 million in revenue.
Sebastian Zimmeck, one of the founding members of the GPC and a computer science professor at Wesleyan University, remains optimistic and argues that while California currently is a major use case, the technology behind it is law-agnostic and can be bent to have varied legal bindings depending on how other jurisdictions draft their privacy legislation in the future.
DuckDuckGo’s Dolanjski adds that the consortium is also talking to “various parties in the European Union” to integrate the Global Privacy Control with GDPR.
The European Data Protection Supervisor, GDPR’s official privacy watchdog, didn’t comment on whether it’s exploring GPC partnerships, but it said in a statement that it welcomes “privacy-oriented initiatives that may have a positive impact on a more sustainable digital economy and that promote competition in the field of technology in an era of growing digitization.”
Another shortcoming that could cripple the GPC’s success is that unless it’s activated on each one of your browsing sessions on all of your devices, it will have little effect on your online privacy. You see, the Global Privacy Control signal is beamed every time you visit a website. It’s not universally activated on your profile.
“Our information is at risk more than ever, and the GPC could be the steppingstone we need for enabling a future where privacy is a legal right, not a personal choice.”
So for instance, you can ask a particular site on your computer to not sell your data with GPC. But when you go to that site again on your phone, where GPC may not be available yet, the business is free to misuse your private information.
Peter Snyder, a senior privacy researcher at Brave, sees the GPC as a floor and hopes that responsible websites, companies, and advertisers will use it “as part of a multifaceted approach to make sure they are ethically and responsibly respecting users and user privacy” including automatically applying it to all sessions if the visitor has an account with them.
Then there’s the conflict question. What if the site already has your consent to sell your private information in its Privacy Policy?
How the GPC adapts to the cobweb of permissions and pop-ups websites requests remains to be seen once more participants get on board. But Zimmeck suggests this will depend on the law. The CCPA, for instance, dictates that businesses must respect the opt-out signal no matter what and, if needed, notify or reach out to the customer to resolve any specific disputes.
Despite its flaws, the Global Privacy Control appears promising and potentially the best shot yet at cutting back data misuse online. Our information is at risk more than ever, and the GPC could be the steppingstone we need for enabling a future where privacy is a legal right, not a personal choice.
“Until there’s a wider collective of participating publishers, businesses, and websites — coupled with sufficient legal enforcement — the GPC will continue to be an ideal with limited range,” said NCSA’s Coleman. “But that ideal shows real promise in the face of greater adoption.”
