It’s Time to Standardize the Global Privacy Control
CDT Policy Fellow Cami Goray also contributed to this post.
Think of the number of times your browsing has been interrupted by a cookie banner asking for your consent to tracking. If you have felt frustrated at having to jump through hoops before you can even access a website, you are not alone. This barrage of decisions burdens users with cookie consent fatigue and feeds feelings of digital resignation. You may already have the legal right to opt out of the sharing and sale of your data, but it is both confusing and time-consuming to find the options you have on every website you visit and actually exercise those rights. Wouldn’t it be nice if your browser knew your preference and did the work of communicating it to the websites you visit? That is the promise of the Global Privacy Control (GPC).
As more of our daily activities become digitally mediated, we need privacy tools that help us to manage our data holistically rather than fragment our controls. It is impossible to keep track of every piece of software and every company you interact with on the web. This is why the “global” in Global Privacy Control is so important. GPC provides a persistent solution for expressing choice, rather than forcing users to restate their preferences every time they visit a website or clear their browsing cookies.
What is the Global Privacy Control?
The Global Privacy Control (GPC) is a browser setting that allows a user to communicate their preference – and to exercise their legal rights where they have them – to opt out of the sharing and selling of their personal information. This single opt-out method gives internet users an easier way to control whether their data is used for online behavioral advertising or sold to data brokers. Today, multiple browsers, including Brave, DuckDuckGo and Mozilla’s Firefox, provide a built-in GPC setting. For other browsers, users can install a browser extension. Many websites already advertise their support for the control, and many more will do so in complying with privacy regulations. Residents of California, for example, can use GPC in their browsers today to automatically opt out of the sharing of their data when visiting publishers like the New York Times and Washington Post, or retail websites like Nike or L.L. Bean. But in order to benefit more users and websites in more places, GPC needs to become a standard.
What is the Purpose of Standardization?
For GPC to work universally, web browsers need to communicate to websites in the same way, in a manner that all websites will understand. Web standards tell everyone what language (or code) to use, and how to respond to specific signals.
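To make concrete what “communicate in the same way” means, here is an added example of the server side of that exchange. It is illustrative code written for this post’s topic, not code from CDT, any browser vendor, or the GPC project. It assumes the mechanism described in the GPC specification draft: a browser with the setting on adds the HTTP request header `Sec-GPC: 1` to every request, and a website may publish `/.well-known/gpc.json` to declare that it honors the signal. The function names, the `stored_opt_out` parameter, and the sample request headers are this example’s own constructions.

```python
"""Server-side handling of the Global Privacy Control (GPC) signal.

Added example, not code from the CDT post. It follows the GPC
specification draft: a conforming browser sends the request header
`Sec-GPC: 1`, and a site can publish `/.well-known/gpc.json` to declare
that it honors the signal. Function and parameter names are this
example's own.
"""
import json

GPC_HEADER = "sec-gpc"  # HTTP header names are case-insensitive


def gpc_opt_out(headers):
    """Return True only when the request carries a valid GPC opt-out signal.

    The only value the spec defines is the single character "1". Anything
    else ("0", "true", "yes", an empty string) is not a valid signal and is
    treated as if the header were absent. Because the name starts with
    "Sec-", browsers refuse to let page scripts set or remove it, so its
    presence reflects a browser-level setting rather than page JavaScript.
    """
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value.strip() == "1"
    return False


def sale_or_sharing_allowed(headers, stored_opt_out=False):
    """Decide, per request, whether this visitor's data may be sold or shared.

    `stored_opt_out` (assumed parameter) is the preference the site already
    holds for this visitor, e.g. from an earlier "Do Not Sell or Share"
    click. A stored opt-out or a valid GPC signal each suffice to opt the
    visitor out; absence of the header is never read as consent.
    """
    return not (stored_opt_out or gpc_opt_out(headers))


def well_known_gpc(last_update):
    """Build the `/.well-known/gpc.json` document declaring GPC support.

    `last_update` is the ISO date (YYYY-MM-DD) on which the declaration was
    last changed, as the spec describes.
    """
    return {"gpc": True, "lastUpdate": last_update}


def well_known_gpc_json(last_update):
    """Serialize the declaration for serving as application/json."""
    return json.dumps(well_known_gpc(last_update))


# Constructed sample requests (not captured traffic) covering the cases a
# handler must get right: a normal signal, a proxy that lowercased header
# names, an invalid value, and no signal at all.
SAMPLE_REQUESTS = {
    "browser_gpc_on":  {"User-Agent": "Mozilla/5.0", "Sec-GPC": "1"},
    "lowercase_proxy": {"user-agent": "Mozilla/5.0", "sec-gpc": "1"},
    "invalid_value":   {"User-Agent": "Mozilla/5.0", "Sec-GPC": "true"},
    "no_signal":       {"User-Agent": "Mozilla/5.0"},
}


if __name__ == "__main__":
    for label, headers in SAMPLE_REQUESTS.items():
        print(f"{label:16} opt-out={gpc_opt_out(headers)} "
              f"sale/share allowed={sale_or_sharing_allowed(headers)}")
    print(well_known_gpc_json("2023-01-01"))
```

The point of the strict `== "1"` check is the one standardization settles: a website should not have to guess whether `Sec-GPC: true` or `Sec-GPC: yes` was meant as an opt-out, and a browser should not have to wonder whether a site will parse it. The well-known document is how a site says, in a machine-readable way, that it plays by the same rules.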
A standardized opt-out tool benefits web users as well as websites. It provides users with a more frictionless web experience, a better way to express their privacy preferences, and an option to exercise their legal rights. It also helps companies that need to comply with users’ legal requests, making those requests simpler to receive and process.
Standardized controls are attractive to policymakers, too, as they provide a tangible way for users to exercise their legal rights over their data in the growing number of jurisdictions that grant them. In California, the California Consumer Privacy Act (CCPA) requires businesses to treat GPC signals as a valid opt-out request. Colorado includes GPC on its short list of candidate opt-out mechanisms and identifies standardization as one criterion for approving such mechanisms. GPC is an answer for policymakers who need clarity about the opt-out mechanisms described in laws and regulations; it is one thing to require an opt-out option by law, and another to translate that idea into a widely available working technology. The standardization process enables vetting of the design, especially to ensure its interoperability across browsers, website environments, and jurisdictions around the world.
Why now? GPC v. Do Not Track
This is not the first time a tool has been proposed to support a universal opt-out from online tracking. GPC continues the legacy of the Do Not Track setting, which gained attention in the early 2010s. Like GPC, Do Not Track is an HTTP request header sent to websites to signal a user’s request not to be tracked. At first it had the support of a variety of tech companies, standards bodies, and policymakers, and was endorsed by the FTC. For a variety of reasons, though, Do Not Track failed to see broad implementation. (CDT documented the obstacles to Do Not Track’s adoption in 2012, and again in 2014.)
A primary inhibitor to adoption of Do Not Track was the lack of any legal or financial obligation for websites to honor users’ requests. In contrast, GPC is backed by the legal requirements of the CCPA and the European Union’s General Data Protection Regulation (GDPR). Other jurisdictions are likely to adopt similar provisions in the near future. Noncompliance carries real financial impact for companies: in 2022, the cosmetics retailer Sephora paid a $1.2 million settlement to the state of California for, among other things, failing to honor GPC opt-out requests. The case signaled that failure to honor GPC will have significant consequences.
As implementations of GPC become widespread, standardization is needed now to resolve remaining ambiguities and enable further, interoperable adoption. Standardization provides a process to convene industry, civil society, government and academia to settle the remaining technical questions about how this signal is communicated. At the same time, CDT will continue to work with regulators in the US and around the world to define users’ rights and legal compliance for universal opt-out mechanisms.
How to Get Involved
Standardization is a long-term process that hinges on building consensus among multiple stakeholders within the relevant standards body—in this case, the World Wide Web Consortium (W3C). Because GPC falls outside the scope of the W3C’s existing Working Groups, creating this standard will require first approving a charter for a Privacy Working Group, which CDT and other W3C members are already working to do. The Privacy Working Group’s mission would be to advise groups developing standards on how to avoid and mitigate privacy issues with web technologies, and on how to standardize mechanisms that improve user privacy on the web. The Global Privacy Control is one such mechanism to start with, but there are many other tools that could improve privacy online in a usable way if they were standardized. Many other groups at W3C are also working on incubating and standardizing privacy-relevant features and would benefit from consultation with a dedicated Privacy Working Group.
We encourage W3C member organizations, including technology, advertising, and publishing companies, as well as universities, government agencies and civil society organizations, to support the Privacy Working Group charter. Participation is already welcome in the existing Privacy Community Group (free for any interested organization or member of the public), and will be welcome in the Privacy Working Group once chartered (this requires a deeper investment of time and, for organizations, often membership dues). CDT believes it is imperative that civil society organizations have a seat at the table in conversations about internet standards so that we can ensure these technologies are equitable, accessible, and serve human rights.
Finally, you are welcome to provide feedback via CDT. We are happy to talk and are eager to be a bridge between the interested public and the sometimes-arcane technical standards process. Please contact us on Mastodon or via email.