Remember ‘Do Not Track‘? The tracker-loving adtech industry hopes you don’t recall that decade+ doomed attempt to bake user-friendly privacy controls into browsers. But a coalition of privacy-forward tech companies, publishers and advocacy groups has taken the wraps off of a push to develop a new standard that gives Internet users a super simple way to put digital guardrails around their data.
The effort to bake in a new browser-level privacy signal to stop the sale of personal data — which has been christened: Global Privacy Standard (GPC) — is being led by the ex-CTO of the FTC, Ashkan Soltani, and privacy researcher Sebastian Zimmeck.
They’ve got early backing from The New York Times; The Washington Post; Financial Times; WordPress-owner Automattic; dev community Glitch; privacy search engine DuckDuckGo; anti-tracking browser Brave; Firefox maker Mozilla; tracker blocker Disconnect; privacy tool maker Abine; Digital Content Next; Consumer Reports; and digital rights group the Electronic Frontier Foundation.
Hello World!
Introducing Global Privacy Control: a simple way to let you exercise your privacy rights online.
Website: https://t.co/klgalzMToT
Press Release: https://t.co/iCecmhweRl
Full Spec: https://t.co/YXWP91Obhe pic.twitter.com/iZL4Jlh5cL
— Global Privacy Control (@globalprivctrl) October 7, 2020
“In the initial experimental phase, individuals can download browsers and extensions from Abine, Brave, Disconnect, DuckDuckGo, and EFF in order to communicate their ‘do not sell or share’ preference to participating publishers,” they write in a press release unveiling the effort.
“Additionally, we are committed to developing GPC into an open standard that many other organizations will support and are in the process of identifying the best venue for this proposal,” they add.
This ‘DNT’-esque initiative is, at least initially, being tailored toward California’s Consumer Privacy Act (CCPA) — which gives Internet users in the state the right to opt out of having their data sold on (with the potential for further strengthening if a November ballot measure, called Prop24, gets passed).
The law also requires businesses to respect user opt-out preferences via a signal from their browser — reviving the potential for a low friction, browser-level control which was what supporters of DNT always hoped it would be.
The aim for the group steering GPC is to develop a standard for a browser-level opt-out for the sale of personal data that businesses subject to CCPA would be legally compelled to respond to — assuming they succeed in getting the standard accepted as legally binding under California’s law.
“We look forward to working with AG Becerra to make GPC legally binding under CCPA,” they write on that.
We’ve reached out to AG Becerra’s office for a response on the launch. He has also just tweeted approvingly — calling the proposal “a first step towards a meaningful global privacy control that will make it simple and easy for consumers to exercise their privacy rights online”.
“CA DOJ is encouraged to see the technology community developing a global privacy control in furtherance of the CCPA and consumer privacy rights,” he added in a follow on tweet.
This proposed standard is a first step towards a meaningful global privacy control that will make it simple and easy for consumers to exercise their privacy rights online.
#DataPrivacy is the future, and I am heartened to see a wave of innovation in this space.— Archive – Attorney General Becerra (@AGBecerra) October 7, 2020
At the same time — and as GPC’s name implies — the ambition is to develop a standard that’s able to flex to mesh with privacy regimes elsewhere, such as Europe’s GDPR framework (which provides citizens with a suite of protective and access rights around their data, though not a carbon-copy CCPA opt-out for the sale of data).
“While they don’t specifically call for a GPC, I think there’s a potential for EU DPAs [data protection agencies] to consider a mechanism like this as a valid way for consumers to invoke their rights under GDPR, including the objection to sale,” Soltani tells TechCrunch. “Also the spec was designed to be extensible in case the laws vary slightly from CCPA — permitting users to object to specific uses in GDPR — or even the new rights that will come about if CPRA (Prop24) passes next month.”
One big and obvious question looming over this effort is why not simply revive DNT as a vehicle for expressing the CCPA opt-out signal?
They basicaly want to reintroduce the Do Not Track bit. Weird. If so, why not simply use DNT which has/had actual adoption? This leaves many questions. https://t.co/3kF41MLwzG pic.twitter.com/tjyPDHESPV
— Lukasz Olejnik (@lukOlejnik) October 7, 2020
Much effort and resource has been expended over the years to try to make DNT fly. Not entirely without success, given it was able to gain widespread backing from browser makers — falling apart from lack of compliance on the other side of the coin given the lack of legal compulsion.
However now, with robust legal regimes in place protecting people’s digital data (at least in Europe and California), you could argue there’s an opportunity to revive DNT and make it stick this time. (And, indeed, some EU parliamentarians have, in recent years, suggested Do Not Track settings could be used to express consent to processing as part of a planned reform of EU ePrivacy rules — likely with an eye on tidying up the consent pop-up clutter that’s been supercharged by GDPR compliance efforts.)
However the answer to why GPC, rather than DNT 2.0, seems to be partly related to all the baggage accumulated around Do Not Track — whose pithy call to action can still send insta-shudders down adtech exec spines. (Whereas ‘Global Privacy Control’ is certainly boring-sounding enough that it could have been dreamt up by an adtech lobbyist and may, therefore, put fewer industry noses out of joint.)
More seriously, the potential for using DNT to express opt-out signals was discussed by California lawmakers when they were drawing up CCPA, and industry feedback taken in — and the message they got back was that most businesses were ignoring it, which in turn led to a feeling that a revived DNT would just continue to be ignored.
Hence the law may demand a more precision instrument to carry the torch for user privacy, is the thinking.
Unfortunately the AG mostly rejected 'Do Not Track’ as a valid mechanism for a variety of reasons, including that it didn't clearly communicate the user's intent to 'opt-out of sale'.
Details in the CCPA FSOR here: https://t.co/lINdOiIj7J as well as Appendix-E. pic.twitter.com/uZHLEcZM20
— ashkan soltani (@ashk4n) October 7, 2020
We also understand the GPC effort had intended and expected to be able to use DNT as the opt out mechanism. But in the end, given the concern around compliance, they decided a CCPA-specific mechanism was needed to circumvent this problem of businesses tuning out the broader DNT signal.
“Getting privacy online should be simple and accessible to everyone, period,” said Gabriel Weinberg, CEO & founder of DuckDuckGo in a supporting statement. “Global Privacy Control (GPC) takes us one step closer to making this vision a reality by creating a simple universal setting for users to express their preference for privacy. DuckDuckGo is proud to be a founding member of this effort and starting today, the GPC will be launching in our mobile browser and desktop browser extensions, making the setting available to over ten million consumers.”
“Mozilla is pleased to support the Global Privacy Control initiative. People’s data rights must be recognized and respected, and this is a step in the right direction. We look forward to working with the rest of the web standards community to bring these protections to everyone,” added Selena Deckelmann, VP of Firefox Desktop.
The full spec of the proposed GPC standard can be found here.
Update: In another expression of support for the initiative, Senator Ron Wyden told us: “It’s past time to give consumers a real and enforceable way to stop companies from tracking and selling their data. My Mind Your Own Business Act would do just that, and this project shows it’s possible.”
Comment