When you visit a website, it triggers a series of modules that are programmed to make the most of your data. In many cases, this means your personal information will be put up for sale and sold to advertisers, marketing firms, and data brokers. In the last year alone, U.S. companies spent nearly $12 billion collecting such third-party audience data.
California’s comprehensive new data protection act, the California Consumer Privacy Act (CCPA), which went into effect earlier this year, aims to counter this practice by giving Californians the right to opt out of the sale of their data. Companies subject to this jurisdiction must have an option on their websites that allows visitors to easily submit this do-not-sell request, and companies that do not comply face fines and official requests.
But of course nobody wants to deal with a different button or popup every time they visit a website. This is where the Global Privacy Control (GPC) initiative comes into play.
A “not for sale” sign for your private information
Global Privacy Control, developed by a group of privacy-focused companies and researchers, is a technical standard that acts as a global setting, so you can opt out of the sale of your data anywhere on the internet with the flip of one common switch. This tool integrates with your browser and sends a signal to CCPA-compliant websites, letting them know that you do not want your personal information put up for sale.
The GPC, which is currently in beta, is not yet enforced under the CCPA. Most recently, California Attorney General Xavier Becerra detailed a provision in this law that would ultimately allow for a global opt-out such as Global Privacy Control. Later, in a tweet and a statement to Digital Trends, Becerra praised Global Privacy Control and expressed his support.
This proposed standard is a first step towards meaningful global data protection control that makes it simple and easy for consumers to exercise their data protection rights online.
#DataPrivacy is the future and I am excited to see a wave of innovation in this area.
– Xavier Becerra (@AGBecerra) October 7, 2020
“We believe that online privacy should be easy and accessible to everyone,” Peter Dolanjski, product director at DuckDuckGo, one of the early supporters of Global Privacy Control, told Digital Trends. “Global Privacy Control adds an extra layer of privacy that is easy to turn on and intended to be backed by legal enforcement, from the CCPA to expanding to other jurisdictions over time.”
Succeeding where Do Not Track failed
“Legal” is indeed the key word here. For years, data protection officers have waged a war against internet and data companies to secure basic security rights and roll back invasive online practices that commercialize people’s private information. However, with no law to back them up, most of these efforts have fallen through the cracks or have produced few results.
The decades-old Do Not Track specification epitomizes this. Since it was never required by law, it didn’t actually do anything in practice, and companies just ignored it and tracked users at will. Eventually, many tech companies like Apple simply dropped the Do Not Track option and even removed it from their services.
Even if Do Not Track had been adopted, it never had the technological infrastructure it needed to be truly effective. Let’s face it: how often do we read the General Data Protection Regulation (GDPR) warnings and acknowledgments that websites send to us? In fact, a study by DataGrail found that since the CCPA went live on January 1, 2020, only 82 “don’t sell” requests have been sent per million consumer records.
Theoretically, Global Privacy Control does not suffer from any of these problems. It already has a legal backbone in California and is welcomed by a notable group of organizations like Mozilla, Brave, the Electronic Frontier Foundation (EFF), Automattic (WordPress and Tumblr), the New York Times, and others.
Since the GPC signal runs automatically in the background, users do not have to search for and toggle an option themselves. In its beta version, Global Privacy Control has been introduced on a handful of platforms. You can test it out today on DuckDuckGo, Brave, Google Chrome (thanks to the EFF add-on called Privacy Badger), and more.
Kelvin Coleman, the executive director of the National Cyber Security Alliance (NCSA), believes GPC’s legal buffers will help legitimize its goals, as opposed to “Do Not Track” which was “put in place in a vacuum.”
“With CCPA and GDPR in place as precedents, organizations are forced to find their way through a minefield of compliance issues and heavy fines if they fail to handle user data. This creates a greater incentive to adopt GPC in the long term,” said Coleman.
Not yet the silver bullet: the long, arduous way ahead of us
However, security researchers warn that it will take years for Global Privacy Control to be implemented on a large scale, and even then it may not be the silver bullet for outrageous online data abuse. More importantly, the GPC’s legal scope, as long as it is tied to the CCPA, is limited to California. Additionally, this does not apply to data shared with nonprofits, government agencies, and companies with sales less than $25 million.
Sebastian Zimmeck, one of the founding members of the GPC and a professor of computer science at Wesleyan University, remains optimistic, arguing that although California is currently a major use case, the technology behind it is legally independent and can rely on different legal boundaries, depending on how other jurisdictions develop their privacy laws in the future.
Dolanjski from DuckDuckGo adds that the consortium is also talking to “various parties in the European Union” to integrate Global Privacy Control into the GDPR.
The European Data Protection Supervisor, the official data protection officer of the GDPR, did not comment on whether it was investigating GPC partnerships, but said in a statement that it “welcomes privacy-oriented initiatives that can have a positive impact on a more sustainable digital economy and that encourage competition in the field of technology in a time of increasing digitization.”
Another shortcoming that could affect the GPC’s success is that it will have little impact on your online privacy if it is not active on all of your devices in every browsing session. The Global Privacy Control signal is sent each time you visit a website; it is not universally activated for your profile.
For example, you could ask a specific site on your computer not to sell your data using GPC. However, if you go to this website again on your phone, where GPC may not be available yet, the company could abuse your private information.
Peter Snyder, a senior privacy researcher at Brave, sees the GPC as the foundation and hopes that responsible websites, businesses and advertisers use it “as part of a diverse approach to ensure that they ethically and responsibly respect the privacy of users and users,” including applying it automatically to all sessions if the visitor has an account with them.
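The per-request signal and the account-level application described above, as an added example that is not part of the original article: a server-side check that honours the opt-out on the request that carries it and remembers it for the signed-in account, so a later visit from a device without GPC is still treated as opted out. The `Sec-GPC: 1` header name is taken from the GPC specification rather than from this article; the request shape, `optOutStore` and the function names are hypothetical.

```javascript
// Added example: request objects, store and function names are hypothetical.
// Assumption: the signal arrives as the request header `Sec-GPC: 1`
// (header name per the GPC specification, not stated in the article).

// accountId -> { source, recordedAt }; stands in for a real database table.
const optOutStore = new Map();

// True only for an exact "1"; an absent header or any other value is no signal.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") return String(value).trim() === "1";
  }
  return false;
}

// Decide whether this request's data may be sold, and persist the opt-out
// for signed-in visitors so it follows them to devices without GPC.
function resolveSalePreference(request, store = optOutStore) {
  const signalled = hasGpcSignal(request.headers);
  const accountId = request.accountId ?? null;
  if (signalled && accountId !== null && !store.has(accountId)) {
    store.set(accountId, { source: "gpc", recordedAt: request.receivedAt });
  }
  const persisted = accountId !== null && store.has(accountId);
  let reason = "none";
  if (signalled) reason = "gpc-header";
  else if (persisted) reason = "account-opt-out";
  return { doNotSell: signalled || persisted, reason };
}

// Constructed sample traffic: one account on two devices, plus anonymous visits.
const sampleRequests = [
  { device: "laptop", accountId: "alice", headers: { "Sec-GPC": "1" }, receivedAt: "2020-10-07T10:00:00Z" },
  { device: "phone", accountId: "alice", headers: {}, receivedAt: "2020-10-07T18:00:00Z" },
  { device: "phone", accountId: null, headers: {}, receivedAt: "2020-10-07T18:05:00Z" },
  { device: "tablet", accountId: null, headers: { "sec-gpc": "0" }, receivedAt: "2020-10-07T18:10:00Z" },
];

function runSample() {
  const store = new Map();
  return sampleRequests.map((r) => ({ device: r.device, ...resolveSalePreference(r, store) }));
}

for (const row of runSample()) {
  console.log(`${row.device}: doNotSell=${row.doNotSell} (${row.reason})`);
}
```

The anonymous phone visit is the gap the article describes: with no header and no account to look up, the server has nothing that tells it the visitor opted out elsewhere.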
How the GPC fits into the web of permissions and pop-ups on websites remains to be seen as more participants come on board. But Zimmeck suggests that this will depend on the law. For example, the CCPA requires companies to comply with the opt-out signal regardless of the situation and notify or contact the customer if necessary to resolve certain disputes.
Despite its shortcomings, Global Privacy Control seems promising and may be the best way to date to contain online data abuse. Our information is at risk more than ever, and the GPC could be the stepping stone we need to enable a future where privacy is a legal right rather than a personal choice.
“Until there is a wider collective of participating publishers, companies and websites – coupled with adequate legal enforcement – the GPC will continue to be a limited-reach ideal,” said Coleman of NCSA. “But this ideal is very promising in the face of greater acceptance.”