Global Privacy Control

A new Internet specification is heading our way, and it may be something to actually get excited about.

Many of us remember the fiasco that was the Do Not Track header. You can still set it, but websites can choose whether to honour it.

Our privacy has been improved somewhat by the European Union’s General Data Privacy Regulation (GDPR). We can at least opt out of some cookies, but it is on a site by site basis and we have to go into the website’s cookie settings menu to change from the default. Useful, but not perfect.

Importantly, GDPR is backed by government. Maybe not the Australian government, but any website that might receive visitors from the European Union needs to consider its possible obligations under the GDPR. Thus we see GDPR notices on all sorts of local websites.

Coming soon to an Internet browser near you: Global Privacy Control (GPC).

This is a draft Internet specification that aims to implement the intent of laws passed in several US states including California, Colorado and Connecticut (and Virginia, for those who prefer hanging out at the other end of the alphabet). The state legislation requires websites and their advertisers to honour a visitor’s expressed desire that their personal information not be shared or sold to third parties. So this goes beyond Do Not Track’s weaksauce ‘we might honour it or we might not’ - if a user sends the signal that they do not want their data shared or sold, then a website is in breach of laws in several US states if they do share or sell data.

As with GDPR, this legislation is likely to become pretty much global in its reach - at least on the English-speaking Internet - because there are some serious penalties involved if websites fail to allow their users to opt out of data sale and online tracking. The legislation might be from only a few US states, but California alone has the world’s fifth-largest economy if it is treated as a country. That is a big market to miss out on or to annoy.

Firefox has already implemented GPC flags in its About:Config page. (Warning: do not go there if you are not entirely certain what you are doing.) The setting is likely to become more user-friendly over the next several months. Other Chromium-based browsers, such as Brave and the DuckDuckGo browser, have also adopted the standard.

So when is this going to matter? At the moment websites can collect data and if called out on it they can say ‘oops, we’re sorry’ and everything is fine. This is called a ‘right to cure’, and ends in California on 1 January 2023. That is, from that date websites that do business in California or with California residents must have some way of allowing visitors to say ‘don’t sell or share my stuff’.

Okay, but we could still end up with something like the GDPR thing where we have to make our choice for every website, right? Uh - no. California’s regulations (paragraph 999.315 (c) on page 17 of the linked PDF) require that business must accept a signal from a web browser. And that is where the GPC specification comes into its own.

Maybe we will at last be able to rely upon our browsers telling websites not to track us, rather than using multiple plugins that still do not stop all methods of tracking.

I can see what Web sites will do to counter this GPC signal if they receive it from the browser., and it impacts on their money model.

If there is no legal reason in their operational jurisdiction, it will be ignored.

If there is a legal reason, they will present a page acknowledging the signal, but encourage you to click on something to proceed that will give the site a legal out that the user has consented despite their browser setting.

No consent, either no access, or degraded service. Maybe some paywall comes into play.

As the saying goes, if a service is free, then you and your information are the product. You don’t want your information used, then don’t expect a free service.

Indeed.

The California regulations explicitly anticipate that situation - and if a web site chooses to apply a “price or service difference” according to whether you sell yourself then it must clearly disclose it as well as provide other information.

So it could easily be that the result is similar to the cookie annoyance

• pester power - every time you visit the web site it will badger you to “consent” (opt in)
• some users will, in the face of a long screed of legally required information, just click “OK” to opt in but without really reading and understanding (like a typical EULA).

On the other hand, if the business currently collects, shares and sells but it is not part of their core business then the business might just decide that compliance is not worth the trouble and stop collecting, sharing and selling.

It isn’t clear how the California regulations would interact with “global privacy control”, or any action by the user to contradict the GPC, presumably because the regulations predate the GPC.

My preference would be: if your browser sends the GPC “bugger off” signal then the web site should not collect, share or sell anything and it should not badger me or inform me - but the web site is free to degrade its service to me.

However the OP does make note of the fact that

California alone has the world’s fifth-largest economy if it is treated as a country

and observe that

That is a big market to miss out on or to annoy.

Of course this whole thing only really relates to browsers or other things using HTTP. There is no means of providing the same control with other protocols and other protocols may or may not be extended to include similar functionality.

which is actually quite annoying.

Yes, GDPR could have been implemented better. Hopefully given that California’s regulations specifically provide that websites must recognise GPC, this will actually be user-friendly. One setting, then forget.

Just to be clear, the regulations state in part:

(c) If a business collects personal information from consumers online, the business shall treat
user-enabled global privacy controls, such as a browser plug-in or privacy setting, device
setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of
the sale of their personal information as a valid request submitted pursuant to Civil Code
section 1798.120 for that browser or device, or, if known, for the consumer.

(1) Any privacy control developed in accordance with these regulations shall clearly
communicate or signal that a consumer intends to opt-out of the sale of personal
information.

(2) If a global privacy control conflicts with a consumer’s existing business-specific
privacy setting or their participation in a business’s financial incentive program, the
business shall respect the global privacy control but may notify the consumer of the
conflict and give the consumer the choice to confirm the business-specific privacy
setting or participation in the financial incentive program.

My interpretation of this is that businesses must honour browser signals rather than demand interaction from the user.

Not sure how this legislation would apply to apps.

The regulations specifically talk about apps - but, as with a lot of the text, it is not obvious on a fast read how it would work in practice.

For example, it talks about the app’s “download page” but I would guess that most people don’t download apps directly from the provider via the provider’s web site. Instead the app would be downloaded via another app i.e. the “store” app provided by the operating system.

On another aspect of it … if I set the GPC to “bugger off” in my web browser, how does that interact with app client code that uses HTTP? If all the apps and the browser use a common HTTP API provided by the operating system then I really want to set GPC at the lowest level so that it will always be signalled.

It is also not clear what happens with apps that are no longer supported, or no longer supported on older platforms (indeed no longer compatible at all with older platforms i.e. upgrade is impossible). Of course the operating system can take matters into its own hands and simply wipe out any apps that are abandonware and non-compliant - provided that the operating system version is not itself abandonware.