A new Internet specification is heading our way, and it may be something to actually get excited about.
Many of us remember the fiasco that was the Do Not Track header. You can still set it, but websites can choose whether to honour it.
Our privacy has been improved somewhat by the European Union’s General Data Privacy Regulation (GDPR). We can at least opt out of some cookies, but it is on a site by site basis and we have to go into the website’s cookie settings menu to change from the default. Useful, but not perfect.
Importantly, GDPR is backed by government. Maybe not the Australian government, but any website that might receive visitors from the European Union needs to consider its possible obligations under the GDPR. Thus we see GDPR notices on all sorts of local websites.
Coming soon to an Internet browser near you: Global Privacy Control (GPC).
This is a draft Internet specification that aims to implement the intent of laws passed in several US states including California, Colorado and Connecticut (and Virginia, for those who prefer hanging out at the other end of the alphabet). The state legislation requires websites and their advertisers to honour a visitor’s expressed desire that their personal information not be shared or sold to third parties. So this goes beyond Do Not Track’s weaksauce ‘we might honour it or we might not’ - if a user sends the signal that they do not want their data shared or sold, then a website is in breach of laws in several US states if they do share or sell data.
As with GDPR, this legislation is likely to become pretty much global in its reach - at least on the English-speaking Internet - because there are some serious penalties involved if websites fail to allow their users to opt out of data sale and online tracking. The legislation might be from only a few US states, but California alone has the world’s fifth-largest economy if it is treated as a country. That is a big market to miss out on or to annoy.
Firefox has already implemented GPC flags in its About:Config page. (Warning: do not go there if you are not entirely certain what you are doing.) The setting is likely to become more user-friendly over the next several months. Other Chromium-based browsers, such as Brave and the DuckDuckGo browser, have also adopted the standard.
So when is this going to matter? At the moment websites can collect data and if called out on it they can say ‘oops, we’re sorry’ and everything is fine. This is called a ‘right to cure’, and ends in California on 1 January 2023. That is, from that date websites that do business in California or with California residents must have some way of allowing visitors to say ‘don’t sell or share my stuff’.
Okay, but we could still end up with something like the GDPR thing where we have to make our choice for every website, right? Uh - no. California’s regulations (paragraph 999.315 (c) on page 17 of the linked PDF) require that business must accept a signal from a web browser. And that is where the GPC specification comes into its own.
Maybe we will at last be able to rely upon our browsers telling websites not to track us, rather than using multiple plugins that still do not stop all methods of tracking.