Do not sell: More privacy control coming to browsers
Privacy-conscious internet surfers will soon have an additional weapon on their side.
You can’t see it working, but a special signal known as global privacy control tells every website you visit not to pass around your personal data behind your back.
Global privacy control is already tucked away in web browser Brave and browser add-on DuckDuckGo. Soon, the Firefox browser will be adding it. Chrome users, however, must continue to wait.
It’s a big deal because asking websites or apps not to share or sell your personal information involves hunting through company websites and submitting a “do not sell” request to each and every offender. If you live in California, you have some protection for your data under the California Consumer Privacy Act, and companies have to honor these requests. If you live elsewhere, you’re often out of luck. But tools like GPC lay the groundwork for easier management of personal data as more states consider passing data privacy legislation.
Firefox says it’s rolling out the global privacy control signal to its main product in the next two or three months, according to Chief Technology Officer Eric Rescorla. Firefox didn’t adopt the signal right away, instead waiting to see what sort of impact it would have to avoid making privacy promises that don’t hold water, Mr. Rescorla said. But the new privacy control has some teeth, its creators say, and it has the potential to make a real difference in your online privacy by opting you out of data sharing before it happens.
The move by Firefox comes after California Attorney General Rob Bonta made it clear in July that under the California privacy law, companies are expected to treat the signal as the same as any other do-not-sell
request from consumers. Mr. Bonta’s stance is significant as many companies have ignored the signal, making it a less-effective tool despite its reported 40 million users worldwide.
Enforcement is ongoing, a representative at Mr. Bonta’s office said, and companies are legally obligated to honor the signals sent by California consumers.
Growing pressure to get on board
Global privacy control is a browser setting that notifies businesses of your privacy preferences, such as whether you want your personal information to be sold or shared, by sending out a signal to each site you visit.
GPC is a collaborative effort by privacy-focused organizations and advocates, including the Electronic Frontier Foundation and Consumer Reports, and is a successor to the ill- fated “Do Not Track” signal — you may remember when it popped up in browsers in the 2010s, then fizzled when companies failed to honor it. But global privacy control has the law on its side — at least in California.
The CCPA allows California residents to outsource “do not sell” and other data requests to someone communicating with companies on their behalf, or an authorized agent. That authorized agent doesn’t have to be a person — it can also be a piece of technology. That’s where GPC comes in.
Widespread interest in data privacy has surged in recent years as shady corporate data practices come to light. Companies take your data and sell it, or “share” it in exchange for services, says Don Marti, vice president of ecosystem innovations at CafeMedia, an ad management company and early supporter of GPC.
“Back in the day people used to say, ‘Oh, I ordered something out of one catalogue and then I started getting 50 catalogues,’ ” Mr. Marti said. The same is true today when you order something from a website, he explained: Soon, dozens of other companies may have their hands on your data.
The type of data sharing that GPC addresses goes beyond the web, Mr. Marti said, so it should help cut down on junk mail, calls and faxes. It also theoretically stops big data companies like Facebook and Google from taking data gathered from one site and using it elsewhere, according to Jason Kint, CEO of Digital Content Next, a trade organization for digital content creators including The Washington Post that’s contributing to the development of GPC.
This isn’t to say that GPC is the privacy solution to rule them all, Firefox’s Mr. Rescorla said. The tool doesn’t prevent data sharing with official business partners providing services like fraud detection or site analytics. And right now, Californians are the only ones in the United States with assurance that GPC counts as an official opt-out request under their state’s privacy law. To find out whether a specific website honors GPC, you can type its web address into this search tool.
Whether Virginia and Colorado, the only other states that have passed comprehensive privacy legislation, make companies honor GPC remains to be seen. But signs that California officials will enforce GPC bodes well for the tool’s efficacy.
Mr. Kint said it’s “inevitable” that big- name browsers like Google’s Chrome will face pressure to get on board as well. Chrome, which has not implemented GPC, is by far the most popular browser with 66.7% of worldwide desktop traffic in the first quarter of 2021 compared to Firefox’s 8.1%.
“[Chrome] is the market leader and it’s owned by a company that makes most of its money off surveillance, targeting and tracking users, and collecting as much data as possible,” Mr. Kint said. “The browser itself is a user agent, it’s supposed to work for the user. This should be a no-brainer.”
A Google spokeswoman said the company is “following the developments” of GPC but stopped short of saying whether it would add the feature.