On today’s internet, information is nearly impossible to control. It’s become commonplace for a single website visit to spill over into targeted ads (often for something you’ve already bought) or unexpectedly canny spam emails. It’s assumed that information from your browsing history will be available to target your Instagram ads, and despite nominal commitments to privacy, tech companies have mostly given up trying to stop those data flows.
Privacy groups are hoping that a new standard, called Global Privacy Control, will change that. It’s designed as a global opt out, a general signal that users want as little data collection and sharing as possible. In particular, the GPC standard will let users signal that they don’t want services to share their data with third-party data brokers, something that is outside the reach of most modern privacy tools. The team hopes that this new signal will give users a way to protect their data after it’s been collected and ensure personal information doesn’t travel too far.
“You don’t know if they’re selling data on the back end”
“When you go to a website right now, you don’t know if they’re selling data on the back end,” says DuckDuckGo CEO Gabriel Weinberg, a central player in the project. “But we’re hoping that this signal will stop them from doing that, because it will be legally binding.”
The GPC standard sprang from a powerful but little-noticed provision in the California Consumer Privacy Act (CCPA), which was strengthened further with the passage of the California Privacy Rights Act in November. A provision in the law gives Californians the right to opt out of having their personal information sold by the sites they visit. Crucially, the law interprets “sell” as including any exchange of value, which could include being read broadly enough to go beyond outright data broker sales and into the endemic tracking pixels that power much of the advertising you see online.
“The right is supposed to prevent any third-party tracking,” says Ashkan Soltani, who worked on drafting the CCPA and CPRA and has been a pivotal force in drafting the new standard. “There hasn’t been too much enforcement yet but more importantly, people don’t know about it and can’t find the button, so not many people opt out…But the CCPA also has in it the right for users to opt-out through a global privacy control.”
Global Privacy Control is meant to automate that opt out, letting users click a single button on their browser instead of hunting for the opt out on every website they visit. Starting today, browsers from Brave and DuckDuckGo will send the GPC signal by default, and DuckDuckGo plugins will let you bring the same signal to Firefox and Chrome. Privacy Badger, Abine, and Disconnect.me have made similar moves to build the standard into their products. All told, project organizers estimate that 40 million users worldwide will be sending out the GPC signal through one product or another, giving them surprising political muscle when future privacy rules are written.
40 million users worldwide
Site partners like The New York Times, The Washington Post, and Meredith Digital have also agreed to respect the signal, and Automattic (the company that owns WordPress) will honor GPC in its self-hosted sites and internal ad network, spanning hundreds of thousands of sites. It’s a small group compared to the billions of Chrome and Safari users out there, but it will provide a proof-of-concept for the more private web the GPC team is trying to build.
There is still a long way to go before GPC is available outside the cloistered world of web privacy tools. None of the major browsers currently support GPC as a native privacy option, although Mozilla said it supports the effort. The team says they’ve submitted the standard to the W3C, but it will be a long road before it gets approved — with lots of opportunity for ad-friendly tech companies to throw a wrench in the works. The last time privacy advocates tried to build an opt-out system, this is where it fell apart, resulting in the short-lived Do Not Track standard of the mid-‘00s.
But GPC boosters like Weinberg say the CCPA and other pending privacy laws make things different this time. There’s a lot that still needs to happen before GPC has the force of law — in particular, the California attorney general will need to definitively state that the GPC counts as an opt out — but it would give the standard a power that Do Not Track never had.
“The CCPA has passed and the GDPR has provisions that we think map to this signal. So there’s a real case that those laws apply to Global Privacy Control, but it hasn’t been legally proven in the courts,” says Weinberg. “Ultimately, there will probably have to be court cases to fully establish what ‘sale’ means under CCPA and what ‘opt-out’ means under GDPR.”
The California attorney general’s office declined to comment for this piece, but AG Becerra said in a tweet that the standard “satisfies [the CCPA’s] legal requirement and protects privacy.”
The biggest lingering question is the long-simmering push for a federal privacy law, which privacy advocates have been fighting to get through Congress since 2016. As long as GPC relies on California privacy law, it will only matter to California residents — but a federal privacy law could open the standard up to the entire country and potentially strengthen GPC’s protections further. There’s also increasing ambition to expand the opt-out signal beyond the web to apps and the Internet of Things, although such a move would be years away.
Even if GPC gets full backing from legislators and courts, it won’t mean an end to targeted advertising or even data sharing. There’s still a lot of targeting that can be done within a single site, and the online ad world will surely get creative in finding loopholes that let them share data further. But establishing a robust opt-out system on the web would still mean a powerful shift in the way personal data works online — and potentially a start to cleaning up the bewildering tangle of data-sharing agreements online. As partners roll out and momentum builds, Weinberg thinks time is on his side.
“Our view is that websites really have to respect it,” says Weinberg. “It’s only a matter of time.”
Update 1/28 1:33PM ET: Included public statements from California AG Becerra, which were made after press time.