The New York Times, Washington Post and Financial Times earlier this week announced their backing of a new proposal that seeks to give consumers a simpler way to prevent their data being shared carte blanche between the websites they visit and other third-party companies.
Dubbed the Global Privacy Control, the proposal sets out a way for users to signal — via a setting in their browser or in browser extension — to every website that they visit that they do not want their data to be sold or shared.
Since the California Consumer Privacy Act came into effect in January 2020, websites must display a “clear and conspicuous” link on their homepages titled “Do Not Sell My Personal Information” so that California residents can request that they stop selling their data. The problem, though, is that users must manually do so on each and every site they visit — which can currently present a complicated and time-consuming task, according to research published earlier this month from Consumer Reports. (There still remains a little ambiguity about what constitutes a “sale” under the CCPA — though that could be resolved if California voters approve the California Privacy Privacy Rights Act — essentially a CCPA 2.0 — on the November 2020 ballot.)
The coalition of organizations and researchers hopes to succeed where the “Do Not Track” initiative failed.
That effort, first proposed in 2009, ultimately wound down due to lack of industry adoption, largely because adherence to the standard was not legally binding. The difference this time is that the GPC builds on the current CCPA regulation that states businesses must also adhere to the requests of users who opt out from the sales of their data using “user-enabled global privacy controls, such as a browser plugin on privacy setting.”
Further down the line, the hope is that the GPC signal could also extend to become a legally binding mechanism under other global privacy jurisdictions, such as Europe’s General Data Protection Regulation. During its initial experimental phase, the GPC signal is not intended to convey legally binding requests.
Other backers of the GPC include WordPress owner Automattic, search engine DuckDuckGo, the Disconnect tracker blocker, privacy-focused browser Brave, Firefox owner Mozilla, former FTC chief technology officer Ashkan Soltani and Wesleyan computer science professor Sebastian Zimmeck.
“For a while there’s been a realization that there’s a common set of interests between publishers and the privacy nerds,” said Don Marti, a privacy blogger and member of the GitHub developer organization. “The privacy nerds don’t want their information shared with companies that they aren’t aware of and publishers don’t want to lose control of their audience data.”
Until recently, while there had been an obvious shared economic interest between the two groups, there hadn’t been an organizational connection between the technical people on the publisher side and privacy developers on the other, Marti added. The involvement of publishers will aid early real-world live testing of the tool.
The GPC was developed with knowledge of, and with a view to interoperating with, the existing IAB-CCPA compliance framework, meaning the process of adding the GPC should — in theory at least — be fairly straightforward for publishers.
The New York Times is adopting the GPC signal for both CCPA and GDPR.
“The value we see is a very strong link between privacy and trust,” said Robin Berjon, vp of data governance at The New York Times. “As a news publisher the trust of our readers is absolutely essentially so we need to be worthy of that trust in pretty much everything we do and how we operate as a business.”
There’s also a business incentive: The less a publishers’ data gets leaked downstream, the more the value of that unique audience data is likely to increase, Berjon said. A consumer opting out from a website selling their data doesn’t stop ad tech companies from being able to serve that user personalized advertising on the site, but it does require that those third-party companies don’t use the data for anything else downstream.
“Much of the [privacy-focused] changes we have seen with browsers, or happening in the law, are a result of the industry not properly aligning with consumer expectations,” said Jason Kint, CEO of publisher trade body Digital Content Next, which is also supporting the GPC proposal. “So left to third-parties and ad tech companies and even tech platforms who have amassed considerable profits and wealth off of using people’s data outside their expectations we will once again fail as an industry to get to solutions.”
The GPC proposal has also received support from influential figures outside the media and tech industry.
California Attorney General Xavier Becerra, who will make the ultimate decision on whether the tool will be legally binding in the state, tweeted on Oct. 7 “This proposed standard is a first step towards a meaningful global privacy control that will make it simple and easy for consumers to exercise their privacy rights online.”
Elsewhere, Sen. Ron Wyden (D-OR) has also supported the initiative.
“It’s past time to give consumers a real and enforceable way to stop companies from tracking and selling their data,” Wyden said in an emailed statement. “My Mind Your Own Business Act would do just that, and this project shows it’s possible.”
Wyden’s bill was introduced to the U.S. Senate in October last year. It would give consumers the option to opt out of sharing data that can be used for ad targeting by imposing a federal Do Not Track requirement on businesses. The Federal Trade Commission would also be given the power to fine businesses up to 4% of their annual revenue for privacy violations. However, Senate Republicans have made clear they have no intention of allowing votes on Democratic privacy legislation this session.
Elsewhere, the Bermuda Privacy Commissioner Alexander White released a statement this week saying the GPC proposal marks “an example of the great potential of interoperability.”
The timeline for mass adoption of the GPC standard is hard to predict, said The New York Times’ Berjon. The proposal was briefly discussed during the Worldwide Web Consortium (W3C) privacy community group’s October 8 teleconference. The W3C is a voluntary consensus organizations that helps set web standards. Representatives from companies including Google, Apple, Microsoft and Facebook were on the call.
The most optimistic timeframe is a matter of weeks if the proposal is approved by the likes of the California attorney general or a European data protection authority — and if the world’s most popular browsers are willing to quickly ship a patch.
However, Berjon said, the GPC coalition is also prepared for opposition, particularly from ad tech, which could make the process stretch out for six months to a year — or even shut it down entirely.