What’s Global Privacy Control?

Photo by Dan Nelson on Unsplash

The internet should be safe to use by default, this is something that I strongly believe, and a big part of ensuring the safety of internet users is trust. For someone like me, who works in tech, navigating cookie/privacy permission notices, rotating passwords and the general safety procedures that come with surfing the web is, at most, an annoyance. For those outside of tech, though, it’s unrealistic to expect them to stay on top of all these things and using the internet becomes increasingly unsafe for them because many services breach users trust by using users’ data without their consent. The internet should be safe for the most vulnerable internet users without them having to jump through so many hoops. There is a lot of work to be done to getting to an online utopia where all users are cared for, but we’re starting the work. Privacy and data protection is the big ticket item at the moment, a number of governments and ruling bodies have already put together groups of laws that protect user’s online data (GDPR, CCPA, LGPD, etc) and these rules have led to an uptick of privacy permission notices, some which use dark-patterns to trick users to give permission to have their data sold. For you and me, these notices are jarring, especially considering they’re on every site and require us to make sure the correct boxes are ticked. But, what if I told you there was another way?

The other way

You might have noticed “Do Not Sell” and “Object To Processing” links around the web from companies complying with privacy regulations. Rather than clicking on each of these links individually across many websites, you can exercise your rights in one step via the “Global Privacy Control” (GPC) signal, which is required under the California Consumer Protection Act (CCPA) and Europe’s Global Data Protection Regulation (GDPR).

How will it work?

Charlie from ‘Always Sunny in Philedelphia’ in front of a board with red string and papers explaining a conspiracy theory

The idea is that there is a Sec-GPC header which servers will be able to read, if the Sec-GPC-field-value = “1”, then the server will know that the user has revoked permission for their data to be sold on to third parties. Clients will also be able to check the Sec-GPC value by using the Navigator.globalPrivacyControl property. Ideally the default would be the reverse, users would explicitly say they want their data sold instead. However, we’re limited by legal frameworks which make either selling data is legal by default or can be made legal through a dark pattern consent dialog.

This is just the start though, beginning from this point is a pragmatic decision but not a permanent one. The CCPA establishes the right to opt-out of the sale of your data, which the GPC adheres to. While for GDPR, LGPD and others, the right to withdraw from consent being sold is what’s stipulated as well as object to data sold under “legitimate interests”. I spoke to Robin Berjon, the VP of Data Governance at the New York Times & one of the main contributors to this new spec and he describes GPC as

a mechanism to use various laws (where possible) to bring users to where the default should be.

The development of GPC will be ongoing and will continue to put the interests of internet users first.

Why is this important?

This feature is also different from current extensions and tools that claim to stop tracking, some of which still sell your data on without consent. GPC allows a universal control, which won’t run any scripts in your browser or on your device and which complies with laws and regulations.

What’s next?

The GPC itself is still in the infant stages and more work needs to be done to figure out how it will work with legal frameworks outside of CCPA.

I’m really looking forward to getting involved with this work in 2021 and will be writing and creating more content around what we’re doing.

Further Reading

@blackgirltech’s mum, published poet, coder, wanderer, wonderer & anti-cheesecake activist.