In a Nutshell: More people should know the information they generate online is for sale. In 2020, the California Consumer Privacy Act (CCPA) gave consumers more control over the information businesses collect about them. Global Privacy Control (GPC) implements the act through an easy-to-use web browser extension that stops companies from selling personal data. Because the CCPA requires firms to comply if they wish to do business in California, it motivates them to extend protection globally, putting consumers who use GPC in the driver’s seat of internet privacy.
The internet isn’t free. Households and businesses pay service providers for a connection, and many individual sites charge a subscription fee for access.
Beyond those costs, a vast economy of revenue and profit building depends on the data users generate as they click and tap from one link to another.
To increase the value of targeted advertising, web publishers use tracking technologies to build detailed user profiles from traffic data. They also sell and share information with third-party advertising networks and analytics providers with the same goal.
Some web advertising is based on identifiers that are directly tied to personally identifiable information, such as names and addresses, and other times it is possible to infer identity. Aside from that, the data is valuable, and many privacy stakeholders believe individual users should have the right to control what companies do with it.
In California, voters exercised that right when the state legislature passed the California Consumer Privacy Act (CCPA), which went into effect in 2020. The CCPA enables Californians to opt out of the data marketplace through Global Privacy Control (GPC). This easy-to-use extension works with popular web browsers, including Firefox, Brave, and DuckDuckGo.
GPC is required by law, so the compliance of web publishers is necessary if they have California visitors. What makes it more powerful is that it’s impractical for a company doing business online to establish one set of privacy rules for Californians and another for everybody else.
Don Marti is Vice President of Ecosystem Innovation at CafeMedia, an ad management company and early supporter of GPC. He said GPC, as of early 2023, offers a practical path to a global internet that respects user privacy.
“It’s technically straightforward and in a stable and solid condition,” Marti said. “From now into the foreseeable future, it’s a matter of companies quietly catching up on implementing it.”
Convenient Browser Extensions Put Users in Control
That means GPC has the potential to establish a global online privacy structure. As more users implement the GPC extension through their browsers, CCPA privacy enforcement becomes more effective.
That incents more governmental jurisdictions to enact privacy laws of their own and puts the onus on the biggest browser companies, including Google and Apple, to implement the extension on their platforms. It pressures more publishers and providers to follow suit as Marti’s company has. More than 50 million users already have GPC up and running.
Marti said GPC is necessary because the California legislature structured the CCPA as an opt-out mechanism for consumers. This structure respects the legitimate consumer preference to receive targeted ads. In other words, GPC allows users to control if companies market their personal data.
In contrast, the European Union’s General Data Protection Rule goes in the opposite direction. It assumes all users want privacy and requires companies to first obtain informed consent before using someone’s information for ad targeting.
“The state realized that to have compatibility with the US constitution and US laws, a consent-based privacy law like Europe’s was not as likely to hold up in court as an opt-out-based law,” Marti said.
Because the marketplace for traffic data works like a network, tens of thousands of companies may control a piece of data at any given time. That’s why it’s impractical to ask consumers to contact each company. By communicating a simple “do not sell” message along with user data, GPC does all the work.
“You can set an option in the software to have it do the opt-outs for you when you connect with a new company,” Marti said. “Today, that’s done on the web, but there’s no reason other software categories, including mobile apps and contactless point-of-sale pads, couldn’t have Global Privacy Control.”
Responding to Consumer Demand for Online Privacy
While it’s true that a substantial number of internet users don’t mind targeted ads and are willing to allow companies to sell and share their data to receive them, most don’t, Marti said. He said surveys consistently report only about a third of users want to see cross-site personalization in the ads they receive.
According to Marti, while some people claim that targeted ads have benefits, the behavioral economics don’t hold up. They also follow users from site to site in a way that may threaten national security and shift ad revenue from away from legitimate sites to criminal ones. And because users who opt in to targeting tend to receive a subset of the ads available, they may develop a false perception of the quality of a site.
“I’d rather see the worst possible ad that any user could see because that helps me establish the reputation for the site,” Marti said. “If a site has high-end product ads on it, it’s probably okay, but if it has a bunch of scams, then steer clear.”
Companies didn’t rush to comply when the CCPA went into effect in 2020. Either they believed the regulation didn’t apply to them, or the risk of noncompliance was minimal because enforcement depended on California taking action.
But the state was preparing all along. In 2022, California filed against the French fashion brand Sephora for breaching the law, and late that year, the company agreed to a $1.2 million settlement.
In violation of the law, Sephora failed to disclose that it was selling data and also failed to process user requests to opt out.
Furthermore, as of January 1, 2023, California passed additional legislation removing a 30-day cure period previously granted to businesses accused of violating the law. Businesses now face real consequences for noncompliance, and California consumers have a privacy enforcement mechanism of proven effectiveness at their disposal.
GPC: Increasing Internet Safety for All
Users with GPC-enabled browsers can spot violations by consulting one of many platforms that lists the companies that have transferred info.
The most practical path to running GPC is to download a participating browser. There’s also a link on the GPC webpage to an extension called OptMeowt that turns on GPC automatically.
Collectively, founding organizations responsible for creating the GPC specification have a hand in hundreds of thousands of websites and blogs. Along with CafeMedia, publishers that have played a leading role in promising implementation include Consumer Reports, Financial Times, the New York Times, and the Washington Post.
As California promises increased enforcement activity around the CCPA after the Sephora case, more companies are springing into action.
“Now that we have some legal documents around it, it’s really not so much a tech advocacy issue as it is a compliance issue,” Marti said. “And that’s a different level of publicity.”
GPC is the subject of an ongoing series of discussions at W3C, the World Wide Web Consortium, which serves as the primary global web standards organization. W3C standardization would prompt more browsers to adopt it and motivate more jurisdictions to implement consumer privacy protections like the CCPA.
For now, California leads the way toward an environment that respects all consumer preferences regarding the data they generate online. And that will continue to hold true.
“The language of the law applies very generally to any transfer for something of value in return,” Marti said. “That can apply to many different technologies, even to things that are yet to be invented.”