Privacy-conscious internet surfers will soon have an additional weapon on their side.
You can’t see it working, but a special signal known as global privacy control tells every website you visit not to pass around your personal data behind your back.
Global privacy control is already tucked away in web browser Brave and browser add-on DuckDuckGo. Soon, the Firefox browser will be adding it. Chrome users, however, must continue to wait.
It’s a big deal because asking websites or apps not to share or sell your personal information involves hunting through company websites and submitting a “do not sell” request to each and every offender. If you live in California, you have some protection for your data under the California Consumer Privacy Act, and companies have to honor these requests. If you live elsewhere, you’re often out of luck. But tools like GPC lay the groundwork for easier management of personal data as more states consider passing data privacy legislation.
Firefox says it’s rolling out the global privacy control signal to its main product in the next two or three months, according to Chief Technology Officer Eric Rescorla. Firefox didn’t adopt the signal right away, instead waiting to see what sort of effect it would have to avoid making privacy promises that don’t hold water, Rescorla said. But the new privacy control has some teeth, its creators say, and it has the potential to make a real difference in your online privacy by opting you out of data sharing before it happens.
The move by Firefox comes after California Attorney General Rob Bonta made it clear in July that under the California privacy law, companies are expected to treat the signal as the same as any other do-not-sell request from consumers. Bonta’s stance is significant as many companies have ignored the signal, making it a less-effective tool despite its reported 40 million users worldwide.
Enforcement is ongoing, a representative at Bonta’s office said, and companies are legally obligated to honor the signals sent by California consumers.
What is global privacy control?
Global privacy control is a browser setting that notifies businesses of your privacy preferences, such as whether you want your personal information to be sold or shared, by sending out a signal to each site you visit.
GPC is a collaborative effort by privacy-focused organizations and advocates, including the Electronic Frontier Foundation and Consumer Reports, and is a successor to the ill-fated “Do Not Track” signal — you may remember when it popped up in browsers in the 2010s, then fizzled when companies failed to honor it. But global privacy control has the law on its side — at least in California.
The CCPA allows California residents to outsource “do not sell” and other data requests to someone communicating with companies on their behalf, or an authorized agent. That authorized agent doesn’t have to be a person — it can also be a piece of technology. That’s where GPC comes in.
Widespread interest in data privacy has surged in recent years as shady corporate data practices come to light. Companies take your data and sell it, or “share” it in exchange for services, says Don Marti, vice president of ecosystem innovations at CafeMedia, an ad management company and early supporter of GPC.
“Back in the day people used to say, ‘Oh, I ordered something out of one catalog and then I started getting 50 catalogs,'” Marti said. The same is true today when you order something from a website, he explained: Soon, dozens of other companies may have their hands on your data.
The type of data sharing that GPC addresses goes beyond the web, Marti said, so it should help cut down on junk mail, calls and faxes. It also theoretically stops big data companies like Facebook and Google from taking data gathered from one site and using it elsewhere, according to Jason Kint, CEO of Digital Content Next, a trade organization for digital content creators including The Washington Post that’s contributing to the development of GPC.
This isn’t to say that GPC is the privacy solution to rule them all, Firefox’s Rescorla said. The tool doesn’t prevent data sharing with official business partners providing services like fraud detection or site analytics. And right now, Californians are the only ones in the United States with assurance that GPC counts as an official opt-out request under their state’s privacy law. To find out whether a specific website honors GPC, you can type its web address into a search tool at gpcsup.com.
Whether Virginia and Colorado, the only other states that have passed comprehensive privacy legislation, make companies honor GPC remains to be seen. But signs that California officials will enforce GPC bode well for the tool’s efficacy.
Kint said it’s “inevitable” that big-name browsers like Google’s Chrome will face pressure to get on board, as well. Chrome, which has not implemented GPC, is by far the most popular browser with 66.7% of worldwide desktop traffic in the first quarter of 2021 compared to Firefox’s 8.1%.
“[Chrome] is the market leader and it’s owned by a company that makes most of its money off surveillance, targeting and tracking users, and collecting as much data as possible,” Kint said. “The browser itself is a user agent, it’s supposed to work for the user. This should be a no-brainer.”
A Google spokeswoman said the company is “following the developments” of GPC but stopped short of saying whether it would add the feature.
What does this mean for you?
If you don’t want every website you visit to pass around your data, you can try sending the “do not sell” signal with GPC.
If you browse with Brave, GPC is already running. You can also install a browser extension like the Electronic Frontier Foundation’s Privacy Badger, Disconnect, DuckDuckGo, Abine and OptMeowt, all of which include GPC. (To find the extension, just search “Disconnect for Chrome” or whatever browser you’re using and download the extension.)
Right now, GPC is only available through Firefox Nightly, the browser’s early-stage testing and development platform, which you can download at Mozilla.org. But in the next two or three months, it will get added to the beta-testing browser, then the main browser, Rescorla said. The process of turning on GPC should remain the same in the short term, he added, although Firefox will add an easy-to-use interface once enforcement and expectations around GPC solidify.
First, open the Nightly browser and type “about:config” into the search bar. Proceed through the warning. Then, type globalprivacycontrol into the bar at the top that says “search preference name” and two options should pop up: privacy.globalprivacycontrol.enabled and privacy.globalprivacycontrol.functionality.enabled.
Both preferences should read “false.” But if you go to the symbol that looks like two arrows on the right-hand side, you can toggle both to “true.”
Now, open a new browser tab and go to globalprivacycontrol.org. You should see a green light at the top of the page that says “GPC signal detected.” That means it worked, and GPC is sending out its “do not sell” beacon on your behalf.