What’s Global Privacy Control?

Lola Odelola

Web Developer Advocate

The internet should be safe to use by default, this is something that I strongly believe, and a big part of ensuring the safety of internet users is trust. For someone like me, who works in tech, navigating cookie/privacy permission notices, rotating passwords and the general safety procedures that come with surfing the web is, at most, an annoyance. For those outside of tech, though, it’s unrealistic to expect them to stay on top of all these things and using the internet becomes increasingly unsafe for them because many services breach users trust by using users’ data without their consent. The internet should be safe for the most vulnerable internet users without them having to jump through so many hoops. There is a lot of work to be done to getting to an online utopia where all users are cared for, but we’re starting the work. Privacy and data protection is the big ticket item at the moment, a number of governments and ruling bodies have already put together groups of laws that protect user’s online data (GDPR, CCPA, LGPD, etc) and these rules have led to an uptick of privacy permission notices, some which use dark-patterns to trick users to give permission to have their data sold. For you and me, these notices are jarring, especially considering they’re on every site and require us to make sure the correct boxes are ticked. But, what if I told you there was another way?

The other way

The Global Privacy Control (GPC)is a new web standard being worked on by a group of organisations who care about how user data is used and user experience. The spec for GPC makes it easy for consumers to exercise their privacy rights. The objective of this control is to allow users to have a global setting that lets websites know their privacy preferences, users decide in their chosen browser settings — once — that they do/don’t want to be tracked. This setting will comply with current regulations around user privacy and data protection.

You might have noticed “Do Not Sell” and “Object To Processing” links around the web from companies complying with privacy regulations. Rather than clicking on each of these links individually across many websites, you can exercise your rights in one step via the “Global Privacy Control” (GPC) signal, which is required under the California Consumer Protection Act (CCPA) and Europe’s Global Data Protection Regulation (GDPR).

How will it work?

The idea is that there is a Sec-GPC header which servers will be able to read, if the Sec-GPC-field-value = “1”, then the server will know that the user has revoked permission for their data to be sold on to third parties. Clients will also be able to check the Sec-GPC value by using the Navigator.globalPrivacyControl property. Ideally the default would be the reverse, users would explicitly say they want their data sold instead. However, we’re limited by legal frameworks which make either selling data is legal by default or can be made legal through a dark pattern consent dialog.

This is just the start though, beginning from this point is a pragmatic decision but not a permanent one. The CCPA establishes the right to opt-out of the sale of your data, which the GPC adheres to. While for GDPR, LGPD and others, the right to withdraw from consent being sold is what’s stipulated as well as object to data sold under “legitimate interests”. I spoke to Robin Berjon, the VP of Data Governance at the New York Times & one of the main contributors to this new spec and he describes GPC as

a mechanism to use various laws (where possible) to bring users to where the default should be.

The development of GPC will be ongoing and will continue to put the interests of internet users first.

Why is this important?

We currently live in a constant state of surveillance, everything we do online is tracked, followed and analysed and only recently did our consent in these things start to matter. Considering how valuable and precious personal data is, it’s important that the decision power of what happens with the data is given to the owner of the data.

This feature is also different from current extensions and tools that claim to stop tracking, some of which still sell your data on without consent. GPC allows a universal control, which won’t run any scripts in your browser or on your device and which complies with laws and regulations.

What’s next?

Publishing organisations such as The New York Times, The Washington Post, The Financial Times as well as civil society groups such as the Electronic Frontier Foundation have been working on this, as well as a host of tech companies including Brave browser and DuckDuckGo. However the technical work will likely happen at the W3C Privacy Community Group where it can be worked on in the public eye. Since privacy is priority at Samsung Internet, we’ll be actively participating in the development of this feature and help to bring it to life, although we don’t yet know when it will ship in our browser at this point.

The GPC itself is still in the infant stages and more work needs to be done to figure out how it will work with legal frameworks outside of CCPA.

I’m really looking forward to getting involved with this work in 2021 and will be writing and creating more content around what we’re doing.

Further Reading