Ashkan Soltani: "Enable users to control their privacy simply and effectively from a browser"
LINC interviewed Ashkan Soltani, an independent researcher and technologist, one of the original architects of "Do Not Track". He is now leading the effort to make the Global Privacy Control available, a new project which aims to allow Internet users to automatically communicate their privacy preferences from the browser.
In 2011, in response to encouragement from both the FTC and the European Commission, the W3C (World Wide Web Consortium, the organization responsible for the standardization of the web) created the DNT working group in order to develop a standard allowing every web user to easily opt out of website tracking through their browser settings. This group worked on a technical specification for browsers and websites that was divided into two documents: the Tracking Compliance and Scope, which defined obligations web publishers had to comply with in order to respect DNT, and the Tracking Preference Expression, which defined the protocol and messages that could be exchanged between servers and browsers. Due to the lack of adoption or support for these two specifications, the first fell out of use in 2016 and the second was declared obsolete by 2019.
One of the original architects of DNT, Ashkan Soltani, is now leading the effort to make the Global Privacy Control (or GPC) available to users and respected by publishers. The GPC is inspired by DNT’s history and tries to create a way for the user to express the "Do Not Sell My Personal Information" request as defined by the California Consumer Privacy Act (CCPA) and other laws. He took the time to answer a few questions to help us understand what precisely the GPC is and how it helps users exercise their rights.
What is the GPC?
The Global Privacy Control (GPC) is a proposed specification, developed by a consortium of privacy-focused companies and individuals, designed to allow Internet users to automatically communicate their privacy preferences to businesses they interact with. It consists of a setting in the user’s browser, browser extension, or mobile device, and a mechanism that websites can use to indicate they support the specification. The legal effect of a GPC signal depends on local law, but in California for example, the California Consumer Privacy Act (CCPA) requires that businesses honor consumers’ requests to opt out of the sale of their personal information, sent via a mechanism such as the GPC. Currently, the GPC is being used widely by some 40 million people and major publishers including The New York Times and Washington Post have announced they will be honoring it as a valid opt-out under the California law.
What are the main differences with DNT and how can it tackle its current lack of adoption?
Do Not Track (DNT) was a similar technical mechanism proposed in 2009 and adopted by several browser vendors and websites. Unfortunately, there was no legal requirement for businesses to honor it, so most businesses either ignored users’ preference expressed by this signal or stated that they simply would not honor it.
Unlike DNT, GPC has a legal basis for recognition, at least in the United States. Regulations promulgated under the CCPA require businesses collecting data online to treat “user-enabled global privacy controls, such as a browser plug-in or privacy setting” as valid opt-out requests (CCPA Regulations § 999.315(c)). Other jurisdictions may also have current law that provides a legal basis for respecting the GPC’s opt-out signals. For instance, the GDPR allows data subjects to use automated means to object to the processing of their personal data (GDPR Art. 21(5)). As the GPC becomes more widely adopted, other jurisdictions may choose to adopt laws that provide a legal obligation for companies to honor the opt-out signal.
Another difference between DNT and GPC is who receives the opt-out signal. While DNT sent a signal to advertisers and other third-party web trackers, GPC communicates directly with the website a person visits, telling that site specifically that the visitor does not want their information sold.
Why should such a signal be handled at the browser level and not on a per-site basis?
Individuals have a wide range of privacy rights that apply differently depending on the circumstance. However, even when these rights are present, individuals may not have the time, energy, or attention to exercise them. Or companies may simply make it difficult to exercise those rights and hope that individuals will think it isn’t worth the time. Studies on exercising privacy rights under the CCPA have shown that individually opting out of websites is extremely time-consuming, confusing, and burdensome. A similar situation can be observed with consent dialogs in Europe. Placing a privacy setting in the browser enables users to control their privacy simply and effectively from a single location, rather than navigating through complex menus and privacy policies on every site they visit. The centralized location of the GPC puts the user back in the driver’s seat, gives users control of their preferences, and gives them the flexibility they need to browse the Internet confident of their privacy and the security of their data.
Further, the GPC provides an ability to provide users notice of site-specific choices they make. In California, for instance, privacy regulations state that when a GPC signal conflicts with the existing privacy settings a consumer has with a business, the business shall respect the GPC signal but may notify the consumer of the conflict and give the consumer an opportunity to confirm the business-specific privacy setting or participation in a financial incentive program. This allows the consumer to make easy, informed decisions about their privacy while also benefiting from additional uses of their data.
What is, or hopefully will be, the legal effect of this signal in the US? And (in your opinion) in Europe?
Receiving a GPC signal may have legal effects, depending on factors such as the location of the individual sending the signal and the scope of the applicable law, as well as any separate agreement between the recipient of the signal and the individual.
In California, GPC is recognized as a legally enforceable opt-out of “sale” of personal information, defined in the CCPA as the exchange of personal information for something of value. Based on this definition, the GPC enables consumers to opt out of many data sharing practices, such as having a business share personal information with a third-party advertiser. Nevada has a similar Do Not Sell provision in its recent privacy law, SB220, and multiple other states in the United States currently have pending privacy legislation to recognize such a right as well.
In Europe, Article 21(5) of the GDPR permits the data subject to object to specific forms of processing of their data via automated means. GPC, as it is currently defined to signal a person’s desire to not have their data ‘sold or shared’, could be construed as a technical specification to exercise the right to object.
Ultimately, regulators tasked with interpreting and enforcing the law must provide guidance and potentially take action against companies that ignore individuals’ requests, but our goal is to provide a flexible and easy-to-use framework to permit subjects to exercise their rights.
Do you feel that in the future GPC could be extended to support other types of legal signals such as the consent for reading/writing cookies and other trackers as defined by the GDPR and ePrivacy?
The current rules for online privacy include the provision that the consumer’s consent to processing may be expressed by a browser (Recital 66 of the 2009/136EC Directive amending Directive 2002/22/EC “ePrivacy”). Furthermore, and similar to California, the enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities. The proposal of the European Commission for future rules for online privacy and the amendments by the European Parliament also indicate a provision that allows people to express and withdraw consent through a technical protocol. Although the details of the legislative proposals differ between the positions of the EU Commission, the EU Parliament, and the Council of the European Union, we should not rule out that the future rules for online privacy embrace the concept that consent expressed by end-users through a browser shall be legally binding on the websites they visit.
One way to understand GPC under the ePrivacy Directive and the GDPR is that it conveys the data subject’s request that the only data controller should be the first party. This can be implemented through specific mechanisms present in the regulation: where the legal basis is consent, the signal could be interpreted to convey a withdrawal of consent (GDPR Art. 7(3)) to processing by any controller other than the first party, and where the legal basis is legitimate interest, GPC could be interpreted to convey an objection (GDPR Art. 21) to that category of processing.
Finally, GPC is an extensible protocol and has the ability to be expanded to support the invocation (or revocation) of additional rights that don’t map clearly to the concept of ‘Do Not Sell’. For example, the specification could add additional signals that could be tailored to specify additional rights, although there are trade-offs here in terms of simplicity and privacy.
Published on 12 March 2021
Ashkan Soltani is an independent researcher and technologist specializing in privacy, security, and technology policy. He’s previously served as a Senior Advisor to the U.S. Chief Technology Officer in the White House Office of Science and Technology Policy and as the Chief Technologist for the Federal Trade Commission. Ashkan was a co-creator of 'Do Not Track' and was one of the architects of the California Consumer Privacy Act and subsequent California Privacy Rights Act.
You can get in touch at info [a] globalprivacycontrol.org