A new browser specification called Global Privacy Control (GPC) allows users to communicate to websites that they do not wish to have their browsing data sold. Similar to its failed predecessor Do Not Track, this is done through an HTTP header. Could GPC succeed where Do Not Track faltered?
Do Not Track’s failure
Do Not Track was developed by a consortium of companies, beginning as a Firefox plug-in. After federal regulation of the online ad industry in 2011 never materialized, Do Not Track was an exercise in self-regulation. Ultimately, the growing online ad economy and absence of regulatory action led to the collapse of Do Not Track because of lack of support from the online ad ecosystem.
If GCP can succeed where Do Not Track failed, it will be because of the regulatory environment that has developed in the intervening years, namely, the California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR). The CCPA specifically requires businesses to treat “user-enabled global privacy controls, such as a browser plug-in or privacy setting”—which is exactly what GCP is—as valid requests under California law. The attorney general of California recently tweeted his support of GCP, a positive sign for GCP’s future in California.
Why browser settings matter
So-called “cookie consent” refers to a user’s browser settings around “cookies.”—determines the use of stored browser data (e.g., ad tracking, sale, etc.) and gives the website permission or not (by tapping on a popup or banner) to track the user via cookies. Laws such as the CCPA and GDPR have moved towards requiring affirmative consent rather than the passive consent of browser settings; however, for the users outside of those jurisdictions, browser settings will likely continue to be important.