privacycg / proposals

New proposals in the Privacy Community Group
https://privacycg.github.io

Standardizing Global Privacy Control (GPC) #10

Closed SebastianZimmeck closed 1 year ago

SebastianZimmeck commented 4 years ago

Background

On January 1, 2020 the California Consumer Privacy Act (CCPA) went into effect and established new privacy rights for California consumers. Specifically, it covers the rights to:

  1. Opt out from the sale of personal information (Do-Not-Sell),
  2. Access personal information, and
  3. Delete personal information.

A "sale" is understood broadly and likely covers, for example, a website making available or disclosing identifiers or location data to an ad network for purposes of monetization. The most recent regulations to the CCPA published by the California Attorney General specify that automatic signals communicating a user's decision to opt out must be respected. Here is the relevant language:

If a business collects personal information from consumers online, the business shall treat user-enabled global privacy controls, such as a browser plugin or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information as a valid request ... .

The CCPA appears to be a catalyst for implementing new privacy functionality in browsers and other clients. Other states beyond California are introducing similar privacy bills in their legislatures. Microsoft announced to honor the new CCPA privacy rights not only for California but for all other states as well. Similarly, Mozilla announced the option to delete telemetry data for its users anywhere.

In addition to the CCPA, the General Data Protection Regulation (GDPR) also mentions the option for clients to make privacy practices explicit via machine-readable icons:

The information to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner a meaningful overview of the intended processing. Where the icons are presented electronically they shall be machine-readable.

Various efforts are underway to implement the new privacy rights. The Interactive Advertising Bureau has released the IAB CCPA Compliance Framework for Publishers & Technology Companies and the Digital Advertising Alliance CCPA tools. Efforts by W3C Working Groups include the Confinement with Origin Web Labels. There are also various approaches led by companies in this space, for example, the Data Transfer Project.

Some Initial Thoughts

At this point, it seems worthwhile to have a discussion of these developments with the goal of converging to a standard. In particular, a Do-Not-Sell signal could be implemented similar to the Do-Not-Track (DNT) signal via an HTTP header.

Previously, the Tracking Protection Working Group developed the Tracking Preference Expression (DNT). There are certainly lots of learnings that can be taken from that effort for the question here. Though, a big difference is that recipients of a DNT signal are not required to comply with it. Per the California Online Privacy Protection Act (CalOPPA) they only need to say whether they comply.

There are multiple dimensions to the implementation of privacy rights:

  1. Which functionalities should be implemented? For example, a narrow implementation could just focus on a Do-Not-Sell signal, a simple binary signal. At the other end of the spectrum could be a full privacy communication channel that allows users not only to opt out from selling data, but also to signal access requests and receive related data through the browser, for example.
  2. Which types of clients or platforms should be covered? Especially on mobile devices, much of the user interaction happens through non-browser apps. Should operating system vendors get involved here to add or change existing APIs to accommodate privacy signals and communication?
  3. Which technologies should be used? The DNT effort relied on HTTP headers. Other choice mechanisms are reliant on HTTP cookies, many on third-party cookies and some on first-party cookies. With relevance for this context, Google recently announced a plan to phase out support for third-party cookies in Chrome. Should Do-Not-Sell and similar functionalities even be part of the browser and other clients, or should there be a web platform (e.g., a Do-Not-Sell registry similar to the Do-Not-Call registry)?

Internet users, publishers, privacy organizations, and ad networks are some of the stakeholders in this question. Ultimately, there needs to be a consensus because the proposed task here is not only one of technology but also one of policy. The implementation of privacy rights such that they can be meaningfully exercised and the evolvement of the web ecosystem for all participants go hand-in-hand.

One concrete idea to move forward is the implementation of prototypes and testing them in usability studies. We already started this effort here at Wesleyan.

This issue is continuing a discussion of members of the Privacy Community Group on the mailing list.

Edit July 30, 2021: Below is a list of blog posts, public comments, and other responses on Global Privacy Control. I am updating the list on a regular basis. It is not comprehensive, but I am trying to cover all major developments.

jwrosewell commented 3 years ago

@rvaneijk great question. I would be surprised if there were any interest in a web browser vendor implementing, or their representatives even being involved in discussing implementing, specific jurisdiction's laws when there is no legal requirement for them to do so. To do so would go against their well known and stated public position on such matters. In my experience such a change in position would require approval from the very top.

It is for this reason I believe this matter should go to the AC for consideration by the membership which might then enable web browser representatives to engage in such a discussion after a W3C policy on such matters has been agreed to.

michael-oneill commented 3 years ago

Rob, I believe at least Brave, Firefox, PrivacyBadger on the client side, and we were told New York Times & Washington Post comply.

AramZS commented 3 years ago

I confirm above on the behalf of The Washington Post, we do intend to implement support for the signal in CA.

jwrosewell commented 3 years ago

How do you know if someone is in California?

darobin commented 3 years ago

I can also confirm for The Times that we do intend to support this signal in CA, as well as in GDPR jurisdictions and regimes that are similar enough to the GDPR to have comparable rights (Brazil, Bermuda, UAE…).

ebrawer commented 3 years ago

Utreon is supporting GPC. Support is indicated at https://utreon.com/.well-known/gpc.json

An implementation detail question: suppose a user logs in via multiple browsers over a period of time. Some signal GPC true, and some false. Should a service or website consider the last received signal to be the current one?
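The following is an added example, not code from the issue thread, from Utreon, or from the GPC project. It sketches how a site could consume a Do-Not-Sell style HTTP header of the kind the opening post proposes (the header name `Sec-GPC` with value `1` is the one used by the published GPC signal) and serve the `/.well-known/gpc.json` support declaration mentioned above. The "most recent signal wins per account, absent header leaves the stored state alone" rule is an assumption made here to illustrate ebrawer's multi-browser question, not a rule taken from the thread; the `x-demo-account` header, the `lastUpdate` date and the port are constructed values.

```javascript
// Added example (not from the issue thread or the GPC project).
// Interpret the opt-out request header. Returns true (opt out), false
// (explicit "0"), or null when no header was sent, so the caller can decide
// whether to keep earlier state. Node lowercases incoming header names.
function parseGpc(headers) {
  const raw = headers["sec-gpc"];
  if (raw === undefined) return null;
  return String(raw).trim() === "1";
}

// Per-account record of the latest signal seen. Assumption for this example:
// a user who logs in from several browsers over time is treated as opted out
// if the most recent request that carried a header said "1"; a request
// without the header leaves the stored state untouched rather than silently
// opting the user back in.
class OptOutRegistry {
  constructor() { this.state = new Map(); }
  record(accountId, signal, now = Date.now()) {
    if (signal !== null) this.state.set(accountId, { optOut: signal, at: now });
    return this.isOptedOut(accountId);
  }
  isOptedOut(accountId) {
    const entry = this.state.get(accountId);
    return entry ? entry.optOut : false; // assumption: no record = no opt-out yet
  }
}

// Declaration that the site honours the signal; "lastUpdate" is a constructed value.
const WELL_KNOWN_GPC = JSON.stringify({ gpc: true, lastUpdate: "2021-01-01" });

// Pure request handler so the logic can be exercised without sockets.
// Returns the response the server would send.
function handleRequest(method, path, headers, registry, accountId) {
  if (method === "GET" && path === "/.well-known/gpc.json") {
    return { status: 200, contentType: "application/json", body: WELL_KNOWN_GPC };
  }
  const optOut = registry.record(accountId, parseGpc(headers));
  // Downstream code branches on optOut: when true, the disclosure to an ad
  // network that would count as a "sale" must not happen for this account.
  const body = JSON.stringify({ account: accountId, optOut, shareWithAdNetwork: !optOut });
  return { status: 200, contentType: "application/json", body };
}

// Optional: serve the handler on localhost. The account id is read from a
// constructed "x-demo-account" header in place of a real session lookup.
function startServer(port = 8080) {
  const http = require("node:http");
  const registry = new OptOutRegistry();
  return http.createServer((req, res) => {
    const account = req.headers["x-demo-account"] || "anonymous";
    const out = handleRequest(req.method, req.url, req.headers, registry, account);
    res.writeHead(out.status, { "Content-Type": out.contentType });
    res.end(out.body);
  }).listen(port);
}
```

Call `startServer()` from a script to try it with `curl -H 'Sec-GPC: 1' -H 'x-demo-account: u1' http://localhost:8080/`, then repeat without the header to see the stored opt-out persist. Treating an absent header as "no change" rather than "opted back in" is the conservative choice for the scenario in the question above; a site that instead wants the last request to fully define the state would store `false` on absence.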

eligrey commented 3 years ago

I think 'Do Not Sell' consent signals should be gated by genuine user initiation (e.g. consent can only be set in the handler for a trusted user-triggered UIEvent).
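As an added example that is not part of the thread, here is one way to implement the gating eligrey describes: a browser sets `event.isTrusted` to `true` only on events it generated itself in response to the user, while script-dispatched events (`dispatchEvent`, `new MouseEvent(...)`) carry `isTrusted === false`. The element id `do-not-sell`, the storage key and the `makeEvent` helper (standing in for real DOM events) are assumptions of this example.

```javascript
// Added example (not from the issue thread). Accept a Do-Not-Sell change
// only from an event the browser generated for a real user interaction.
const ALLOWED_EVENT_TYPES = new Set(["click", "keydown", "change"]);

// True only for browser-generated events of an interaction type that were
// delivered to the dedicated control (id is an assumption of this example).
function isGenuineUserAction(event, expectedTargetId) {
  if (!event || event.isTrusted !== true) return false;
  if (!ALLOWED_EVENT_TYPES.has(event.type)) return false;
  const target = event.target;
  return !!target && target.id === expectedTargetId;
}

// Handler for the opt-out control. Returns the newly stored value, or null
// when the change was rejected, so callers can tell the two apart.
function onDoNotSellToggle(event, store, controlId = "do-not-sell") {
  if (!isGenuineUserAction(event, controlId)) {
    return null; // rejected: not a trusted, user-initiated event on the control
  }
  const value = event.target.checked === true;
  store.set("doNotSell", value);
  return value;
}

// Wire the handler to the page when running in a browser; returns false
// elsewhere (e.g. under Node, where there is no document).
function install(store, controlId = "do-not-sell") {
  if (typeof document === "undefined") return false;
  const el = document.getElementById(controlId);
  if (!el) return false;
  el.addEventListener("change", (ev) => onDoNotSellToggle(ev, store, controlId));
  return true;
}

// Constructed stand-in for the event objects a browser would deliver; in a
// real page isTrusted is read-only and set by the browser, never by script.
function makeEvent(type, isTrusted, targetId, checked) {
  return { type, isTrusted, target: { id: targetId, checked } };
}
```

The `isTrusted` check stops synthetic events from reaching the handler, but it only helps if the preference write is reachable solely through that handler; page script that can call `store.set` directly is not constrained by it, which is why such gating is most meaningful inside a browser's or extension's own privileged UI rather than in content scripts.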

asoltani commented 3 years ago

We've scheduled an ad-hoc meeting on Thursday Dec 10th to discuss this further (right after the regular PrivacyCG teleconference). More details can be found here.

For reference, a draft proposal is available on github and we've put together a website, press release and FAQ for those that want more background.

We look forward to hearing everyone's feedback and questions.

jwrosewell commented 3 years ago

A fascinating discussion at the meeting yesterday. My takeaway is that there are two ways forward concerning this proposal.

  1. Involve multiple external lawyers from different jurisdictions, with different briefs to fully understand the legal ramifications. The output from this activity will benefit the proposal and ensure it is robust prior to deployment.

  2. Turn the proposal into a technical standard and remove all references to laws and specific signal use cases. Focus on the single use case of minimising repetitious preference entry.

In general, I remain concerned about the W3C being complicit in the implementation of a standard to support a specific law without agreement from the membership on the rules associated with doing so.

hlauinfo commented 3 years ago

Can we revisit this as part of the agenda this week? The outgoing attorney general has already expressed support for GPC.

TanviHacks commented 3 years ago

> Can we revisit this as part of the agenda this week? The outgoing attorney general has already expressed support for GPC.

@SebastianZimmeck @asoltani - Do you want to lead a discussion in the Privacy CG call tomorrow on this?

asoltani commented 3 years ago

Sure. I'm happy to take a few minutes and say a few words about the press release we put out a few weeks ago: https://globalprivacycontrol.org/press-release/20210128

Basically that there are now ~40M people that are utilizing a browser or extension with GPC support, and a number of major publishers including the NYT, WashingtonPost, Meredith and smaller pubs like the Cafemedia network and Wordpress.com hosted sites all have committed to honoring the GPC as a valid opt-out under the CCPA. Leading CMPs OneTrust, Sourcepoint, and Wirewheel have also implemented support for the mechanism so clients that utilize them for consent management can simply enable support if they choose to.

Looking forward to it.


TanviHacks commented 3 years ago

Thanks! I've added this to the agenda.

LeVasseur-Me2B commented 3 years ago

I realize how closely related this standard is to the CCPA/CPRA regulation, and I have to raise once more (last time, promise) that a global standard should transcend one jurisdiction's specific regulation. This standard, in particular, should uphold the principle of Privacy by Default. A global privacy signal called "Do Not Sell" without a default setting of "enabled" does not do that. I continue to advocate for a default setting "Do Not Sell" as enabled to uphold the principle of Privacy by Default.

asoltani commented 3 years ago

@LeVasseur-Me2B indeed. Unfortunately it's hard to dictate through a standard what a particular legal regime should do.

That said, as I mentioned on the call, the California CCPA, in their Final Statement of Reasons - Appendix E #73 does specify, in response to questions about whether such a mechanism can be on by default, "The consumer exercises their choice by affirmatively choosing the privacy control […] including when utilizing privacy-by-design products or services")

asoltani commented 3 years ago

I'm happy to provide an update on GPC adoption and the various US state privacy proposals that include language for a 'Global Privacy Control' if it would be helpful (and there's room on the agenda). @TanviHacks

SebastianZimmeck commented 3 years ago

I added both labels agenda+ and agenda+F2F for an update depending on which meeting has time available.

jwrosewell commented 3 years ago

I've just checked the agenda here and don't see GPC included. Does anyone know the time the discussion is scheduled for?

chelseakomlo commented 3 years ago

> @rvaneijk great question. I would be surprised if there were any interest in a web browser vendor implementing, or their representatives even being involved in discussing implementing, specific jurisdiction's laws when there is no legal requirement for them to do so.

Note that major browsers are actually going above and beyond existing privacy laws, which is a great thing for user privacy. Allowing these privacy improvements to move forward is in users' best interest, which is what standards bodies exist for.

michael-oneill commented 3 years ago

I think that's a bit of a stretch. The law in Europe has required specific, informed and freely given prior consent for tracking since 2009 (ePrivacy), and as easy to withdraw consent as to give it since 2016 (GDPR). But I agree it's great that browsers are finally catching up (more some than others of course).

SebastianZimmeck commented 1 year ago

In light of the upcoming GPC discussion, here is the spec as it stands.

kasnder commented 1 year ago

Is there any information on how to implement something similar for mobile apps? This refers to @SebastianZimmeck's point on "Which types of clients or platforms should be covered?".

At the initiative of Luis Alberto Montezuma, we had a lengthy discussion on this topic recently on Twitter.

There was also some discussion as to whether an implementation on Android would even be possible, so I now created a small proof of concept for Android: https://github.com/kasnder/gpc_android

I'm sure there are many flaws with my piece of code, but an implementation on Android seems possible to me?

SebastianZimmeck commented 1 year ago

Nice work, @kasnder! I opened an issue in your repo to discuss a bit more over there.

martinthomson commented 1 year ago

We have moved this to the CG as a work item. Closing this.