First proposed in 2009, “Do Not Track” was a well-intentioned effort to create an HTTP header protocol that would automatically notify websites that the visitor was opting out of personal data sharing. Spotty uptake has made it a tool of very limited use; a new proposed update to it called “Global Privacy Control” looks to refresh the concept by focusing on data that is shared specifically for sale to third parties and by getting it into emerging state and national privacy legislation.
Making “Do Not Track” work
“Do Not Track” was not an abject failure in the sense that nearly every major browser supports it; the problem was always that the protocol always required voluntary uptake by websites, many of whom predictably opted not to incorporate it.
Global Privacy Control is headed up by Ashkan Soltani (former privacy researcher for the FTC) and backed by a coalition of some of the world’s biggest names in newspaper and magazine publishing (New York Times, Washington Post) along with web browser developers such as Mozilla and Brave. Privacy organizations such as the EFF are also involved in the effort. The group hopes to win over both advertising industry players and legislators with a more narrow focus on preferences about collection and sale of personal data when visiting a site; tracking for the purposes of delivering targeted ads as users browse other sites does not look to be as substantially impacted by this plan.
The Global Privacy Control signal would be appended to HTTP headers as the prior “Do Not Track” signal was, communicated to websites automatically by browsers that support it. A similar signal could be arranged for mobile phone operating systems to automatically communicate with app publishers based on the user’s privacy settings, though this would require voluntary uptake by Apple and Google.
Why Global Privacy Control might work
The fortunes of Global Privacy Control are not improved by better technology or a more powerful lobbying coalition so much as they are the uptake of data privacy laws in recent years. “Do Not Track” failed primarily because companies were asked to voluntarily adopt it; most had no reason to and thus ignored it. Global Privacy Control fits in better with new data collection requirements established by privacy legislation, particularly the terms of the California Consumer Privacy Act (CCPA).
Legal enforcement is likely the only way the personalized ads industry will agree to any kind of “do not track” standard, as it is antithetical to the business model. Newspapers and magazines appear to be more amenable to the Global Privacy Control due to operating on a more traditional advertising model that focuses on generalized demographic information rather than tracking personal information. Legacy media publishers generally would prefer this model, but it has become unsustainable in the age of third-party ad tracking.
From the user end, Global Privacy Control might also be the only way to get consumers to protect themselves. While the CCPA provides Californian residents with the right to opt out of the sale of their data, it requires them to do so manually with each website or service they patronize. Recent studies have found that very few consumers actually exercise their right to opt out, quite possibly because it is perceived as too complicated and time-consuming. A functional form of “do not track” system handling this automatically (in accordance with user settings) would be expected to greatly increase the amount of opt-outs.
Global Privacy Control is already in place in some participating browsers; Mozilla, Brave, and DuckDuckGo. It can also be added to Chrome via the DuckDuckGo browser extension and to that and other major browsers with the EFF’s Privacy Badger extension. The lists of sites that support it is limited to several major magazines and newspapers at present, however. The biggest social media / website network supporting it is Automattic, owners of Tumblr and Wordpress.com.
With the CCPA in place and increasing pressure for strong national-level data privacy laws both in the US and throughout the rest of the world, Global Privacy Control looks like it has a fighting chance to succeed where “Do Not Track” failed. Success hinges to some degree on future legislation specifically embracing it, and potentially revision to existing legislation to specify that it be used. But it is already compatible with the existing terms of the CCPA, and looks to dovetail with the European Union’s General Data Protection Regulation (GDPR) as well. And the fact that it is presently active and enabled by at least a handful of big-name websites helps to get it into the political conversation about forming and passing a national data privacy bill in the US, a matter that has recently been subject to renewed pressure as parity with the GDPR becomes a matter of sustaining international trade.