In a Nutshell: Consumers who visit websites throughout the day are generally aware that their information may be tracked, shared, and sold. Statutes such as the California Consumer Privacy Act serve to protect consumers’ online privacy. Global Privacy Control (GPC) provides consumers access to universal data opt-out signals. When GPC is enabled, a user’s browser broadcasts the user’s privacy preferences to every website they visit.
The internet enables college students to access entire collections of libraries around the world from the comfort of their dorm rooms. Online shoppers can peruse the wares of millions of companies on their phones without ever getting out of bed. Sports fans can go online to surreptitiously livestream their favorite team’s big game from a church pew.
Despite all the conveniences the internet provides, experienced web users know that some online elements can also cause harm. Online scams, viruses, and identity theft are just a few problems that can ruin an online enthusiast’s day.
Following internet safety tips can help consumers avoid online troubles. But even those who visit only reputable websites may have their data captured and subsequently sold or shared with undisclosed parties.
No single law regulates user online privacy, but several states have adopted laws to protect consumers. The California Consumer Privacy Act (CCPA) was passed in 2018 and became effective in 2020. The CCPA gives consumers the legal right to opt out of certain online data processing. Since the CCPA passed, multiple other states have passed privacy laws allowing universal opt-out signals.
Global Privacy Control (GPC) allows consumers to access universal data opt-out signals.
Justin Brookman is the Director of Privacy and Technology Policy for Consumer Reports, one of the founding organizations of GPC. Brookman said that many consumers may not understand what can happen with their online information.
“Part of the problem is that users really have no idea what companies are doing with their data,” Brookman explained. “And companies are under no legal obligation to tell you. Once you share your information with a certain company, all bets are off.”
Brookman said a lot of online data gets sold or shared with big tech companies. Sold or shared data can include sensitive information such as healthcare guidance an individual has accessed online or an individual’s exact geographic location.
“Your online activities can be used for banal things like sending you marketing messages, but they can also be used to make significant decisions about you,” Brookman said. “There are a lot of companies out there who offer assessments of you — how good a hire you may be, how your financial situation looks — and what you do online could be used to deny you opportunities. To the extent we’re relying more and more on AI, we may not even know what’s being decided about us or why.”
Founded by Companies Concerned with Data Tracking
The GPC’s founding organizations comprise different companies and entities that are concerned with online data tracking and have worked on data privacy reform in various capacities.
“There are also a lot of publishers, like The New York Times and The Washington Post, and other companies who are frustrated with the amount of power big tech companies have,” Brookman said. “Also, browser companies such as DuckDuckGo and Mozilla are founders and have been pushing alternative privacy options.”
Brookman said more states are pursuing data privacy laws, and companies are honoring those laws more often. Some popular web browsers don’t incorporate GPC’s solution directly into browsers, but extensions are available to help consumers maintain online privacy in their preferred browsers.
Brookman said GPC is simple to use. Users enable GPC to communicate their data privacy preferences. A user’s browser will then signal the user’s preferences to each site the user visits.
“When GPC is enabled, your browser broadcasts a message to every website you visit,” Brookman detailed. “That message contains information notifying websites of your preferences regarding sharing your data. GPC is a good way to attach and transmit that message, in a standardized way, for every site to be able to notice that you’re exercising your rights in regard to data privacy.”
Brookman said users who communicate their preference for not tracking or selling their personal data to websites shouldn’t be concerned that their browsing experience will be limited.
“Users should have a seamless browsing experience, albeit one with fewer ads,” Brookman said.
U.S. Laws Regarding Data Tracking are Opt-Out Based
In Europe, the General Data Protection Regulation (GDPR) has provisions that prohibit forms of data tracking. Brookman said companies should not be permitted to capture user data and track users online, but in the U.S., the laws regarding data tracking require individuals to opt out.
The GDPR became effective in 2018. Since that time, the regulation has served as a model for other countries to base their own data privacy laws on.
“We’re building tools to reflect the legal reality we’re facing,” Brookman said. “We recognize that it’s impossible to exercise opt-out rights one by one. You need to have some sort of global solution. The data privacy laws in the U.S. are not as strong as we’d like them to be, and they’re probably more forgiving of bad behaviors than they should be. On the other hand, we’ve made a lot of progress with data privacy laws over the past five years.”
Brookman said some browsers specialize in offering users a private browsing experience. Though he said he wishes all online activities were private by default, having the right to private browsing is a step in the right direction.
Brookman said there can be consequences for companies that don’t comply with users’ indicated privacy preferences.
“We are seeing some regulators crack down on companies that mistreat users who are trying to protect their online privacy,” Brookman said. “If you’ve indicated that you don’t want your data tracked or sold, then you shouldn’t have an experience where every site you visit is asking you if they can bypass your preferences. We’re conscious of that, and most laws have provisions that try to address that.”
Education and Advocacy Protect Consumers
Consumer Reports offers educational resources to its customers about technology, data protection, and privacy. The company provides its 6 million members with information about how to protect themselves online and how to use tools that promote online privacy.
Brookman said he is directly involved in work on the government-advocacy side.
“When states are considering data privacy laws, I’ll inform them that opting out by itself doesn’t work,” Brookman said. “There needs to be some sort of universal control; otherwise, this isn’t going to be meaningful. A lot of states have listened to that and passed laws allowing for universal opt outs and global privacy control.”
Brookman said he thinks there are going to be many more data privacy laws established in the near future. He said he also expects to see more comprehensive enforcement of privacy laws relatively soon. That includes pushing back against companies that are not following laws or choosing to follow unfairly narrow interpretations of the law. Companies that violate privacy laws can face penalties, including fines.
“In the past, companies who were caught not following privacy laws could just say that they were going to begin following the laws,” Brookman explained. “And they wouldn’t necessarily get in any trouble for their infractions. If you get caught speeding, you can’t just say you’re going to drive the speed limit now and be on your way. From my point of view, that’s not a great approach. Now there are consequences, and attorney generals have the ability to impose fairly significant fines.”