Showing content from https://github.com/privacycg/proposals/issues/10 below:

Standardizing Global Privacy Control (GPC) · Issue #10 · privacycg/proposals · GitHub

Background

On January 1, 2020 the California Consumer Privacy Act (CCPA) went into effect and established new privacy rights for California consumers. Specifically, it covers the rights to:

  1. Opt out from the sale of personal information (Do-Not-Sell),
  2. Access personal information, and
  3. Delete personal information.

A "sale" is understood broadly and likely covers, for example, a website making available or disclosing identifiers or location data to an ad network for purposes of monetization. The most recent regulations to the CCPA published by the California Attorney General specify that automatic signals communicating a user's decision to opt out must be respected. Here is the relevant language:

If a business collects personal information from consumers online, the business shall treat user-enabled global privacy controls, such as a browser plugin or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information as a valid request ... .

The CCPA appears to be a catalyst for implementing new privacy functionality in browsers and other clients. Other states beyond California are introducing similar privacy bills in their legislatures. Microsoft announced that it would honor the new CCPA privacy rights not only for California but for all other states as well. Similarly, Mozilla announced the option to delete telemetry data for its users anywhere.

In addition to the CCPA, the General Data Protection Regulation (GDPR) also mentions the option for clients to make privacy practices explicit via machine-readable icons:

The information to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner a meaningful overview of the intended processing. Where the icons are presented electronically they shall be machine-readable.

Various efforts are underway to implement the new privacy rights. The Interactive Advertising Bureau has released the IAB CCPA Compliance Framework for Publishers & Technology Companies and the Digital Advertising Alliance CCPA tools. Efforts by W3C Working Groups include the Confinement with Origin Web Labels. There are also various approaches led by companies in this space, for example, the Data Transfer Project.

Some Initial Thoughts

At this point, it seems worthwhile to have a discussion of these developments with the goal of converging to a standard. In particular, a Do-Not-Sell signal could be implemented similar to the Do-Not-Track (DNT) signal via an HTTP header.

Previously, the Tracking Protection Working Group developed the Tracking Preference Expression (DNT). There are certainly lots of learnings that can be taken from that effort for the question here. Though, a big difference is that recipients of a DNT signal are not required to comply with it. Per the California Online Privacy Protection Act (CalOPPA) they only need to say whether they comply.

There are multiple dimensions to the implementation of privacy rights:

  1. Which functionalities should be implemented? For example, a narrow implementation could just focus on a Do-Not-Sell signal, a simple binary signal. At the other end of the spectrum could be a full privacy communication channel that allows users not only to opt out from selling data, but also signal access requests and receive related data through the browser, for example.
  2. Which types of clients or platforms should be covered? Especially, on mobile devices much of the user interaction happens through non-browser apps. Should operating system vendors get involved here to add or change existing APIs to accommodate for privacy signals and communication?
  3. Which technologies should be used? The DNT effort relied on HTTP headers. Other choice mechanisms are reliant on HTTP cookies, many on third-party cookies and some on first-party cookies. With relevance for this context, Google recently announced a plan to phase out support for third-party cookies in Chrome. Should Do-Not-Sell and similar functionalities even be part of the browser and other clients or should there be a web platform (e.g., a Do-Not-Sell registry similar to the Do-Not-Call registry)?

Internet users, publishers, privacy organizations, and ad networks are some of the stakeholders in this question. Ultimately, there needs to be a consensus because the proposed task here is not only one of technology but also one of policy. The implementation of privacy rights such that they can be meaningfully exercised and the evolvement of the web ecosystem for all participants go hand-in-hand.

One concrete idea to move forward is the implementation of prototypes and testing them in usability studies. We already started this effort here at Wesleyan.

This issue is continuing a discussion of members of the Privacy Community Group on the mailing list.

Edit July 30, 2021: Below is a list of blog posts, public comments, and other responses on Global Privacy Control. I am updating the list on a regular basis. It is not comprehensive, but I am trying to cover all major developments.

