Connecting the dots on: global privacy controls

You might have heard of an initiative to create a technical specification for universal opt-out signals, called Global Privacy Control.

But the term ‘global privacy controls” (lowercase) is also sometimes used to refer to universal opt-out mechanisms, or any browser or device-level control that allows users to communicate their privacy preferences.

Such efforts, including the well known Do Not Track header signals, date back to the early 2000s but have historically lost momentum due to lack of industry buy-in or regulatory backing. 

As the digital advertising industry reckons with calls to improve transparency and streamline user experience, a future in which the existing consent frameworks like the IAB TCF are being reconsidered for different models, like legally binding global privacy controls, may not be very far. 

Download our timeline to connect the dots on how global privacy controls have risen and fallen over the years.

TIMELINE

A BRIEF HISTORY OF GLOBAL PRIVACY CONTROLS

Registries and cookie based opt-out as the status quo

2003: The FTC’s Do Not Call Registry goes into effect.

2007: Several groups (World Privacy Forum, CDT, EFF, among others) ask FTC to create a Do Not Track list for online advertising. The registry would have required online advertisers to submit their information, allowing browsers to block them from tracking. (CDT)

March 2009: Google releases a browser add-on that would allow users to make their “opt-out cookie” persistent, but only on Google ad networks. Users have long been able to obtain opt-out cookies from NAI or for specific ad networks, but these were prone to deletion. (NAI)

‘Do Not Track’ headers gain momentum

July 2009: As an alternative to opt-out cookies, which can’t be interpreted between different domains, privacy and security researchers Christopher Soghoian and Sid Stamm create a prototype Firefox plug-in that adds a Do Not Track signal as a HTTP header field. (Fast Company)

Jan 2011: Mozilla Firefox implements support for DNT header plug in, followed by Microsoft Internet Explorer in March, Apple Safari shortly after in April, and finally Google Chrome in Nov 2012. (WSJ)

2011: W3C Tracking Protection Working Group works to provide technical specifications for implementing & respecting the DNT header (NPR)

2019: W3C working group closes due to lack of planned support among ecosystem participants. (W3C)

March 2019: Apple removes support for the DNT header because it was found to be useful (ironically) as a fingerprinting variable. (Apple)

Global Privacy Control gets backing in state law

Aug 2020: CCPA final regulations approved, including a requirement for businesses to respond to requests made via global opt-out mechanisms. (CA OAG)

Oct 2020: Global Privacy Control launches a technical specification for transmitting universal opt-out requests. Users can send signals by using participating browsers like DuckDuckGo and Brave or downloading extensions. (Global Privacy Control)

Nov 2020: California voters approve the California Privacy Rights Act, set to go into effect in 2023. The CPRA suggests that support for global opt-out requests will only be necessary if the business chooses to forego providing the standard Do Not Sell/Share links for visitors to exercise their data subject rights. (IAPP)

July 2021: California Attorney General’s office updates FAQ to clarify that responding to universal opt-outs is mandatory under CCPA. (California OAG)

July 2021: Colorado passes Colorado Privacy Act, requiring recognition of opt-outs through “user-selected universal opt-out mechanisms” starting in 2024. (Sourcepoint)

Sept 2021: UK’s data protection authority, the ICO, calls for reform to address cookie consent fatigue, urging regulators to shift attention towards browser based consent. (TechCrunch)

Nov 2021: A Work Group created pursuant to the Virginia Consumer Data Protection Act (VCDPA) publishes a report emphasizing need for browser level, global opt-out mechanism (VCDPA Work Group)

INDUSTRY STAKEHOLDERS REACT

Jan 2022: Comments on CPRA rulemaking submitted to the California Privacy Protection Agency are published, including debate around the mandatory nature of GPC, with one side supporting clearer language and the other for completely repealing the regulation. (AdExchanger)

Want to learn about how Sourcepoint can prepare you for the future of global privacy controls? Get in touch.