Welcome

Global Privacy Control Popularity Grows as Legal Status Up in Air

Dec. 21, 2021, 10:00 AM

Global Privacy Control, a way for consumers to signal privacy preferences to a host of websites without manually reaching out to each one, is gaining traction.

A handful of internet browsers offer the tool, and California’s attorney general indicated the tool could be used to comply with the state’s privacy law. But its ability to satisfy privacy statutes on the books in Virginia and Europe is less certain.

Mozilla Corp.'s Firefox, one of the country’s most popular browsers, released Global Privacy Control in December for people to turn on if they wish after rolling it out experimentally earlier this year. Brave and DuckDuckGo, two leading privacy-oriented internet browsers, also offer the technology.

“It’s a signal that expresses a user’s preference for privacy,” said Peter Dolanjski, a product director at DuckDuckGo, which helped develop the tool. “The goal is for that preference to have legal teeth behind it—like it does in California—and carry protection in jurisdictions where websites might otherwise sell or share your data.”

Legal Gaps by State

California Attorney General Rob Bonta has made it clear that businesses subject to the California Consumer Privacy Act must accept such browser signals when applicable.

“Opting out of the sale of personal information should be easy for consumers, and the GPC is one option for consumers who want to submit requests to opt out of the sale of personal information via a user-enabled global privacy control,” according to the FAQ section of the attorney general’s CCPA webpage. “Under law, it must be honored by covered businesses as a valid consumer request to stop the sale of personal information.”

The California Attorney General’s Office has already sent letters to companies asking how they’re honoring Global Privacy Control signals, said Darren Abernethy, shareholder at Greenberg Traurig LLP in San Francisco.

But because California is the only U.S. state with a comprehensive consumer privacy law currently in effect, companies operating in other jurisdictions—and serving consumers of other states—currently aren’t required to extend CCPA-specific privacy rights to non-California residents, he said.

“If you’re dealing with a consumer in Ohio or you’re a business that’s not subject to CCPA, you have a very strong case for saying you wouldn’t legally have to honor the GPC signal,” Abernethy said.

Virginia’s new consumer privacy law, which takes effect Jan. 1, 2023, doesn’t currently mention Global Privacy Control or any similar tools, Abernethy added. But a working group in that state issued a final report recommending development and implementation of a software or browser extension that would allow users to universally opt out.

The Colorado Privacy Act requires the Colorado attorney general to adopt technical specifications for one or more universal opt-out mechanisms. Most of the law’s provisions take effect July 1, 2023, but the universal opt-out mechanism requirement takes effect a year later.

That means companies that fall under the purview of the Colorado Privacy Act will likely have to honor Global Privacy Control signals for those residents once that provision takes effect, said Sarah Bruno, a partner at Reed Smith LLP in San Francisco.

Many businesses that fall under the purview of the CCPA are working with information technology specialists to understand universal opt-out of sale signals, said Jenna Rode, counsel at Hunton Andrews Kurth in New York.

“They’re working to understand the technical compliance requirements to be able to recognize and respond to Global Privacy Control signals that would trigger an opt-out of sale request under the CCPA,” she said.

‘Workable’ Privacy

An ideal privacy law would be opt-in, requiring users to consent to data collection and usage from the get-go, instead of opt-out, as is the model in most provisions the CCPA and other privacy statutes in the U.S., said Adam Schwartz, a senior staff attorney at the Electronic Frontier Foundation.

The “overwhelming majority” of people are not going to act to opt out, either because they’re not aware of their privacy rights or because it’s too burdensome and time-consuming to do so site by site, Schwartz said.

“If you do have an opt-out law, at the very least it needs tools that make it workable for users,” said Maureen Mahoney, senior policy analyst at Consumer Reports. “That’s where something like the Global Privacy Control comes in.”

Regardless of whether a tool like the Global Privacy Control ends up being mandated by additional state privacy laws, it won’t be the end-all, be-all, Bruno said.

“It shouldn’t take away from other compliance measures with regards to understanding data flows and the nature of the data they’re collecting,” she said. “The GPC may be a helpful solution, but it’s not going to get you all the way to compliance with other legal provisions.”

Harmonizing Privacy Rights

The legal status of Global Privacy Control in Europe is much murkier, said Tom Gates, an associate at Reed Smith in London.

In the U.K., the Information Commissioner’s Office last month published an opinion that the Global Privacy Control is intended to convey a “general request” concerning the sale of personal data, and not “meant to withdraw a user’s consent to local storage as per the ePrivacy Directive.”

Because of that, the tool “does not at this time appear to offer a means by which user preferences can be expressed in a way that fully aligns” with data protection requirements in the U.K., according to the opinion. Those requirements include the U.K. General Data Protection Regulation, or U.K. GDPR; the Data Protection Act 2018; and the Privacy and Electronic Communications Regulations 2003, according to an ICO spokeswoman.

“The ICO haven’t closed the door on it,” Gates said. “The way it’s been developed so far and applied to date indicates it’s not fully aligned, but that could change in the future.”

In the U.S., legislative proposals for consumer privacy laws mention universal opt-outs, likely signaling future success for the Global Privacy Control, said Peter Snyder, director of privacy and senior privacy researcher at Brave, which also helped spearhead the Global Privacy Control.

As more privacy laws come to fruition, the Global Privacy Control will remain an important mechanism for users to assert their rights, he added.

Additional regulations in more jurisdictions are needed to “harmonize” privacy rights for consumers—regardless of which side of a state border they live on, said Mika Shah, co-acting general counsel of Mozilla.

“The technology exists—people can send that signal to all these businesses—but the legal piece is missing to require businesses to honor that signal,” she said. “We’d love to see fast movement in law to fix that gap.”

To contact the reporter on this story: Jake Holland in Washington at jholland@bloombergindustry.com

To contact the editors responsible for this story: Kibkabe Araya at karaya@bloombergindustry.com; Renee Schoof at rschoof@bloombergindustry.com

To read more articles log in.

Learn more about a Bloomberg Law subscription.