A group of tech companies, publishers, and activist groups including the Electronic Frontier Foundation, Mozilla, and DuckDuckGo are backing a new standard to let internet users set their privacy settings for the entire web.
“Before today, if you want to exercise your privacy rights, you have to go from website to website and change all your settings,” says Gabriel Weinberg, CEO of DuckDuckGo, the privacy-focused search engine.
That new standard, called Global Privacy Control, lets users set a single setting in their browsers or through browser extensions telling each website that they visit not to sell or share their data. It’s already backed by some publishers including The New York Times, The Washington Post, and the Financial Times, as well as companies including Automattic, which operates blogging platforms wordpress.com and Tumblr.
Advocates believe that under a provision of the California Consumer Privacy Act, activating the setting should send a legally binding request that website operators not sell their data. The setting may also be enforceable under Europe’s General Data Protection Regulation, and the backers of the standard are planning to communicate with European privacy regulators about the details of how that would work, says Peter Dolanjski, director of product at DuckDuckGo. At the moment, the official specification of the standard specifies that it’s in an experimental stage and “currently not intended to convey legally binding requests,” but that’s expected to change as legal authorities and industry groups have time to react to the standard and put it into place across the web, Dolanjski says.
“It’s going to take a little bit of time for them to make the modifications and all that,” he says.
If it becomes widely accepted and helps prevent website operators and companies from building cross-site profiles of their users, the new standard could help bring an element of privacy back to the web, advocates say. Global Privacy Control could not only help internet users avoid ads that seem to follow them across the web but also potentially limit some of the other negative aspects of today’s internet experience, from filter bubbles and misinformation to discrimination based on people’s behavior and perceived demographics, says Weinberg.
“It’s all traced back to the same behavioral data profiles,” he says.
While the exact details may vary based on future regulations, the standard was designed to allow some sharing of data with service providers such as analytics companies that track web visits for individual sites—but not for building aggregate profiles of how people behave across sites. Those profiles are used by search engines, social media companies, and ad networks to discern people’s interests and demographics and target them with marketing accordingly. While that can result in people seeing more relevant ads on the internet, it’s also been a way for propagandists and fraudsters to find people they believe are vulnerable to receiving particular types of misinformation, from misleading election information to work-from-home scams.
The new setting can be activated through the configuration menu of DuckDuckGo’s browser extensions and is expected to be present in future versions of Mozilla’s Firefox browser as well as other browsers and privacy-focused extensions. Users wanting to test if the setting is activated can visit the Global Privacy Control website, which has a banner indicating whether the setting is enabled.
The concept is similar to Do Not Track, a similar feature introduced in web browsers about a decade ago but never widely observed by website operators. The difference, Weinberg says, is that Do Not Track never really had any legal teeth behind it, while Global Privacy Control is expected to be backed by California authorities under the state privacy law. It’s unclear whether people still using Do Not Track in their browsers would have the same result. Companies could argue that the setting, which some browsers turned on by default and which predates the California law, wasn’t necessarily turned on with the intention of giving notice not to sell data under the law, he says.
Even if that law only covers California residents, the builders of the standard hope that as more jurisdictions put such rules into place, website operators will choose to observe Global Privacy Control user intentions even in the potentially shrinking number of places where they’re not legally bound to do so.
“We hope that this is just a stepping stone to federal legislation,” says Weinberg.
