When a "Global Privacy Control" really isn't.

The August 24, 2022 press release from Rob Bonta, California attorney general announcing the $1.25M enforcement action against Sephora for CCPA violations has changed attitudes in many corporate c-suites. Bonta clearly set the stage for many more enforcements, and reminded enterprises that even the 30 day curative period will expire at the end of 2022.

But the most remarkable aspect of the Bonta press release was its strong focus on "Global Privacy Control" (GPC), a new initiative requiring websites to automatically stop selling/sharing user data when a user logs in with a web browser that asserts this signal. GPC is referenced 10 times by Bonta in a 995 word press release.

The GPC is a re-hash of the "Do Not Track" signal that was proposed in 2009, but was successfully derailed by the ad industry due its voluntary nature and lack of regulatory backing. With the CCPA's built-in requirement for sites to offer users a "Do Not Sell My Data" button, the resurgence of an automatic signal makes perfect sense, much to the dismay of big data and adtech companies that have come to rely on tracking and reselling consumer data for their revenues.

In my opinion, GPC is a great advance for users, but I want to explain some of its flaws and weaknesses because it is sometimes being portrayed as a panacea for all online privacy issues, which it definitely is not. It's an important step forward but it has some real limitations that consumers will not understand.

My goal here is to help everyone understand what really happens (and what doesn't) when they use GPC.

Let's start with the (unfortunate) name of "Global Privacy Control". Based on this name, the average user will believe that by setting this control, they globally told Facebook/Google/Ad Networks "Do Not Sell/Share" their data ever again.

But they really haven't. There is no such thing as a "Global Privacy" setting. The GPC signal is not a persistent setting that is stored in a master database by the adtechs. It is a browser setting that is only relevant to the current session with the current browser.

What does that mean? It means that unless you set GPC on every browser and device you use, sometimes your privacy preferences will be asserted and sometimes they won't. That's because each time you log on to a web site with a different device (desktop pc vs. mobile phone vs. tablet), the website sees you as a different person. Even using different browsers on the same desktop PC (Chrome, Firefox, Edge), you are a different person from the perspective of the website.

The fact that yesterday, you visited a site from your home PC with GPC set doesn't mean that today when you visit the same site from your work computer, your privacy preferences are going to be honored. Consumers just aren't aware of this technical limitation. They will think "I turned on GPC in my browser, so I'm protected".

That's not good. And it gets a lot worse...

The GPC signal's design goal was to streamline privacy preference for website access by eliminating repetitive popups that request consent, and it works for that purpose. But in today's digital online world, companies gather and process your private data from a LOT of other touchpoints than just websites.

For example, most large retailers, social networks and content sites have their own native apps for your smartphone. There are millions of native apps in the Apple and Android app stores. Native apps don't use a web browser, therefore none of them have a way to know anything about the GPC preference you may have set in your home computer browser.

We all get dozens of marketing, loyalty, and coupon emails every day, and your activity (reading, clicking, buying) based on the emails is very studiously tracked. But email marketing systems also know nothing about your GPC preference.

This same problem exists for telemarketing, SMS text messaging, IOT devices like doorbells, video surveillance, and biometric facial recognition systems.

Modern digital life has myriad touchpoints where our data is collected and resold. The GPC signal only really pertains to one of those touchpoints, websites.

Consumers who reasonably believe they have "Globally" protected their privacy by setting "Global Privacy Control" on their web browser are really not protected at all.

In my view, this false sense of having protected themselves is quite dangerous, because after setting it, consumers will be unlikely to seek out further ways to opt out, revoke, cancel data sharing because they feel they have already solved the problem.

Headlines proclaiming "Users are back in control over their privacy now that GPC is in force" do a disservice to consumers by giving them a false sense of having protected their privacy when in fact they have taken one step toward protecting their privacy.

There is a way that GPC could become what consumers expect it to be. If the regulators would require the enterprises to retain the user's preferences in a "Central Source of Truth" whenever it is expressed, the user's private data could always be properly handled, regardless of the method of data ingestion, or the purpose of processing. While enterprises routinely share user data to so-called "downstream processors", the user's GPC preference can be checked by these third, fourth and fifth party companies to comply with CCPA on a realtime basis.

The scenarios presented above could have a very different outcome if enterprises retained each users' GPC preference. When a non-anonymous user asserts GPC, from that moment on, all of the processing of that user's data (regardless of how it was ingested) can be protected every time the enterprise wants to use or share it. With this simple change of centrally storing GPC, the "Global Privacy Control" can truly do what consumers expect it to do.

This is the approach we have taken at PrivacyCheq, using a single central database that keeps track of a user's expressed privacy preferences that our customers use to verify consent each time private data is processed. We fully support the popularization of GPC and look forward to helping it to fulfill its destiny in truly being a global privacy control.