Global Privacy Control: What Users Want
Recently Google backtracked on its plans to remove third-party cookies from Chrome. However, work is still being done to find alternative ways for ad companies and browsers to track web users while preserving their privacy. Anonymous tracking has been tried and tested, and it has repeatedly been shown that removing the shield of anonymity is not only possible but sometimes quite easy. Several new draft specifications and proposals are trying to address the issue in novel ways, but they tend to centre either ad companies or browser vendors (which are sometimes also ad companies).
When it comes to web user attitudes to being tracked and sharing personal data online, the data is scarce but not completely absent. According to the UK Government’s Centre for Data Ethics and Innovation (CDEI) Public Attitudes to Data and AI Survey, 57% of survey respondents think collecting personal “data is useful for creating products and services that benefit them as individuals”. However, despite the majority of respondents seeing the benefits of sharing their personal data, most are also concerned with how their data is stored, the potential for security breaches, and the potential for their data to be sold to third parties. Others are concerned about surveillance and about having limited control over when their data is shared.
The CDEI documents that:
- 55% of people are worried about their data being sold for profit
- 33% are worried that they won’t have a say in when their data is shared
- 32% are concerned about their data being used for surveillance
The Global Privacy Control (GPC) specification aims to address these main concerns. I wrote about the GPC in 2021. Since then, work has been done to progress the control, and it is currently on the standards track, with the first public working draft recently published. The GPC aims to work within current legal frameworks, such as the EU’s GDPR and California’s CCPA, to provide a universal control that allows web users to decide when they consent to sharing and selling their data.
It proposes to do this by having two signals:
- An interaction called do-not-sell-or-share which web users can use to let observing parties know that they don’t want their data sold or shared with third parties in specific instances. So a person may be comfortable with the National Health Service sharing their data with third parties (typically other health providers such as pharmacies) but would like to limit how Meta shares their data with third parties (typically advertisers).
- A preference called do-not-sell-or-share in which web users can activate the Global Privacy Control which will set do-not-sell-or-share on all web interactions.
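The two signals described above, sketched as an added example (not code from the GPC specification or from the author). It assumes the `Sec-GPC: 1` request header that the GPC draft uses to carry the signal; the function names, the per-site exemption list and the sample data flows are hypothetical.

```javascript
// User-agent side: the preference turns the signal on for every interaction.
// The per-site exemption list is an assumption of this example, used to
// model the "specific instances" case.
function userAgentHeaders(preferenceEnabled, exemptOrigins, origin) {
  const headers = {};
  if (preferenceEnabled && !exemptOrigins.includes(origin)) {
    headers["Sec-GPC"] = "1"; // the only value the GPC draft defines
  }
  return headers;
}

// Server side: header names are case-insensitive. This example treats
// anything other than exactly "1" as "no signal".
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "sec-gpc") {
      return String(value).trim() === "1";
    }
  }
  return false;
}

// Drop sale and third-party sharing flows for a request carrying the signal.
// First-party processing is left untouched.
function filterFlows(headers, plannedFlows) {
  if (!hasGpcSignal(headers)) {
    return { allowed: plannedFlows, suppressed: [] };
  }
  const allowed = [];
  const suppressed = [];
  for (const flow of plannedFlows) {
    (flow.thirdParty || flow.sale ? suppressed : allowed).push(flow);
  }
  return { allowed, suppressed };
}

// Constructed sample data: origins and recipients are placeholders.
const flows = [
  { recipient: "first-party analytics", thirdParty: false, sale: false },
  { recipient: "ad-exchange.example", thirdParty: true, sale: true },
  { recipient: "data-broker.example", thirdParty: true, sale: false },
];
const exempt = ["https://health.example"];
const toSocial = userAgentHeaders(true, exempt, "https://social.example");
const toHealth = userAgentHeaders(true, exempt, "https://health.example");
console.log(filterFlows(toSocial, flows).suppressed.map((f) => f.recipient));
console.log(filterFlows(toHealth, flows).suppressed.length);
```

Logging the `suppressed` list per request gives a site an audit trail showing that the signal was received and acted on.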
Where Do Not Track was unenforceable and ignored, GPC aims to be legally enforceable in multiple jurisdictions, similar to how accessibility standards and recommendations are used to write various laws.
The progress of GPC is exciting: it addresses many concerns that web users have and has us at the centre. Most people are not opposed to sharing their data but want more control over how and when they share, and who they share with. I’m looking forward to seeing the continuation and progress of this work.
If your company is a W3C member organisation and you have a particular interest in this work, consider joining the Privacy Working Group where this work is being developed.