What do you call a privacy law that only works if users individually opt out of every site or app they want to stop sharing their data? A piece of paper.
Or you could call it the California Consumer Privacy Act. In theory, the law gives California residents the right to opt out of any business selling their data. In practice, it hasn’t seen much use. Most people don’t go to the trouble of opting out of every website, one at a time. One analysis, by DataGrail, a privacy compliance company, found that there were only 82 “do not sell” requests for every million consumer records over the first six months of the year. A study published last week by Consumer Reports helps explain why: Opting out of everything is a complicated pain in the ass.
Change could be coming, however. The CCPA includes a mechanism for solving the one-by-one problem. The regulations interpreting the law specify that businesses must respect a “global privacy control” sent by a browser or device. The idea is that instead of having to change privacy settings every time you visit a new site or use a new app, you could set your preference once, on your phone or in a browser extension, and be done with it.
When the attorney general issued those regulations, the technology for a global opt-out didn’t exist. As of today, it does. This morning a group of privacy-focused tech companies, nonprofits, and publishers, including The New York Times, the Electronic Frontier Foundation, and the search engine and browser DuckDuckGo, announced the beta launch of a new global privacy control. The idea is to create a technical specification that qualifies as a universal opt-out under the CCPA, so that exercising rights under the law would flip from being hopelessly complex to extremely easy.
“This would provide a key component that’s called for in the California law, which is a simple way for consumers to invoke their right without having to go to each website and find the button,” said Ashkan Soltani, a privacy researcher who helped lead the effort. Soltani has spent as much time as anyone in the trenches of privacy controls. A decade ago, as a technologist at the Federal Trade Commission, he worked to develop the Do Not Track web standard, which was supposed to establish a universal opt-out. That effort was ultimately doomed, however, because companies were under no legal obligation to honor Do Not Track requests, and most chose not to.
The technology, in other words, was too far out in front of the law. But now, with the CCPA, the inverse is true. “The law, for the first time, is kind of ahead of the technology,” said Soltani.
The idea for the new global opt-out started with Sebastian Zimmeck, a computer science professor at Wesleyan who began building a Chrome extension called OptMeowt with his students last spring. In April, he connected with Soltani, who helped pull more collaborators into the effort. As of today, users will be able to set a global browser opt-out in browsers including Mozilla, Brave, and DuckDuckGo, as well as the DuckDuckGo privacy extensions for Chrome. The code necessary for businesses to respond to the privacy control is publicly available. Publishers who have signed on, most notably The New York Times and The Washington Post, have agreed to honor the signal.
For California residents, the global privacy control, if enforced by the attorney general, would have a very different effect than existing privacy controls such as third-party cookie blockers. Those settings have no power over what a website or app does with the data it collects directly from you. The global control, by contrast, would issue a legally binding order that, if violated, would be punishable by major fines.
