Implications of Global Privacy Control
21 comments
·March 16, 2025onli
The article ignores that the DNT header already had some regulatory backing, as in court decisions saying it ought to be respected. https://www.datev-magazin.de/nachrichten-steuern-recht/recht... references such a decision against LinkedIn.
Instead of using that, this new proposal seems to be exactly the same thing, just with more work for website hosters (having to add nonsensical files to /well_known/) and claims that this time, the regulatory backing will be good enough. Bullshit. They could have just tried to enforce the DNT header now, with the new regulations and the old case law. Instead they ripped it out of Firefox.
jeroenhd
DNT failed because advertising and online stalking companies refused to abide by it when browsers enabled it by default. The GPC spec tries to work around this by having the spec disable the feature by default.
This new spec is necessary because American legislation requires opt-out signals not to be the browser default. That means DNT, as browsers used it, is not legally an opt-out signal, because browsers default to it.
What this is doing is throwing out the header that had legal backing in Europe for a slightly worse copy that hopefully has legal backing in America in the future.
It's a silly specification, but if it gets companies to actually respect this iteration of the DNT spec then I'll accept it.
As for DNT, Firefox may have removed it but addons can still set it. As useless as that may be, because the spec is marked as outright deprecated (https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/...), you can still send the signal.
salawat
Allowing assholes to continue being assholes is the crux of the problem. Companies ignoring DNT on as a default should have been met with massive punitive fines and liability. Instead, we're not doing anything to curtail the behavior.
greatgib
Do I understand correctly that this means that browser will have to do yet another useless request to domains or website to know the GPC status in addition with the request required to retrieve the ressources ? In addition with OPTION requests that already have to be done?
jeroenhd
OPTION isn't always necessary, there are ways to prevent those requests.
Also, the GPC request will probably only be sent when you enable GPC, which basically means "almost nobody".
colingauvin
I was pleasantly surprised to learn that my state passed a law requiring businesses that serve 50k or more residents here respect this setting and opt me out of tracking by default.
roenxi
> The main problem with DNT was the lack of legal and regulatory backing it received. Website owners could decide if they'd observe the DNT signal and there were no legal repercussions if they chose not to. This is where GPC is different.
This sounds like an attempt to regulate the entire internet.
drpossum
So what do you refer to all the other stuff that is accepted as "the internet" but is not websites?
pessimizer
Ideally it would be an attempt to regulate more than that. If I've set a flag that indicates a preference about the use of my personal information that I have some legal right to demand, I want it enforced. You don't get to ignore my request because internet.
casenmgreen
Any takes on this from someone who knows about it?
anticristi
I work as a Data Protection Officer, which is a legal role under GDPR, and am rather unimpressed by GPC. I could whine for a day, but among the most problematic issues: It's not clear if "Sec-GPC: 0" should be interpreted as:
1. "no" to collect personal data under GDPR consent; or 2. "objection" to collect personal data under GDPR legitimate interest or; 3. "no" to retrieving and storing data on a user device (e.g. cookies, localStorage); or 4. A linear combination of the above.
Personally, I think we should simply fine the heck out of all websites until they all feature a "Reject all" button. No need for browser vendors to propose standard which at least one browser vendor can't be bothered to implement.
jeroenhd
"Sec-GPC: 0" is invalid. The value can only be 1, and that explicitly cannot be changed in the future according to the spec.
This makes GPC a flag that means "unknown" or "opt-out". There is no "please share my data with your newsletter company" value, there can only be "do whatever the default is for sharing my data with any company you partner with".
JimDabell
I don’t think this article does a good job of explaining what this achieves.
> Web users want to have more autonomy over their data. They want to know who has it, where it's going and why, and they want to be able to consent to how their data moves between parties.
> It's up to the developer/business to decide how to treat the signal, for example, removing the user's details from third-party tracking or marketing, following a similar procedure as to when users opt out of sharing data for marketing purposes. If in CCPA jurisdiction, the signal must be observed to avoid legal repercussions.
Okay, so assuming a user has this enabled in their browser settings, and they register on a website. They tick the box that says “Add me to your mailing list”.
Common sense would indicate that ticking of the box overrides the browser setting. So I can share their details with my mail service provider. So by default opt-out and asking for their permission to opt-in is compatible with this setting, right?
Except now apply that logic to the mess of “we respect your privacy, click here to allow sharing your data with our eleventy bajillion trusted partners” popups on so many websites. So, again, by default opt-out and asking for their permission to opt-in. So this setting does absolutely nothing to stem that tide? What’s the point of it then?
Also, how does this tell the user “who has it, where it's going and why”? All I see is a boolean flag.
> At the time of writing, the Attorney General for California has recommended observation of GPC to comply with CCPA. There are also intentions to work with the European Union's GDPR
By default opt-out and asking for their permission is already required by the GDPR, so what is being worked on here exactly?
jeroenhd
> Common sense would indicate that ticking of the box overrides the browser setting
In theory, the /.well-known/ file could have its timestamp updated to reflect to the browser that the situation has changed and the user may perhaps need to make another choice. In practice, every website with trackers will just always pretend things have changed and browser controls will be useless.
> Except now apply that logic to the mess of “we respect your privacy, click here to allow sharing your data with our eleventy bajillion trusted partners” popups on so many websites. So, again, by default opt-out and asking for their permission to opt-in. So this setting does absolutely nothing to stem that tide? What’s the point of it then?
This is why I prefer what Microsoft attempted to do with P3P instead. Of course no website ever bothered implementing it, but Microsoft came up with a protocol to at least list a display privacy policies for every partner website.
If browsers came with UI to manage which trackers the user accepts by default, with specific website overrides of course, this mechanism could be extended to in-browser privacy popups that can have their defaults be "no, fuck off" without the ambiguity.
The protocol could even be extended to permit the website to request changing the sharing setting, for instance when you sign up for a newsletter. As long as the UI is gatekept enough (say, once per x minutes after user interaction, up to y parties at once, otherwise the notification will be a little icon in the URL bar), it might just automate away the entire cookie popups.
Of course you'd need to convince the EU and California to declare these protocols as mandatory, but I think that's going to be a lot easier with a protocol where users have more choice than with this unary GPC header.
nimbius
these web frameworks for privacy always give me a chuckle. DnT didnt work, why would this?
Advertising is an economy worth more than 7.4 trillion USD. it has evaded most attempts to regulate or restrict it in any meaningful sense in the 21st century. the GDPR serving as a bureaucratic organ to which advertisers must subscribe, or quietly ignore with all but the most modest and encumbered window dressings for the illusion of choice by the user.
you cannot restrict, limit, control, or meaningfully impact a 7.4 trillion dollar economy with a voluntary framework. this market rivals the GDP of many developed nations. it will simply spend its way out of any legal problem. there exists no fine that can tame it.
The only thing you can reasonably do in the face of something that evades even governments themselves, is to ship a built-in version of uBlock and noscript, and a blacklist of advertising provider DNS, that is enabled by default for the user. make cookies whitelist-only, and make counter-fingerprinting technology default.
you must do things that cause, as an organism, marketing and advertising agencies to recoil in terror. DoH is a good example, which rallied nearly every telecom provider in the US to lobby the federal government until Mozilla and others acquiesced to letting them join the club.
jeroenhd
If the CCPA does indeed interpret this as an opt-out signal, those 7.4 trillion are going to be at risk of a whole lot of (class action) lawsuits. The spec is trying to make itself applicable as an official, regulated signal. DNT couldn't, because Colorado (or more likely, a large donation by those 7.4 trillion dollars) decided that an opt-out cannot be the default.
The stupidest thing is that Google actually got in trouble for trying to restrict third party cookies by default. The UK competition watchdog agreed with advertising companies that Google making such a decision would be abuse of power and bad for competition. That's why they came up with this weird alternative ad system where your browser tracks your interests and shares them in request, so that ad companies can shut the fuck up about it.
Once Google is forced to sell Chrome to a third party, I hope third party cookies will finally be disabled by default.
jm4rc05
in a era when google and openai ask to circumvent copyrights, what’s the point?
fmajid
The point is you’d have one browser setting that would make all the obnoxious cookie consent pops disappear. Making laws is one thing, enforcing them is another, however.
broken-kebab
I think cookie consent is a different story. GPC would mean: "Under the GDPR, the intent of the GPC signal is to convey a general request that data controllers limit the sale or sharing of the user's personal data to other data controllers".
It doesn't preclude a website from storing cookies, and therefore doesn't relieve it from the obligation (at least in the EU) to show an obnoxious popup
jm4rc05
and google’s chrome will never ever ignore blocking own cookies, at least while they can
> The GPC signal will be intended to communicate a Do Not Sell
So, there is no tracking opt-out like DNT had.
Do Not Sell is classic regulatory capture: It allows incumbent players to continue their current bad behavior, and directs revenue streams from smaller players (data brokers) to existing monopolies.
Also, this opt out won’t interfere with Mozilla’s recently acquired ad business, which uses user data to sell ad real estate (invading their privacy with obtrusive ads).
(Sorry for the awkward sentence, but they claim it is a privacy preserving technology that doesn’t gather or sell user data, and there’s no way to be doublespeak compliant without using tortured grammar.)