Global Privacy Control has the potential to solve the consent banner problem
Data privacy regulation has made great steps toward protecting the privacy of people using web products, but it has come with user experience friction. Consent and disclosure banners are a solution for compliance, but they are not elegant.
Browser makers, the W3C, and a group of participating organizations are working to fix that. The first step is a proposal called Global Privacy Control (GPC). It's still in the early stages of an unofficial draft specification, but some browsers have begun implementing it.
What is it?
The GPC is a way for users to signal their desired privacy settings to websites and services. The proposed standard, while not yet finalized, currently supports a method for users to signal that they do not want their information sold.
This aligns with the CCPA's "Do Not Sell" request requirement and the GDPR's general request that data controller's limit the sale or sharing of personal data. The long-term goals of the project aim to give users an option in their browser to signal to sites what their privacy intentions are.
How can developers support it?
Supporting the specification is surprisingly easy. Browsers will signal a GPC value to indicate the user's intent. Currently, the only option available is "1" to signal that a user does not want their information shared or sold.
On the server, browsers will send a
Sec-GPC header with each request. The header's value will be "1" if enabled. If the header does not exist, the assumption is that no global setting has been set or the browser doesn't support GPC.
On the client, browsers implement
Navigator.globalPrivacyControl. It returns true if the
Sec-GPC header is set to "1", otherwise it returns false.
Websites can signal their support by including a GPC Support Resource located at
/.well-known/gpc.json relative to the site's origin. When a GET request is made to the resource, the server can then respond with a JSON object containing their GPC support (true or false) along with the version of the GPC that they support(currently this must be 1). Browsers can incorporate this as a way to visually display to users that the site is supporting their requested settings—much like the way browsers emphasis secure vs. insecure sites.
What is missing from GPC
As it is still in the early stages, GPC isn't a full solution to user privacy consent. For one, it isn't a requirement of any specific legislation, but instead intends to make certain requirements easier. This isn't something that can necessarily change, as regulators are unlikely to agree upon a method of implementing consent, and instead require criteria for consent. One example is the CCPA's language about including a "Do not sell my information" link on the homepage of a site.
It is also heavily geared toward CCPA/CPRA compliance, and specifically the "Do not sell" directive of the legislation.
The larger issue is the lack of granularity. For something like GDPR cookie consent, GPC doesn't offer a way to distinguish between essential vs non-essential tracking. The current specification also lacks a clear path forward to do so—as shown by the client-side boolean response. Perhaps further updates will clarify this issue, adopt an agreed upon set of values along the lines of HTTP status codes, or break the headers out into individual flags for common consent types.
The other questionable part is the well-known identifier. As it signals intent by the site, but is not derived, it relies on the assumption that the site is acting in good faith. In order to hold sites accountable, regulators would need to scrutinize the signal in the same way they scrutinize misleading privacy policies.
Will organizations and vendors adopt GPC?
Perhaps the most important question worth asking is: Will anyone actually use it? Privacy-focused organizations are likely to implement the finalized standard, but what about everyone else? A global setting within clients removes the ability for services to use dark patterns to trick users into consenting to tracking and data collection. Cookie Consent Speed Run shows the extreme methods many use to get around the consent requirement.
The push for some organizations may be that it could make the nuisance of consent banners a thing of the past. The bigger push, however, would need to come from browsers themselves in the same way that they now warn users on sites that are not supporting HTTPS. With that in mind, it’s also worth questioning whether browsers like Google Chrome will adopt a feature that has the potential to conflict with their own practices.
While the standard isn't fully baked yet, ideas like it have promise. Platform owners—browser vendors, operating systems, devices—have the potential to shift privacy legislation from a nearly unenforceable task to something that is directly in the hands of their customers. Regulators know that compliance is a large cost, even for businesses that are trying to be good privacy citizens. If regulators, specification writers, and vendors can all agree on an acceptable approach it could make the lives of engineers and privacy teams much easier. For consumers, this also means direct control on the platform they trust, rather than on every individual site they visit.