Blog

Connecting the dots on: global privacy controls

Sourcepoint
January 24, 2022

You might have heard of an initiative to create a technical specification for universal opt-out signals, called Global Privacy Control.

But the term ‘global privacy controls” (lowercase) is also sometimes used to refer to universal opt-out mechanisms, or any browser or device-level control that allows users to communicate their privacy preferences.

Such efforts, including the well known Do Not Track header signals, date back to the early 2000s but have historically lost momentum due to lack of industry buy-in or regulatory backing. 

As the digital advertising industry reckons with calls to improve transparency and streamline user experience, a future in which the existing consent frameworks like the IAB TCF are being reconsidered for different models, like legally binding global privacy controls, may not be very far. 

Download our timeline to connect the dots on how global privacy controls have risen and fallen over the years.

TIMELINE

A BRIEF HISTORY OF GLOBAL PRIVACY CONTROLS

2003: The FTC’s Do Not Call Registry goes into effect.

2007: Several groups (World Privacy Forum, CDT, EFF, among others) ask FTC to create a Do Not Track list for online advertising. The registry would have required online advertisers to submit their information, allowing browsers to block them from tracking. (CDT)

March 2009: Google releases a browser add-on that would allow users to make their “opt-out cookie” persistent, but only on Google ad networks. Users have long been able to obtain opt-out cookies from NAI or for specific ad networks, but these were prone to deletion. (NAI)

‘Do Not Track’ headers gain momentum

July 2009: As an alternative to opt-out cookies, which can’t be interpreted between different domains, privacy and security researchers Christopher Soghoian and Sid Stamm create a prototype Firefox plug-in that adds a Do Not Track signal as a HTTP header field. (Fast Company)

Jan 2011: Mozilla Firefox implements support for DNT header plug in, followed by Microsoft Internet Explorer in March, Apple Safari shortly after in April, and finally Google Chrome in Nov 2012. (WSJ)

2011: W3C Tracking Protection Working Group works to provide technical specifications for implementing & respecting the DNT header (NPR)

2019: W3C working group closes due to lack of planned support among ecosystem participants. (W3C)

March 2019: Apple removes support for the DNT header because it was found to be useful (ironically) as a fingerprinting variable. (Apple)

Global Privacy Control gets backing in state law

Aug 2020: CCPA final regulations approved, including a requirement for businesses to respond to requests made via global opt-out mechanisms. (CA OAG)

Oct 2020: Global Privacy Control launches a technical specification for transmitting universal opt-out requests. Users can send signals by using participating browsers like DuckDuckGo and Brave or downloading extensions. (Global Privacy Control)

Nov 2020: California voters approve the California Privacy Rights Act, set to go into effect in 2023. The CPRA suggests that support for global opt-out requests will only be necessary if the business chooses to forego providing the standard Do Not Sell/Share links for visitors to exercise their data subject rights. (IAPP)

July 2021: California Attorney General’s office updates FAQ to clarify that responding to universal opt-outs is mandatory under CCPA. (California OAG)

July 2021: Colorado passes Colorado Privacy Act, requiring recognition of opt-outs through “user-selected universal opt-out mechanisms” starting in 2024. (Sourcepoint)

Sept 2021: UK’s data protection authority, the ICO, calls for reform to address cookie consent fatigue, urging regulators to shift attention towards browser based consent. (TechCrunch)

Nov 2021: A Work Group created pursuant to the Virginia Consumer Data Protection Act (VCDPA) publishes a report emphasizing need for browser level, global opt-out mechanism (VCDPA Work Group)

INDUSTRY STAKEHOLDERS REACT

Jan 2022: Comments on CPRA rulemaking submitted to the California Privacy Protection Agency are published, including debate around the mandatory nature of GPC, with one side supporting clearer language and the other for completely repealing the regulation. (AdExchanger)


Want to learn about how Sourcepoint can prepare you for the future of global privacy controls? Get in touch.

Latest Blog Posts

California CPPA Issues Notice of Proposed Rulemaking

November 25, 2024

News out of California this week. The CPPA moved...

Mitigating risk under the Video Privacy Protection Act (VPPA)

November 23, 2024

Because VPPA is just one of many tools being...

CPPA Settles With Unregistered Data Brokers

November 18, 2024

Following an investigative sweep of unregistered data brokers, the...

Latest White Papers

E-book: Enterprise Guide To Cookie management & Tracker List Curation

July 1, 2024

How to review the tracking tech on your websites...

Benchmark Report: US Privacy Compliance

August 19, 2022

The current state of publisher compliance with CCPA, and...

Keep in touch

Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.

Let's explore what we can do together.

We'll be in touch within 48 hours

[contact-form-7 id="593" title="Schedule a Demo"]