Connecting the dots on: global privacy controls
January 24, 2022
You might have heard of an initiative to create a technical specification for universal opt-out signals, called Global Privacy Control.
But the term “global privacy controls” (lowercase) is also sometimes used to refer to universal opt-out mechanisms, or any browser or device-level control that allows users to communicate their privacy preferences.
Such efforts, including the well-known Do Not Track header signals, date back to the early 2000s but have historically lost momentum due to lack of industry buy-in or regulatory backing.
As the digital advertising industry reckons with calls to improve transparency and streamline user experience, a future in which existing consent frameworks like the IAB TCF are reconsidered in favor of different models, such as legally binding global privacy controls, may not be very far off.
Download our timeline to connect the dots on how global privacy controls have risen and fallen over the years.
TIMELINE
A BRIEF HISTORY OF GLOBAL PRIVACY CONTROLS
Registries and cookie-based opt-out as the status quo
2003: The FTC’s Do Not Call Registry goes into effect.
2007: Several groups (World Privacy Forum, CDT, EFF, among others) ask FTC to create a Do Not Track list for online advertising. The registry would have required online advertisers to submit their information, allowing browsers to block them from tracking. (CDT)
March 2009: Google releases a browser add-on that would allow users to make their “opt-out cookie” persistent, but only on Google ad networks. Users have long been able to obtain opt-out cookies from NAI or for specific ad networks, but these were prone to deletion. (NAI)
‘Do Not Track’ headers gain momentum
July 2009: As an alternative to opt-out cookies, which can’t be interpreted between different domains, privacy and security researchers Christopher Soghoian and Sid Stamm create a prototype Firefox plug-in that adds a Do Not Track signal as an HTTP header field. (Fast Company)
Jan 2011: Mozilla Firefox implements support for the DNT header plug-in, followed by Microsoft Internet Explorer in March, Apple Safari shortly after in April, and finally Google Chrome in Nov 2012. (WSJ)
2011: W3C Tracking Protection Working Group works to provide technical specifications for implementing & respecting the DNT header. (NPR)
2019: W3C working group closes due to lack of planned support among ecosystem participants. (W3C)
March 2019: Apple removes support for the DNT header because it was found to be useful (ironically) as a fingerprinting variable. (Apple)
Global Privacy Control gets backing in state law
Aug 2020: CCPA final regulations approved, including a requirement for businesses to respond to requests made via global opt-out mechanisms. (CA OAG)
Oct 2020: Global Privacy Control launches a technical specification for transmitting universal opt-out requests. Users can send signals by using participating browsers like DuckDuckGo and Brave or downloading extensions. (Global Privacy Control)
Nov 2020: California voters approve the California Privacy Rights Act, set to go into effect in 2023. The CPRA suggests that support for global opt-out requests will only be necessary if the business chooses to forego providing the standard Do Not Sell/Share links for visitors to exercise their data subject rights. (IAPP)
July 2021: California Attorney General’s office updates FAQ to clarify that responding to universal opt-outs is mandatory under CCPA. (California OAG)
July 2021: Colorado passes Colorado Privacy Act, requiring recognition of opt-outs through “user-selected universal opt-out mechanisms” starting in 2024. (Sourcepoint)
Sept 2021: UK’s data protection authority, the ICO, calls for reform to address cookie consent fatigue, urging regulators to shift attention towards browser-based consent. (TechCrunch)
Nov 2021: A Work Group created pursuant to the Virginia Consumer Data Protection Act (VCDPA) publishes a report emphasizing the need for a browser-level, global opt-out mechanism. (VCDPA Work Group)
INDUSTRY STAKEHOLDERS REACT
Jan 2022: Comments on CPRA rulemaking submitted to the California Privacy Protection Agency are published, including debate around the mandatory nature of GPC, with one side supporting clearer language and the other calling for the regulation to be repealed completely. (AdExchanger)
Want to learn about how Sourcepoint can prepare you for the future of global privacy controls? Get in touch.