What businesses need to know about Browser Privacy Signals
Posted: February 13, 2024
Internet users go to great lengths to safeguard their privacy online. A study by Norton indicates that 71% of adults worldwide have taken some sort of proactive measure, including disabling third-party cookies, adding multi-party authentication, reconfiguring privacy settings on their devices, or even using a VPN, to fight against privacy abuse.
With the advent of the GDPR, consent has primarily emerged as the lawful basis for businesses to collect and process user data. To comply with the GDPR, or with jurisdiction-specific data protection law for that matter, websites display an ever-growing number of cookie consent banners, leading to the emergence of “consent fatigue,” which is good for neither consumers nor businesses.
Consent fatigue has led to consent losing its significance. There is a need for a solution that eases users’ privacy preference selection. That’s where browser privacy signals come into play.
Background on Browser Privacy Signals
In the early 2000s, a collaborative effort driven by a group of stakeholders, including individual researchers, advocacy groups like the Electronic Frontier Foundation (EFF), and the World Wide Web Consortium (W3C), proposed Do Not Track (DNT) as a technical standard, aiming to provide users with greater control over how websites tracked their online activity.
DNT was implemented as an HTTP header. When users enabled it in their web browser, it would signal to websites whether or not they wanted to be tracked for advertising or analytics purposes. However, the final decision on whether to honor or ignore the signal relied on voluntary cooperation from websites. Ultimately, DNT failed to gain wide adoption because websites had no legal obligation to honor the signal, and because clear guidelines on how to honor it and a clear definition of “tracking” were missing.
The enactment of the GDPR in 2018 obliged websites to collect consent from consumers for processing their data. As the European Union required cookie consent banners as the primary compliant solution, the DNT signal became rather insignificant. The California Consumer Privacy Act (CCPA), which came into force in 2019, suggested another approach, obliging websites to provide users with a right to opt out of data processing by sending a “Do not sell my personal information” request.
The two approaches significantly differ, as the latter one is a blanket request without specific control over individual uses. Had DNT been given the importance it deserved in the beginning, there would have been no need for customers to choose preferences on every visited website. Providing users with a single setting to represent their choices throughout the web, Global Privacy Control (GPC) is poised to take over. GPC is largely influenced by data privacy regulations, including CCPA, that prioritize the opt-out method.
What is a Browser-Based Privacy Signal?
To replace the consent mechanism with a viable alternative, regulators and privacy advocates have been continuously exploring options. One newly proposed solution is a browser-based privacy signal that integrates with users’ browsers as an extension and communicates the privacy preferences of users directly to websites they visit.
These signals are designed to ease and automate the process of opting out of data collection and sharing practices. Privacy signals enable users to conveniently express their privacy preferences across multiple websites, thereby eliminating the need for individual opt-outs. When a website identifies the preferences set by a user, it automatically opts out of targeted advertising or any such activity that involves the sale or sharing of personal data.
While existing signals (like DNT) employed diverse implementations, leading to an inconsistent user experience, GPC was conceived in the hope of establishing a standardized signal for wider adoption. As a consumer-centric solution for opting out of data collection and sharing, GPC represents a concrete example of a browser-based privacy signal. Using GPC, users can set their preferences once, and these preferences are communicated to whichever services they use via their browser.
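How a site might read these signals on the server, as an added example that is not code from the original article. The header names `Sec-GPC` and `DNT` come from the GPC and DNT specifications rather than from this page, and the opt-out policy, the `honorDnt` option and all function names are hypothetical.

```javascript
// Added example: reading browser privacy signals from request headers.
// "Sec-GPC" and "DNT" are the header names from the GPC and DNT
// specifications; the policy and all function names are hypothetical.

// HTTP field names are case-insensitive, so normalise before lookup.
function normaliseHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// Only the exact value "1" is treated as an opt-out; any other value,
// including "0" or an empty string, is not.
function readPrivacySignals(headers) {
  const h = normaliseHeaders(headers);
  return { gpc: h["sec-gpc"] === "1", dnt: h["dnt"] === "1" };
}

// Assumed policy: GPC always opts the visitor out of sale/sharing and
// targeted advertising. DNT is honoured only if the site chooses to,
// mirroring the voluntary status the article describes.
function decideProcessing(headers, { honorDnt = false } = {}) {
  const signals = readPrivacySignals(headers);
  const optedOut = signals.gpc || (honorDnt && signals.dnt);
  return {
    signals,
    allowSaleOrSharing: !optedOut,
    allowTargetedAds: !optedOut,
    // The response now depends on these request headers, so shared
    // caches must not serve one visitor's variant to another.
    responseHeaders: { Vary: honorDnt ? "Sec-GPC, DNT" : "Sec-GPC" },
  };
}

// Constructed sample requests (not captured traffic).
const samples = [{ "Sec-GPC": "1" }, { "sec-gpc": "0", DNT: "1" }, {}];
for (const headers of samples) {
  const d = decideProcessing(headers);
  console.log(JSON.stringify(headers), "->", d.allowSaleOrSharing);
}
```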
GPC under different regulations
In many jurisdictions, websites are currently not legally obliged to honor GPC. However, as it gains ground in global privacy laws, websites will be required to honor the signals set by users.
In the US, state privacy laws applicable to California, Connecticut, Colorado, Montana, Texas, Delaware, and Oregon reference the requirement to respect user privacy preferences set by users via Global Privacy Control.
On December 8, 2023, California’s data privacy watchdog, the CCPA Board, voted unanimously (5-0) to greenlight a proposal requiring browser vendors to offer built-in opt-out features for users to exercise their Californian privacy rights.
With this proposal adopted, California would emerge as the first state to require web browsers to include opt-out preference signals to allow users to exercise their privacy rights as part of the CPPA.
The materials comprising the Board review also showed that the major privacy browsers, including Google Chrome, Microsoft Edge, and Apple Safari, refused to offer GPCs. While browser giants remain hesitant, privacy-focused browsers like Mozilla Firefox, DuckDuckGo, and Brave—even though they collectively represent less than 10% of the global desktop browser market—offer native support for opt-out preference signals.
Global Privacy Control faces hurdles in aligning with specific legal requirements. In the European Union, the General Data Protection Regulation came into effect in 2018 and the GPC initiative was launched in 2020, so the law doesn’t have any specific reference to the universal opt-out signal. Under the GDPR, a concern remains about whether consent would still be informed and explicit when GPC is used. The debate around GPC’s compatibility with various regulations is likely to continue evolving.
Why businesses need to consider opt-out signals as part of their consent management strategy
With the data privacy landscape continuously evolving, companies cannot afford to view opt-out signals as mere afterthoughts in their consent management strategies. Businesses that fail to recognize and respect opt-out signals risk non-compliance penalties.
For instance, GPC violations have also been referenced in relation to the CCPA-related penalties against beauty retailer Sephora.
Even if a company isn’t legally required to process GPC signals, honoring user preferences set via GPC can boost brand trust. Individuals appreciate their choices being acknowledged and respected. Conversely, disregarding opt-out signals can foster negative views of the brand.
Also, for consent management, integrating opt-out signals into Consent Management Platforms (CMP) can help companies streamline their data handling practices. By honoring the preferences set by users, businesses can alleviate the burden of individual opt-out requests, saving time and effort. As data privacy regulations continue to rapidly evolve and users’ expectations for privacy continue to rise, businesses that adopt GPC early can solidify their reputation as responsible data stewards.
The GPC signal is a promising tool for empowering user privacy. Its wider adoption in the online world will prove to be an unprecedented tool for consumers to do away with consent fatigue and automate their privacy preferences. Currently, to exercise the opt-out right online, users need to surf the web on a browser that supports opt-out preference signals or download a third-party-built browser plugin to enable support for such signals. The early bird gets the worm: businesses that adopt GPC in their consent management strategy will likely gain a competitive edge in a privacy-friendly future.