
I don’t think this article does a good job of explaining what this achieves.

> Web users want to have more autonomy over their data. They want to know who has it, where it's going and why, and they want to be able to consent to how their data moves between parties.

> It's up to the developer/business to decide how to treat the signal, for example, removing the user's details from third-party tracking or marketing, following a similar procedure as to when users opt out of sharing data for marketing purposes. If in CCPA jurisdiction, the signal must be observed to avoid legal repercussions.

Okay, so assuming a user has this enabled in their browser settings, and they register on a website. They tick the box that says “Add me to your mailing list”.

Common sense would indicate that ticking the box overrides the browser setting. So I can share their details with my mail service provider. So by default opt-out and asking for their permission to opt-in is compatible with this setting, right?

Except now apply that logic to the mess of “we respect your privacy, click here to allow sharing your data with our eleventy bajillion trusted partners” popups on so many websites. So, again, by default opt-out and asking for their permission to opt-in. So this setting does absolutely nothing to stem that tide? What’s the point of it then?

Also, how does this tell the user “who has it, where it's going and why”? All I see is a boolean flag.

> At the time of writing, the Attorney General for California has recommended observation of GPC to comply with CCPA. There are also intentions to work with the European Union's GDPR

By default opt-out and asking for their permission is already required by the GDPR, so what is being worked on here exactly?




> Common sense would indicate that ticking of the box overrides the browser setting

In theory, the /.well-known/ file could have its timestamp updated to reflect to the browser that the situation has changed and the user may perhaps need to make another choice. In practice, every website with trackers will just always pretend things have changed and browser controls will be useless.

> Except now apply that logic to the mess of “we respect your privacy, click here to allow sharing your data with our eleventy bajillion trusted partners” popups on so many websites. So, again, by default opt-out and asking for their permission to opt-in. So this setting does absolutely nothing to stem that tide? What’s the point of it then?

This is why I prefer what Microsoft attempted to do with P3P instead. Of course no website ever bothered implementing it, but Microsoft came up with a protocol to at least list and display privacy policies for every partner website.

If browsers came with UI to manage which trackers the user accepts by default, with specific website overrides of course, this mechanism could be extended to in-browser privacy popups that can have their defaults be "no, fuck off" without the ambiguity.

The protocol could even be extended to permit the website to request changing the sharing setting, for instance when you sign up for a newsletter. As long as the UI is gatekept enough (say, once per x minutes after user interaction, up to y parties at once, otherwise the notification will be a little icon in the URL bar), it might just automate away the entire cookie popups.

Of course you'd need to convince the EU and California to declare these protocols as mandatory, but I think that's going to be a lot easier with a protocol where users have more choice than with this unary GPC header.


What I think they will do is just prevent you from registering? You want to register? Disable the flag.

The same as with the "do not accept". If you do not, they will nag you endlessly until you finally do allow the cookies.

I mean, we just can't win :(



