Numerous tech companies have made headlines related to privacy in recent weeks. The director of the National Security Agency, amid congressional testimony about the data collection efforts of TikTok, an app created and operated by Beijing-based ByteDance, articulated his deep concern that the app could pass critical information to the Chinese government. Concurrently, the Federal Trade Commission turned up the heat on its investigation into Twitter’s data and privacy practices.
More than half of U.S. states have now introduced some kind of TikTok-related ban. Indiana, Rare Bird’s home state, was the first to file a lawsuit against the company—two lawsuits, in fact. The second is focused on how TikTok handles personal data and information.
A recent survey indicates that most Americans do not trust how online companies and services handle their personal data. The majority of the more than 2,000 American adults surveyed also failed a simple quiz about how websites, apps, and other digital entities gather and/or distribute their personal information.
According to the New York Times, “a majority [of survey respondents] seemed unaware that there are only limited federal protections for the kinds of personal data that online services can collect about consumers.”
Limited federal protections, perhaps, but some states have taken action. Perhaps you’ve noticed links on various websites that say “Do Not Sell” or “Object to Processing.” If you click these links on every website you visit, you can opt out and keep those websites from selling or sharing any personal information they may glean about you.
But that is hardly efficient.
Now, however, because of the California Consumer Privacy Act (CCPA)—an effort similar to Europe’s General Data Protection Regulation (GDPR)—anyone with the right browser (or browser extension) can exercise their legal privacy rights in a simple step thanks to a collective and ongoing effort called Global Privacy Control (GPC).
What Is GPC?
While more than a dozen founding organizations helped develop the Global Privacy Control specifications and guidelines—including tech companies such as Mozilla, organizations such as the National Science Foundation, and media outlets such as the Washington Post, New York Times, and Consumer Reports—there are now “hundreds of thousands of websites and blogs” throwing their support behind this endeavor.
I know, I know—Global Privacy Control does sound like something produced by a Random Band Name Generator. But GPC is just a browser setting that sends a signal to websites when a user has specific privacy preferences.
This setting clearly communicates the user’s preference to the entities behind every website they visit, asking them not to share or sell personal data without the user’s consent. It’s incredibly convenient. And, unlike earlier efforts along these lines, your articulated and recorded preferences can now play a significant role in court in states with laws on the books, should a company disregard such privacy preferences.
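To make the signal concrete, here is an added example (not Rare Bird's code and not part of the original post): per the GPC specification, a browser with the setting enabled sends the request header `Sec-GPC: 1` and exposes `navigator.globalPrivacyControl` to scripts. The function and field names are hypothetical, the sample requests are constructed, and letting GPC override a stored consent is this example's conservative choice.

```javascript
// Added example: honoring the GPC signal on the server and in the browser.
// Function and field names are hypothetical; sample headers are constructed.

// HTTP header names are case-insensitive, so compare in lowercase.
function headerValue(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers || {})) {
    if (key.toLowerCase() === wanted) return String(value);
  }
  return undefined;
}

// The GPC specification defines one header value, "1". This example treats
// anything else (absent, "0", "true") as "no preference expressed".
function gpcOptOut(headers) {
  const raw = headerValue(headers, 'Sec-GPC');
  return raw !== undefined && raw.trim() === '1';
}

// Browser-side equivalent: pass window.navigator (or a stand-in for tests).
function gpcFromNavigator(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// Decide what the page may do. In this example GPC overrides a stored "yes"
// for selling or sharing; strictly necessary cookies are unaffected.
function collectionPolicy(headers, storedConsent) {
  const optedOut = gpcOptOut(headers);
  const mayShare = !optedOut && storedConsent === true;
  return {
    gpc: optedOut,
    essentialCookies: true,
    shareWithThirdParties: mayShare,
    loadAdPixels: mayShare,
    // The response now differs by Sec-GPC, so shared caches must key on it.
    responseHeaders: { Vary: 'Sec-GPC' },
  };
}

// Constructed sample requests.
const withGpc = { 'sec-gpc': '1', 'user-agent': 'ExampleBrowser/1.0' };
const withoutGpc = { 'User-Agent': 'ExampleBrowser/1.0' };
console.log(collectionPolicy(withGpc, true).shareWithThirdParties);    // false
console.log(collectionPolicy(withoutGpc, true).shareWithThirdParties); // true
```

The `Vary: Sec-GPC` response header matters when a CDN or reverse proxy sits in front of the site: without it, a cached page built for a visitor who sent no signal can be served to one who did.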
Then and Now: A Brief History
You might remember when the “Do Not Track” signal began to appear on browsers almost 15 years ago. Most companies simply refused to honor it, so it went away. But California and a few other states have blazed significant legal trails since then—and efforts like Global Privacy Control are now supported by actual legislation.
According to the California Department of Justice website, “the California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them and the CCPA regulations provide guidance on how to implement the law.”
This law allows California residents to avoid the tedium of clicking a box on every website to manage their personalized data requests. Essentially, Californians can now choose to outsource the effort of telling companies their preferences. Because the authorized agent communicating with those companies does not need to be a person, technological developments such as GPC can play an even bigger role.
The California Consumer Privacy Act (CCPA) has emerged as a turning point for state privacy laws. Once the California Privacy Rights Act (CPRA) was passed, extending and amending many of the CCPA’s provisions, other states began to follow. Virginia, Colorado, Utah, and Connecticut have since passed similar efforts.
Is GPC Legally Binding?
From the GPC website: “GPC is intended to serve as an expression of users’ intent to invoke their online privacy rights. Depending on the jurisdiction and applicable laws, a user’s expression through GPC may have legal impact. However, GPC on its own does not create any legally binding obligations.”
How Is Rare Bird Addressing Related Privacy Efforts?
Because some of our clients are large e-commerce businesses that use customer emails in a variety of ways and conduct business in states with privacy laws, it’s important for us to understand and review related compliance regulations as they evolve.
Pete Serguta, one of the excellent developers here at Rare Bird, is the most experienced member of our team in these matters. Because some of the details to curtail the misuse or abuse of personal information in certain states and in Europe sometimes differ, Pete favors a “better safe than sorry” approach for now.
“For a couple of our clients,” Pete says, “I’ve added GPC checks to limit data collection. I’ve also started eliminating our use of content delivery networks and third-party font hosting to satisfy the GDPR.” He’s also been reading through the GDPR to summarize some of the changes for clients who might need to update their privacy policies.
Steps Your Business Can Take
The California law passed in 2018 and went into effect two years later. At first, many e-commerce entities, as they had with “Do Not Track” efforts more than a decade ago, chose to ignore it. Some believed the law did not apply to them. Others feigned ignorance.
A few of the businesses that were more mindful of potential repercussions chose instead to focus on the European Union’s General Data Protection Regulation (GDPR), which has leveled hundreds of millions of dollars in fines against massive corporations like Amazon. But last year, when California fined makeup retailer Sephora more than a million dollars for exchanging website visitors’ information for various services, even less-than-massive corporations began to take notice.
Global Privacy Control isn’t as simple as clicking an ON/OFF button in WordPress. Does your business have a compliance strategy? Have you created a data map, or determined which, if any, of your company’s actions might involve selling or sharing information deemed personal or private? Those are some of the foundational steps to take in order to implement an effective compliance effort.
If the details of online privacy and personal data overwhelm you, remember the words of Henry David Thoreau in Walden: “Our life is frittered away by detail. Simplify, simplify, simplify!” (Or maybe tell Thoreau you get the gist and that one “simplify” is enough.)
Keep it simple. Allow consumers to make a choice. Honor and respect that choice. Embrace the idea that personal data might not always be yours to use for your benefit without first gaining people’s consent. Adopt a “better safe than sorry” approach. Make better use of the information you are allowed to legally have to better connect with customers. Refine your email marketing strategy, or explore other ways of using digital marketing to your advantage.
And if you want to talk to us about any of this, we’d love to hear from you.