Assistant Professor of Computer Science Sebastian Zimmeck is leading a major initiative to help consumers gain greater control of their personal data online.
On Oct. 7, Zimmeck and his collaborator, Ashkan Soltani of Georgetown Law, as well as a group of partner organizations that includes The New York Times, The Washington Post, Mozilla, and the parent company behind WordPress.com and Tumblr, among others, announced the beta launch of the Global Privacy Control (GPC), a new effort to standardize consumer privacy online.
As Zimmeck explains it, privacy regulations introduced in recent years such as the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) have given consumers more rights to limit the sale and sharing of their personal data than ever before. The CCPA regulations give California residents a legal right to opt out of the sale of their data, and requires businesses to respect their preferences through a signal from their web browser. Zimmeck applauds this progress, but says it “doesn’t amount to much if it is hard for people to take advantage of their new rights.” That’s because there had been little progress on developing standards that allow users to signal through their web browser that they wish to opt out of having their data sold or shared. An early standardization attempt, Do Not Track (DNT), suffered from a low rate of adoption due to its lack of enforceability. In practice, this means users generally need to manually opt out of each site or app they want to stop tracking their data—something most users don’t go through the trouble to do.
According to a WIRED article on the beta launch, “the CCPA includes a mechanism for solving the one-by-one problem. The regulations interpreting the law specify that businesses must respect a ‘global privacy control’ sent by a browser or device. The idea is that instead of having to change privacy settings every time you visit a new site or use a new app, you could set your preference once, on your phone or in a browser extension, and be done with it.”
The idea for the new global opt-out started with Zimmeck, who last spring began building an extension for the Chrome web browser with his students called OptMeowt. Initially, Zimmeck worked with Wesleyan computer science students Kuba Alicki ’22, David Baraka ‘21, and Rafael Goldstein ’21. As the effort gained momentum, Daniel Knopf ’22 and Abdallah Salia ’22 joined as well.
“My students are doing an excellent job,” Zimmeck says. “I am mostly taking on the role as an engineering manager and the students are really the ones implementing the various technologies. I think it is also nice that the students are exposed to how things are done in industry, and that they can acquire real-world software engineering skills.”
“As of today, users will be able to set a global browser opt-out in browsers including Mozilla, Brave, and DuckDuckGo, as well as the DuckDuckGo privacy extensions for Chrome,” the WIRED article further explains. “The code necessary for businesses to respond to the privacy control is publicly available. Publishers who have signed on, most notably The New York Times and The Washington Post, have agreed to honor the signal.”
“For California residents, the global privacy control, if enforced by the attorney general, would have a very different effect than existing privacy controls such as third-party cookie blockers. Those settings have no power over what a website or app does with the data it collects directly from you. The global control, by contrast, would issue a legally binding order that, if violated, would be punishable by major fines.”
Indeed, briefly after its release, California Attorney General Xavier Becerra tweeted that “[t]his proposed standard is a first step towards a meaningful global privacy control that will make it simple and easy for consumers to exercise their privacy rights online. #DataPrivacy is the future, and I am heartened to see a wave of innovation in this space.” As Zimmeck told WIRED, “The time is right to do this,” adding that the American public cares much more about privacy than during the earlier DNT effort, and now there is finally law on their side. “I think it’s really important to not just theoretically talk about how this could work,” he said, “but also to actually do it.”