A Universal Opt-out (& Opt-in) Mechanism.

A Universal Opt-out (& Opt-in) Mechanism.

Recently US states such as California and Colorado have introduced laws demanding websites respect browser opt-out signals, or “universal opt-out mechanisms” indicating that consumers do not want their personal data used commercially or more generally do not want to tracked across websites and services. 

Existing examples of such browser based mechanisms include the opt-out mode (DNT:1) of the Tracking Preference Expression (DNT), and the recently proposed Global Privacy Control 

Of the 2, Tracking Preference Expression (DNT) is the strongest contender because

  • it is supported by all the major browsers (other than Safari)
  • it is still by far the most utilised, even now over 5% of visitors to European consumer brand sites have DNT:1 set in their browser, more than 10 times the number with GPC set (and most of those have DNT:1 set as well).
  • it was painstakinglly developed over many years by a properly chartered W3C Working Group with wide-ranging industry and civil-society membership and, very importantly,
  • incorporates the European legal requirement laid down in 2009 (Recital 66 of Directive 2009/136/EC) for both an opt-in (DNT:0) and an opt-out (DNT:1)

On the other hand, GPC, while formulated with US laws in mind, is specifically designed to have no relevance in Europe because it cannot be used to either signal consent, or the right-to-object to processing.

"Note that this request is not meant to withdraw a person's consent to local storage as per the ePrivacy Directive ... nor is it intended to object to direct marketing under legitimate interest"

It will be interesting to see how Apple responds to the raised importance of opt-out mechanisms. Do they implement a new signal, or reverse their decision to remove the ability to set DNT:1 in Safari? The reason Apple gave at the time (2018), to minimise finger-printing, was specious - a single bit of entropy does not realistically enable finger-printing. Cookies, other browser storage & IP addresses already provide easily enough entropy to uniquely identify every human on the planet, 1 extra bit makes no difference. 

If Safari implements another signal, such as GPC, how will the reintroduction of the 1 bit of entropy be explained? Why does Apple consider that a recent US legal requirement in a handful of states trumps a privacy law that has been established across Europe for 14 years?

After the European legislators' failure to finalise the ePrivacy Regulation (which included a duty on browser providers to implement consent signals), the big-tech dominated membership of the W3C voted in 2018 to close down the Tracking Protection Working Group, so that the DNT specification, though effictively completed several years previously, could not be promoted to a full W3C Recommendation.

Some would say that these companies initially embraced DNT as a "default opted-in" alternative to European privacy and data protection law, but backed away when they realised an easy-to-use setting would be too popular. If DNT was easy to set then the situation would be little better for them than an opt-in mode.

Of course, there is room for improvement in the DNT specification, which was little changed from the 2014 concensus agreement. Many pointless elaborations, such as most of the response header values,  were added in a doomed attempt to keep the surveillance marketers on board, and these can be ditched. The Javascript consent API also needs updating to take into account its asynchronous nature, and importantly a browser-only viewable audit trail should be added so users can easily see a detailed description of what they have agreed to and when.

Even so, DNT remains the most widely recognised, available and utilised of the existing browser based opt-out signals, has recently been recognised as a valid indication of the right-to-object, and could become the basis of an internationally accepted Universal Opt-in & Opt-out Mechanism.

Check out our other blog posts