Privacy advocates have longed for a do not track system that is universally enforceable and legally binding for at least ten years. That dream is now a reality, at least in the US's most populous state. Why is Apple not a company that uses privacy as a selling point, helping its customers to take advantage of it?
California's 2018 California Consumer Privacy Act (CCPA), was marked with a large asterisk. The CCPA allows California residents to request that websites not sell their personal information. However, this means that you will have to go through a multitude of cookie notices and privacy policies on every website you visit. Only a paranoid privacy enthusiast or a masochist would bother to click through the cookie settings each time they look up a menu item or buy a vacuum. Privacy will be a fundamental right for most people until there is an easy way to opt-out of all tracking across the entire Internet.
This ideal is getting closer and closer to becoming a reality. Although the CCPA does not explicitly provide for a global opt out, regulations interpreting it issued in 2020 by the California attorney General stated that businesses would need to comply with one just like they do individual requests. Although the technology to enable universal opt-out was not yet available, a group of publishers, nonprofits and companies released a technical specification last fall for a global privacy control that could send a CCPA-enforceable, do not track signal to any device or browser.
If you are a California resident, you can now enable global privacy control using a privacy browser such as Brave, or by downloading a privacy extension like DuckDuckGo, or Privacy Badger in any browser you currently use. (Seriously, go do it. You can see the full list here. You will automatically tell websites you visit, "Do not sell my personal data" without needing to click anything. Unlike previous attempts to create an universal opt-out, all companies that do business in California are legally required to comply. This requires only a few lines of code.
Because of some business objections to the broad interpretation of CCPA law by the attorney general, the state of CCPA enforcement is still murky. California's government has made it clear that they intend to enforce the global privacy controls requirement. This requirement is made more explicit by the California Privacy Rights Act (which was passed in recent years and will take effect in 2023).
Digiday reported in mid-July that Attorney General Rob Bontas had sent at most 10 and possibly 20 letters to companies calling on them to honor GPC. Also, an item was found on a list of CCPA enforcement action on the attorney generals website indicating that a company had been forced into honoring the signal.
The bad news is here. Although it is easier to install a privacy browser or extension than to go through a million privacy pages manually, most people will not do this. It remains to be seen if DuckDuckGo will encourage a new generation of privacy connoisseurs by putting billboards on American highways and in cities.
This is important because online privacy rights are not individual but collective. Pervasive tracking can not only allow someone to view your personal location data and use it for their own purposes, as was the case with a Catholic priest who commercially available Grindr data showed a pattern of gay bar visits. Even if your opt out, you still live in a surveillance world. Advertising that is tracked-based contributes to the decline in quality publications, as it reduces the value advertisers pay to reach their audience. It is cheaper to reach these readers via social media, or on extremist news sites. This boosts the motivation to maximize social media engagement. All of this will continue until a significant number of people decide to stop being tracked.
It is why the one company that does not support global privacy control is so noticeable. Apple reaffirmed its reputation for privacy in the first quarter of this year with App Tracking Transparency. This setting flips the privacy default on iOS devices and requires apps to obtain permission from users before sharing their data. This is a significant step forward in privacy as the difference between being opted-out by default and opted-in is huge. Early reports indicate that many iPhone users are refusing to allow apps to track their data.
Apple has yet to integrate the global privacy control into Safari. Safari is the most used mobile browser in the US, and second-most popular desktop browser. It has not integrated it into iOS, which is responsible for over half the US mobile operating systems market. It is not doing enough to protect the data of tens of thousands of users. App Tracking Transparency is an important framework, but it depends on Apple catching developers who break the policy. Safari's tracking-prevention feature relies on technical approaches to block cookies and other trackers, which can often be bypassed.
Companies have been finding ways to bypass technical privacy protections for years. It's basically an arms race according to Ashkan Soltani (a privacy researcher who helped create the global privacy control). It is not enough to have technical tools. It is not enough to use technical tools. It is not just violating the terms of service, or evading certain codeits. Businesses could face severe penalties or fines if they ignore it.
However, the feature has not been implemented in the major browsers, preventing widespread adoption. Google is the only browser to not have it in Chrome or Android. Google is the world's largest surveillance advertising company and isn't known for its concern about privacy. Google declined to comment on this story. Mozilla spokeswoman said that the company was looking into global privacy controls and is actively considering the next steps in Firefox. She also stated that Apple has not yet joined the party, or whether it will in the near future. Multiple requests for comment were not answered by the company over the past week.
Apple has used App Store policies and software design in the past to protect users. This was in response to the absence of comprehensive privacy legislation. California, and all other states following its lead, will now require businesses to comply with the global privacy control beginning in 2024. The private sector will not be able to reap the full benefits of the technology until then. Even if Apple, a privacy-centric company, isn't interested, it could take longer than you think.
This story first appeared on wired.com