For at least a decade, privacy advocates have dreamed of a universal, legally enforceable “do-not-track” attitude. Now, at least in the most populous state of the US, that dream has become a reality. So why isn’t Apple, a company that increasingly uses privacy as a selling point, not helping its customers take advantage of it?
When California passed the California Consumer Privacy Act (CCPA) in 2018, the law came with a big asterisk. In theory, the CCPA gives California residents the right to tell websites not to sell their personal information. In practice, exercising that right means clicking through a countless number of privacy policies and cookie notices one at a time on every site you visit. Only a masochist or die-hard privacy enthusiast would bother clicking through to the cookie settings every time they look up a menu or buy a vacuum cleaner. Privacy will remain a paper-only right for most people until there’s an easy one-click way to disable tracking across the web.
The good news is that this ideal is getting closer and closer to reality. While the CCPA doesn’t explicitly state a global opt-out, regulations interpreting the law enacted in 2020 by the California Attorney General specified that companies should honor one just as they do individual requests. Universal opt-out technology didn’t really exist yet, but last fall a coalition of businesses, nonprofits and publishers unveiled a technical specification for a global privacy control that could send a CCPA-enforceable “do not track” signal to browsers – or device level.
If you live in California today, you can enable global privacy control by using a privacy browser like Brave or downloading a privacy extension like DuckDuckGo or Privacy Badger, whichever browser you already use. (Seriously, go do it. The full list of options can be found here.) Once you do that, you’ll automatically tell the sites you visit, “Don’t sell my personal information” without having to click anything — and, unlike If you make a universal opt-out, any company of reasonable size doing business in California is required by law to comply, meaning you only need to add a few lines of code to their website.
The state of enforcement of the CCPA remains murky as some companies object to the Attorney General’s broad interpretation of the law. But the California government has begun to make it clear that it intends to enforce the global privacy control requirement. (The more recently passed California Privacy Rights Act, which goes into full effect in 2023, makes this requirement more explicit.)
In mid-July, Digiday reported that Attorney General Rob Bonta’s office had “sent at least 10 and possibly more than 20 corporate letters calling on them to honor the GPC.” And an entry appeared on a recent list of CCPA enforcement actions on the Attorney General’s website, noting that a company had been forced to honor the signal.
Now the bad news. While it’s a lot easier to install a privacy extension or browser than clicking through a million privacy pages, the vast majority of people are unlikely to do so. (It remains to be seen whether DuckDuckGo, which plasters American highways and cities with billboards, will inspire a new wave of privacy connoisseurs.)
This is quite important because online privacy rights are collective, not individual. The problem with ubiquitous tracking isn’t just that it can give someone access to your personal location data and use it to ruin your life, as happened recently with a Catholic priest whose commercially available Grindr data revealed a pattern of frequent gay bars. . Even if you personally opt out of tracking, you still live in a world shaped by surveillance. Tracking-based ads contribute to the decline in quality publishing by eating away at the premium advertisers pay to reach their audiences. Cheaper to find those readers on social media or even extremist bottom-feeding news sites. It drives the incentive to relentlessly maximize engagement on social media platforms. None of that will go away until a critical mass of people choose not to be followed across the board.
That’s why one absence from the list of companies that support global privacy control is so striking. Earlier this year, Apple polished up its already strong reputation for privacy by introducing App Tracking Transparency, an institution that reverses the privacy standard on iOS devices by forcing apps to obtain user consent before sharing their data. That’s a really big step forward for privacy, as the difference between being logged out and logged in by default is huge — and indeed, early reports suggest that most iPhone users are refusing to allow apps to track them.
But despite its outspoken (and heavily advertised) commitment to privacy, Apple has not included global privacy control in Safari, the most popular mobile browser in the US and the second most popular desktop browser. It also doesn’t have it built into iOS, which accounts for more than half of the US mobile operating system market. That means it doesn’t do as much as it could to protect tens of millions of users from selling and sharing their data. The transparency framework for app tracking is important, but it relies on Apple catching app developers violating the policy. Safari’s tracking prevention feature, meanwhile, relies on a technical approach to block cookies and other trackers that can often be bypassed.
“For years, companies have found ways to circumvent technical privacy protections. It’s basically an arms race,” said Ashkan Soltani, a privacy researcher who helped develop global privacy control. “Technical tools are not enough. You have to have the force of the law behind it.” That’s where global privacy control differs substantially from existing tracking prevention. If a company ignores it, it’s not just violating the terms of service or evading a code — it’s breaking the law and risking being beaten with hefty fines or penalties.
Until now, however, none of the biggest browsers have the feature built in, which prevents it from being widely used. This isn’t shocking in the case of Google, which hasn’t added it to Chrome or Android: the world’s largest surveillance advertising company isn’t exactly known for caring much about user privacy. (Google declined to comment on this story.) A Mozilla spokesperson said the company is “examining global privacy controls and actively considering next steps in Firefox.” It’s not clear why Apple hasn’t joined the party yet or plans to do so in the future. The company has not responded to multiple requests for comment in the past week.
In the past, Apple has used software design and App Store policies to protect users, stepping into the vacuum created by the lack of comprehensive privacy laws. Now, in California and all the other states that follow suit — Colorado, for example, will require companies to respect global privacy controls by 2024 — the law is finally ahead of the technology. The public will not see the full benefits until the private sector catches up. If even a privacy-focused company like Apple isn’t interested, the wait might be longer than you might think.
This story originally appeared on wired.com.