Mozilla rolls out GPC for all Firefox users, but enforcement limited to two states
Mozilla has expanded its implementation of Global Privacy Control (GPC) to all users after rolling it out on a limited basis in October.
The feature – which tells websites not to sell or share your personal data – was only available in Firefox Nightly, their pre-release channel. But as of this week, GPC will be available for all Firefox users to turn on if they wish to.
Unfortunately for most US users, this feature may not have much effect. The GPC is required under the California Consumer Protection Act (CCPA) and Europe’s Global Data Protection Regulation (GDPR) as well as Colorado’s privacy law, but no other states have laws that will enforce it.
Even California and Colorado have faced backlash for loopholes in their laws that make it difficult to actually enforce the feature.
Mozilla told ZDNet that GPC complements technical anti-tracking features integrated into Firefox, like Enhanced Tracking Protection and Total Cookie Protection.
“By sending a signal to the websites that people visit, telling them that the person does not want to be tracked and does not want their data to be sold, it helps address the tracking conducted by websites through first-party cookies,” Mozilla said in a statement.
“We think it can play an integral role in making a right to opt-out meaningful and easy to use for consumers. GPC is getting traction both in California and in Colorado. Now that we expect websites to start honoring GPC, we want to start providing this option to Firefox users. Yet, the rules around the enforceability of GPC under the CCPA remain ambiguous and leave space for businesses to ignore the signal sent by the browser on behalf of consumers.”
The company noted that last month, they shared feedback with the California Privacy Protection Agency, encouraging the California AG and other privacy agencies globally to expressly require businesses to comply with GPC.
Jennifer Hodges, Mozilla’s head of US public policy, said the GPC signal is sent by Firefox to websites regardless of the state the user is in.
“However, the GPC may not be enforceable in jurisdictions without privacy legislation that include do not sell provisions which allow for the GPC signal to act as a universal opt-out,” Hodges explained.
“For someone in a state that does not have a privacy law, The GPC may not be enforceable. California and Colorado are two states that have GPC-like provisions at the moment.”
Hodges said history has shown that without a clear legal mandate, most businesses will not comply with consumer opt-out signals sent through browsers.
“This vacuum is the same reason that Do Not Track (“DNT”) failed to gain adoption. It was eventually removed by all major browsers because it created a false sense of consumer protection that could not be enforced,” Hodges added.
“The 2023 Colorado Privacy Law has taken this step, and the addition of California would pave the path for other global privacy regulators to similarly update their laws. In addition, we think that enforcement authorities should also expect businesses to interpret the GPC as governing both the direct sale of consumer’s information as well as the sharing of consumers’ information for programmatic advertising targeting purposes. Regulators, consistent with the intent of CCPA and CPRA, must step in to give tools like the GPC enforcement teeth and to ensure consumers’ choices are honored.”