> <i>The GPC signal will be intended to communicate a Do Not Sell</i><p>So, there is no tracking opt-out like DNT had.<p>Do Not Sell is classic regulatory capture: It allows incumbent players to continue their current bad behavior, and directs revenue streams from smaller players (data brokers) to existing monopolies.<p>Also, this opt out won’t interfere with Mozilla’s recently acquired ad business, which uses user data to sell ad real estate (invading their privacy with obtrusive ads).<p>(Sorry for the awkward sentence, but they claim it is a privacy preserving technology that doesn’t gather or sell user data, and there’s no way to be doublespeak compliant without using tortured grammar.)
The article ignores that the DNT header already had some regulatory backing, as in court decisions saying it ought to be respected. <a href="https://www.datev-magazin.de/nachrichten-steuern-recht/recht/gericht-untersagt-datenschutzverstoesse-von-linkedin-110935" rel="nofollow">https://www.datev-magazin.de/nachrichten-steuern-recht/recht...</a> references such a decision against LinkedIn.<p>Instead of using that, this new proposal seems to be exactly the same thing, just with more work for website hosters (having to add nonsensical files to /well_known/) and claims that this time, the regulatory backing will be good enough. Bullshit. They could have just tried to enforce the DNT header now, with the new regulations and the old case law. Instead they ripped it out of Firefox.
I was pleasantly surprised to learn that my state passed a law requiring businesses that serve 50k or more residents here respect this setting and opt me out of tracking by default.
Do I understand correctly that this means that the browser will have to make yet another useless request to domains or websites to know the GPC status, in addition to the request required to retrieve the resources? In addition to the OPTION requests that already have to be done?
> The main problem with DNT was the lack of legal and regulatory backing it received. Website owners could decide if they'd observe the DNT signal and there were no legal repercussions if they chose not to. This is where GPC is different.<p>This sounds like an attempt to regulate the entire internet.
For a while now I have been adding a "sec-gpc: 1" header in the forward proxy (client/browser agnostic). Thus, at least one person is using it.
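Added example, not part of any comment in this thread: server-side handling of the `sec-gpc: 1` header mentioned above, which arrives on the ordinary request, together with the body of the `/.well-known/gpc.json` file a site publishes to declare support. The function names, the destination list and the opt-in policy are assumptions made for illustration; `gpc` and `lastUpdate` are the member names used by the GPC proposal.

```javascript
// Constructed example; every function and field name here is hypothetical.

// Header names are case-insensitive. The GPC proposal defines one valid
// value, "1"; any other value is treated as no preference expressed.
function gpcEnabled(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() !== 'sec-gpc') continue;
    const v = Array.isArray(value) ? value.join(',') : String(value);
    return v.trim() === '1';
  }
  return false;
}

// Assumed policy: with GPC set, destinations of kind "sale" (sale or
// sharing of personal data) are dropped unless the user explicitly opted
// in to that destination; "service" processors are unaffected.
function allowedDestinations(headers, destinations, optIns = new Set()) {
  const gpc = gpcEnabled(headers);
  return destinations
    .filter((d) => d.kind !== 'sale' || !gpc || optIns.has(d.name))
    .map((d) => d.name);
}

// Body a site serves at /.well-known/gpc.json to state that it honours GPC.
function gpcSupportResource(lastUpdate) {
  return JSON.stringify({ gpc: true, lastUpdate });
}

// Constructed sample data.
const destinations = [
  { name: 'mail-provider', kind: 'service' },
  { name: 'ad-exchange', kind: 'sale' },
  { name: 'data-broker', kind: 'sale' },
];
const viaProxy = { Host: 'shop.example', 'sec-gpc': '1' };
const noSignal = { Host: 'shop.example' };

console.log(allowedDestinations(viaProxy, destinations));
console.log(allowedDestinations(viaProxy, destinations, new Set(['ad-exchange'])));
console.log(allowedDestinations(noSignal, destinations));
console.log(gpcSupportResource('2024-01-01'));
```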
I'm an absolute outsider to this, I use Edge and would use Chrome if need be.<p>It seems to me like Mozilla appeals to paranoid users who don't pay for software and also don't want to see ads, and in exchange insane demands and revolt are placed upon them.<p>One thing you learn when providing services is that the demands don't ever stop. The more you provide for free, the more demands you get.<p>Would not want to be in this space, let's normalize paying for software, then you wouldn't need to worry about alternative monetization schemes.
I don’t think this article does a good job of explaining what this achieves.<p>> Web users want to have more autonomy over their data. They want to know who has it, where it's going and why, and they want to be able to consent to how their data moves between parties.<p>> It's up to the developer/business to decide how to treat the signal, for example, removing the user's details from third-party tracking or marketing, following a similar procedure as to when users opt out of sharing data for marketing purposes. If in CCPA jurisdiction, the signal must be observed to avoid legal repercussions.<p>Okay, so assuming a user has this enabled in their browser settings, and they register on a website. They tick the box that says <i>“Add me to your mailing list”</i>.<p>Common sense would indicate that ticking of the box overrides the browser setting. So I can share their details with my mail service provider. So by default opt-out and asking for their permission to opt-in is compatible with this setting, right?<p>Except now apply that logic to the mess of <i>“we respect your privacy, click here to allow sharing your data with our eleventy bajillion trusted partners”</i> popups on so many websites. So, again, by default opt-out and asking for their permission to opt-in. So this setting does absolutely nothing to stem that tide? What’s the point of it then?<p>Also, how does this tell the user <i>“who has it, where it's going and why”</i>? All I see is a boolean flag.<p>> At the time of writing, the Attorney General for California has recommended observation of GPC to comply with CCPA. There are also intentions to work with the European Union's GDPR<p>By default opt-out and asking for their permission is already required by the GDPR, so what is being worked on here exactly?
This article is intentionally misleading:<p><i>The main problem with DNT was the lack of legal and regulatory backing it received. Website owners could decide if they'd observe the DNT signal and there were no legal repercussions if they chose not to. This is where GPC is different.</i><p>....<p><i>What to do when receiving a GPC signal<p>It's up to the developer/business to decide how to treat the signal, for example, removing the user's details from third-party tracking or marketing, following a similar procedure as to when users opt out of sharing data for marketing purposes. If in CCPA jurisdiction, the signal must be observed to avoid legal repercussions.</i><p>So what's the difference? Without regulations, which is the real issue here, all this is meaningless just like DNT was. The system is solely based on trusting the site to comply. CCPA only applies in Europe. None of this would apply to users in the US but the article disingenuously implies it would:<p><i>At the time of writing, the Attorney General for California has recommended observation of GPC to comply with CCPA</i><p>That is not legally binding in any way. This is just DNT with extra steps being sold as something it's not. I fail to see how this will benefit the user while making it harder for users to block trackers and advertisers. A site can't prevent you from blocking its cookies because cookies are stored locally through the context of the browser. Sites can't prevent users from blocking, deleting or modifying cookies.<p>But GPC signals are sent via HTTP headers. Sites could prevent users from accessing the site by detecting if GPC is disabled by the user in the browser just by checking the HTTP headers, forcing users into sharing information with the site to be allowed to access the site.
these web frameworks for privacy always give me a chuckle. DnT didn't work, why would this?<p>Advertising is an economy worth more than 7.4 trillion USD. it has evaded <i>most</i> attempts to regulate or restrict it in any meaningful sense in the 21st century. the GDPR serving as a bureaucratic organ to which advertisers must subscribe, or quietly ignore with all but the most modest and encumbered window dressings for the illusion of choice by the user.<p>you cannot restrict, limit, control, or meaningfully impact a 7.4 trillion dollar economy with a voluntary framework. this market rivals the GDP of many developed nations. it will simply spend its way out of any legal problem. there exists no fine that can tame it.<p>The only thing you can reasonably do in the face of something that evades even governments themselves, is to ship a built-in version of uBlock and noscript, and a blacklist of advertising provider DNS, that is enabled by default for the user. make cookies whitelist-only, and make counter-fingerprinting technology default.<p>you must do things that cause, as an organism, marketing and advertising agencies to recoil in terror. DoH is a good example, which rallied nearly every telecom provider in the US to lobby the federal government until Mozilla and others acquiesced to letting them join the club.