California’s privacy law says businesses must respect universal opt-outs. Now the technology finally exists to put that to the test.
By Gilad Edelman
WHAT DO YOU call a privacy law that only works if users individually opt out of every site or app they want to stop sharing their data? A piece of paper.
Or you could call it the California Consumer Privacy Act. In theory, the law gives California residents the right to opt out of any business selling their data. In practice, it hasn’t seen much use. Most people don’t go to the trouble of opting out of every website, one at a time...
Change could be coming, however. The CCPA includes a mechanism for solving the one-by-one problem. The regulations interpreting the law specify that businesses must respect a “global privacy control” sent by a browser or device. The idea is that instead of having to change privacy settings every time you visit a new site or use a new app, you could set your preference once, on your phone or in a browser extension, and be done with it.
When the attorney general issued those regulations, the technology for a global opt-out didn’t exist. As of today, it does...
“This would provide a key component that’s called for in the California law, which is a simple way for consumers to invoke their right without having to go to each website and find the button,” said Ashkan Soltani, a privacy researcher who helped lead the effort. Soltani has spent as much time as anyone in the trenches of privacy controls. A decade ago, as a technologist at the Federal Trade Commission, he worked to develop the Do Not Track web standard, which was supposed to establish a universal opt-out. That effort was ultimately doomed, however, because companies were under no legal obligation to honor Do Not Track requests, and most chose not to.
Ashkan Soltani is a MIMS alumnus (2009), and an independent researcher and technologist specializing in privacy, security, and behavioral economics.