For at least a decade, privacy advocates dreamed of a universal, legally enforceable “Do not track” setting. Now, at least in the most populous state in the US, that dream has become a reality. So why isn’t Apple—a company that increasingly uses privacy as a selling point—helping its customers take advantage of it?
When California passed the California Consumer Privacy Act in 2018, it came with a large asterisk. In theory, the law gives California residents the right to tell websites not to sell their personal data. In practice, exercising that right means clicking through an interminable number of privacy policies and cookie notices, one by one, on every site you visit. Only a masochist or a die-hard privacy enthusiast would go to the trouble of clicking through to the cookie settings every time they’re looking up a menu or buying a vacuum. Privacy will remain, for most people, a right that exists only on paper until there’s a simple one-click way to opt out of tracking across the whole internet.
The good news is, that ideal is inching closer and closer to reality. While the CCPA doesn’t explicitly mention a global opt-out, the regulations interpreting the law issued by the California attorney general in 2020 specified that businesses would have to honor one just as they do individual requests. The technology for a universal opt-out didn’t actually exist yet, but last fall, a coalition of companies, nonprofits, and publishers unveiled a technical specification for a global privacy control that can send a CCPA-enforceable “Do not track” signal at the browser or device level.
Today, if you live in California, you can enable the global privacy control by using a privacy browser like Brave or downloading a privacy extension, like DuckDuckGo or Privacy Badger, in whatever browser you already use. (Seriously, go do it. The full list of options is here.) Once you do, you’ll automatically tell sites you visit “Do not sell my personal information” without having to click anything—and, unlike with previous efforts to create a universal opt-out, any decent-size company that does business in California will be legally obligated to comply, which requires adding just a few lines of code to their website.
The state of CCPA enforcement remains murky, because some businesses object to the attorney general’s broad interpretation of the law. But California’s government has begun making clear that it intends to enforce the global privacy control requirement. (The more recently passed California Privacy Rights Act, which goes into full effect in 2023, makes this requirement more explicit.)
In mid-July, Digiday reported that attorney general Rob Bonta’s office had “sent at least 10 and possibly more than 20 companies letters that call on them to honor the GPC.” And an item appeared on a recent list of CCPA enforcement actions on the attorney general’s website noting that a company had been forced to start honoring the signal.
Now, the bad news. While it’s a lot easier to install a privacy extension or browser than click through a million privacy pages, the vast majority of people are still unlikely to do so. (It remains to be seen whether DuckDuckGo papering America’s highways and cities with billboards will inspire a new wave of privacy connoisseurs.)
This matters quite a bit, because online privacy rights are collective, not individual. The trouble with pervasive tracking is not merely that it can allow someone to access your personal location data and use it to ruin your life, as recently happened to a Catholic priest whose commercially available Grindr data revealed a pattern of frequenting gay bars. Even if you personally opt out of tracking, you’re still living in a world shaped by surveillance. Tracking-based advertising contributes to the decline of quality publications by eating away at the premium that advertisers pay to reach their audiences. Cheaper to find those readers on social media or even on bottom-feeding extremist news sites. It turbocharges the incentive to relentlessly maximize engagement on social media platforms. None of that will go away until a critical mass of people opt out of being tracked across the board.
That’s why one absence from the list of companies supporting the global privacy control is so conspicuous. Apple burnished its already strong reputation on privacy earlier this year by introducing App Tracking Transparency, a setting that flips the privacy default on iOS devices by forcing apps to get a user’s permission before sharing their data. That is a genuinely big step forward for privacy, since the difference between being opted out by default and opted in is enormous—and indeed, early reports suggest that most iPhone users are declining to give apps permission to track them.
But Apple, despite its stated (and heavily advertised) commitment to privacy, has not incorporated the global privacy control into Safari, the most popular mobile browser in the US and the second-most-popular desktop browser. Nor has it built it into iOS, which accounts for more than half of the US mobile operating system market. That means it’s not doing as much as it could to protect tens of millions of users from having their data sold and shared. The App Tracking Transparency framework is important, but it relies on Apple catching app developers who violate the policy. Safari’s tracking-prevention feature, meanwhile, relies on a technical approach to blocking cookies and other trackers that can often be circumvented.
“For years, companies have found ways to circumvent technical privacy protections. It’s basically an arms race,” says Ashkan Soltani, a privacy researcher who helped develop the global privacy control. “Technical tools are not enough. You need to have the force of law behind it.” That’s where the global privacy control is crucially different from existing tracking prevention. If a business disregards it, it isn’t just violating terms of service or evading some code—it’s breaking the law and risks being slapped with major fines or penalties.
So far, however, none of the biggest browsers have incorporated the feature, keeping it from widespread adoption. This is not shocking in the case of Google, which hasn’t added it to Chrome or Android: The world’s biggest surveillance advertising company is not exactly known for caring much about user privacy. (Google declined to comment for this story.) A Mozilla spokesperson said the company is “looking into the global privacy control and actively considering next steps in Firefox.” It isn’t clear why Apple hasn’t yet joined the party or whether it plans to in the future. The company didn’t respond to multiple requests for comment over the past week.
In the past, Apple has used software design and App Store policies to protect users, stepping into the vacuum created by the lack of comprehensive privacy legislation. Now, in California and any other states that follow its lead—Colorado, for example, will require businesses to honor the global privacy control starting in 2024—the law has finally gotten ahead of the technology. The public won’t start seeing the full benefits until the private sector catches up. If even a privacy-centric company like Apple isn’t interested, though, the wait might be longer than you’d think.