The legal and policy community continues to debate the impact of General Data Protection Regulation (GDPR), the ins and outs of the California Consumer Privacy Act (CCPA), and how (or whether) Washington should regulate consumer privacy. While the debate rages on, we are seeing a stream of consumer-focused privacy-oriented product rollouts. It is interesting to look at what these controls actually do and how they might inform the policy debate.
In a concession to consumer privacy, Google recently announced that it would allow consumers to block companies from tracking them across the web when they are using Chrome. Specifically, they will differentiate between 1st party and 3rd party cookies. As such, they will allow consumers to delete 3rd party cookies while preserving the 1st party cookie, which, for example, allows a website to remember a consumer’s log-in information. In addition, Google will soon roll out features to prevent companies from identifying consumers via device fingerprinting, another method used to track consumers across the web.
Let’s be clear, Google is late to the privacy game given the long history of privacy protections offered by Apple and Mozilla. Apple has famously blocked 3rd party cookies by default in Safari and recently introduced Intelligent Tracking Prevention (ITP), restricting the ability of companies to access cookies when a consumer is not interacting with that company.
Services that care for consumers
When a consumer visits YouTube on Safari, Google can access the cookies they have set on their browser. However, as soon as the consumer navigates to another website, Google can no longer access those cookies. ITP essentially breaks the ability to track consumers around the web. Apple has also worked to block loopholes where cookies, set by companies like Google and Facebook, pretend to be 1st party but are then used for tracking and secondary use. Unfortunately, it is hard to muster much confidence that Google will be anywhere as diligent as Apple in closing loopholes, given its business model is built on its ability to expertly track consumers.
Mozilla, on the other hand, offers multiple ways for consumers to block third party tracking in Firefox. Mozilla is also considering rolling out a “Super Private Browsing” mode, which would incorporate Tor privacy features into Firefox.
Beyond the most commonly used browsers, a whole suite of new services have popped up. Duck Duck Go, a search engine, and Brave, a browser, offer strong privacy controls as their primary value proposition. As we’ve noted for several years now, more and more consumers are turning to ad blockers to protect themselves and/or improve their web experience. Forcing these massive platforms to once again compete on privacy will be good for everyone, particularly consumers. The question, of course, is whether some of these companies are simply too big to change at this point.
Policy implications
Back to my original question: What can policymakers learn from these new consumer privacy controls?
For starters, consumers increasingly demand more and stronger protections of their data and digital lives or the market wouldn’t be headed that direction. You can reasonably debate whether Google’s recent announcement went far enough. But the fact that a multi-billion-dollar company like Google did anything at all speaks volumes.
It’s also worth pointing out that all of these new controls, which curtail the ability of companies to collect consumer data at scale, are not actually breaking the internet despite the frequent claims of ad tech lobbyists. In fact, given this push to meet consumer demand for greater privacy controls, it’s funny and a little sad to look back at the hysteria from some of these lobbyists.
Meeting consumer demand
The big takeaway is how these companies and their engineers are designing services and features to meet consumer expectations for privacy. This new wave of privacy controls gives consumers the ability to stop companies from tracking them across the web. Yet, these services preserve the ability for websites and apps to collect and use consumer data when the consumer is interacting directly with that company.
This approach makes sense. Consumers share their data so that companies can use it to provide a service or content. In this fair value exchange, the consumer can choose to engage or not. Consumers do not expect companies to track them outside of that fair value exchange and doing so is simply bad business.
It isn’t a question of whether consumers want their privacy protected, these market moves demonstrate the demand and inevitability. And, as policymakers consider how best to craft consumer privacy protections, it’s worth noting how today’s best engineers have attempted to meet consumer demand and expectations for privacy.