Mozilla rolls out GPC for all Firefox users, but enforcement limited to two states

While all Firefox users will have access to Mozilla's implementation of Global Privacy Control, only users in California and Colorado can hope for enforcement.
Written by Jonathan Greig, Contributor

Mozilla has expanded its implementation of Global Privacy Control (GPC) to all users after rolling it out on a limited basis in October. 

The feature -- which tells websites not to sell or share your personal data -- was only available in Firefox Nightly, their pre-release channel. But as of this week, GPC will be available for all Firefox users to turn on if they wish to. 

Unfortunately for most US users, this feature may not have much effect. The GPC is required under the California Consumer Protection Act (CCPA) and Europe's Global Data Protection Regulation (GDPR), as well as Colorado's privacy law, but no other states have laws that will enforce it.

Even California and Colorado have faced backlash for loopholes in their laws that make it difficult actually to enforce the feature. 

Mozilla told ZDNet that GPC complements technical anti-tracking features integrated into Firefox, like Enhanced Tracking Protection and Total Cookie Protection. 

"By sending a signal to the websites that people visit, telling them that the person does not want to be tracked and does not want their data to be sold, it helps address the tracking conducted by websites through first-party cookies," Mozilla said in a statement. 

"We think it can play an integral role in making a right to opt-out meaningful and easy to use for consumers. GPC is getting traction both in California and in Colorado. Now that we expect websites to start honoring GPC, we want to start providing this option to Firefox users. Yet, the rules around the enforceability of GPC under the CCPA remain ambiguous and leave space for businesses to ignore the signal sent by the browser on behalf of consumers." 

The company noted that last month, they shared feedback with the California Privacy Protection Agency, encouraging the California AG and other privacy agencies globally to require businesses to comply with GPC expressly.

Jennifer Hodges, Mozilla's head of US public policy, said the GPC signal is sent by Firefox to websites regardless of the user's state. 

"However, the GPC may not be enforceable in jurisdictions without privacy legislation that includes do not sell provisions which allow for the GPC signal to act as a universal opt-out," Hodges explained.

"For someone in a state that does not have a privacy law, The GPC may not be enforceable. California and Colorado are two states that have GPC-like provisions at the moment."

Hodges said history has shown that most businesses will not comply with consumer opt-out signals sent through browsers without a clear legal mandate. 

"This vacuum is the same reason that Do Not Track ("DNT") failed to gain adoption. It was eventually removed by all major browsers because it created a false sense of consumer protection that could not be enforced," Hodges added.  

"The 2023 Colorado Privacy Law has taken this step, and the addition of California would pave the path for other global privacy regulators to similarly update their laws. In addition, we think that enforcement authorities should also expect businesses to interpret the GPC as governing both the direct sale of consumer's information as well as the sharing of consumers' information for programmatic advertising targeting purposes. Regulators, consistent with the intent of CCPA and CPRA, must step in to give tools like the GPC enforcement teeth and to ensure consumers' choices are honored."

Privacy expert Eli Grey, a security engineer for Transcend, disputed that assessment of DNT, telling ZDNet that not only is DNT still in Firefox, it's still in all major browsers except Safari.

"You can test if your browser supports DNT by typing this in a Javascript devtools console: 'doNotTrack' in navigator," Grey said. 

"While more enforceable, GPC is a much weaker signal than DNT. GPC implies a request to opt-out of the sale of personal information. DNT implies a request to opt-out of all unessential tracking. Transcend Consent auto-opts-out more tracking purposes when you have DNT enabled vs GPC."

Editorial standards