Just noticed that Brave on iOS/iPadOS recently added an “Enable GPC” toggle to Brave Shield settings (and it’s default on).
3 Likes
Brave has enabled GPC by default since late 2020 Source
The great thing about GPC, unlike DNT apparently, is that vendors can enable it by default, “on the assumption that users choose this browser for privacy”.
1 Like
Yeah, the combination of it being legally enforceable in some jurisdictions, and the fact that it is valid for ‘privacy-by-design’ software/services to enable GPC by default (at least in the largest jurisdiction to recognize GPC so far), makes me quite hopeful about the GPC.
In the case of California, the attorney general’s interpretation appears to be:
“The consumer exercises their choice by affirmatively choosing the privacy control […] including when utilizing privacy-by-design products or services”
California’s law is what led to the creation of the GPC, and seems to be the legislation other states are using as a rough template for their own.
The GPC FAQ gives a bit broader and more nuanced/conditional explanation:
The GPC preference expression should accurately reflect the users’ privacy preferences. The threshold for obtaining user consent differs between jurisdictions. GPC strives to honor those differences while still providing users with choice about how businesses use their data. In some jurisdictions, the presence of GPC in a nuanced/conditional user’s browser may constitute an adequate signal to not sell their data, while regulations in another jurisdiction may require the user’s explicit consent in order to send a GPC signal.
What constitutes a deliberate choice may differ between regional regulations. For example, regulations in one jurisdiction may consider the use of a privacy-focused browser to imply a GPC preference, such as under the CCPA Final Statement of Reasons - Appendix E #73 (“The consumer exercises their choice by affirmatively choosing the privacy control […] including when utilizing privacy-by-design products or services”), while regulations in another jurisdiction may require explicit consent from the user to send a GPC signal.
1 Like
I’d be in favor of recommending it be turned on in our browser guides. As was mentioned, it’s already enabled by default in some browsers anyway. Also it seems that it’s meant to replace those godawful “Opt Out” things a lot of websites have which is a great thing in my book.
Maybe we should ask Thorin-Oakenpants about how this change affects fingerprint first.
https://github.com/arkenfox/user.js/issues/1542#issuecomment-2010994733
https://github.com/arkenfox/user.js/issues/1818#issuecomment-2012831106
Would love something similar to be codified into Canadian 
law. GPC in a legal sense seems to be far superior to DNT. Would also be nice to have Apple iOS / Safari integration.
Based on my search from using the OptMeowt extension. A lot of mainstream websites do not have a GPC policy. Though I don’t believe there’s any harm being done for sending out these GPC signals and browser fingerprinting concerns is out of the question since most people won’t be using the Mullvad and Tor Browsers anyway. Furthermore other browsers we already recommend on the website sends a GPC signal by default.
On the same logic that you don’t reside and "
you want to send a statement (or hope that websites treat you the same as they treat Californians)
I would suggest that even if you are fingerprintable, taking actions toward not being fingerprintable can send a message as well.
I don’t understand though why is it not on by default on Mozilla? What’s the downside for them for switching it for all users?
I don’t know what their exact thinking is, But my best guess is that they are being cautious and trying not to unintentionally undermine GPC by enabling it by default.
The creators of the GPC have been pretty clear that GPC is intended to convey a user’s explicit preference for privacy. For that reason, they’ve cautioned major browsers not enable GPC by default. If Major browsers were to enable GPCt by default, that could be used by opponents of GPC to try to undermine its credibility by arguing it is no longer an expression of user preference and is an expression of the browser makers preference.
The best middleground I can see for both (1) respecting the wish of the creators of GPC and not accidentally undermining it’s credibility, while also (2) promoting GPC and growing the crowd of users that have opted into it, is to chain it to ETP strict mode. Anyone who enables Enhanced Tracking Protection in strict mode is making a conscious and deliberate choice to protect their privacy, which would satisfy the ‘user choice’ criteria of the GPC, and since there are millions of users using ETP strict and/or PBM, that’d significantly grow the pool of users opted in to GPC. This would also be inline with their current approach of enabling it by default in private browsing mode (because a user choosing a private browsing window is an explicit preference for privacy.
Personally I feel that Firefox could probably enable it by default, with the justification that it is a privacy-promoting browser, so users making an explicit choice to use Firefox are expressing a preference for privacy. But that is a somewhat weaker argument considering that a good portion of Firefox’s userbase use it primarily for reasons other than privacy.
3 Likes
An easy fix would just be to ask about what the user wants when installing the browser.
Would you like to turn on GPC?
[Definition of GPC]
3 Likes
It’s still experimental:
Maybe we should wait until it’s rolled out more fully.
2 Likes
It’s really not, mdn might say it is but Mozilla had no such warning, back in 2023 Global Privacy Control Empowers Individuals to Limit Privacy-Invasive Tracking - Open Policy & Advocacy, when they moved it out of experimenting.
1 Like