Consumer Reports’ Digital Lab recently announced the Data Rights Protocol (DRP), a cross-sector initiative that seeks to standardize data rights requests with a common protocol. This draft standard streamlines and formalizes the components of a data rights request and is a missing piece of the privacy stack; such a protocol would allow for more consistency and efficiency for both consumers submitting requests and businesses processing them.
Discussions of the data rights protocol in the privacy community frequently turn to the question: How does DRP relate to Global Privacy Control (GPC)? Are they the same thing; are they different? This post addresses the complementary relationship between DRP and GPC, outlines the major similarities and differences, and details why these technologies are essential for helping consumers exercise their data rights under the law.
Two solutions to a big problem
The advent of new state privacy laws, notably in California, Virginia, and Colorado, is a victory for consumers in principle. But in practice these rights are hard for consumers to use and for businesses to honor. Submitting and handling rights requests tends to be a manual process – and, at that, a frustrating, time-consuming, and costly one – for both businesses and consumers.
GPC is a solution for consumers first and foremost. It presents an opportunity for privacy-minded publishers as well as browser and extension vendors to implement privacy-respecting consumer technology. At this point, GPC is available as part of several browsers, extensions, and websites. Under the California Consumer Privacy Act (CCPA) it communicates consumers’ preferences for whether businesses are allowed to sell their personal data.
DRP is a solution for businesses and, in turn, for consumers sending requests to businesses. It is a solution for exchanging data rights requests in a standardized format. Data rights requests touch four parties: (1) consumers, (2) businesses that make consumer privacy software, (3) businesses that receive requests from consumers, and (4) businesses that make enterprise software to help businesses comply with privacy laws. DRP must conform to the needs of all four of these parties. It does so by providing standardized API endpoints so that data rights requests can always have the same format and be sent and received consistently.
DRP is needed in addition to GPC because GPC is focused on website privacy. Businesses also collect or use consumer data in other important use cases, and consumers need solutions to manage their data with the businesses involved in those as well. DRP works “beneath the surface” of what a consumer can see by specifying an interface for businesses to talk to each other as they work to process consumers’ data rights requests.
Similarities between GPC and DRP
Both GPC and DRP are technologies that automate the expression and processing of privacy rights starting with the specific rights of the CCPA. They can be used independently by consumers and implemented independently by businesses. For example, consumers can use either DRP or GPC to opt out of the sale of personal information per the CCPA. Businesses, i.e., organizations required to comply with the CCPA, must support GPC on their websites. They can also choose to implement DRP to ease the privacy rights process for consumers and their business. For example, Consumer Reports has committed to implement both GPC and DRP.
GPC and DRP are also similar in their strategic approaches; the organizations behind GPC and DRP have embraced similar coalition-building and adoption strategies to get their respective technologies to market. Both organizations have leveraged a consortium model by recruiting partners from industry and asking them to commit to implementing the technologies in production. Both technologies are being developed as open standards. By kickstarting adoption with an initial group of implementers and seeking regular input from a broad community, both GPC and DRP have developed in line with the feedback of diverse stakeholders. This multi-stakeholder process makes the solutions more viable and more likely to succeed compared to just putting out a draft standard or individual implementation.
Differences between GPC and DRP
Despite their similarities, GPC and DRP are two fundamentally different, albeit complementary, solutions. While both liaise between consumers and businesses, GPC is primarily consumer-facing and DRP is primarily business-facing. They are different technologies: GPC is a browser signal and DRP is a set of API endpoints. As a browser signal, GPC aims to avoid an increase in browser fingerprinting surface, which could be misused for tracking, by just adding one bit of information: GPC is either on or off. DRP can be much more expressive as it connects non-consumer-facing endpoints.
In essence, GPC is an on/off switch to exercise Do Not Sell and similar rights. However, the GPC draft standard itself does not prescribe what it means to receive a GPC signal. Specifying such meaning is deliberately left to legislators and regulators and can differ by jurisdiction. For example, the California Attorney General interprets a GPC signal as a Do Not Sell request. Other jurisdictions may interpret GPC differently. GPC is rights-agnostic. On the other hand, DRP is rights-specific. Its draft standard explicitly provides fields for encodings of specific rights, notably, for the CCPA’s Do Not Sell, Access, and Deletion rights. As these rights are spelled out, DRP communications have the same meaning as the laws they refer to.
Adoption of DRP is voluntary, while GPC adoption is mandatory for many California businesses. Like GPC, DRP is starting with the CCPA in California, but aims to broaden over time and enable users to exercise rights provided under a slew of privacy laws and regulations, including GDPR and others.
| |GPC|DRP|
|---|---|---|
|Approach|Primarily consumer-facing|Primarily business-facing|
|Technology|Browser signal|API endpoints|
|Expressiveness|1 bit|> 1 bit|
|Technologies currently covered|Web|Internet (Web, mobile apps, IoT, …)|
|Rights currently covered|Do Not Sell, Do Not Share*|Do Not Sell, Do Not Share*, Access, Deletion|
|Legal scope|Determined by legislators and regulators|CCPA currently, GDPR and others planned|
|Legal status|Mandatory in California and optional in other jurisdictions|Optional|
* Once the California Privacy Rights Act (CPRA) becomes operational.
Two different working groups develop GPC and DRP. These organizations follow their own release timelines and operate completely independently. The fact that they are not dependent on one another allows for continuous development on each technology without risking that one is blocking the other.
GPC and DRP are complementary in that they can be used in tandem in service of privacy rights. GPC only applies to online cases, whereas DRP covers offline cases as well. There may be situations where Do Not Sell requests will not be sent directly via GPC because the consumer has not interacted with the business on the web but instead offline or on IoT devices; DRP plays a crucial role in these scenarios. For example, a retailer may have collected data from a consumer in a physical retail store and passed it on to a data broker. Thanks to DRP, the consumer can request that the data broker not share or sell the data obtained, and can also use DRP to send Access and Deletion requests to the data broker as desired.
To the extent that websites are respecting consumers’ GPC preferences, there is generally no need for the consumer to exercise Access or Deletion rights via DRP. However, DRP can help consumers exercise their Access and Deletion rights when necessary.
Finally, down the road DRP may prove a useful tool in the enforcement of GPC. For example, a California consumer who submitted an order on a web form with GPC turned on and later submits a data Access request via DRP uncovering the data they entered in the form would have proof that the business was not honoring GPC. The consumer now has an easy way to report this potential CCPA violation of GPC to California regulators thanks to DRP.
The future of privacy rights
In the coming months and years we anticipate more legislative and regulatory activity — both stateside and internationally — defining privacy rights on the internet. A more private internet is a safer internet. However, law on its own does not guarantee digital privacy.
Code makes law real. Usable privacy rights implementations are essential if users want to actually, effectively claim their privacy. This is the job of DRP and GPC. With the parallel strategy of implementing and standardizing privacy rights into usable technologies, these technologies offer the promise of bringing the law to life.
The author thanks Ginny Fahs, Dazza Greenwood, Don Marti, Boaz Sender, Maggie Oates, Ryan Rix, and Justin Brookman for comments on the draft of this blog post.