• by Wendy Davis  @wendyndavis, December 13, 2021

The newest version of Mozilla's Firefox browser now includes the “Global Privacy Control” tool, which aims to enable consumers to opt out of the sale or transfer or their data on a universal basis, as opposed to opting out site-by-site.

The tool, which Firefox began testing in late October, sends a “do-not-sell” signal to all websites consumers visit -- but only if they affirmatively turn on the control.

The Global Privacy Control, developed by privacy advocates, was released last year as a downloadable extension, and a setting in some browsers. Mozilla was among the original supporters of the initiative, but didn't take steps to incorporate the feature into Firefox until recently.

California's current privacy law, the California Privacy Protection Act, requires companies to honor consumers' requests to refrain from selling their data, and the state's top law enforcement official says companies that collect residents' personal data must comply with opt-out requests sent through the Global Privacy Control.

But an update to that law, the California Privacy Rights Act (slated to take effect in 2023), contains seemingly contradictory language about universal privacy controls.

That measure contains some language suggesting companies need not honor opt-outs made through tools like the Global Privacy Control, provided the companies post prominent opt-out links on their own websites.

But another section of that law provides that consumers can authorize others to opt out on consumers' behalf -- and that authorized opt-outs can be made via universal mechanisms.

The California Privacy Protection Agency, which is tasked with implementing and enforcing the state privacy law, could issue regulations that would clarify companies' obligations when they encounter “do-not-sell” signals.

Mozilla recently urged that agency to expressly require web companies to respect the Global Privacy Control.

“Consumers cannot reasonably be expected to opt-out of the sale or sharing of their information individually from every party they interact with on the Internet,” Jenn Taylor Hodges, head of U.S. Public Policy for Mozilla, said in a letter to the state Privacy Protection Agency. “That is why a universal opt-out mechanism, set by the user, sent by the browser to all websites, and then enforced by the regulators, is so critical.”

Colorado also recently passed a privacy law that requires companies to honor people's requests to opt out of targeted advertising -- including requests that consumers make through browser settings or other global mechanisms.

Most provisions of the Colorado law will take effect in July 2023, but the requirement to honor global privacy controls won't take effect until the 2024.