A simple browser signal may have the power to reshape online privacy.
Most websites and apps are now collecting, processing, and swapping information about their users in the blink of an eye. Laws such as the California Consumer Privacy Act (CCPA) seek to address this by creating a new set of privacy rights regarding consumers’ personal data, but exercising those rights can be cumbersome in practice.
Enter Global Privacy Control (GPC), which allows website visitors to exercise some of their privacy rights automatically.
The idea behind GPC is simple: consumers enable an option in their web browser, and the browser then sends a signal to every site they visit indicating their privacy preference. Technically, that signal is the "Sec-GPC: 1" HTTP request header, which the browser attaches to every request and which page scripts can also read as the boolean navigator.globalPrivacyControl. If GPC is turned on and the site recognizes the signal, the visitor is automatically opted out of targeted advertising and anything that could be considered “selling” their personal information.
Global Privacy Control was developed in response to the passing of the CCPA, which contemplated the possibility of a universal opt-out signal. Though it is far from universally adopted, GPC is now available on Firefox and several other privacy-centric browsers, and is recognized by major publishers like the New York Times and the Washington Post.
Depending on which privacy laws apply to a particular business, it may be required to recognize the GPC signal as a valid request to opt out.
According to the latest regulations from the California Privacy Protection Agency, all businesses required to comply with the CCPA must treat “opt-out preference signals” as valid requests to opt out of the sale or sharing of personal information. (“Sharing” in this context means the disclosure of personal information for cross-context behavioral advertising.) While GPC is not specifically named in the regulations, it has been mentioned favorably on multiple occasions by the California Attorney General and is almost certain to be considered an opt-out preference signal.
Businesses that fully process opt-outs via GPC in a frictionless manner are exempt from having to include a “Do Not Sell or Share My Personal Information” link on their website. “Frictionless” means the business may not charge a fee, change the user’s experience on the site, or display any pop-up or notification in response to the opt-out.
However, this exemption only applies if the GPC signal opts the consumer out of all selling or sharing practices without requesting additional information.
Virginia’s privacy law does not currently require businesses to respond to the GPC signal.
Businesses have one year from the Colorado law's effective date to implement GPC and recognize any “user-enabled universal opt-out mechanism” as a valid request to opt out of targeted advertising.
Utah’s privacy law does not currently require businesses to respond to the GPC signal.
Businesses have 18 months from the Connecticut law's effective date to implement GPC and recognize “opt-out preference signals” as valid requests to opt out of targeted advertising.
The GDPR’s legal framework is different from that of the US data privacy laws, so GPC is not an exact fit for submitting a data subject request. For example, there is no specific right to opt out of targeted advertising. Also, under the ePrivacy Directive (the “Cookie Law”), websites may not place marketing cookies on a person’s computer without first obtaining consent, so the default is no tracking until the user opts in, rather than tracking until the user opts out.
Privacy compliance is complicated, and implementing Global Privacy Control isn’t as simple as flipping a switch (just ask Sephora). It needs to fit into a larger compliance strategy that includes creating a data map, determining which of your information practices amount to “selling or sharing,” and figuring out which of those practices can be linked to the GPC signal.
TrueVault simplifies privacy compliance so that small and medium-sized businesses can handle it on their own. Designed by attorneys, TrueVault is a SaaS platform that guides you every step of the way, from onboarding vendors to adding GPC code to your website. Contact our team to learn more.