IDC Names Securiti a Worldwide Leader in Data PrivacyView
It is no secret today that all interactions, activities, and details of users on the internet can often be tracked.
From the type of browser a user is using to the webpages they visit and how much time they spend on each one, to the exact battery percentage on their device - all this information is collected, processed, sold, transferred, and often combined to triangulate users' likes and dislikes to aid online targeted advertising.
Privacy activists have long argued that widespread tracking of users' data and opaque data collection practices infringe upon users' right to privacy. Most global data protection regulations aim to protect users and give them choices on how and by whom their data is being collected, used, and received.
Due to these laws and rising awareness amongst people about the right to privacy, various privacy tools and mechanisms are being developed or have been developed, most recently, that facilitate users in exercising their rights over their data.
One tool that now promises to be of particular significance is the Global Privacy Control (GPC). At its core, the GPC aims to empower individuals with the option to opt-out of the “sale” and “sharing” of their data across websites by communicating users' privacy preferences to websites.
What is the significance of the GPC, how does it operate, and most importantly, does it have any valid legal status as a legitimate way for users to exercise their privacy rights? Read on to learn more.
The Global Privacy Control (GPC), introduced at the World Wide Web Consortium (W3C) Privacy Community Group (Privacy CG) in April 2020, is an initiative to create a global technical specification designed to communicate a consumer’s privacy preferences to data controllers and processors. The GPC accomplishes this by being a browser-based opt-out tool or mechanism that automatically sends out users’ opt-out consent signals to websites, advertisers, and publishers on the world wide web.
The technology lets users signal their privacy preferences to browsers or devices via HTTP headers. It was developed by some of the world’s leading technology companies, web publishers, browser vendors, and civil rights activists such as the Electronic Frontier Foundation (EFF), the National Science Foundation, The New York Times, Mozilla, The Washington Post, and Consumer Reports, among others.
Moreover, in January 2021, GPC announced that it had achieved a significant milestone on the path to making the GPC legally binding under the California Consumer Privacy Act (CCPA). This happened after the then California Attorney General (AG), Xavier Becerra, in January 2021, tweeted that the GPC, a browser-based privacy signal, would be recognized as a valid and legal opt-out/do-not-sell request as per CCPA Section 1798.120 and thus would need to be mandatorily detected and honored by businesses to whom the CCPA applies.
This was significant because, as the CCPA is an opt-out regime, the requirement to recognize and honor GPC as a global opt-out would greatly strengthen the privacy rights of California consumers as consumers would no longer have to go and individually opt-out of the sale of their personal information on all the websites they will visit - the GPC shall do it for them once they have set it up.
In July 2021, GPC was added to the CCPA FAQ stating that covered businesses “must treat user-enabled global privacy controls as a valid opt-out request.” Additional guidelines related to the treatment of the “request to opt-out” were released later on under CCPA Regulation section 999.315.
With 40 million users utilizing a browser or extension with GPC support—such as Abine, Brave, DuckDuckGo, Disconnect, and Privacy Badger as well as The Washington Post, Meredith Digital (People.com, Allrecipes.com, etc.), Automattic (WordPress.com), and CafeMedia committing to recognize the GPC signal as a valid opt-out of sale under CCPA, the GPC was now a valid means for California consumers to opt-out of the sale of their personal information with significant support.
The GPC has since been growing in popularity. Since its inception, the GPC has had broad industry support with over 50 million users. But what exactly makes it so important? Since the General Data Protection Regulation (GDPR) came into effect in the European Union (EU), numerous countries have followed suit and adopted their own versions of data protection and privacy regulations.
Naturally, one of the byproducts of this is the evolution of mechanisms that would provide a uniform manner to allow users to opt-out of having their data sold or shared without having to individually request websites, businesses, devices, browsers, and other software about their privacy preferences.
Currently, under the CCPA and GDPR, many websites host Do Not Sell (DNS) or Object to Processing links to ensure they comply with the respective privacy obligations. While somewhat effective, this can often be jarring, requiring users to tick the right boxes on each website they visit. The GPC represents a consolidated one-step solution that would let users exercise their privacy rights and indicate they do not wish their data to be sold or shared.
Once enabled, this signal would be a uniform indicator of a user's privacy preference. It doesn't run or store any scripts on your browser. It doesn't require consent authentication. And most importantly, it is fully compliant with all major privacy regulations.
For a more detailed overview of associate regulations, as well as other relevant information related to GPC, view our whitepaper on the subject.
Being the first privacy law of its kind in the US, CCPA has particular significance since it would, in one way or another, have a lasting impact on similar regulations to follow in other US states.
One of the aspects that have garnered CCPA attention and praise across the globe is its privacy rights, particularly Section 1798.120, “Consumer right to prohibit the sale of their information,” more popularly known as ‘Do not sell’.
This section gives consumers the right to opt-out of selling their personal information (PI) to any third parties. The “sale” of PI is defined as renting, disclosing, releasing, making available, or transferring a consumer’s personal information either orally, in writing, or through electronic means for monetary or other beneficial purposes.
Under the CCPA Section 1798.135, businesses must provide users with the following appropriate mechanisms to exercise their right to opt-out of the sale of their PI:
Businesses that sell consumers’ personal information to third parties must display a “Do Not Sell My Personal Information” link on their website, particularly on the home page (or California-specific homepage) and within their privacy notice.
While the CCPA requires organizations to verify the consumers' identity in exercising their rights, this is not required when making an opt-out of sale request.
When clicking on the DNS link, the user should be able to see a notice that provides a description of the consumer’s right to opt-out, a form for the consumer to use opt-out, and information about any other opt-out mechanisms that are available to the consumer.
The CCPA requires that 2 designated methods be provided to consumers to be able to opt out. Other acceptable methods for submitting these requests include, but are not limited to, a toll-free phone number, a designated email address, a form submitted in person, or a form submitted through the mail.
CCPA Regulations Section 999.305(a) obligates businesses to provide notice at or before the point of collecting PI and the purposes for which the PI will be used.
Additionally, the banner/notice should be in plain and straightforward language and accessible format that is easy to read and understand by the consumers.
One mechanism to operationalize this requirement is by including information required by CCPA AG Regulation 999.305(b) within the cookie banner that is displayed before websites can drop cookies - this information includes:
The mechanism that makes GPC so effective is fairly complicated, as you would expect it to be. But it essentially boils down to the same binary 0s and 1s that comprise the rest of the internet.
Whenever a user connects to the internet, their outgoing internet traffic requests begin with bits of information known as "headers." These headers include information such as the user's browser, the default language, their device's screen size, location, and other information. Information that is considered vital for site analytics and behavioral targeting.
Once the GPC signal is enabled, all outgoing data from a user's device will be preceded by a Sec-GPC-field-value = "1" header. The "1" represents that the user has denied all permissions for their data to be sold or shared with any third parties. After this, the first information the website's server will read is this header whenever a user accesses a website.
How servers respond to headers like the Do Not Track has traditionally been up to the websites themselves. However, as the recent Sephora case illustrates, organizations subject to the CCPA may find themselves legally obligated to honor all GPC signals.
The GPC signal has been in the news most recently because of the Sephora case, where the company faced a record $1.2 million fine because of its non-compliance in detecting and honoring consumer’s GPC signals.
The California Attorney General, Rob Bonta, has been relatively vocal about reiterating the fact that the organizations subject to the CCPA must honor browser signals such as the GPC that constitute a valid consumer request to stop the sale of personal information.
Even before the news of the fine on Sephora broke, the California Attorney General's office has been contacting several other organizations subject to the CCPA to demonstrate and elaborate on how they've been honoring GPC signals. GPC detection remains mandatory for covered businesses as per the CPRA and CPRA Draft Regulations - we have detailed expanded GPC requirements under the CPRA in our white paper.
However, there are also certain limitations. Within the US, organizations in other jurisdictions that do not fall under the CCPA's scope have no legal or regulatory obligation to honor GPC signals from non-Californian residents.
Virginia's data regulation stated to come into effect on January 1st, 2023, doesn't mention the GPC or any similar mechanisms. On the other hand, Colorado's Privacy Act requires the state's attorney general to undertake the relevant technical specifications to ensure universal opt-out mechanisms. While the law comes into effect on July 1st, 2023, the universal opt-out mechanism requirement won't be enacted until a year later.
Naturally, there's a belief within the privacy advocacy circles that the obligation towards universal opt-out mechanism requirements will result in businesses having to honor GPC signals.
Things in Europe are different as Europe functions on the opt-in regime.
The Information Commissioner's Office in the United Kingdom published an opinion piece in 2021 on how it considers the GPC to be more of a "general request" related to the sale of users' personal data and not "meant to withdraw a user's consent to local storage as per the ePrivacy Directive."
It further stated that the tool currently "does not at this time appear to offer a means by which user preferences can be expressed in a way that fully aligns" with data protection requirements in the UK per the GDPR, the Data Protection Act of 2018, or the Privacy and Electronic Communications Regulations 2003.
The obvious question at this point is, what’s the way forward, for both organizations and users? In an era where users are more educated and informed about their data rights than ever, organizations can use the GPC to demonstrate their commitment to users’ privacy. The GPC shouldn’t have to result in a hostile relationship between the users and the website itself.
More importantly, the GPC does not mean the end of organizations being able to process their users’ data at all. Several studies have indicated that most users do not mind a certain amount of tracking and behavioral targeting as long as it is done in an informed manner.
As such, organizations may find the GPC a highly effective way of improving user experience online by streamlining the entire process of requesting and managing customer privacy preferences.
In any case, with more than 60% of the world’s population likely to have some form of data protection by 2023, organizations may feel they have little choice when coming to terms with the GPC. It is up to the organizations themselves if they want to use this as an opportunity to display their commitment to users’ privacy in a genuine manner.
Make no mistake, privacy regulations have changed the way organizations do business permanently. The GDPR and its impact on how businesses adapt their practices is undeniable proof of that. While not all regulations are as strict or comprehensive as the GDPR, the obligations placed on organizations to ensure users' privacy and provide greater control over their data remain consistent.
For regulations that adopt the opt-out mechanism, the GPC signal promises to be one of the most comprehensive mechanisms designed that empower users to ensure their data is only collected, shared, or sold after appropriately eliciting their consent.
Compliance with all significant data regulations with a unique set of requirements can prove difficult for organizations unless they opt for automated solutions.
Securiti is a market leader providing enterprise solutions related to data compliance and governance. Its artificial intelligence and machine learning algorithms-based solutions ensure an organization can effectively comply with any and all international obligations set forth by data regulations.
One such solution is its Universal Consent Management module. It supports and automates GPC signal detection on browsers and extensions that support it while keeping a record of it as proof of compliance. Additionally, this module helps classify both first-party and third-party cookies while automatically updating the privacy notices on a website if any new cookies are detected.
Global privacy control (GPC) is a mechanism that allows individuals to communicate their privacy preferences by sending a signal to websites and online services, indicating their desire to opt out of certain tracking or data collection.
Enabling a global privacy control usually involves configuring settings within your web browser or using privacy-oriented browser extensions that support sending the "Do Not Sell" signal.
The global privacy control code refers to the standardized signal that a browser sends to websites when a user enables a "Do Not Sell" or similar privacy preference.
Several modern web browsers, such as Mozilla Firefox, Privacy Badger by EFF, and Brave, support the global privacy control signal that allows users to indicate their preference for not being tracked.
The principles of global privacy often include transparency, user consent, data minimization, purpose limitation, user rights, and ensuring accountability of data processing activities.
You can test global privacy control by enabling the privacy signal in a compatible browser and visiting websites that support the signal. You can verify whether the websites respect your privacy preference.
GPC (Global Privacy Control) is a more standardized and comprehensive signal for expressing privacy preferences compared to DNT (Do Not Track), which was an earlier attempt to allow users to signal their desire to opt out of tracking but lacked uniform enforcement.
At Securiti, our mission is to enable enterprises to safely harness the incredible power of data and the cloud by controlling the complex security, privacy and compliance risks.