What is Global Privacy Control (GPC) & How Does it Work?

It is no secret today that all interactions, activities, and details of users on the internet can often be tracked.

From the type of browser to the webpages users visit and how much time they spend on each one to the exact battery percentage on their device - all this information is collected, processed, sold, transferred, and often combined to triangulate users' likes and dislikes to aid online targeted advertising.

Privacy activists have long argued that widespread tracking of users' data and opaque data collection practices infringe upon users' right to privacy. Most global data protection regulations aim to protect users and give them choices on how and by whom their data is being collected, used, and received.

Due to these laws and rising awareness amongst people about the right to privacy, various privacy tools and mechanisms are being developed or have been developed, most recently, that facilitate users in exercising their rights over their data.

One tool that now promises to be of particular significance is the Global Privacy Control (GPC). At its core, the GPC aims to empower individuals with the option to opt out of the “sale” and “sharing” of their data across websites by communicating users' privacy preferences to websites.

What is the significance of the GPC, how does it operate, and most importantly, does it have any valid legal status as a legitimate way for users to exercise their privacy rights? Read on to learn more.

What is the GPC?

The Global Privacy Control (GPC), introduced at the World Wide Web Consortium (W3C) Privacy Community Group (Privacy CG) in April 2020,  is an initiative to create a global technical specification designed to communicate a consumer’s privacy preferences to data controllers and processors. The GPC accomplishes this by being a browser-based opt-out tool or mechanism that automatically sends out users’ opt-out consent signals to websites, advertisers, and publishers on the World Wide Web.

The technology lets users signal their privacy preferences to browsers or devices via HTTP headers. It was developed by some of the world’s leading technology companies, web publishers, browser vendors, and civil rights activists such as the Electronic Frontier Foundation (EFF), the National Science Foundation, The New York Times, Mozilla, The Washington Post, and Consumer Reports, among others.

Moreover, in January 2021, GPC announced that it had achieved a significant milestone on the path to making the GPC legally binding under the California Consumer Privacy Act (CCPA). This happened after the then California Attorney General (AG), Xavier Becerra, in January 2021, tweeted that the GPC, a browser-based privacy signal, would be recognized as a valid and legal opt-out/do-not-sell request as per CCPA Section 1798.120 and thus would need to be mandatorily detected and honored by businesses to whom the CCPA applies.

This was significant because, as the CCPA is an opt-out regime, the requirement to recognize and honor GPC as a global opt-out would greatly strengthen the privacy rights of California consumers as consumers would no longer have to go and individually opt out of the sale of their personal information on all the websites they will visit - the GPC shall do it for them once they have set it up.

In July 2021, GPC was added to the CCPA FAQ, stating that covered businesses “must treat user-enabled global privacy controls as a valid opt-out request.” Additional guidelines related to the treatment of the “request to opt-out” were released later on under CCPA Regulation section 999.315.

With 40 million users utilizing a browser or extension with GPC support—such as Abine, Brave, DuckDuckGo, Disconnect, and Privacy Badger as well as The Washington Post, Meredith Digital (People.com, Allrecipes.com, etc.), Automattic (WordPress.com), and CafeMedia committing to recognize the GPC signal as a valid opt-out of sale under CCPA, the GPC was now a valid means for California consumers to opt-out of the sale of their personal information with significant support.

Why is Global Privacy Control Important?

The GPC has since been growing in popularity. Since its inception, the GPC has had broad industry support with over 50 million users. But what exactly makes it so important? Since the General Data Protection Regulation (GDPR) came into effect in the European Union (EU), numerous countries have followed suit and adopted their own versions of data protection and privacy regulations.

Naturally, one of the byproducts of this is the evolution of mechanisms that would provide a uniform manner to allow users to opt out of having their data sold or shared without having to individually request websites, businesses, devices, browsers, and other software about their privacy preferences.

Currently, under the CCPA and GDPR, many websites host Do Not Sell (DNS) or Object to Processing links to ensure they comply with the respective privacy obligations. While somewhat effective, this can often be jarring, requiring users to tick the right boxes on each website they visit. The GPC represents a consolidated one-step solution that would let users exercise their privacy rights and indicate they do not wish their data to be sold or shared.

Once enabled, this signal would be a uniform indicator of a user's privacy preference. It doesn't run or store any scripts on your browser. It doesn't require consent authentication. And most importantly, it is fully compliant with all major privacy regulations.

How to Enable GPC on a Website or Application? What Are the Ways to Configure It?

The prominent aspect of GPC is that it comes as an extension for a number of browsers. According to the GPC website, GPC can be enabled or configured in 8 different browsers. Collectively, there are over 50 million users that are using GPC browser extensions. However, there are a few browsers that may require manual configuration, such as the Firefox browser. To learn more about the list of browsers that support GPC, visit the GPC official website.

GPC Under CCPA

Being the first privacy law of its kind in the US, CCPA has particular significance since it would, in one way or another, have a lasting impact on similar regulations to follow in other US states.

One of the aspects that have garnered CCPA attention and praise across the globe is its privacy rights, particularly Section 1798.120, “Consumer right to prohibit the sale of their information,” more popularly known as ‘Do not sell’.

This section gives consumers the right to opt out of selling their personal information (PI) to any third parties. The “sale” of PI is defined as renting, disclosing, releasing, making available, or transferring a consumer’s personal information either orally, in writing, or through electronic means for monetary or other beneficial purposes.

Under the CCPA Section 1798.135, businesses must provide users with the following appropriate mechanisms to exercise their right to opt out of the sale of their PI:

Do Not Sell My Personal Information link

Businesses that sell consumers’ personal information to third parties must display a “Do Not Sell My Personal Information” link on their website, particularly on the home page (or California-specific homepage) and within their privacy notice.

While the CCPA requires organizations to verify the consumers' identity in exercising their rights, this is not required when making an opt-out of sale request.

CCPA Opt-out Notice 

When clicking on the DNS link, the user should be able to see a notice that provides a description of the consumer’s right to opt out, a form for the consumer to use opt-out and information about any other opt-out mechanisms that are available to the consumer.

Other Designated Methods

The CCPA requires that 2 designated methods be provided to consumers to be able to opt-out.  Other acceptable methods for submitting these requests include but are not limited to, a toll-free phone number, a designated email address, a form submitted in person, or a form submitted through the mail.

Cookie Banner

CCPA Regulations Section 999.305(a) obligates businesses to provide notice at or before the point of collecting PI and the purposes for which the PI will be used.

Additionally, the banner/notice should be in plain and straightforward language and accessible format that is easy to read and understand by the consumers.

One mechanism to operationalize this requirement is by including information required by CCPA AG Regulation 999.305(b) within the cookie banner that is displayed before websites can drop cookies - this information includes:

• A list of the categories of personal information about consumers to be collected from them.
• The purposes for which the personal information will be used.
• The link titled “Do Not Sell My Personal Information.”
• A link to the business’s privacy policy (it should redirect to the section on the sale of personal information).

How Does GPC Work?

The mechanism that makes GPC so effective is fairly complicated, as you would expect it to be. But it essentially boils down to the same binary 0s and 1s that comprise the rest of the internet.

Whenever a user connects to the internet, their outgoing internet traffic requests begin with bits of information known as "headers." These headers include information such as the user's browser, the default language, their device's screen size, location, and other information. Information that is considered vital for site analytics and behavioral targeting.

Once the GPC signal is enabled, all outgoing data from a user's device will be preceded by a Sec-GPC-field-value = "1" header. The "1" represents that the user has denied all permissions for their data to be sold or shared with any third parties. After this, the first information the website's server will read is this header whenever a user accesses a website.

How servers respond to headers like the Do Not Track has traditionally been up to the websites themselves. However, as the recent Sephora case illustrates, organizations subject to the CCPA may find themselves legally obligated to honor all GPC signals.

Difference Between GPC and Do Not Track?

GPC is a browser-based tool that prompts opt-out requests. Due to the complex regulatory landscape and provisions, the tool seems to be on the right track to succeed where the Do Not Track (DNT) fails. However, the DNT was introduced way before the GPC, i.e., in 2009. Unlike the GPC, DNT is a browser-based feature that informs users about the visitor’s interest regarding not being tracked. Regardless, the feature didn’t get much traction since many websites ignored the DNT requests.

GPC's Legal Status

The GPC signal has been in the news most recently because of the Sephora case, where the company faced a record $1.2 million fine because of its non-compliance in detecting and honoring consumer’s GPC signals.

The California Attorney General, Rob Bonta, has been relatively vocal about reiterating the fact that the organizations subject to the CCPA must honor browser signals such as the GPC that constitute a valid consumer request to stop the sale of personal information.

GPC Under CPRA

Even before the news of the fine on Sephora broke, the California Attorney General's office had been contacting several other organizations subject to the CCPA to demonstrate and elaborate on how they've been honoring GPC signals. GPC detection remains mandatory for covered businesses as per the CPRA and CPRA Draft Regulations - we have detailed expanded GPC requirements under the CPRA in our whitepaper.

However, there are also certain limitations. Within the US, organizations in other jurisdictions that do not fall under the CPRA's scope have no legal or regulatory obligation to honor GPC signals from non-Californian residents. 

GPC Under Other State Laws

There are other regulations, such as the ones in Virginia and Colorado, but much akin to the initial days of the CCPA, there's a degree of ambiguity about the GPC's status within them.

Virginia's data regulation stated to come into effect on January 1st, 2023, doesn't mention the GPC or any similar mechanisms. On the other hand, Colorado's Privacy Act requires the state's attorney general to undertake the relevant technical specifications to ensure universal opt-out mechanisms. While the law comes into effect on July 1st, 2023, the universal opt-out mechanism requirement won't be enacted until a year later.

Naturally, there's a belief within the privacy advocacy circles that the obligation towards universal opt-out mechanism requirements will result in businesses having to honor GPC signals.

GPC Under European Laws

Things in Europe are different as Europe functions on the opt-in regime.

The Information Commissioner's Office in the United Kingdom published an opinion piece in 2021 on how it considers the GPC to be more of a "general request" related to the sale of users' personal data and not "meant to withdraw a user's consent to local storage as per the ePrivacy Directive."

It further stated that the tool currently "does not at this time appear to offer a means by which user preferences can be expressed in a way that fully aligns" with data protection requirements in the UK per the GDPR, the Data Protection Act of 2018, or the Privacy and Electronic Communications Regulations 2003.

What Next?

The obvious question at this point is, what’s the way forward for both organizations and users? In an era where users are more educated and informed about their data rights than ever, organizations can use the GPC to demonstrate their commitment to users’ privacy. The GPC shouldn’t have to result in a hostile relationship between the users and the website itself.

More importantly, the GPC does not mean the end of organizations being able to process their users’ data at all. Several studies have indicated that most users do not mind a certain amount of tracking and behavioral targeting as long as it is done in an informed manner.

As such, organizations may find the GPC a highly effective way of improving user experience online by streamlining the entire process of requesting and managing customer privacy preferences.

In any case, with more than 60% of the world’s population likely to have some form of data protection by 2023, organizations may feel they have little choice when coming to terms with the GPC. It is up to the organizations themselves if they want to use this as an opportunity to display their commitment to users’ privacy in a genuine manner.

How Securiti Can Help

Make no mistake, privacy regulations have changed the way organizations do business permanently. The GDPR and its impact on how businesses adapt their practices is undeniable proof of that. While not all regulations are as strict or comprehensive as the GDPR, the obligations placed on organizations to ensure users' privacy and provide greater control over their data remain consistent.

For regulations that adopt the opt-out mechanism, the GPC signal promises to be one of the most comprehensive mechanisms designed that empower users to ensure their data is only collected, shared, or sold after appropriately eliciting their consent.

Compliance with all significant data regulations with a unique set of requirements can prove difficult for organizations unless they opt for automated solutions.

Securiti is a market leader providing enterprise solutions related to data compliance and governance. Its artificial intelligence and machine learning algorithms-based solutions ensure an organization can effectively comply with any and all international obligations set forth by data regulations.

One such solution is its Universal Consent Management module. It supports and automates GPC signal detection on browsers and extensions that support it while keeping a record of it as proof of compliance. Additionally, this module helps classify both first-party and third-party cookies while automatically updating the privacy notices on a website if any new cookies are detected.

Request a demo today to learn more about how Securiti’s products, including the universal consent management module, help you comply with all major global data compliance regulations.