What is Global Privacy Control? Frequently Asked Questions
February 15, 2022
Global Privacy Control (GPC) wants to make it easier for people to exercise their privacy rights. Much like the Do Not Track plug-ins of the past, GPC helps users communicate a desire to not be tracked online. More specifically, it is focused on enabling users to opt out of the sale of their personal information at the browser level.
First introduced in October 2020, GPC announced in January 2021 a milestone in adoption and the support of major publishers and consent management platforms, including Sourcepoint. They later received the backing of California attorney general Rob Bonta, with his office issuing letters to several companies in July 2021 to reinforce the requirement under CCPA to honor the GPC signal.
What is Global Privacy Control?
Global Privacy Control is a technical specification for transmitting universal opt-out signals. The initiative is backed by a consortium of privacy-focused organizations such as the Brave browser and DuckDuckGo, as well as well-known publishers like the New York Times and The Washington Post. For now, the signal is tailored for California’s Consumer Privacy Act (CCPA), which gives Californians the right to opt out of the sale of their data. But the group behind GPC also hopes to develop a global standard compatible with other privacy regimes like the EU’s GDPR.
How does Global Privacy Control work?
To take advantage of the GPC tool, users need to download a browser or extension that supports the signal. Similar to managing an ad-block extension, users can turn on the GPC signal for all websites they visit or for each individual website. When a user visits a website that supports GPC, that website will automatically register the browser request to Not Sell Info. Here’s what that experience looks like with the Blur extension by Abine.
There is definite room for improvement, as it currently doesn’t collect identifiable data, which limits the ability to link users to the rest of their data. And websites that don’t support the signal are not yet legally obligated to do so.
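The following added example (not code from the original article or from any CMP vendor) sketches how a site might register the browser request on the server and why the missing identifier matters: the signal can only be stored against an identifier the site already holds. The header name and value, Sec-GPC: 1, come from the GPC specification rather than this page; hasGpcSignal, evaluateGpc, optOutStore and the session ids are hypothetical, and keeping a stored opt-out after the header disappears is an assumed policy.

```javascript
// Added example. "Sec-GPC: 1" is defined by the GPC specification;
// every function and variable name below is hypothetical.

// Node lower-cases incoming header names, so look up "sec-gpc".
function hasGpcSignal(headers) {
  const raw = headers["sec-gpc"];
  // "1" is the only defined value; anything else counts as "not sent".
  return typeof raw === "string" && raw.trim() === "1";
}

// In-memory stand-in for wherever a site persists do-not-sell choices.
const optOutStore = new Map();

function evaluateGpc(headers, sessionId) {
  const signalled = hasGpcSignal(headers);
  // The header carries no user identifier, so the choice can only be
  // remembered against an id the site already has (here: a session id).
  if (signalled && sessionId) {
    optOutStore.set(sessionId, { doNotSell: true, source: "gpc" });
  }
  // Assumed policy: a stored opt-out stays in force on later requests.
  const stored = sessionId ? optOutStore.get(sessionId) : undefined;
  const doNotSell = signalled || Boolean(stored && stored.doNotSell);
  const scope = !doNotSell ? "none" : sessionId ? "session" : "request";
  return { doNotSell, scope };
}

// Constructed sample requests, not captured traffic.
const sampleRequests = [
  { headers: { "sec-gpc": "1" }, sessionId: "sess-a" }, // opt-out stored
  { headers: {}, sessionId: "sess-a" },                 // stored choice applies
  { headers: { "sec-gpc": "1" }, sessionId: null },     // this request only
  { headers: { "sec-gpc": "0" }, sessionId: "sess-b" }, // undefined value
  { headers: { dnt: "1" }, sessionId: "sess-c" },       // DNT is not GPC
];

function runSamples() {
  return sampleRequests.map((r) => evaluateGpc(r.headers, r.sessionId));
}

console.log(runSamples());
```

Without a session or account id, the opt-out applies only to the request that carried the header, which is the linking limitation described above.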
How is Global Privacy Control different from Do Not Track (DNT)?
Do Not Track was a plug-in offered by major browsers that, when turned on, added a header to browser metadata when initiating a connection with servers. However, no servers knew how to interpret the header, nor were they required to, so they often ignored it. With the lack of legislative action, it became clear that it would fail. The nail in the coffin was when Apple disabled DNT on Safari because websites could single out its users, making it (ironically) particularly useful for fingerprinting.
The main difference with GPC is that browser-level user-enabled requests could be made legally binding: CCPA final regulations already require all businesses to honor user requests via user-enabled global privacy controls. But ambiguity remains among companies in the absence of formal technical specifications from the AG’s office. And while enforcement actions are currently the responsibility of the attorney general, they will transition to the California Privacy Protection Agency created under CPRA.
What’s next for Global Privacy Control?
The group behind GPC said that their short-term focus is working with the California AG’s office to make GPC legally binding under CCPA. With the support of AG Bonta, they have a better chance at increasing adoption and creating a set of legally binding technical specifications. They are also exploring GPC’s applicability and functionality with regard to other privacy laws, such as GDPR.
In Nov 2021, the California Privacy Protection Agency made a request for comments on CPRA rulemaking. The recently published comments include ongoing debate around the mandatory nature of GPC, with one side supporting clearer language and the other calling for completely repealing the regulation. The industry continues to await technical specifications for honoring the signal.
GPC is an important step towards improving the experience for consumers who want to exercise their data rights. If you’re interested in learning more about enabling support for GPC in your CMP implementation, or how to optimize your privacy UX, get in touch.