Understanding Global Privacy Control (GPC)

Published 8/8/2024 by Peter Oladimeji
6 min read

Summary

When Global Privacy Control (GPC) launched in October 2020, it laid the groundwork for a shift towards easier, frictionless mechanisms for users to exercise their privacy rights.

The initiative promises this much, at least. But is it just a "Do Not Track signal" 2.0? Or a universally recognized signal that can drive actionable change for data privacy? 

In this primer on GPC, we help you understand what it is, how it works, what regulations take it into account, and how to get started.

What is Global Privacy Control (GPC)?

GPC is a specification that allows you, an Internet user, to express your privacy preferences to websites, publishers, and advertisers on the Internet. It operates on the browser level, hosted on a browser or a browser extension, which you can turn on to opt out of data sharing or sale—at scale. 

GPC is a coalition of academics, privacy advocates, and for-profit organizations created to actualize the shared vision of a future where users can protect their data’s privacy more easily and with less friction. 

GPC has the industry backing of over 50 organizations (including Didomi). It was first announced in April 2020 at the World Wide Web Consortium (W3C) Privacy Community Group (Privacy CG).

As of this writing, this industry tool is baked into browsers like DuckDuckGo, Brave, and Mozilla’s Firefox. Browser extensions that support the feature include Abine, Disconnect, OptMeowt, Privacy Badger (by the Electronic Frontier Foundation), and the GPC Chrome Extension for Google Chrome users.

Other organizations, such as The Washington Post, Automattic (WordPress.com), Meredith Digital, Checkmyads, and yours truly are also founding members. The complete list can be found here.

Why is Global Privacy Control (GPC) important? 

The introduction of Global Privacy Control signals (pun intended) a shift towards a more streamlined approach that eliminates the need for users to opt out individually on each website they visit.

Additionally, it’s a way for companies to showcase their commitment to comply with user privacy preferences. 

Regulators are not left out of the compliance loop — the universal opt-out mechanism provided by GPC serves to future-proof businesses’ compliance in the face of evolving laws like the California Privacy Rights Act (CPRA).

Many prominent figures in the United States have advocated for GPC as a viable opt-out solution. In fact, some regulators have stated that a universal opt-out mechanism—implicitly referring to GPC—should be recognized and implemented by all companies. 

Beyond the promise of an easier opt-out (on the user side) and compliance (on the business side), GPC also caters to the groundswell of opinion among privacy-conscious users: Users should not have to depend on the self-help measures they may or may not take to exercise their opt-out rights.

How does the GPC signal work?

A GPC signal is attached to an HTTP request made to a given site to alert it of the user’s choice to opt out of any sale or sharing of their data. 

When users turn on GPC settings, their browser or device automatically transmits this GPC privacy signal, communicated through an HTTP header or an object that JavaScript can read. Sites can process either or both.

Once turned on, you can think of GPC as a robot that selects the “Do Not Sell My Personal Information” preference on each web visit, so you don’t have to. The solution is lightweight and free from intrusive scripts running on your browser that may cause unnecessary data storage issues.
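As an added illustration (not Didomi's code or the GPC project's), here is what both channels look like to a site: the HTTP request header is `Sec-GPC: 1` and the JavaScript object is `navigator.globalPrivacyControl`, the names the GPC specification defines. The `headers` and `nav` arguments and the sample requests are constructed inputs, not captured traffic.

```javascript
// Added example, not code from Didomi or the GPC project.
// The signal reaches a site on two channels defined by the GPC specification:
//   1. HTTP request header  Sec-GPC: 1         (read server-side, before any script runs)
//   2. navigator.globalPrivacyControl === true  (read client-side by page scripts)

// Server side. `headers` is a plain object such as Node's req.headers.
// Only the value "1" is defined by the specification; an absent header or any
// other value is treated as "no signal", never as an opt-in.
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    // Header names are case-insensitive; Node lower-cases them, other stacks may not.
    if (name.toLowerCase() !== 'sec-gpc') continue;
    const first = Array.isArray(value) ? value[0] : value; // some stacks hand over arrays
    return String(first).trim() === '1';
  }
  return false;
}

// Client side. `nav` is the browser's navigator object (passed in so the
// function can be exercised outside a browser). Browsers without GPC support
// leave the property undefined, which must read as "no signal".
function gpcFromNavigator(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// A site honouring GPC treats the signal as present if either channel carries it.
function userOptedOut({ headers, nav } = {}) {
  return gpcFromHeaders(headers) || gpcFromNavigator(nav);
}

// Constructed sample requests (not captured traffic) covering the cases a
// server will actually see: set, set with different header casing, a bogus
// value, and no header at all.
const sampleRequests = [
  { 'sec-gpc': '1', 'user-agent': 'constructed-browser/1.0' },
  { 'Sec-GPC': '1' },
  { 'sec-gpc': '0' },
  { 'user-agent': 'constructed-browser/1.0' },
];

// Summarise the decision per request, e.g. for a request log.
function classify(requests) {
  return requests.map(h => (gpcFromHeaders(h) ? 'opt-out' : 'no-signal'));
}
```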

Didomi - How GPC works

Comparison between GPC and other opt-out options

When comparing the GPC with traditional opt-out mechanisms, what are some of the differences you should note?

  • GPC and the Do Not Track (DNT): DNT is a browser setting that informs websites of the user’s desire to opt out of online tracking used for targeted advertising.

    Compared to the GPC signal, the DNT signal has a narrower scope, primarily focusing on user tracking preferences. GPC, however, extends to the sale and sharing of consumer data. While GPC has a more robust framework with legal backing, DNT is a voluntary signal with no agreed-upon or legally required response.
  • GPC and the "Do Not Sell My Personal Information" links (DNS): DNS are links and toggles that websites operating under privacy laws like the CCPA must provide. While they allow users to opt out on a per-website basis, GPC enables users to opt out at scale (across all GPC-compliant sites and services).

To put it all into practice, let's now look at various regulations and how they relate to GPC.

Regulations (in & outside the U.S.) and GPC compliance 

Enforcement will play a crucial role in making GPC truly universal. We only need to look at similar opt-out projects like Do Not Track (DNT) to see why. 

Despite best efforts to drive global adoption for DNT (including the U.S. Federal Trade Commission’s endorsement in 2010 and the W3C working group's recommendation to websites receiving the signal), it failed to reach the heights of universal adoption.  

For one, implementing the DNT was made optional, which stalled any adoption prospects. Moreover, there was no uniform method for implementing the standard. This lack of consensus on how to interpret DNT signals led most websites to abandon it altogether.

Widely regarded as the spiritual successor to the DNT, GPC is clearly learning from its predecessor's failures. Support for the initiative is gathering steam. A strong user base of over 50 million, with buy-in from industry stakeholders and special recognition and enforcement action from regulators like the California Attorney General, will only work to reinforce GPC’s position as a gold standard.

Beyond enforcement sweeps, regulators are now drumming up support for GPC while sounding warning bells against non-compliant data controllers and processors. For example, starting in 2022, California's Attorney General Rob Bonta made it clear that enforcement in his state was a priority:

“My office is watching, and we will hold you accountable. It’s been more than two years since the CCPA went into effect, and businesses’ right to avoid liability by curing their CCPA violations after they are caught is expiring. There are no more excuses. Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls.”

- California Attorney General Rob Bonta
(Source: California Department of Justice, August 2022)

More recently, during the IAB 2024 Public Policy and Legal Summit, the California Privacy Protection Agency (CPPA) hinted at increasing regulatory activity to enforce GPC. 

Let’s look at how privacy laws across jurisdictions make it obligatory for businesses to honor GPC signals:

California Consumer Privacy Act (CCPA) and CPRA regulations

California pretty much sets the tone for privacy law legislation in the US. Notably, Section 1798.129 of California’s CCPA upholds the “Consumer[s] right to prohibit the sale of their information”.

It then grants GPC the statutory flavor it desperately needs to become a truly ‘global’ standard in Section 999.315 (Requests to Opt-Out), subsection (c):

“If a business collects personal information from consumers online, the business shall treat user-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information as a valid request submitted pursuant to Civil Code section 1798.120 for that browser or device, or, if known, for the consumer.

  1. Any privacy control developed in accordance with these regulations shall clearly communicate or signal that a consumer intends to opt out of the sale of personal information.
  2. If a global privacy control conflicts with a consumer’s existing business-specific privacy setting or their participation in a business’s financial incentive program, the business shall respect the global privacy control but may notify the consumer of the conflict and give the consumer the choice to confirm the business-specific privacy setting or participation in the financial incentive program.”

The CCPA mandates that businesses make two opt-out methods available to California residents. It then lists appropriate mechanisms businesses may choose from.

Ignoring GPC requests is not the only violation that may land you in hot water. Many companies that received 30-day warning letters from the AG in the past were found not to have followed the two-method requirement.

Depending on how you communicate with users, you can rely on any of these mechanisms: 

  • The “Do Not Sell My Personal Information” link (to be placed visibly on the business’ website or mobile app); and
  • Other designated methods include a toll-free number, a designated email address, a form submitted in person, a form submitted through the mail, and user-enabled global privacy controls.

The Office of the Attorney General (OAG) enforces the CCPA together with the California Privacy Protection Agency (CPPA), so there can be no uncertainty on expectations regarding compliance. 

Given that the generous 30-day cure letters (a notice of violation served on offenders to give them an opportunity to cure their violation, failing which the Attorney General commences enforcement action) no longer exist under the CCPA, the stakes are higher.

So, if you’re a "covered entity" under the CCPA, your compliance efforts must include processing GPC signals.

Colorado Privacy Act (CPA)

From July 1, 2024, the Colorado Privacy Act (CPA) mentions GPC as one of the opt-out options businesses must provide customers with. This affirms the user’s right to opt out.

According to the law, in Colorado, a GPC signal would be interpreted as the use of a “...universal opt-out mechanism that clearly communicates a consumer’s affirmative, freely given, and unambiguous choice to opt out of the processing of personal data for purposes of targeted advertising or the sale of personal data...”

Connecticut Data Privacy Act (CTDPA)

Much like Colorado's CPA, Connecticut’s CTDPA not only grants users opt-out rights but legally permits them to exercise said rights through an “authorized agent by way of, among other things, a technology, including, but not limited to, an Internet link or a browser setting, browser extension or global device setting.”

This confirms that GPC has legal effect in Connecticut. 

Nevada Revised Statutes Chapter 603A (NRS 603A)

For the purpose of compliance with user opt-out rights, the NRS 603A would also interpret a GPC signal as a “Do Not Sell My Personal Information” request. 

Other States in the US

Virginia’s and Utah’s privacy laws affirm users’ rights to opt out. However, they fail to mention GPC as a recognized legal mechanism for exercising this right.

Other U.S. privacy state laws with a similar stance are Montana, Oregon, Texas, and Delaware. 

Notwithstanding the regulators' silence on GPC’s status as a legally recognized mechanism in these states, the climate of opinion is that they are almost all certain to equate it to an opt-out preference signal. 

How to implement Global Privacy Control with Didomi

Since the GPC signal is either on or absent, you must enable it in your web browser or device settings.

Browsers like Mozilla’s Firefox, Brave, and DuckDuckGo have GPC built in, while others like Safari and Chrome offer extensions that enable GPC in a few clicks. Once on, your browser automatically broadcasts the signal to the websites you visit, indicating your wish to opt out.

Of course, it's still good practice to review privacy policies and adjust settings as needed, but GPC provides a streamlined way to assert your data privacy rights across multiple platforms.

In Didomi, Global Privacy Control (GPC) is automatically supported when you set up a consent banner for the relevant regulations. As soon as the signal is detected, your banner is adjusted to respect the user’s choice expressed via GPC:

  • A "GPC signal detected" icon is displayed in the notice.
  • All personal information is set to Do Not Sell / Do Not Share.
  • All SPI (sensitive personal information) is set to Disagree.
  • Instead of Agree and Close, there is a Close button.

To learn more about how Didomi can help you with your GPC implementation, check out our GPC support documentation and book a call with the team to ask any further questions:


Global Privacy Control (GPC): Frequently Asked Questions

Can I still target users with ads if their GPC settings are enabled? 

The GPC specification allows users to easily object to the sharing or sale of their data with third parties. It does not provide a channel for users to exercise every privacy right.

Thus, users cannot rely on GPC to trigger data deletion requests. Likewise, it cannot restrict a business’s use of data within its own controlled environment (in a first-party context).

So, if you’re targeting ads to users based on their activity on your website (in a first-party context), you are still GPC-compliant as long as no third-party sharing or sale is involved. 

How much does it cost to implement GPC? 

The cost implications are almost nil. If you're already CCPA-compliant, chances are you already have a system that recognizes the control. 

How can I test Global Privacy Control? 

Enable the GPC signal in a compatible browser. As you browse sites supporting GPC, you can check whether they honor your preferences regarding data sharing and selling to third parties.

How can I honor GPC signals? 

A good place to start is to check that your website can capture the GPC signal. After confirming, ensure that your website blocks all third-party data-sharing channels, such as scripts, tags, pixels, and cookies, for any users with GPC enabled.

Also, integrate that signal into your marketing systems and consent management setup. This helps you ensure consistent, cross-platform compliance with users’ opt-out preferences.
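An added example (not Didomi's code) of the decision logic a site needs once it can read the signal: it applies the conflict rule from the CCPA regulation quoted above (the signal overrides a site-specific opt-in unless the user, once notified, confirms that setting) and withholds third-party tags on the result while first-party tags keep loading, as the first FAQ answer allows. The `storedChoice` and `confirmedSiteSetting` fields and the tag inventory are assumed, constructed inputs.

```javascript
// Added example, not Didomi's code. Turns a detected GPC signal into a
// sale/share decision and into the list of tags the page may load.

// Rule from the CCPA regulation quoted above: the signal overrides a
// conflicting site-specific opt-in, but the business may notify the user of
// the conflict and let them explicitly confirm the site setting.
//   gpcSignal            - true when Sec-GPC: 1 / navigator.globalPrivacyControl was seen
//   storedChoice         - this site's recorded choice: 'opt_in', 'opt_out' or null (assumed field)
//   confirmedSiteSetting - true only if the user re-confirmed the opt-in after the notice (assumed field)
function resolveSellOrShare({ gpcSignal, storedChoice = null, confirmedSiteSetting = false }) {
  if (!gpcSignal) {
    // No signal: only an explicitly recorded opt-out blocks sale/share here.
    return { sellOrShare: storedChoice !== 'opt_out', conflict: false };
  }
  const conflict = storedChoice === 'opt_in';
  if (conflict && confirmedSiteSetting) {
    // The conflict was shown to the user and they kept the site-specific opt-in.
    return { sellOrShare: true, conflict: true };
  }
  // Default under a signal: opt out, and flag any conflict so the notice can be shown.
  return { sellOrShare: false, conflict };
}

// Constructed tag inventory. thirdParty marks tags that send data to another
// party (ad pixels, retargeting). First-party analytics on your own domain is
// not a sale or share and keeps loading (see the first FAQ answer above).
const tagInventory = [
  { id: 'first-party-analytics', src: '/js/analytics.js', thirdParty: false },
  { id: 'ad-pixel', src: 'https://ads.example.com/pixel.js', thirdParty: true },
  { id: 'retargeting', src: 'https://rt.example.com/tag.js', thirdParty: true },
];

// Every third-party tag is withheld unless sale/share is permitted;
// this gate must run before the tags are injected, not after.
function tagsToLoad(inventory, decision) {
  return inventory.filter(t => !t.thirdParty || decision.sellOrShare).map(t => t.id);
}

// End-to-end: what a GPC user with a stale opt-in on file gets.
function planForRequest(gpcSignal, storedChoice, confirmedSiteSetting = false) {
  const decision = resolveSellOrShare({ gpcSignal, storedChoice, confirmedSiteSetting });
  return { ...decision, tags: tagsToLoad(tagInventory, decision) };
}
```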

What is the Global Privacy Control Code?

This is a standardized signal your web browser sends to websites on your behalf. 

When you enable a "Do Not Sell My Personal Information" or similar privacy preference, the GPC code activates. It then transmits to every website you visit and automatically notifies them of your wish to exercise your opt-out rights.