Global Privacy Control (GPC) is a mechanism that allows consumers to easily opt out of the sale or sharing of their personal information across multiple websites, ensuring their data privacy preferences are respected.
How does global privacy control work?
GPC provides a universal opt-out signal, allowing consumers to express their privacy preferences across all websites they visit.
The California Consumer Privacy Act (CCPA) and other global privacy laws recognize GPC signals as a valid expression of consumer privacy preferences.
Together, and with other organizations that have followed suit, they have brought privacy rights back to the consumer. Consumers can now control these privacy preferences within their web browsers and apps.
This means that instead of consumers opting out of selling or sharing personal information for every website they visit, global privacy control communicates privacy preferences directly to the website visited.
It serves as an expression of user intent to invoke their online privacy rights.
Background on Global Privacy Control
Global privacy control emerged as a response to growing concerns over data privacy and data collection practices. Consumers became increasingly aware of how companies track their online behavior for targeted advertising and other purposes.
The origins of global privacy control can be traced back to the shortcomings of the “Do Not Track” (DNT) initiative. Although DNT allowed users to express their privacy preferences, it lacked enforcement, and many websites simply ignored the signal.
Unlike DNT, which was merely an optional request, GPC signals are designed to be legally recognized, particularly under global privacy laws like the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). This means that a consumer request to opt out via a GPC signal carries more weight, as certain jurisdictions require businesses to treat it as a binding preference.
How is Global Privacy Control different from Do Not Track (DNT)?
Global privacy control (GPC) and Do Not Track (DNT) may seem similar at first glance, but they differ significantly in their effectiveness and legal implications.
Limitations of Do Not Track (DNT)
DNT was introduced as a browser setting that allowed users to signal their desire not to be tracked. However, it was purely voluntary, and websites were under no legally binding obligation to honor it. Consequently, most websites continued their data collection practices and targeted advertising regardless of the DNT setting.
Why GPC was developed
The failures of DNT highlighted the need for a more robust solution, leading to the development of global privacy control. Unlike DNT, GPC signals are recognized under several global privacy laws, making them enforceable in specific jurisdictions. For example, under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), businesses must honor opt-out preference signals sent by users.
How does global privacy control impact you and your customers?
A growing number of organizations, both web browser and browser plugin providers, have adopted GPC and now allow consumers to enable the signal if they want to.
Websites should detect and honor this signal. They should receive it as a ‘do not sell or share’ universal opt out mechanism setting and, voilà – the consumer’s information is safe and secure.

Xavier Becerra, the former California Attorney General, has referenced global privacy control regarding the California Consumer Privacy Act (CCPA).
Does global privacy control have legal implications?
The short answer? It depends. GPC on its own does not create any legally binding obligations.
However, laws in some jurisdictions may mean a consumer’s expression through global privacy control has a legal impact.
For example, following the lead of the California Consumer Privacy Act (CCPA), in 2021 Colorado passed the Colorado Privacy Act (CPA).
That same year, Virginia passed the Virginia Consumer Data Protection Act (VCDPA). Both go into effect in 2023 and, like the CCPA, they require honoring browser settings and opt-out controls.
Acts like these continue to be passed in the U.S. and around the world, and that’s great news for privacy and consumer rights.
What global privacy control-compliant software should I use?
Let’s face it, things change fast in the world of consumer privacy, privacy laws, and data protection.
So, how can you and your business stay on top of these ever-changing laws and regulations regarding global privacy control?
The easiest way is to implement software that allows for GPC detection. TrustArc Cookie Consent Manager Advanced (CCM) allows this setting to be enabled in a way that is simple and stress free.
This is important for your business but also for your customers, who increasingly expect a seamless and branded consent management experience.
Ensuring visible user consent goes a long way to building customer trust, confidence and loyalty.
Detailed legal implications by region
Legal implications of Global Privacy Control (GPC) vary by region, with some jurisdictions requiring businesses to honor GPC signals as legally binding opt-out requests.
California Privacy Rights Act (CPRA)
Under the California Privacy Rights Act, businesses must honor GPC signals as a valid opt-out preference signal. This applies to the sale of consumers' data and to sharing it with third parties for targeted advertising. The California Privacy Protection Agency enforces these rules.
Colorado Privacy Act (CPA)
The Colorado Privacy Act also mandates that companies respect GPC opt-out signals. This law applies to businesses collecting data from Colorado residents, regardless of where the company is based.
Connecticut Data Privacy Act
Similarly, the Connecticut Data Privacy Act requires companies to acknowledge GPC signals as a form of consumer request to opt out of data collection.
Other jurisdictions and global privacy laws
Other states are following suit, with global privacy laws evolving rapidly. In some regions, businesses are required to process opt-out requests received through GPC signals or browser settings. Non-compliance can lead to legal penalties.
Implementing Global Privacy Control for your business
Businesses are increasingly wondering how to implement global privacy control effectively. Here’s a step-by-step guide:
- Enable Global Privacy Control detection: Ensure your consent management platform supports GPC. This involves configuring your site to detect GPC signals and respect opt-out preference signals.
- Process opt-out requests: Implement a system to efficiently process opt-out requests received via GPC. This includes updating data collection practices and ensuring compliance with California Consumer Privacy Act (CCPA) requirements.
- Communicate users' privacy preferences: Clearly inform users about how their privacy preferences are being honored.
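The three steps above, sketched server-side as an added example (not TrustArc's code and not part of the original article). It relies on the `Sec-GPC: 1` request header and the `/.well-known/gpc.json` support resource from the GPC specification; `optOutStore`, `handleGpc`, the record fields and the sample visitor IDs are hypothetical.

```javascript
// Stand-in for a consent database: visitorId -> opt-out record (hypothetical).
const optOutStore = new Map();

// Step 1: detect the signal. The GPC specification defines only the value "1";
// a missing header or any other value means no preference was expressed.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') return String(value).trim() === '1';
  }
  return false;
}

// Step 2: process the opt-out. The first signal is stored with a timestamp as
// evidence. Assumption of this sketch: a later request without the header does
// not undo a recorded opt-out.
function handleGpc(visitorId, headers, now = new Date()) {
  if (hasGpcSignal(headers) && !optOutStore.has(visitorId)) {
    optOutStore.set(visitorId, {
      optedOut: true,
      source: 'gpc',
      recordedAt: now.toISOString(),
    });
  }
  const optedOut = optOutStore.has(visitorId);
  return {
    optedOut,
    // Gate sale/share integrations (ad tags, third-party pixels) on this flag.
    allowSaleOrShare: !optedOut,
    // Step 3: tell the user how the preference is being honored.
    notice: optedOut
      ? 'Opt-out preference signal honored: your data is not sold or shared.'
      : null,
  };
}

// Body for /.well-known/gpc.json, which declares that the site honors GPC.
function gpcSupportResource(lastUpdate) {
  return JSON.stringify({ gpc: true, lastUpdate });
}

// Constructed sample requests.
const first = handleGpc('visitor-a', { 'Sec-GPC': '1' }, new Date('2024-01-01T00:00:00Z'));
const later = handleGpc('visitor-a', {});
const other = handleGpc('visitor-b', { 'sec-gpc': 'true' });
console.log(first.optedOut, later.optedOut, other.optedOut); // true true false
```

In the browser, the same preference is exposed to page scripts as `navigator.globalPrivacyControl`, which a consent banner can read before loading any third-party tags.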
What is cookie consent?
Cookie consent, or cookie compliance, is permission consumers give websites to place a cookie into their browser to gather specific data about them.
Cookie consent is required to obtain most of the different types of data businesses and third parties collect via cookies.
Since GPC emerged, TrustArc’s Cookie Consent Manager has expanded its functionality to comply with it.
If you’re already using the CCM advanced solution, you can activate GPC functionality now (if you haven’t already).
If you aren’t using our solution and would like to learn more about it and how it can support global privacy control and your organization – contact us.
How soon do I need to take action?
Google intends to phase out third-party cookies on Chrome in 2024. Since 65% of browser users use Chrome, this will impact most businesses and cookie marketing.
If you have TrustArc Cookie Consent Manager, you are in good hands. It does not require third-party cookies to work and will remain compliant.
TrustArc will also continue to work with industry partners to ensure our products continue to adapt to ongoing changes to the digital landscape.
What's next for Global Privacy Control?
Upcoming Legal Changes
Expect continued growth in global privacy laws, with more states adopting regulations similar to the California Privacy Rights Act and the Colorado Privacy Act. Other countries are also exploring similar rules, impacting businesses worldwide.
Impact on Digital Marketing Strategies
The decline of third-party cookies and the rise of GPC signals will reshape targeted advertising. Marketers must adapt by leveraging first-party data and respecting users' privacy preferences to maintain customer trust.
Key global privacy control takeaways
- By understanding what GPC is and how to implement it, businesses can not only comply with evolving privacy laws but also build consumer trust.
- Global privacy control (GPC) allows consumers an easy way to opt out of organizations selling or sharing their personal information under specific privacy laws.
- A growing number of organizations, both web browser and browser plugin providers, have adopted GPC.
- TrustArc Cookie Consent Manager allows company websites to detect these browser or plugin settings and offer consumers the opt-out option.