Consumers who want to opt-out of the sale or sharing of their personal information can find it hard to exercise this important privacy right.
An extensive study by Consumer Reports about compliance issues related to the California Consumer Privacy Act noted:
“Consumers struggled to locate the required links to opt-out of the sale of their information. For 42.5% of sites tested, at least one of three testers was unable to find a DNS (Do Not Sell) link. All three testers failed to find a “Do Not Sell” link on 12.6% of sites, and in several other cases, one or two of three testers were unable to locate a link.
The Global Privacy Control (GPC) was designed to address this issue.
GPC gives users a universal privacy control in a web browser extension, allowing them to store their choice to opt-out of having their data collected for sale or sharing before they interact with any business online.
GPC was developed by a collective of technologists, researchers, civil rights activists, web publishers and representatives of several technology businesses (ranging from browser vendors and extension developers to software companies).
Under the California Consumer Privacy Act (CCPA), California consumers’ privacy right to opt-out was meant to be streamlined by requiring businesses to get consent from California consumers to share and/or sell their personal information. CCPA includes a provision for opt-out to be signaled via Global Privacy Control settings in consumers’ browsers, saving them from having to go through opt-out processes with every business they interact with online.
Global Privacy Control: Key dates
- November 14, 2011 – A first draft of a “Do Not Track” (DNT) standard for online privacy, also known as Tracking Preference Expression, is published by the World Wide Web Consortium (W3C), an organization developing open standards and guidelines for the web based on the principles of accessibility, internationalization, privacy, and security. A Tracking Protection Working Group is established to standardize DNT and the DNT header for browsers is supported in major web browsers including Chrome, Firefox, Internet Explorer, Opera and Safari.
- January 18, 2019 – the W3C Tracking Protection Working Group is closed, with a statement from the group noting “since its last publication as a Candidate Recommendation, there has not been sufficient deployment of these extensions (as defined) to justify further advancement, nor have there been indications of planned support among user agents, third parties, and the ecosystem at large.”
- October 2020 – Global Privacy Control is introduced.
- January 28, 2021 – the GPC organization announces the browser signal is being used by more than 40 million users and honored by major publishers such as The New York Times as “a valid opt-out of sale under the CCPA”.
- August 14, 2022 – the Office of the California Attorney General Rob Bonta, announces a CCPA enforcement settlement with Sephora, which is “part of ongoing efforts by the Attorney General to enforce California’s comprehensive consumer privacy law that allows consumers to tell businesses to stop selling their personal information to third parties, including those signaled by the Global Privacy Control (GPC) … There are no more excuses. Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls.”
Lack of trust motivates opt-outs and GPC signals
Most people are now very aware they’re tracked online and are becoming more active in adjusting privacy settings to exercise their personal privacy rights.
Arguably the main reasons people opt-out of allowing their personal information to be collected, processed, sold and/or shared are related to a lack of trust.
Worse case: people don’t trust a business to protect their privacy at all. High profile data breaches have made them fearful, so some people lock down privacy settings whenever they’re online, such as using a browser in private mode or connecting via a virtual private network.
Worst case: people don’t trust a business to only use their personal information for relevant and useful purposes – and only then at times that suit the consumer.
As a consumer, no doubt you’re frequently targeted with supposedly ‘relevant’ offers or suggestions that miss the mark.
Irrelevant intrusions from businesses you’ve previously connected with can be irritating, but they’re especially annoying when they’re from businesses you have no relationship with at all. No one likes nuisance calls, spam, and other unsolicited communications from organizations you never wanted to share your contact information with, let alone allow them to know information that’s more personal.
So, it’s not surprising more and more consumers actively seek and select stricter privacy settings – or choose GPC – in their efforts to stop apparently unsolicited and/or irrelevant intrusions from businesses.
However, GPC can mean consumers might inadvertently block themselves from the benefits of loyalty schemes and other financial incentive programs when they’ve previously opted-in.
Businesses can build trust by demonstrating the benefits of opt-in
In our 2023 TrustArc Global Privacy Benchmark Report we highlighted how more businesses are now onboard with maintaining brand trust through robust privacy efforts: the link between brand trust and proactive privacy measures rose in importance from 2022 to 2023, up seven points to 62%).
Trust can be built by continually demonstrating how consumer information is used for purposes that are relevant and beneficial for your customers.
Under privacy regulations such as CCPA and General Data Protection Regulation (GDPR), consumers have a right to know what personal information is collected by a business and how it is used, shared or sold.
When you ask customers to consent (via an opt-in mechanism) to having their data used, shared, or sold you must prove to them the relationship is worth maintaining. Financial incentive programs are one way to achieve this – if what you offer is genuinely useful and appealing to your customers.
TrustArc’s financial incentive notice service
TrustArc can help your business design and implement a Financial Incentive Notice triggered by a customer’s GPC signal that is easy for them to understand and act on.
Our aim is to ensure your business complies with privacy regulations such as CCPA at the same time as creating opportunities to keep customers enrolled in loyalty offers and other financial incentive programs.
Your Financial Incentive Notice must be simple and offer genuine choice for customers who have previously opted-in to a financial incentive program and now use GPC.
When a GPC opt-out signal is detected from the browser of a customer who is enrolled in a financial incentive program (such as a loyalty points program), it should clearly acknowledge both facts:
- The customer now has a GPC opt-out signal from their browser; and
- The signal conflicts with their existing participation in your business’ financial incentive program, which requires opt-in to tracking technologies.
- Next, it should explain to the customer they can choose not to be tracked and, therefore, not participate in your incentive program anymore or continue to be tracked so they can receive offers without disruption.
TrustArc will then ensure the customer’s choice is immediately actioned in your TrustArc customer consent and preference management solution.