March 24, 2023
More than ever before, consumers are aware of their rights when it comes to their privacy online. Whether they understand the letter of the law exactly or not, the reality is that as privacy rapidly evolves, so do the responsibilities of businesses and companies who collect, sell, or share data.
Every person who has used the internet has seen their fair share of popup privacy banners asking them to accept cookies. Some are fairly simple and notify users of their collection of cookies, while others have more detail about why they’re collecting data. Depending on the governing law, these popups may provide links to full privacy policies, settings, and where to learn more.
In the past, this fairly intrusive method was the only way to secure consent from website users, who were forced to interact with popups for each new website they visited. If a consumer wanted to restrict the sale of their information, they had to submit a “do not sell” request to each business, which wasn’t always easy to do. A 2020 study showed that many consumers struggled to locate the link to opt out of the sale of their information and that many businesses’ opt-out process was so onerous, it seriously impaired consumers’ control over what happened to their data.
Today, technology enables consumers to set their privacy preferences a single time and certain web browsers will automatically send a signal to each new website the user visits. Because there’s no federal data privacy law, businesses are left wondering how to comply with various states’ laws, and how to manage these universal opt-out preference signals. This blog will highlight the Global Privacy Control (GPC) and how businesses can ensure they remain compliant even in a changing privacy landscape.
The GPC is an example of a universal opt-out preference signal, in which an “authorized agent” (i.e., a technology that users have authorized to give data collection consent on their behalf) shares a user’s privacy settings with the websites they visit. In the GPC’s case, it does so as an extension on the user’s browser.
For consumers, the GPC is a way to automate opting out of the sale or sharing of their data. This means that even people who aren’t technologically savvy can set their preferences once and let the GPC do the rest. In other words, users no longer need to hunt for an opt-out link on every website they visit. This is good news for consumers, who have more ways to manage their privacy in a virtual world. But for businesses, it can complicate things.
In the not-so-distant past, a “Do Not Track” signal tried (and failed) to gain traction. The idea was similar to GPC in that it provided consumers with a way to opt out of being tracked across websites, as well as limit the use and sharing of data. Companies didn’t honor it, though—there was nothing to compel them to honor it. Ten years after its proposal, in 2019, the W3C disbanded the project because of “insufficient support and adoption.”
That’s changed. The GPC and universal opt-out signals now have state laws backing them—and they have teeth.
In 2022, California Attorney General Rob Bonta announced a $1.2 million settlement with cosmetics retailer Sephora, Inc. for violating the CCPA. There was a variety of violations, but chief among them was the failure to process opt-out requests via the GPC. Attorney General Bonta highlighted this violation in a press release on the enforcement.
Technologies like the Global Privacy Control are a game changer for consumers looking to exercise their data privacy rights. But these rights are meaningless if businesses hide how they are using their customer's data and ignore requests to opt-out of its sale.
I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. My office is watching, and we will hold you accountable. [...] Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls.
A handful of other states—Colorado, Connecticut, Utah, and Virginia—have passed privacy laws that went or will go into effect this year.
The Utah Consumer Privacy Act (UCPA), which goes into effect Dec. 31, 2023, and Virginia Consumer Data Protection Act (VCDPA), effective Jan. 1, 2023, do not require companies to honor universal opt-out signals like the GPC.
Even if your company isn’t legally required to process GPC signals, doing so helps build trust and show consumers you care about their data preferences.
A consent management platform, such as Osano, can help your company meet compliance regardless of the jurisdiction, honor privacy opt-out requests, and avoid serious consequences of failing to honor GPC opt-out requests.
When Osano’s “Support Global Privacy Control (GPC)” toggle is switched on, Osano listens for consent preference signals coming from visitors using a browser extension that supports GPC and automatically acts on and records those preference signals, keeping you in compliance.
If you’re wondering how to contend with universal opt-out signals and other requirements for 2023’s new data privacy laws, check out our action plan for 2023’s state data privacy laws. Or, find out whether Osano is a fit for your company by scheduling a demo today.
Matt Davis is a writer at Osano, where he researches and writes about the latest in technology, legislation, and business to spread awareness about the most pressing issues in privacy today. When he’s not writing about data privacy, Matt spends his time exploring Vermont with his dog, Harper; playing piano; and writing short fiction.