What is Global Privacy Control?

Global Privacy Control (GPC) is a specific open-source technical specification that helps consumers voice objections to privacy-sensitive data practices through their browser or device.

For example, with GPC users can opt-out of businesses:

• Selling their data to third parties for monetary or other valuable consideration
• Sharing their data with targeted ad providers
• Targeting them with behavioral/interest-based ads
• Using or sharing sensitive personal information out-of-context

By broadcasting a signal – via the browser itself or a specialized plug-in – users can communicate an opt-out for that browser or device to any website ‘listening’ for such signals.  This can significantly reduce the need to manually opt-out at each and every website the user visits.

So, what do opt-out signaling frameworks like GPC mean for consumers, web developers, and businesses?

Why Was GPC Created?

Governments increasingly enact laws and regulations protecting individuals’ data privacy rights, and consumers increasingly prioritize doing business with companies respecting their data privacy. Among the rights becoming established in the US, Americans increasingly have the right to opt out of the selling or sharing of their personal data by website operators.

In turn, website operators must provide users with ways to voice their objections, and to honor requests in a timely and demonstrable manner. The typical user experience includes accepting or rejecting advertising cookies, filling out forms or making selections in a provided preference center, among other interactions. With GPC, users can opt-out globally in a set-it-once-and-forget-it way.

Further:

• Per California’s Attorney General (AG), the ease with which companies can collect and sell or share consumer data should be matched by consumer capabilities to readily opt-out.
• Many websites begin collecting consumers’ data before consumers can provide preferences.
• Requiring consumers to notify websites individually is “impractical.”
• Differences between privacy law and regulation complicate businesses’ compliance efforts.

To address these factors, concerned stakeholders developed the GPC specification.

How Does GPC Work?

With GPC, users automatically provide their “do-not-sell-or-share” preference to websites via the signal, which is mediated by their browser. The signal provides an opt-out instruction by default, and like with ad-blockers and similar such browser-based tools, users can make exceptions for specific sites.

An HTTP header or document object model (DOM) delivers the signal. It communicates with website opt-in/opt-out forms, cookie consent tools, triggers for PageView tags, and other mechanisms that initiate data collection, sharing, or selling.

How Can Consumers Use GPC?

To enable GPC, a user must use a web browser that offers native support (e.g., Brave, DuckDuckGo, Mozilla’s Firefox) or add an extension to their browser (e.g., Privacy Badger, DuckDuckGo’s extension for Chrome).

For consumers, it’s as simple as downloading a new browser or adding an extension to their current one (and maintaining any site-specific preference changes).

How Can Web Developers Use GPC?

Web developers can use GPC to improve the browser setting and a website’s privacy settings, streamline business’ compliance, and provide users with a seamless experience that respects their preferences. And they can do so easily by leveraging the tag managers they’re already using to insert code snippets or tracking pixels on websites.

How To Honor GPC With Tags, Triggers, and Variables

DataGrail’s elegant solution for recognizing GPC signals involves three easy steps:

1. Create a Custom JavaScript variable – Start by creating a user-defined variable defined as “true” if a global privacy control signal is sent using the following Custom JavaScript:
   

   function() {
   return navigator.globalPrivacyControl === true;
   }

2. Create or modify PageView triggers – Next, create or modify any PageView triggers that initiate tag insertion for data collection, sharing, or selling. Configure the trigger(s) to only “fire” (i.e., insert tags) if the GPC variable is defined as “false.” If the variable is defined as “true,” the trigger won’t fire.
3. Add triggers to data collection, sharing, and sale tags – Finally, add the configured trigger to all tags used for data collection, sharing, and selling.

It’s quick, simple, and effective.

And companies already using DataGrail’s “Do Not Sell” form can seamlessly integrate GPC signal recognition to further bolster their compliance. This merely requires creating a new condition that prevents tags from firing unless DataGrail’s cookie-based variable is set and the GPC signal variable is defined as “false.”

Note: The steps provided above are specific to Google Tag Manager, as it’s the preference for 97% of businesses using these tools. However, the same will work for other tag managers with minor adjustments.

How Does GPC Affect Businesses?

Depending on applicable data privacy laws and regulations, a business may be obligated to recognize GPC signals. For example, this applies to companies doing business with residents of the following states:

• California – Per the CCPA and its implementing regulations as amended by CPRA, businesses must recognize opt-out preference signals in addition to honoring opt-out requests submitted through other prescribed opt-out mechanisms. (The CA AG’s $1.2 million settlement with Sephora centered on the cosmetics giant failing to honor GPC signals.)
• Colorado – The Colorado Privacy Act creates similar obligations for businesses to honor so-called “universal opt-out mechanisms” which include signals like GPC – as of July 1, 2023.
• Connecticut – The Connecticut Data Privacy Act (CTDPA) requires compliance with any global opt-out requests made by an “authorized agent,” which includes opt-out signals like GPC— as of  July 1, 2023.

Since California frequently paves the way for other states’ (and eventually federal) laws, businesses should expect obligatory global privacy signal recognition to become a defacto national requirement.

Adopting specifications like GPC can also lead to a better user experience for consumers, and a streamlined compliance approach for Internet-native businesses. Per the California Privacy Protection Agency’s modified CCPA regulations, a business can interpret GPC signals in an automated way behind the scenes.

Prepare for Data Privacy Compliance with DataGrail

As GPC is a relatively new specification (younger than the California Consumer Privacy Act), businesses may not be aware of these global privacy signals or any obligations to recognize them. But that’s why businesses partner with DataGrail to navigate the continually shifting landscape of data privacy law and data protection regulation.

Our extensive experience, data privacy platform solutions, and guidance will help your business track and honor Do Not Sell/Do Not Sell opt-out requests – including those sent as GPC signals.  Our platform is supported by seamless integration with popular customer data and targeted advertising platforms to cover every compliance angle.

Contact us today to get started.

Sources: 

GPC. Global Privacy Control (GPC). https://privacycg.github.io/gpc-spec/ 

State of California Department of Justice Office of the Attorney General. California Consumer Privacy Act (CCPA). https://oag.ca.gov/privacy/ccpa#collapse1b 

State of California Department of Justice Office of the Attorney General. CCPA Final Statement of Reasons. https://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-fsor.pdf

IAPP. Is GPC the new “do not track”? https://iapp.org/news/a/is-gpc-the-new-do-not-track/ 

GPC. Global Privacy Control (GPC). https://privacycg.github.io/gpc-spec/ 

Wappalyzer. Tag managers technologies market share. https://www.wappalyzer.com/technologies/tag-managers/