close
close
Ditch the manual workflows and spreadsheets
Reduce the staff required to process consumer privacy requests down to 1 person.
See retail solution
request manager icon
close
Replace OneTrust
Reduce risk and build customer trust in less time, with less effort, and at a fraction of the cost of OneTrust.
Compare to OneTrust
request manager icon
View other resources
header image

Honoring GPC Signals

Global Privacy Control (“GPC”) is an open-source technical standard for signaling Do Not Sell or Share opt-outs in a frictionless or near-frictionless way.

“GPC is a way users can universally express, to all sites, their preference not to be tracked on the web. It is a browser-level signal, maintained either by a browser or browser extension, that a user or privacy-focused technology can set. The easiest way to think of GPC is as a robot that selects the Do Not Sell preference on a site on behalf of a user.”

The steps requires to honor GPC using GTM are:

  1. Create a Custom JavaScript Variable.
  2. Create or modify relevant Page View triggers.
  3. Add triggers to tags which may be involved in the exchange and/or sale of data.

Custom JavaScript Variable

We will start by creating a simple Javascript variable in Google Tag Manager. See User-defined variable types for web for details on how to create variables. Here’s the very simple Custom JavaScript you’ll need:

GTM configuration screenshot

function() {
return navigator.globalPrivacyControl === true;
}

You can name the variable GPC or something that is easily referenceable, and we recommend converting null and undefined values to false, though it is not strictly necessary.

laptop icon

Add or Update Triggers

With a GPC variable created, you can now add it to Page View and/or custom triggers. Here’s a very basic Page View trigger which will suppress tags unless the GPC signal is off (or not true).

GPC trigger configuration screenshot

The remaining configuration will vary greatly depending on your current setup. Below we provide guidance to questions that may come up during Implementation.

What if I have existing triggers I’d like to add this variable to?

Click on the + in your trigger to add it accordingly (see screenshot above). Note that for the trigger to fire and render any applicable tags, all conditions must be true. Hence, if you don’t want to load certain tags, you’ll want to ensure that the GPC signal is off with the configuration displayed above.

What If I use a cookie consent tool?

California-facing businesses are expected to provide prescribed opt-out links and to recognize opt-out signals.

  • §7026(4) of the CPPA’s modified regulations state that “a notification or tool regarding cookies, such as a cookie banner or cookie controls, is not by itself an acceptable method for submitting requests to opt-out of sale/sharing because cookies concern the collection of personal information and not the sale or sharing of personal information. An acceptable method for submitting requests to opt-out of sale/sharing must address the sale and sharing of personal Information.”
  • Further, the California AG’s enforcement case examples indicate that redirecting a user to a “third-party trade association’s tool designed to manage online advertising” or serving a “pop-up option that only [discusses] how to manage cookies and similar technologies” is not compliant.⁴

In collaboration with your privacy and legal teams, you’ll want to identify the best implementation approach that both respects the GPC signal and provides the best user experience to your website visitors.

  • You may, if supported by your Customer Success Manager, suppress loading of the cookie consent tool for browsers with the signal turned on until they engage with properties on your site which would benefit from a more personalized, site-specific experience.

⁴ The former adds unnecessary friction, and the latter does not address data “sales”.

⁵ See §7025(c)(3) of the CPPA’s modified regulations. “If the opt-out preference signal conflicts with a consumer’s business-specific privacy setting that allows the business to sell or share their personal information, the business shall process the opt-out preference signal as a valid request to opt-out of sale/sharing, but may notify the consumer of the conflict and provide the consumer with an opportunity to consent to the sale or sharing of their personal information.

What if I already use/or want to use DataGrail’s Do Not Sell intake forms?

Simply add a new condition alongside the cookie-based variable that DataGrail enables to ensure that tracking tools only fire when the cookie isn’t set and the GPC signal is off. You can work with your Customer Success Manager to get detailed instructions. For more information, see the question about existing triggers above.

Add Triggers to Tags

With the help of your privacy and legal teams, as well as with any marketing site scanning tools, your team will want to first identify any tools or services that are loaded which may be involved in the exchange of sale of data via tracking or otherwise.

Having identified those tools, you’ll want to load these, if you are not already, via GTM by using native or custom tags.

continue reading