Global Privacy Control is an effort by over 50 organizations that run tens of thousands of websites to make it easier for people to use the internet and protect their data privacy regarding cookies. Many online businesses still wrongfully assume that serving website visitors with a privacy notice is all they need for compliance, but that’s not true. Using cookies and handling data subject requests are important for data protection compliance.
What is Global Privacy Control?
Global Privacy Control, commonly known as GPC, is a browser setting that notifies the website about the user’s privacy preferences - like the novel ADPC. If you set up your web browser settings properly to protect your online privacy, every time you land on a website that respects your choices, your browser will send the GPC signal to that website. The website operator must honor your opt-out preference signals and comply with them.
The GPC signal means you opt out of selling personal data and object to processing your data. It has the same meaning as if you clicked the "Do Not Sell My Personal Information" link or sent an objection consumer request to the business.
That way, consumers do not have to send opt-out and objection requests to each business separately. Setting the web browser once is enough to inform them all.
How Do the CCPA and CPRA Regulate Global Privacy Control?
In recent years, California has taken a proactive stance on data privacy. It is worth mentioning that GPC is being enforced in California, making it crucial for businesses operating in the state to comply with this regulation. This step ensures that users' privacy preferences are respected and honored by websites.
Businesses covered by the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), and California Online Privacy Protection Act (CalOPPA) must comply with the Global Privacy Control and honor the consumers’ requests sent through the GPC signal.
In 2021, California Attorney General Rob Bonta, announcing the Sephora-CCPA settlement, clarified that businesses must respect GPC. A few months before, they published the modified CCPA regulations, stating that consumers can opt-out by using several universal opt-out mechanisms, including "user-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting, or another mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information."
CalOPPA, California’s oldest data privacy law, requires businesses to inform consumers how they react to "Do Not Track" signals, but it doesn’t require them to respect the signal. That has changed.
Ensure your website or app adheres to the GPC signal if your business is subject to the CCPA or the CPRA.
GPC could also help you comply with some of the other recent consumer privacy laws passed in the US. The Colorado Privacy Act and the Virginia Consumer Data Protection Act have similar requirements for businesses, so businesses would have to follow more than one law simultaneously if they honored the opt-out preference signals.
How Does the EU's GDPR Regulate Global Privacy Control?
Before collecting and using a user's personal data, the EU General Data Protection Regulation (GDPR) and the ePrivacy Directive require businesses to get user opt-in.
Once a business has a data subject’s data, the subject can submit requests. No matter the request submission method, the data controller must honor the request.
As a result, every business must conform to the GPC signal. It signals the controller that the user has withdrawn consent or objects to the processing.
How to Set Up the Global Privacy Control Signal
Here’s a list of the web browsers that support GPC, with links to technical specifications and instructions on how to activate the GPC signal from your browser, as well as some browser extensions and plugins that can do the work:
(Note: Google Chrome is not currently part of the GPC initiative)
You can also find a helpful handbook for free on the GPC website. The handbook, authored by Aram Zucker-Scharff from The Washington Post and Sebastian Zimmeck from Wesleyan University, provides valuable guidance on implementing GPC on your website.
What Is the Difference Between Global Privacy Control and a Consent Management Platform (CMP)?
The GPC and the CMP are necessary to comply with data protection laws but have distinct purposes. A consent management platform helps you collect data only after receiving explicit consent. Laws such as the GDPR, ePrivacy, Brazilian LGPD, and others require you to obtain explicit consent before data collection. It also helps you honor your customers’ requests to withdraw consent easily. CMPs come with functionalities that ease the requesting, obtaining, and withdrawing of consent.
On the other hand, GPC informs websites of users’ preferences regarding data tracking and allows them to opt out of the processing. It provides a method for opting out of the sale of personal information, sharing data with third parties, objecting to the processing, and withdrawing consent. By implementing GPC and a CMP, businesses can ensure compliance with data protection regulations and prioritize user privacy.
Secure Privacy Supports GPC Out-Of-The-Box
At Secure Privacy, we prioritize the privacy and security of our customers. Our platform supports GPC out of the box, requiring no additional configuration. This commitment enables us to uphold the highest privacy standards and ensures that our customers' data is always protected. By implementing Secure Privacy, businesses can effortlessly comply with GPC requirements and safeguard user privacy.
