Announced in 2020, the Global Privacy Control (“GPC”) is a new standard that web browsers and websites can use to simplify making and handling online privacy requests – particularly requests like “Do Not Sell” (do not sell my data to third parties without my consent).
Such online privacy requests have recently been possible due to new consumer privacy laws like the California Consumer Privacy Act (CCPA) and Europe’s General Data Protection Regulation (GDPR). Still, consumers have lacked tools and standards to invoke their newly-won privacy rights.
Now, rather than having to click on individual links across many websites, internet users can invoke their privacy settings in one step via the “Global Privacy Control” (GPC), which is required under the California Consumer Protection Act (CCPA). Europe similarly empowers citizens to object to third-party processing under the General Data Protection Regulation (GDPR).
In 2022, a number of major publishers and consent management platforms adopted the GPC, including The New York Times and the Washington Post.
“Tracking” refers to the many different methods websites, advertisers, ad networks, and others use to learn about your browsing behavior. This includes information about what sites you visit and for how long; things you like, dislike, and comment on; what you search for; and what you buy. They then share this consumer data across the web to show you ads, products, or services specifically targeted to you.
Here’s an example: after you search for “Texas barbeque” in Google, you start seeing ads for Dallas restaurants and Lone Star State barbeque contests on all the pages you visit. Your search told the advertising networks that you’re at least somewhat interested in Texas bbq, and now they’ll follow you around the web throwing related ads at you.
In the past, people could use the “Do Not Track,” or DNT for short, browser control to let sites know they don’t want to be tracked.
Originally proposed in 2009, the DNT project was disbanded in 2019 due to insufficient adoption and support. DNT failed because sites rarely honored users’ opt-out preference signals. Nor did they have to—DNT was totally optional.
Experts seem to be of the opinion that the GPC technical specification might succeed where DNT failed. This is for one core reason: enforcement.
GPC is legally enforceable under data privacy legislation like the CCPA and California Privacy Rights Act (CPRA), which amends the former. Other state privacy laws that respect universal opt-out mechanisms like GPC include the Colorado Privacy Act and Connecticut Data Privacy Act.
In 2022, the California Attorney General concluded that the beauty product retailer Sephora took no steps to block sharing user personal information even when GPC opt-out requests were made, thus violating CCPA regulations. The brand ultimately received a $1.2 million fine for breaking California’s privacy law.
To make it easier for companies to adhere to privacy regulations and user-enabled GPC signals, the Interactive Advertising Bureau has created a privacy compliance framework called the Multi-State Privacy Agreement.
In the future, it is not unlikely that other state laws, such as the Virginia Consumer Data Protection Act, will also require businesses to respond to the GPC signal.
Global Privacy Control lets users opt out of tracking and the sale of personal data at the browser level.
For this to happen, individuals need to use a supported browser or extension and turn on the GPC signal for specific/all sites. Sites that support GPC will register the consent and not collect any data about that specific user.
This is in direct contrast to most opt-out consent management frameworks, where users’ information is collected even before they can opt-out.
As a consumer, you can enable Global Privacy Control by installing a supported browser or browser extension such as:
The launch of GPC is a meaningful step in changing how the industry accepts and handles privacy requests, ensuring consumers have more control over what is done with their private data.
As more users assert their rights using Global Privacy Control tools and more websites adopt the standard handling these requests, pressure will increase on other websites to adopt the GPC standard.
At present, the Global Privacy Control signal is intended to communicate two privacy preferences – a specific Do Not Sell request, as protected by the CCPA, and a general request to limit the sale of data, as protected by GDPR. However, with time, the GPC signal may evolve to communicate additional rights in other jurisdictions.
Even after you enable GPC, data brokers will still track you. These companies collect your personal data from online and offline sources like social media and public records, compile this data into a detailed profile about your life, and then sell it to whoever wants to buy them.
Want to learn more about data brokers? Read our ultimate guide.
Then, follow our opt-out guides to remove your name from these databases (or let us do it for you).
DeleteMe is built for organizations that want to decrease their risk from vulnerabilities ranging from executive threats to cybersecurity risks.
© 2023 Abine, Inc. All rights reserved.