What is Global Privacy Control?

The Chop-O-Matic, the Giant Dehydrator, and the Showtime Rotisserie & BBQ—all of these were popular kitchen items sold on TV in the 20th century. They were all also the brainchild of Ronald Popeil, an American inventor and marketing guru from the 1980s and 1990s.

Popeil was a powerhouse in the infomercial space, where his memorable deliveries vaulted him to pop culture prominence at the time. Most people don’t specifically recall Popeil by name these days (he passed away in 2021), nor do his products still widely circulate, but one creation of his still remains in frequent usage—the ubiquitous phrase, “set it and forget it.”

Although he exclusively used the phrase alongside his rotisserie machine, it turns out it can apply to a long list of things. Who doesn’t want to “set it and forget it,” after all? We’ve all got a million items on our to-do lists. The mental load of juggling professional and personal responsibilities can be downright exhausting. It’s no wonder we look to solutions that automate our workloads.  

Thankfully, there is no shortage of them. You can set-and-forget your banking, your laundry detergent delivery, your doctor’s appointments, and your prescriptions at home. At work, you can automate reports, emails, project management, and more. 

But what about privacy practices? When it comes to personal information, it’s decidedly less set-it-and-forget-it. Until recently, that is. 

Global privacy control: the who, what, when, and why

If your users are looking to set-and-forget their privacy preferences, global privacy control (GPC) is a big step in that direction for them. 

But what is global privacy control to begin with?  

As per Global Privacy Control: Global Privacy Control (GPC) is “a proposed specification designed to allow Internet users to notify businesses of their privacy preferences, such as whether or not they want their personal information to be sold or shared. It consists of a setting or extension in the user’s browser or mobile device and acts as a mechanism that websites can use to indicate they support the specification.”

In short: GPC acts like a control panel that communicates a user’s privacy preferences (specifically, whether they consent to have their personal information sold or shared) to a website. 

The result: a set-it-and-forget-it strategy for privacy that is easier for users to manage.

Although it’s still very much gathering steam, GPC is intent on establishing these privacy controls as a universal technical specification—in short, a universal opt-out for consumers looking to efficiently safeguard their personal data. Parties involved in developing GPC include the World Wide Web Consortium (W3C), Privacy Community Group (Privacy CG), privacy-focused companies including the Electronic Frontier Foundation and Automattic, and tech luminaries such as the former Chief Technologist of the Federal Trade Commission Ashkan Soltani. 

As of right now, though, it’s only been implemented by a handful of web browsers. (More on that below.) That being said, GPC has received vocal support from major privacy players, including the California attorney general, Rob Bonta, and has been embraced by digital publishers and consent management platforms.

How does global privacy control work?

Global privacy control has unique implications for both consumers and businesses. Here’s how it works for each party. 

For consumers

To put GPC to work, users download a browser extension that supports GPC specifications. Once they’ve installed it, they can implement privacy controls (i.e., which websites to send a Do Not Sell/Share request to). GPC allows for a high degree of customization; users can apply GPC settings across all websites or activate it for specific ones.

If the GPC signal is turned on and, crucially, the website is set up to recognize the signal, the user automatically opts out of targeted advertising and anything that could be seen as “selling” their personal information.

Which web browsers support global privacy control?

Some, but not all, web browsers support the GPC signal. The list currently includes:

 

  • Brave
  • DuckDuckGo 
  • Firefox
  • Mozilla 

For businesses

As GPC becomes more widely adopted, businesses will need to identify strategies for recognizing and upholding requests that come through the GPC signal. To start, businesses will need to track which privacy regulations have indicated support for GPC and make sure their privacy practices align with regulatory requirements. (See below for the current relationship status between GPC and state privacy regulations.)

 

As they wrap their heads (and privacy strategies) around what privacy regulations require for GPC, businesses may need to adapt current privacy workflows, particularly if they use third-party systems to track users for ad targeting or other commercial purposes.  

Cookie consent, GPC, and privacy strategies

The basic purpose of GPC is to help users safeguard their privacy by keeping unwanted cookies at bay. Typically, these preferences are delivered via a cookie consent management tool. GPC removes the need for users to engage with the cookie banner. 

This means less work for the user—but not necessarily for website owners. Businesses will need to adopt cookie and consent management platforms that support the GPC signal, as well as update privacy notices and other public-facing privacy communications. 
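As an added illustration (not code from this article or from any consent management product), the sketch below shows one way a site's backend could recognize the signal and apply it on top of a stored cookie-banner choice. The `Sec-GPC` request header and the `/.well-known/gpc.json` support resource come from the GPC specification; the function names, tag inventory, and the "GPC always wins" policy are assumptions made for the example.

```javascript
// Added example with constructed data; function and tag names are hypothetical.
// Per the GPC specification, a participating browser sends "Sec-GPC: 1".
function gpcEnabled(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "sec-gpc") {
      return String(value).trim() === "1"; // any other value is not a signal
    }
  }
  return false;
}

// Merge the choice stored by the cookie banner with the GPC signal.
// Assumed policy: GPC always wins for sale/share and targeted advertising.
function effectiveConsent(headers, storedPrefs) {
  const consent = {
    analytics: false,
    saleOrShare: false,
    targetedAds: false,
    ...storedPrefs,
    necessary: true, // assumed always-on category, outside the opt-out
    source: "banner",
  };
  if (gpcEnabled(headers)) {
    consent.saleOrShare = false;
    consent.targetedAds = false;
    consent.source = "gpc"; // record why, for the privacy audit trail
  }
  return consent;
}

// Return the names of the tags whose purpose the visitor currently permits.
function allowedTags(tags, consent) {
  return tags.filter((t) => consent[t.purpose] === true).map((t) => t.name);
}

// Body of /.well-known/gpc.json, which a site publishes to declare support.
function gpcSupportResource(lastUpdate) {
  return JSON.stringify({ gpc: true, lastUpdate });
}

// Constructed tag inventory and a returning visitor who once accepted everything.
const TAGS = [
  { name: "session", purpose: "necessary" },
  { name: "site-analytics", purpose: "analytics" },
  { name: "ad-exchange-pixel", purpose: "saleOrShare" },
  { name: "retargeting", purpose: "targetedAds" },
];
const STORED = { analytics: true, saleOrShare: true, targetedAds: true };
console.log(allowedTags(TAGS, effectiveConsent({ "sec-gpc": "1" }, STORED)));
```

Because the decision is made from the request header alone, the opt-out is applied without showing the visitor a banner or asking for more information.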

What’s the difference between Do Not Track and Global Privacy Control?

If you’ve been following the privacy industry for some time, GPC may sound strikingly similar to the Do Not Track plug-in. Conceived in the 2000s, the Do Not Track (DNT) plug-in was intended to help users opt out of tracking on websites. Initially supported by Firefox, Internet Explorer, Safari, Opera, and Chrome, efforts ran aground because of anemic technical support and lack of legislative backing. 

The landscape for GPC is considerably different. Unlike the pre-GDPR, pre-CCPA DNT plug-in, GPC is legally binding. GPC meets the definition of “user-enabled global privacy controls” as defined by major privacy regulations and has already passed legal muster in a 2022 court case regarding Sephora’s $1.2 million violation of the California Consumer Protection Act. 

Global privacy control and privacy regulations

Although DNT lacked robust legislative support for its specification, GPC has started off on a much more promising foot. Read on for which privacy regulations are already recognizing GPC—and which ones still have yet to acknowledge it. 

US privacy regulations that honor GPC

California Consumer Protection Act/California Privacy Rights Act

All businesses required to comply with the CCPA/CPRA must accept “opt-out preference signals” as valid requests to opt out of selling or sharing personal information. 

GPC isn’t listed in the regulations, but the California Attorney General has been an advocate of the technology, and, as noted above, it’s been battle-tested in court.  

Businesses that process opt-outs via GPC in a frictionless manner are exempt from including a “Do Not Sell or Share My Personal Information” link. “Frictionless” indicates the business can’t charge a fee, modify the user’s site experience, or display a pop-up or message. This exemption applies only if the GPC signal opts the consumer out of any selling or sharing without demanding more information.

Colorado Privacy Act  

When the law goes into effect in Colorado in July 2023, businesses obligated to comply with the CPA will have one year to implement GPC and accept any “user-enabled universal opt-out method” as a valid request to opt out of targeted advertising.

Connecticut Data Privacy Act

After the Connecticut law goes into effect, businesses have 18 months to implement GPC and recognize “opt-out preference signals” as valid requests to stop receiving targeted advertising.

US privacy regulations that don’t honor GPC (yet)

Utah Consumer Privacy Act  

Under Utah’s privacy law, businesses do not have to honor the GPC signal right now. 

Virginia Consumer Data Protection Act  

Under Virginia’s privacy law, businesses do not yet have to honor the GPC signal.

GDPR and GPC

The legal framework of the General Data Protection Regulation (GDPR) is different from the US’s data privacy laws. As such, GPC isn’t an exact match for submitting a data subject request. For example, users don’t have a specific right to opt out of targeted ads. Also, the ePrivacy Directive (also called the “Cookie Law”) says that websites can’t put marketing cookies on a person’s computer without first getting their permission.

Position your business for global privacy control 

Privacy compliance is difficult, and turning on GPC—at least for businesses—isn’t as simple as setting-and-forgetting. While GPC has yet to become a widely adopted privacy tool for consumers, it’s a significant development to track. 

But with privacy, it can pay off to be an early adopter. If you’re looking to get ahead of this privacy trend, keep in mind that GPC will need to be integrated into a larger compliance strategy that includes critical privacy activities like:

  • Creating user-friendly privacy notices that reflect how the business handles the GPC signal
  • Updating cookie consent banners and other consent management tools where users manage their cookie settings
