71% of adults worldwide have taken proactive measures to protect their privacy online, according to a study by Norton. For users, these involved changing privacy settings on their devices, disabling third-party cookies, adding multi-factor authentication or even using a VPN. The evolving requirements of privacy laws like the EU’s GDPR or the various US state laws don’t make the process any easier.
Users are now often required to also engage with cookie banners, opt-in checkboxes, and accept privacy or cookie policies, to mark their privacy preferences. Clearly, handling privacy on the internet is not a one-click solution.
This is where Global Privacy Control (GPC) comes in, offering a simple solution to implement a universal opt-out signal for an easier and more cohesive privacy experience for users.
What is Global Privacy Control (GPC)?
The Global Privacy Control (GPC) is a browser signal or extension that facilitates the process for users to indicate their privacy preferences while navigating the internet. At its core, GPC allows users to enable privacy preferences in their web browsers. This preference is then transmitted as a signal to every website they visit, indicating their respective choices, including the choice to either opt in or opt out of cookie usage, data sharing, data sale, and targeted advertising.
When a user enables their preferences via GPC and it is recognized by a website, the visitor is automatically opted out of targeted advertising and any activities that involve the sale or sharing of their personal data.
Many web browsers, browser extensions and tools have adopted GPC. These include browsers like Firefox, Brave, Privacy Badger and DuckDuckGo (Full list here). Browsers like Chrome that do not have an in-built GPC feature also support GPC extensions.
Background on GPC
Global Privacy Control or GPC was developed in response to the CCPA, which envisioned the concept of a universal opt-out signal. An informal consortium of over dozen organizations including the Electronic Frontier Foundation (EFF), the National Science Foundation, Mozilla, The New York Times, and The Washington Post back the GPC.
In 2022, CCPA initiated its first-ever enforcement action of $1.2 million against Sephora and referenced the company’s alleged failure to honor a user opt-out through GPC.
What does GPC mean for businesses and publishers?
GPC is increasingly recognised by global privacy laws as a requirement for a valid mechanism for honouring opt-out requests. Let’s take a closer look at how GPC is treated under different regulations:
California Privacy Rights Act (CPRA)
Under the CCPA/CPRA, the California Privacy Protection Agency mandates that businesses treat opt-out preference signals as valid requests to opt out of the sale or sharing of personal information. The CCPA regulations note that:
“If a business collects personal information from consumers online, the business shall treat user-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting, or another mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information as a valid request submitted…for that browser or device, or, if known, for the consumer.”
The CCPA’s implementing regulations also state that:
- Global privacy signals must clearly show a consumer’s intent to opt out of the sale of their personal information.
- In cases where there are conflicting signals between a user’s GPC signals and their preferences made through a cookie banner, businesses should the GPC signal over any other user-stated preferences.
Colorado Privacy Act
From July 1, 2024, onwards, the Colorado Privacy Act (CPA) requires businesses to allow consumers to exercise their rights to opt out of the processing of their personal data for purposes of targeted advertising or sale through a “universal opt-out mechanism.”
- Unlike California, CPA’s requirement to honor the universal opt-out mechanism is mandatory from July 2024.
- The CPA Rules clarify the technical specifications for facilitating an opt-out through universal signals, what disclosures businesses need to make and how businesses must respond to user signals.
- The Colorado Department of Law will publish a list of all Universal Opt-Out Mechanisms that have met the specified technical criteria on or before January 1, 2024.
Connecticut Data Privacy Act
Starting from January 1, 2025, the Connecticut Data Privacy Act (CTDPA) extends the existing opt-out obligations and requires businesses to facilitate consumers to opt out of the processing of their personal data for targeted advertising or sale via an opt-out preference signal. This signal should clearly indicate a consumer’s intention to opt out of any such data processing or sale.
Rules of universal opt-out mechanism
Both the Colorado Privacy Act (CPA) and the Connecticut Data Privacy Act (CTDPA) require that the opt-out signal must:
- Be based on clear and unambiguous choices made by consumers, rather than on default settings.
- Not unfairly disadvantage other businesses.
- Should be user-friendly and straightforward to use.
- Be consistent with similar mechanisms required by other legislations.
- Enable businesses to accurately verify whether a consumer is a resident of the state and has made a valid opt-out request.
Other US state privacy laws
US state privacy laws such as Virginia’s Consumer Data Protection Act (VCDPA) and Utah Consumer Privacy Act (UCPA) do not require businesses to respond to the GPC signal.
GDPR
The General Data Protection Regulation (GDPR) has an opt-in framework for consent, meaning users must specifically take action to give consent before their data is processed by any business. So, organizations subject to the GDPR are not legally obligated to honor universal opt-out mechanisms like GPC. However, GDPR requires that “Natural persons should have control of their own personal data” (Recital 7). The use of a GPC signal can help to communicate the user’s intention to restrict their data processing, which businesses are required to respect.
GPC website also notes that it is “possible that a GPC signal opting out of processing could create a legally binding obligation for data processors” under GDPR in the future.
Implementing Global Privacy Control for your business
Implementing GPC within your business requires consideration of your overall privacy compliance strategy. Here are some key things to note:
Determine applicability of privacy laws: Evaluate which privacy laws apply to your business. Depending on the applicability, you may be required to comply with specific requirements for opt-out preference signals like GPC.
Enable GPC for consent management: GPC signals are often enabled by users to restrict the use of cookies, especially third-party tracking cookies. If you are using a consent management platform (CMP) on your website, ensure that it supports the GPC signals.
CookieYes CMP allows websites to detect these browser or plugin settings and honour the visitor’s signal preferences. You can enable the GPC feature on your banner, without any additional configuration.
Integrate with GPC signal: Identify the data collection practices within your business that can be linked to the GPC signal. Ensure that you can receive GPC signals, transmit them to your backend systems and respond in accordance with the user’s privacy preferences.
Even if your company isn’t obligated by a regulation to handle GPC signals, your business can demonstrate a commitment to respecting users’ privacy preferences and nurture their trust in your business.
How CookieYes can help with Global Privacy Control
Honour GPC signal – enable the option to respect Global Privacy Control and our CMP will automatically accept the visitor’s signal preferences. Your site visitors will also be informed of honouring the GPC signal via our opt-out banner.
Custom opt-out banner – display a fully customizable opt-out banner to support your compliance with CCPA/CPRA (California), VCDPA (Virginia), CPA (Colorado), CTDPA (Connecticut), & UCPA (Utah) and other US privacy laws.
For compliance with GDPR (EU & UK), LGPD (Brazil) and other global opt-in laws, you can utilise our cookie consent banner.
Do not sell/share link – add the Do Not Sell/Share (DNS) link to your website footer. With this link, your site visitors can easily access the opt-out preference centre and mark their privacy preferences.
Integrate with tech stack – implement CookieYes on any CMS/HTML website and integrate with existing standards such as Google Consent Mode, Google Tag Manager and IAB TCF version 2.2.
FAQ Global Privacy Control
How do I turn on global privacy control?
To enable Global Privacy Control (GPC) you need to configure it on your browser or use browser extensions that support GPC.
For browsers that have built-in support:
- Firefox: Access about:config from your browser and search for globalprivacycontrol, and enable the options.
- Brave: GPC is a default feature.
- DuckDuckGo: GPC is enabled by default.
For browsers that don’t have built-in support, use browser extensions or add-ons that implement GPC.
What is the global privacy control in California?
The GPC is a web browser setting that allows users to signal their preference for enhanced privacy controls when they browse websites. California’s state-level privacy laws, the California Consumer Privacy Act (CCPA) and its amendment California Consumer Privacy Act (CPRA) require businesses to respect Global Privacy Control signals set by users as a valid opt-out mechanism.
What is a global opt-out?
Global opt-out typically refers to mechanisms like the Global Privacy Control (GPC) that enable users to make a universal request for privacy control when browsing the internet.
Instead of having to individually configure privacy settings on each website they visit, users can employ a global opt-out mechanism to streamline the process and ensure consistent privacy preferences across the web.
Does CCPA require global privacy control?
Yes. A global privacy control signal must be honored by businesses in California as a valid consumer request to opt out of the sale or sharing of personal information. This obligation falls under the scope of both the California Consumer Privacy Act (CCPA) and the amended California Privacy Rights Act (CPRA) that grant California residents the right to opt out of the sale/sharing of their personal information.
What is the universal opt-out mechanism in Colorado?
Colorado Privacy Act (CPA) provides consumers the right to opt out of the sale of their personal information and targeted advertising. The CPA provides for a “user-selected universal opt-out mechanism” that businesses are required to implement beginning July 1, 2024.
Universal opt-out mechanisms are browser settings/extensions that enable users to send a standardized signal to websites they visit, indicating their preference to opt out of data collection and sharing, such as tracking for targeted advertising
What is an example of an opt-out preference signal?
Global Privacy Control (GPC) is an example of an opt-out preference signal, also referred to as a universal opt-out mechanism. The GPC is a standardized signal sent from a user’s web browser to the websites they visit. When a user enables the GPC in their browser settings, it sends a signal to websites, indicating the user’s intention to opt out of certain data collection and sharing practices.
