The Global Privacy Control (GPC) is a technical specification that allows users to signal their cookie preferences across websites. It’s a data privacy standard that has been initiated by some organizations with the aim of adding another layer of data protection for internet users. It’s supported by some of the challenger browsers like Brave and DuckDuckGo, publishers such as the New York Times and Washington Post as well as other organizations involved in data protection.
When enabled in a browser or browser extension, the GPC transmits an opt-out signal to websites, informing them that the user does not wish to have their personal information “sold.”
We’re using the word “sold” here as it’s defined in the California Consumer Privacy Act (CCPA). This law requires businesses to allow consumers to opt out of the sale of their personal information—and “selling” includes using third party cookies for marketing purposes.
Can consumers use the GPC as a CCPA “Do Not Sell” method?
Yes, consumers can use the GPC to opt out of the sale of their personal information. And if you’re covered by the CCPA, recognizing an opt-out request from the GPC is a legal requirement.
The CCPA Regulations first mentioned that consumers might use a “browser setting” to signal an opt-out request. Then on July 15, 2021, the California Attorney-General’s office updated its CCPA FAQs to clarify that the GPC constitutes a valid opt-out method.
The FAQs state that:
“For businesses that collect personal information from consumers online, one acceptable method for consumers to opt-out of sales is via a user-enabled global privacy control, like the GPC.”
Furthermore, the FAQs state that “Under law, (the GPC) must be honored by covered businesses as a valid consumer request to stop the sale of personal information.”
What about the GDPR?
The GPC isn’t actually relevant to the EU General Data Protection Regulation (GDPR).
Here’s why: The GDPR requires you to obtain “affirmative” or “opt-in” consent for all but essential cookies (used for things like load-balancing, user-requested UI settings, or sign-in).
The GPC operates on an “opt-out” basis. Opt-out consent isn’t valid under the GDPR.
Therefore, if you’re hoping to set cookies for analytics, advertising, or some other non-essential purposes, you’ll need to get opt-in consent from any visitor from the European Economic Area (EEA) and the UK.
Isn’t the GPC just like “Do Not Track” (DNT)?
Yes, the GPC is very similar to the DNT signal that has been integrated into browsers for many years.
Unfortunately, however, many websites ignored DNT signals. The previous legal obligation, under the California Online Privacy Protection Act (CalOPPA) was not to obey DNT signals—just to let consumers know whether you obeyed them.
As such, the DNT project has not really succeeded in its goal of promoting a more private internet. But with the legal backing of the CCPA, and the GPC is a far more promising standard.
How do I configure my site to recognize the GPC?
CCPA-covered businesses are now legally required to respect opt-out requests conveyed via GPC. This means configuring your site to enable this should be a top priority.
You can set up Cassie to respond to the GPC in respect of your Californian users’ opt-outs, while requesting opt-in consent from your website’s European visitors for GDPR compliance.
To see how Cassie can work for your organization, contact us today.