

What Is the Global Privacy Control--and Why Does It Matter?

September 6, 2023

What Is the Global Privacy Control (GPC)?

The Global Privacy Control is an update to the "Do Not Track" browser signal that the ad world successfully killed 10 years ago. According to, it is a proposed specification designed to allow Internet users to notify businesses of their privacy preferences, such as whether or not they want their personal information to be sold or shared. It consists of a setting or extension in the user’s browser or mobile device and acts as a mechanism that websites can use to indicate they support the specification.

In short, it's an easy way for consumers to exert their privacy rights automatically whenever they visit a website. They can tell enterprises they do not want their data sold without having to repeatedly express their preference at each different website they visit. When a consumer sets their web browser to transmit the GPC, every website they visit receives this signal and is required to honor the consumer’s request to protect their privacy.

Why Is GPC Important?

On August 24, 2020, California’s Attorney General Rob Bonta announced the first major enforcement of CCPA against the luxury retailer Sephora. Among other compliance failures, Bonta pointed out that Sephora’s web sites did not properly handle the GPC signal, which directly equates to a violation of CCPA. This was the first time the GPC was explicitly included as part of privacy compliance, as it has only been a “recommendation” since it was proposed in 2020. The term “Global Privacy Control” appears 11 times in the press release, clearly indicating the AG’s focus on it.

Along with the announcement of the Sephora enforcement, Bonta included some general remarks to guide enterprises that are striving to comply with CCPA (added emphasis ours). “I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. My office is watching, and we will hold you accountable. It’s been more than two years since the CCPA went into effect, and businesses’ right to avoid liability by curing their CCPA violations after they are caught is expiring. There are no more excuses. Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls.”

How Can Consumers Use GPC?

GPC is built into a number of different browsers, including Brave, DuckDuckGo, and Firefox, and available as an extension through a variety of other technology providers. Consumers can download one of the browsers and/or extensions and activate it easily to start transmitting their privacy settings. 

A list can be found here

Why Is GPC Compliance Important?

Not every privacy law requires businesses to comply with the GPC signal, but multiple state privacy laws do, including CCPA (California), the Colorado Privacy Act, and the Connecticut Data Privacy Act. Failure to comply can result in fines or other enforcement actions, but there are business reasons why complying with consumer privacy requests just makes sense. 

Here are several ways that organisations can benefit from adopting a privacy-centric approach.

  • Enhanced customer experience: By being transparent about their data practices and giving customers control over their data, advertising companies can ensure they are meeting customers’ expectations.
  • Cost savings: Reduce the risk of costly privacy violations and legal liabilities, avoiding fines, legal fees, and reputational damage.
  • Increased revenue: When customers' data is being used in a responsible manner, they are likely to engage more, leading to more business, customer loyalty and repeat business.
  • Competitive advantage: Companies can differentiate themselves from competitors and position their brand and products as responsible and trustworthy.
  • Increased brand reputation: Valuing and respecting user data can establish a positive reputation beyond a company’s customer base, leading to increased brand awareness and loyalty.

How Does Exterro Consent Work with GPC?

The short answer is “When it has been integrated into a website, Exterro Consent handles GPC exactly as required by CCPA/CPRA.”

Web sites are just one way that modern enterprises ingest data – Exterro Consent must be integrated into every data ingestion point to connect it to the central server. Once connected, Exterro Consent is a complete enterprise consent management service that displays the proper privacy notice and gathers users’ privacy preferences as required by regulations.

When Exterro Consent is integrated into customer websites, GPC sensing code should also be added. If the GPC code is detected, the “Do Not Sell” opt out signal will be posted to Exterro Consent via the API, exactly the same as if the customer clicked on “Do Not Sell My Data.” From that time on, any data processing activity within the enterprise that queries Exterro Consent for the user’s opt out preference will receive the “Do Not Sell” signal.

By contrast, a cookie banner that registers the user’s GPC signal has no way of informing the enterprise that the user has set GPC. If the user is reading an email, viewing a text message campaign, using a native mobile app, being telemarketed, or video surveilled, the user’s GPC signal is not being properly honored. Cookie banner systems do not offer GPC compliance beyond the current browser session.
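As an added illustration of the flow in the two paragraphs above (this is not Exterro's code or API): the `Sec-GPC: 1` request header and `navigator.globalPrivacyControl` come from the GPC proposal, while `ConsentStore`, `handleWebRequest` and `maySell` are hypothetical names standing in for a central consent service. It shows the opt-out being stored against the user, so a later request or a non-web channel that queries the store still sees it.

```javascript
// Added example: ConsentStore, handleWebRequest and maySell are hypothetical names.

// Server side: the GPC proposal defines the request header "Sec-GPC: 1".
// Any other value is treated as "no signal".
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "sec-gpc") return String(value).trim() === "1";
  }
  return false;
}

// Client side: the same preference is exposed as navigator.globalPrivacyControl.
function gpcFromNavigator(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// Hypothetical central consent record, standing in for a consent service API.
class ConsentStore {
  constructor() { this.optOuts = new Map(); }
  recordDoNotSell(userId, source) {
    // Keep the first record so the audit trail shows when the opt-out began.
    if (!this.optOuts.has(userId)) {
      this.optOuts.set(userId, { source, at: new Date().toISOString() });
    }
  }
  maySell(userId) { return !this.optOuts.has(userId); }
}

// Web ingestion point: treat GPC exactly like a click on "Do Not Sell My Data".
// A missing signal never clears an earlier opt-out (assumption of this example).
function handleWebRequest(store, req) {
  const signalled = gpcFromHeaders(req.headers);
  if (signalled && req.userId) store.recordDoNotSell(req.userId, "gpc");
  // Anonymous visitors still get the signal honored for this request.
  const sellAllowed = !signalled && (req.userId ? store.maySell(req.userId) : true);
  return { signalled, sellAllowed };
}

// Constructed sample requests (not captured traffic).
const store = new ConsentStore();
const withGpc = handleWebRequest(store, { userId: "u-1001", headers: { "Sec-GPC": "1" } });
const laterNoGpc = handleWebRequest(store, { userId: "u-1001", headers: {} });
const otherUser = handleWebRequest(store, { userId: "u-2002", headers: { "sec-gpc": "0" } });
console.log(withGpc, laterNoGpc, otherUser, store.maySell("u-1001"));
```

An email or telemarketing job would call `store.maySell(userId)` before using the record, which is the cross-channel lookup a banner that only sets a browser cookie cannot provide.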

For a handy guide to Exterro Consent and the GPC, download our FAQ here.

