What Is GPC (Global Privacy Control), and Why Does It Matter?
The California Attorney General has been issuing dozens, if not hundreds, of letters asserting violations of the CCPA’s Do Not Sell requirement based on a failure to recognize signals from a new third-party browser plugin called GPC. If you receive such a letter, there is only a 30-day window to cure before an enforcement action is initiated.
What is Global Privacy Control?
Global Privacy Control (GPC) is a proposed specification designed to allow internet users to notify businesses of their privacy preferences, such as whether or not they want their personal information to be sold or shared. It consists of a setting or extension in the user’s browser or mobile device and acts as a mechanism that websites can use to indicate they support the specifications. (Source from GlobalPrivacyControl.org)
GPC is an industry tool produced as a plugin to browsers like Chrome and Firefox. GPC is a mechanism for people to tell websites to respect their privacy rights under the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA) and legislation in other jurisdictions.
Under the CCPA regulations, § 999.315 (Requests to Opt-Out), subsection (c):
If a business collects personal information from consumers online, the business shall treat user-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information as a valid request submitted pursuant to Civil Code section 1798.120 for that browser or device, or, if known, for the consumer.
(1) Any privacy control developed in accordance with these regulations shall clearly communicate or signal that a consumer intends to opt-out of the sale of personal information.
(2) If a global privacy control conflicts with a consumer’s existing business-specific privacy setting or their participation in a business’s financial incentive program, the business shall respect the global privacy control but may notify the consumer of the conflict and give the consumer the choice to confirm the business-specific privacy setting or participation in the financial incentive program.
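The regulation above treats a browser-sent GPC signal as a valid opt-out request and, in subsection (c)(2), makes it override a conflicting account-level setting. The following is an added example (not code from the original post or from the GPC project) of how a site's request handling can implement that rule. The header name Sec-GPC, the value "1", and the /.well-known/gpc.json resource are taken from the published GPC specification; the storedPreference values and the request samples are constructed for illustration.

```javascript
// Case-insensitive header lookup; Node lowercases header names, other stacks may not.
function headerValue(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) {
      return Array.isArray(value) ? String(value[0]) : String(value);
    }
  }
  return undefined;
}

// The GPC spec defines exactly one opt-out value for the Sec-GPC request header: "1".
// Any other value (or a missing header) means no GPC signal was received.
function hasGpcSignal(headers) {
  const value = headerValue(headers, "Sec-GPC");
  return value !== undefined && value.trim() === "1";
}

// DNT: 1 is the older Do Not Track header. It is detected separately so the two
// signals are never confused: DNT has no defined response and no legal duty to honour it.
function hasDntSignal(headers) {
  const value = headerValue(headers, "DNT");
  return value !== undefined && value.trim() === "1";
}

// Apply § 999.315(c). storedPreference is an assumed account-level value:
// "sell-allowed", "opted-out" or null (no account or no stored choice).
// A GPC signal always wins; when it conflicts with a stored "sell-allowed"
// choice, subsection (c)(2) lets the business notify the consumer of the conflict.
function resolveOptOut(headers, storedPreference) {
  if (hasGpcSignal(headers)) {
    return {
      optOut: true,
      source: "gpc",
      notifyConflict: storedPreference === "sell-allowed",
    };
  }
  return {
    optOut: storedPreference === "opted-out",
    source: storedPreference ? "account-setting" : "none",
    notifyConflict: false,
  };
}

// Response body for GET /.well-known/gpc.json, the spec's way for a site to
// state that it honours GPC. lastUpdate is an ISO 8601 date set by the site operator.
function gpcWellKnown(lastUpdate) {
  return JSON.stringify({ gpc: true, lastUpdate });
}

// Constructed sample requests (not captured traffic).
const gpcRequest = { "sec-gpc": "1", "user-agent": "ExampleBrowser/1.0" };
const dntOnlyRequest = { DNT: "1", "user-agent": "ExampleBrowser/1.0" };
console.log(resolveOptOut(gpcRequest, "sell-allowed"), resolveOptOut(dntOnlyRequest, null));
```

The same decision should feed every downstream sale or share of the request's data (ad tags, analytics, data-broker feeds), not only the consent banner.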
What is Do Not Track?
DNT (Do Not Track) is a web browser setting that requests that a web application disable its tracking of an individual user. When you turn on the DNT setting in your browser, your browser sends a special signal to websites, analytics companies, ad networks, plug-in providers, and other web services you encounter while browsing, asking them to stop tracking your activity. (Source from Allaboutdnt.com)
There is no consensus on how the companies you interact with should interpret a DNT signal. Most sites do not respond or change their current practices when they receive it. Some companies may refrain from personalizing the ads they show you. Others may show you a message and limit the use of their site until you allow them to track you.
What is Do Not Sell/Share?
The Do Not Sell Rule, also known as the Do Not Sell Requirement, is a stipulation of the CCPA that gives consumers the right to opt-out of the sale of personal information. Specifically, California residents have the right to direct businesses to stop selling/sharing their personal information.
Under the CCPA regulations, § 999.315 (Requests to Opt-Out), subsection (a):
A business shall provide two or more designated methods for submitting requests to opt-out, including an interactive form accessible via a clear and conspicuous link titled “Do Not Sell My Personal Information,” on the business’s website or mobile application. Other acceptable methods for submitting these requests include, but are not limited to, a toll-free phone number, a designated email address, a form submitted in person, a form submitted through the mail, and user-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information.
GPC is therefore one of the acceptable methods for submitting a Do Not Sell/Share (DNSS) request.
What’s the difference?
GPC
- Signal sent by a browser or plugin to a website and business indicating a user preference
- User does not need to create an account for a website
- Defined response by websites
- Legal requirement to respond
DNT
- Signal sent by a browser or plugin to a website and business indicating a user preference
- User does not need to create an account for a website
- No defined or agreed upon response by website
- No legal requirement to respond (just to disclose)
DNSS
- A business must provide notice to consumers that it sells consumers’ personal information to third parties and that consumers have the right to opt-out of such sales.
- The business’s website must post a “Do Not Sell My Personal Information” link that takes consumers to a web page where they can exercise the right to opt-out of the sale of their personal information.
- The business must provide this link on its homepage and any page that collects personal information, or on its application’s platform or download page.
- Users must be able to submit opt-out requests without having to create an account.
- The business must inform consumers of their right to opt-out and provide the do not sell link in its online privacy policy or any other California-specific description of rights.
- The business must respect the consumer’s decision for at least 12 months. After this time the business can ask the consumer to authorize the sale of personal information.
- The business must train individuals responsible for handling customer rights inquiries and processing consumer rights requests.
- Legal requirement to respond
How does this relate to CCPA compliance?
In an update to its CCPA FAQs, the California Attorney General’s office stated that businesses that sell personal information must honor GPC signals. Under § 1798.120 of the CCPA, businesses are required to honor consumer requests to opt out of the sale of their personal information. The AG’s office pointed to § 999.315 of the CCPA regulations (Requests to Opt-Out), which requires businesses to provide two or more methods for submitting opt-out requests, and stated that GPC signals are one of the methods that must be honored.
What action has the CA AG Taken?
On August 24, 2022, the California AG announced a $1.2 million enforcement settlement for violations pertaining to Sephora’s “Do Not Sell” policies and procedures.
Sephora failed to tell customers that it was selling their personal information, failed to allow customers to opt out of that sale and didn’t fix the problem within 30 days as required by the law, even after it was notified of the violation. The company agreed to pay $1.2 million and immediately correct the problem under the settlement. (See Clarip’s blog post for more details)
Other actions by the AG of California:
- Hundreds of 30-day warning letters were sent to companies
- All appear to include the failure to respond to GPC signals
- All appear to include the failure to offer two methods of opt-out
- The letters also loop in any other possible Do Not Sell violations
What does the future hold?
Under the newly proposed regulations of the California Privacy Rights Act (CPRA), the GPC signal requirement is extended into a broader Opt-Out Preference Signal requirement.
This Opt-out preference signal requirement is defined as “a signal that is sent by a platform, technology, or mechanism, on behalf of the consumer, that communicates the consumer choice to opt-out of the sale and sharing of personal information and that complies with the regulations”.
Honoring GPC signals, and saying so in your privacy notice, may help companies avoid having to offer other, more complicated Do Not Sell response methods.
It’s nice that the California AG is sending out so many 30-day cure letters, because on January 1, 2023, the 30-day cure warning letter requirement is going away. With California continuing to lead the US privacy law trend, the Colorado and Connecticut privacy laws also contain Opt-out preference signal requirements. Both take effect on July 1, 2023.
Clarip’s Data Privacy Governance Platform ensures compliance with all consumer privacy regulations, including “Do Not Sell”. Allow customers to submit, revoke and update granular consent with Clarip Consent Management. Clarip takes enterprise privacy governance to the next level and helps organizations reduce risks, engage better, and gain customers’ trust! Contact us at www.clarip.com or call Clarip at 1-888-252-5653 for a demo.