What Is Global Privacy Control?
The idea behind GPC is simple: consumers can enable an option in their web browser that sends a signal to every site they visit indicating their privacy preferences. If GPC is turned on and the site recognizes the signal, the visitor is automatically opted out of targeted advertising and anything that could be considered “selling” their personal information.
Global Privacy Control was developed in response to the passing of the CCPA, which contemplated the possibility of a universal opt-out signal. Though it is far from universally adopted, GPC is now available on Firefox and several other privacy-centric browsers, and is recognized by major publishers like the New York Times and the Washington Post.
Are Businesses Required to Recognize GPC?
Depending on which privacy laws apply to a particular business, it may be required to recognize the GPC signal as a valid request to opt out.
CCPA
According to the latest regulations from the California Privacy Protection Agency, all businesses required to comply with the CCPA must treat “opt-out preference signals” as valid requests to opt out of the sale or sharing of personal information. (“Sharing” in this context means the disclosure of personal information for cross-context behavioral advertising.) While GPC is not specifically named in the regulations, it has been mentioned favorably on multiple occasions by the California Attorney General and is almost certain to be considered an opt-out preference signal.
Businesses that fully process opt-outs via GPC in a frictionless manner are exempt from having to include a “Do Not Sell or Share My Personal Information” link on their website. “Frictionless” means the business may not charge a fee, change the user’s experience on the site, or display any pop-up or notification in response to the opt-out.
However, this exemption only applies if the GPC signal opts the consumer out of all selling or sharing practices without requesting additional information.
Virginia Consumer Data Protection Act
Virginia’s privacy law does not currently require businesses to respond to the GPC signal.
Colorado Privacy Act
Businesses have one year from the Colorado law's effective date to implement GPC and recognize any “user-enabled universal opt-out mechanism” as a valid request to opt out of targeted advertising.
Utah Consumer Privacy Act
Utah’s privacy law does not currently require businesses to respond to the GPC signal.
Connecticut Data Privacy Act
Businesses have 18 months from the Connecticut law's effective date to implement GPC and recognize “opt-out preference signals” as valid requests to opt out of targeted advertising.
GDPR
The GDPR’s legal framework is different from the US data privacy laws, so GPC is not an exact fit for submitting a data subject request. For example, there is no specific right to opt-out of targeted advertising. Also, under the ePrivacy Directive (the “Cookie Law”), websites may not place marketing cookies on a person’s computer without first obtaining consent.