Explainer: What is Global Privacy Control?

On August 24, 2022, the California Attorney General (AG), Rob Bonta, announced a settlement with Sephora, resolving allegations that the company violated the California Consumer Privacy Act (CCPA) by failing to process requests by consumers to opt out of having their data processed. Seems straightforward, except that Bonta made reference to something called global privacy controls, noting that his office was “watching” and looking to hold businesses “accountable” for failure to “[f]ollow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls [(GPC)].”

According to this Forbes article, these statements by Bonta “are a sign of the way the world is moving, and companies that collect and use data . . . should pay close attention.”

GPC was created in October of 2020 and it gained traction in January of 2021, when it became legally binding under the CCPA. It is a browser setting that has been described in this article by the International Association of Privacy Professionals (IAPP), as a “technical specification for transmitting universal opt-out signals that uses binary options to allow users to opt-out of the sale of personal information at the browser level.”

The GPC’s purpose is to act in conjunction with existing legal frameworks to enable consumers to exercise their privacy rights, such as asking “websites and services to not sell or share their personal information with third parties.” The control is currently available via a downloaded browser, such as DuckDuckGo, Brave, Mozilla Firefox, or use of a supporting extension, such as Abine's Blur, Disconnect, privacy-tech-lab's OptMeowt, Electronic Frontier Foundation's Privacy Badger.

GPC’s History

According to IAPP, these controls differ from opt-out consent management frameworks, because no data is collected without a consumer first being prompted to select or reject their right to opt-out, which makes GPCs a “more effective tool.”  However, according to the IAPP, the GPC is not the first effort to establish a universal browser-based choice signal.

In fact, in 2009, an HTTP header field known as a “do not track” (DNT) header, was created to allow consumers to opt-out of information tracking across multiple websites. However, despite receiving the support from several major web browsers since 2012 and a 2010 endorsement from the U.S. Federal Trade Commission, the DNT headers project was terminated “due to insufficient support and adoption.”

According to IAPP, the “rise and fall” of DNT headers has led many technologists and privacy professionals to “be wary of the sudden support behind the GPC.” However, despite the fact that DNT Headers and GPCs both act as a binary function, there are many key differences in the functions.

The primary difference between GPCs and DNT headers is that GPCs do not inhibit the profitability of a website. According to IAAP, DNT headers were not widely received or supported by advertisers and site publishers as there was no “consistent solution to respond to a browser's do not track signal.” This ultimately resulted in these parties taking their marketing funds elsewhere. The GPC, by contrast, permits a consumer to select their data preferences and advertisers to promote their interests without tracking the consumer’s data—which has been beneficial to all parties. In fact, the ability to promote advertised goods while maintaining consumer preferences results in consumer trusts in the browser, which, in turn, results in consumer support for the products being advertised thereon.

Applicability and Alternatives

Although the GPC is currently only mandated by the CCPA, Colorado has followed suit in issuing these protections. Under the Colorado Privacy Act (CPA), the Colorado attorney general will be required to adopt technical requirements for at least one universal opt-out mechanisms by July 1, 2024. 

Being that the GPC is not specifically mentioned in the CPA, businesses might consider alternative opt-out mechanisms, such as permission vaults. According to Forbes, “a personal permission vault is a hub that allows an individual to clearly articulate how their data may be used, plus a mechanism that allows data processors to reference a subject’s decisions to control the way they access, use and share their data.”

Permission vaults, apparently, “go much further” than the GPC’s practice of using “browser-based signals to broadcast a subject’s privacy preferences out into the world” and hoping that the website providers comply because they allow a consumer to possess a “much more granular, flexible and robust ongoing control.” Permission vaults permit the data to be circulated “freely” across platforms, which the “comprehensive permissions architecture defines how it can be accessed and used.” This benefits both the consumer and the website provider as both parties can freely exchange data for the purpose of the transaction—which access “the full potential of our data economy”—without a consumer needing to be concerned that their data preferences will not be observed.

Whichever approach your organization elects, it should be considering accommodating consumers’ opt-out preferences as U.S. legislators and governing bodies have made clear that it will be at the forefront of regulatory enforcement.