Modern consumers are aware of how their personal data gets used by websites online, and new and evolving data privacy laws are giving them more control to opt out of such processing.
Global Privacy Control, or GPC, is a browser setting that indicates a consumer’s opt-out preferences automatically.
You can set your website up to honor user GPC preferences, which helps you meet requirements outlined by data privacy laws like the California Consumer Privacy Act (CCPA).
Keep reading to learn about Global Privacy Control and opt-out mechanisms, how they work, and what laws require sites to support this type of technology.
What Is Global Privacy Control (GPC)?
Global Privacy Controls or GPC is a browser setting that sends users’ consent preferences to a website when they navigate to the page.
Many upcoming data privacy laws in the U.S. include provisions requiring websites to honor browser technology like GPC on their users’ devices.
Are GPCs the Same as Universal Opt-Out Mechanisms?
GPC is a type of universal opt-out mechanism (UooM) — UooM refers to browser settings or technology users can configure to communicate privacy preferences regarding data processing to the websites they visit.
UooM is not configured per website but is a standardized signal sent to all visited websites.
Technically, GPC is the brand name of a specific UooM signal, and universal opt-out mechanism is the catch-all term encompassing this type and other similar digital technologies.
Global Privacy Control vs. Consent Management Platforms (CMP)
GPC is different from a consent management platform (CMP).
On the other hand, individuals use GPC to communicate their desire to opt out of the selling or sharing of their information by websites that fall under the CCPA while they browse the internet.
However, some CMPs are compatible with GPC or other opt-out mechanisms, which helps make it easier for websites to implement the technology.
GPC vs. Do-Not-Track (DNT) Requests
Universal opt-outs like GPC are different from do-not-track or DNT requests.
DNT is also a browser setting, but it informs websites that users don’t want to be tracked for advertising or analytics purposes.
It gained notoriety when the California Online Privacy Protection Act (CalOPPA) was amended in 2013, obligating covered entities to clearly state how they respond to DNT requests in their privacy policies.
Because the internet — and data privacy laws — have evolved rapidly since 2013, DNT technology is considered somewhat outdated, possibly being replaced by technology like GPC.
Are Businesses Required to Honor Global Privacy Controls?
If the CCPA applies to your business, you must acknowledge Global Privacy Control signals as a valid way for consumers to opt out of the selling or sharing of their personal information.
The CCPA recognizes the Global Privacy Control signal as a valid way to opt out of the sharing or selling of information.
The recommendation to treat GPC signals this way came from the Office of the California Attorney General in an update to the FAQ section.
Since then, a few recently passed U.S. state data privacy laws have also included guidelines about UooMs, although they are currently not in effect.
U.S. Data Privacy Laws and GPC
Several upcoming U.S. data privacy laws will require websites to honor technology like the Global Privacy Control browser settings, which you can read more about in the table below.
|Data Privacy Law
|California Consumer Privacy Act (CCPA)
|Businesses with websites must honor GPCs as a method allowing users to opt out of the selling or sharing of their personal data. This requirement is currently in force.
|Colorado Privacy Act (CPA)
|The Colorado Attorney General provided technical requirements relating to universal opt-out mechanisms, which must be implemented by July 1, 2024.
|Connecticut Data Privacy Act (CTDPA)
|Controllers under Connecticut’s privacy law must honor universal opt-out mechanisms by January 1, 2025.
|Delaware Personal Data Privacy Act (DPDPA)
|Protected users under this law can designate their privacy choices via a browser setting, browser extension, or global device setting, and websites must respond by January 1, 2026.
|Montana Consumer Data Privacy Act (MCDPA)
|Businesses under this law must recognize and respect global device settings indicating a desire to opt out of data processing by January 1, 2025.
|Oregon Consumer Privacy Act (OCPA)
|As long as it’s commercially feasible, covered entities must recognize browser extensions and global privacy device settings by January 1, 2026.
|Texas Data Privacy and Security Act (TDPSA)
|Covered entities must honor consumer universal opt-out mechanisms by January 1, 2025.
The requirement to honor GPC browser settings exists only in U.S. state privacy laws because EU legislation like the General Data Protection Regulation (GDPR), requires opt-in consent as one of the legal bases for data processing.
Currently, GPC is not used to signal a consumer’s desire to opt into any data collection, rather, it communicates their desire to opt out, making it unnecessary for GDPR-protected users.
How To Implement GPC on Your Website
There are a few ways websites can support GPC signals, which include the following implementation methods:
How Users Can Implement GPCs on Their Browsers
Users can turn on GPCs by using a browser or downloading an extension that supports the technology, which includes the following:
- Brave Browser
- Privacy Badger
Turn on GPCs by enabling it in your browser’s settings or by adding a GPC-enabled extension, and it will automatically send a signal to websites denoting that you don’t want your web data tracked or sold and shared with third parties.
If your business falls under the CCPA, your website should acknowledge universal opt-out mechanisms like GPC to assist with legal compliance.
For many other businesses, it’s vital to start familiarizing yourself with GPC technology and other universal opt-outs to prepare for the upcoming U.S. state-level data privacy laws.