Privacy regulations such as Europe's General Data Protection Regulation (GDPR) and the California Privacy Rights Act (CPRA) create responsibilities for organizations in their collection and use of personal information. These and other data privacy laws require that organizations receive consumers' consent for the collection and sharing of their personal information.

One of the many challenges companies face to ensure compliance with privacy regulations is how to demonstrate that they have received the "specific, informed and unambiguous"¹ consent of data subjects. A new feature available in several browsers and browser plug-ins allows consumers to deny consent for the selling and sharing of their private data automatically and unambiguously.

The Global Privacy Control² (GPC) notifies sites when the browser initially loads the page that the person doesn't want their private data to be sold or shared. The GPC specification defines a mechanism by which browsers send a signal to the sites that a person visits indicating their choice not to have their private information sold or shared via a single value.

Tracking these preferences and meeting other data governance requirements becomes an automated part of your workflows via the live data inventory and mapping features found in Relyance AI’s one-stop privacy compliance solution.

How GPC Automates Do Not Sell and Do Not Share Requests

GPC automates opting out of the sale or sharing of a person’s private data by sending a signal via HTTP and the Document Object Model (DOM) when connecting to the site. It uses the Sec-GPC header field: a field value of “1” indicates that the GPC value is set in the browser. All other field values are ignored.

The JavaScript property “globalPrivacyControl” allows a client-side script to read the Sec-GPC header value when the top-level browsing context active document loads:

• If the “globalPrivacyControl” property has a value of “true,” the person’s preference is for their private data not to be sold or shared.
• A value of “false” indicates that no Sec-GPC header field was sent, so the server need not abide by any GPC requests not to sell or share the person’s private information.

Sites demonstrate their support for GPC by using a JSON object. This object contains two members: a “gpc” member that is either true (supports GPC) or false (doesn’t support GPC), and a “lastUpdate” member that shows the date the statement of support was made.

When Is Compliance with the Global Privacy Control Mandatory?

Previous efforts to automate users’ privacy-related requests, such as Do Not Track (DNT), failed because businesses weren’t required by law to comply with DNT requests. By contrast, GPC is designed to be applicable to existing laws, technologies, and business processes.

For example, the California Consumer Privacy Act³ (CCPA) requires that when a GPC signal conflicts with a person’s privacy settings recorded by a business previously, the company must abide by the GPC signal but can make the person aware of the conflict so they can confirm their preferences for the firm’s handling of their private data.

The GPC specification satisfies the CCPA requirement for a global privacy control that meets three criteria:

1. It is “global” in that it applies automatically to “all online services, websites, and mobile applications.”
2. It clearly communicates the person’s intention to opt out of the sale or sharing of their personal information.
3. It is technology-neutral and adaptable to accommodate future innovations in privacy settings.

Recent prosecutions⁴ of violations of the CCPA by California Attorney General Rob Bonta include those for failing to honor GPC signals of consumers' do-not-sell and do-not-share requests. In addition, the Colorado Privacy Act⁵ (CoPA), which will go into effect on July 1, 2023⁶, requires that by July 1, 2024⁷, sites recognize consumers' preferences for selling and sharing their information via GPC.

It is possible that use of the GPC signal to opt out of sharing or selling a data subject’s personal information creates a legally binding obligation for data processors and controllers under GDPR⁸. For example, the GDPR allows people to object to a company’s processing of their private data. GPC’s signal serves as a mechanism for indicating this objection to data controllers and processors. This may create a legally binding obligation for organizations that process personal information, according to organizations promoting the GPC standard.

Preparing for GPC and Other Forthcoming Data Privacy Standards

Companies doing business in California will need to be ready for the expiration of the CCPA’s 30-day notice and cure provision on January 1, 2023, when the CPRA takes effect. California AG Bonta determined that retailers’ use of third-party cookies is considered a sale. These companies must therefore be able to receive and honor opt-out requests made via signals such as those broadcast by GPC⁹. All organizations that use third-party tracking cookies must also describe the practice as a sale in their communications with visitors.

The California data privacy regulations mandate that data sellers provide adequate notice of the sale, offer adequate opt-out mechanisms, and honor consumers’ opt-out requests, including those transmitted via GPC. Depending on a company’s data collection and processing activities, it may be safest to assume that aspects of the firm’s data handling would be considered a sale under CCPA and CPRA.

A data-privacy compliance approach similar to GPC has been developed by Consumer Reports’ Digital Lab^10. The Data Rights Protocol (DRP) is intended to streamline the process of accepting and processing consumers’ data rights requests. DRP creates a standardized format that meets the needs of all four parties involved in a data rights request: the consumer making the request, privacy software vendors, the companies that receive the requests from consumers, and enterprise software vendors.

Like GPC, DRP works behind the scenes, allowing the businesses involved to coordinate the request response without engaging the consumer. However, the two technologies accomplish distinct tasks:

• At the time of this writing, GPC is a browser signal currently supported by three browsers¹¹: Mozilla Firefox, Brave, and the DuckDuckGo Privacy Browser for iOS/Android. The technology is also supported via browser plug-ins such as Abine, Disconnect, the Electronic Frontier Foundation’s Privacy Badger, and DuckDuckGo’s Privacy Essentials desktop browser extension for Chrome, Firefox, and Edge¹². More browsers and browser extensions are expected to add GPC support in the future.
• By contrast, DRP is a set of API endpoints, which allows much more expressiveness than GPC’s simple true/false value.

Risk Detection Keeps You One Step Ahead of Potential Trouble

The best way to avoid violations of contract terms and policies governing data privacy is through the continuous compliance monitoring available with the Relyance AI platform. Our upcoming consent management platform will integrate with the GPC signals to opt users out automatically. The platform also automatically creates a live  data inventory and map that is the foundation of data subject requests, ROPAs, and more.

Learn more about how the Relyance AI Continuous Compliance Monitoring and Management Platform’s can benefit your organization by booking a demo.

‍

----------------------

1. https://gdpr.eu/gdpr-consent-requirements/
2. https://globalprivacycontrol.github.io/gpc-spec/
3. https://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-fsor.pdf
4. https://oag.ca.gov/news/press-releases/attorney-general-bonta-announces-settlement-sephora-part-ongoing-enforcement
5. https://www.jdsupra.com/legalnews/global-privacy-signaling-the-8680753/
6. https://www.huschblackwell.com/industries_services/colorado-privacy-act
7. https://www.bclplaw.com/en-US/insights/global-privacy-signaling-the-trendsetting-opt-out-mechanism.html#:~:text=Under%20CoPA%20
8. https://globalprivacycontrol.org/faq
9. https://www.mayerbrown.com/en/perspectives-events/publications/2022/09/ca-attorney-general-says-the-kid-gloves-are-coming-off-announces-12m-settlement-with-retail-co-for-ccpa-sales-violation
10. https://digital-lab-wp.consumerreports.org/2022/01/13/data-rights-protocol-and-global-privacy-control/
11. https://cookie-script.com/blog/all-you-need-to-know-about-global-privacy-control#:~:text=As%20of%20October%20of%202022,DuckDuckGo
12. https://help.duckduckgo.com/duckduckgo-help-pages/privacy/gpc/