What is Global Privacy Control? Frequently Asked Questions

According to their website, Global Privacy Control (GPC)‘s aim is to make it easier for consumers to exercise their privacy rights. Much like the Do Not Track plug-ins of the past, GPC helps users communicate a desire to not be tracked online. More specifically, they are focused on enabling users to opt out of the sale of their personal information at the browser level. 

First introduced in October 2020, GPC announced in January 2021 a milestone in adoption and the support of major publishers and consent management platforms, including Sourcepoint. They later received the backing of California attorney general Rob Bonta, with his office issuing letters to several companies in July 2021 to reinforce the requirement under CCPA to honor the GPC signal.

On August 24, 2022, AG Bonta announced a $1.2 million settlement with retailer Sephora, resolving allegations that it violated CCPA, including failure to process opt-out requests via user-enabled global privacy controls

What is Global Privacy Control?

Global Privacy Control is a technical specification for transmitting universal opt-out signals, also sometimes referred to as a universal opt-out mechanism. The initiative is supported by a consortium of privacy-focused organizations such as the Brave browser and DuckDuckGo, as well as well-known publishers like the New York Times and The Washington Post. For now, the signal is tailored for California’s Consumer Privacy Act (CCPA), which gives Californians the right to opt-out of the sale of their data. But the FAQs on the GPC website says that it is “possible that a GPC signal opting out of processing could create a legally binding obligation for data processors,” making it potentially relevant to GDPR in the future.

How does Global Privacy Control work?

To take advantage of the GPC tool, users need to download a browser or extension that supports the signal. Similar to managing an ad-block extension, users can turn on the GPC signal for all websites they visit or each individual website. When visiting a website that supports GPC, that website will automatically register the browser request to Not Sell Personal Info. Here’s what that experience looks like with the Blur extension by Abine. 

How is Global Privacy Control different from Do Not Track (DNT)? 

Do Not Track was a plug-in offered by major browsers that, when turned on, added a header to browser metadata when initiating a connection with servers. However no servers knew how to interpret the header, nor were they required to, so they often ignored it. With lack of legislative action, it became clear that it would fail. The nail in the coffin was when Apple disabled DNT on Safari because websites could single out its users, making it (ironically) particularly useful for fingerprinting.

The main difference with GPC is that browser-level user-enabled requests could be made legally binding: CCPA final regulations already require all businesses to honor user requests via user-enabled global privacy controls.

Enforcement actions are the responsibility of the attorney general (who has sent enforcement letters to companies that did not honor GPC), as well as the California Privacy Protection Agency created under CPRA. In October 2021, the newly created California Privacy Protection Agency (CPPA) announced that Ashkan Soltani, former chief technologist at the FTC and one of the leading advocates for the GPC initiative, would be the CPPA’s first executive director.

What’s next for Global Privacy Control?

The group behind GPC said it has been working with the California AG’s office to make GPC legally binding under CCPA. With the support of AG Bonta, they have a better chance at increasing adoption and creating a set of legally binding technical specifications. They are also exploring GPC’s applicability and functionality with regard to other privacy laws, such as GDPR.  

In 2023, CPRA continued to mandate respect of universal opt-out mechanisms, with options for creating friction.

Meanwhile, as of July 1, 2024, Colorado requires that the GPC and other Universal Opt-Out Mechanisms (UOOMs) be respected, with Connecticut, Nebraska, Minnesota, Maryland, New Jersey, New Hampshire, Montana, and Texas to require respect of opt-out requests via UOOMs in 2025. Delaware and Oregon will follow suit in 2026.

Learn more

As one of the first consent management platforms to support GPC in the market, we think we can shed some light on the topic. 

Watch our webinar on demand to learn:

• The relationship between GPC and universal opt-out
• Relevant jurisdictions and effective deadlines
• Use cases for creating friction
• Market adoption of GPC so far
• Best practices for respecting the GPC signal 
• How to set up the Sourcepoint CMP to respect the signal

As always, you can read our product documentation about how to respect Global Privacy Control (GPC) signals or get in touch.