According to a Norton study, a significant majority of global adults (71%) actively take steps to protect their online privacy. These actions range from adjusting device settings and disabling third-party cookies to implementing multi-factor authentication and using VPNs. However, the evolving landscape of privacy regulations, such as the EU's GDPR and various US state laws, introduces further complexities. Users are frequently required to interact with cookie banners, opt-in checkboxes, and privacy or cookie policies to convey their preferences. It's evident that managing online privacy is far from a simple process. This is where Global Privacy Control (GPC) offers a streamlined approach, providing a universal opt-out signal for a more user-friendly and consistent privacy experience.
What is Global Privacy Control (GPC)?
Global Privacy Control (GPC) is a browser-based signal or extension designed to simplify the process of users indicating their privacy preferences online. Essentially, GPC allows users to enable specific privacy settings within their web browsers. This preference is then transmitted as a signal to each website they visit, communicating their choices, including whether to opt in or opt out of cookie usage, data sharing, data sale, and targeted advertising.
When a user enables their GPC preferences and a website recognizes the signal, the visitor is automatically opted out of targeted advertising and any activities involving the sale or sharing of their personal data. Many popular web browsers, extensions, and tools have adopted GPC, including Firefox, Brave, Privacy Badger, and DuckDuckGo. Browsers without built-in GPC functionality, like Chrome, can still support GPC through extensions.
Background on GPC
Global Privacy Control (GPC) originated in response to the California Consumer Privacy Act (CCPA), which introduced the concept of a universal opt-out signal. A collaborative effort involving over a dozen organizations, such as the Electronic Frontier Foundation (EFF), the National Science Foundation, Mozilla, The New York Times, and The Washington Post, supports GPC. In 2022, the CCPA's first enforcement action, a $1.2 million penalty against Sephora, specifically cited the company's alleged failure to honor a user's opt-out request communicated via GPC.
What does GPC mean for Businesses and Publishers?
GPC is gaining recognition within global privacy laws as a legitimate and required mechanism for honoring opt-out requests. Let's examine how different regulations treat GPC:
California Privacy Rights Act (CPRA)
Under the CCPA/CPRA, the California Privacy Protection Agency mandates that businesses acknowledge opt-out preference signals as valid requests to opt out of the sale or sharing of personal information. The CCPA regulations explicitly state:
"If a business collects personal information from consumers online, the business shall treat user-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting, or another mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information as a valid request submitted…for that browser or device, or, if known, for the consumer."
The implementing regulations of the CCPA also specify that:
- Global privacy signals must clearly indicate a consumer's intention to opt out of the sale of their personal information.
- In instances where a user's GPC signal conflicts with preferences set through a cookie banner, businesses should prioritize the GPC signal.
Colorado Privacy Act
Effective from July 1, 2024, the Colorado Privacy Act (CPA) obligates businesses to provide consumers with the ability to opt out of the processing of their personal data for targeted advertising or sale through a "universal opt-out mechanism." Unlike California, the CPA's requirement to honor the universal opt-out mechanism is mandatory. The CPA Rules provide clarity on the technical requirements for facilitating an opt-out via universal signals, the necessary disclosures for businesses, and how businesses must respond to user signals. The Colorado Department of Law is scheduled to publish a list of approved Universal Opt-Out Mechanisms by January 1, 2024.
Connecticut Data Privacy Act
Beginning January 1, 2025, the Connecticut Data Privacy Act (CTDPA) will expand existing opt-out obligations, requiring businesses to enable consumers to opt out of processing their personal data for targeted advertising or sale using an opt-out preference signal. This signal must unambiguously convey a consumer's desire to opt out of such data processing or sale.
Rules of Universal Opt-Out Mechanism
Both the Colorado Privacy Act (CPA) and the Connecticut Data Privacy Act (CTDPA) mandate that the opt-out signal must adhere to the following criteria:
- Be based on explicit and clear consumer choices, not default settings.
- Not unfairly disadvantage other businesses.
- Be user-friendly and easy to use.
- Be consistent with similar mechanisms required by other legislation.
- Allow businesses to accurately verify state residency and the validity of an opt-out request.
Other US State Privacy Laws
Certain US state privacy laws, including Virginia’s Consumer Data Protection Act (VCDPA) and Utah Consumer Privacy Act (UCPA), do not currently require businesses to respond to the GPC signal.
GDPR
The General Data Protection Regulation (GDPR) operates under an opt-in framework for consent, meaning users must actively provide consent before their data is processed by any business. Consequently, organizations subject to GDPR are not legally compelled to honor universal opt-out mechanisms like GPC. However, the GDPR emphasizes that "Natural persons should have control of their own personal data" (Recital 7). Utilizing a GPC signal can help communicate a user's intention to restrict data processing, which businesses are required to respect. The GPC website also suggests that it is "possible that a GPC signal opting out of processing could create a legally binding obligation for data processors" under GDPR in the future.
Implementing Global Privacy Control for your Business
Integrating GPC into your business operations necessitates considering your overall privacy compliance approach. Here are crucial points to keep in mind:
- Determine Applicability of Privacy Laws: Assess which privacy laws apply to your business. Depending on the applicable regulations, you may be required to comply with specific requirements for opt-out preference signals like GPC.
- Enable GPC for Consent Management: Users often enable GPC signals to limit cookie usage, particularly third-party tracking cookies. If your website employs a consent management platform (CMP), ensure it supports GPC signals. CookieYes CMP can detect these browser or plugin settings and honor the visitor’s signal preferences. You can enable the GPC feature on your banner without additional configuration.
- Integrate with GPC Signal: Identify data collection practices within your business that are linked to the GPC signal. Ensure you can receive GPC signals, transmit them to your backend systems, and respond in accordance with the user’s privacy preferences. Even if your company is not legally obligated to handle GPC signals, recognizing them demonstrates a commitment to respecting user privacy and fostering trust.
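One way to wire up the receive, transmit, and respond steps on the server, including the rule that a GPC signal takes priority over a conflicting banner choice. This is an added example, not CookieYes code: `Sec-GPC: 1` is the request header defined by the GPC specification, while the function names, the banner-preference fields, and the tag list are assumptions made for illustration.

```javascript
// Added example, not CookieYes code. Sec-GPC: 1 is the request header defined
// by the GPC specification; all function and field names here are assumptions.

// True only when the request carries Sec-GPC with the exact value "1".
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() !== 'sec-gpc') continue;
    const values = Array.isArray(value) ? value : [value];
    return values.some((v) => String(v).trim() === '1');
  }
  return false;
}

// bannerPrefs is the visitor's stored banner choice, or null if none exists.
// Assumed default for an opt-out regime: allowed until the visitor objects.
function resolvePrivacyState(headers, bannerPrefs) {
  const gpc = hasGpcSignal(headers);
  const banner = { allowSale: true, allowTargetedAds: true, ...(bannerPrefs || {}) };
  return {
    gpc,
    // GPC wins over a conflicting banner choice.
    allowSale: !gpc && banner.allowSale === true,
    allowTargetedAds: !gpc && banner.allowTargetedAds === true,
    source: gpc ? 'gpc' : bannerPrefs ? 'banner' : 'default',
    // Record the override so it can be audited and shown to the visitor.
    overrodeBanner: gpc && Boolean(bannerPrefs) &&
      (banner.allowSale === true || banner.allowTargetedAds === true),
  };
}

// Backend enforcement: keep only the tags whose purpose the state permits.
function permittedTags(state, tags) {
  const allowed = {
    essential: true,
    sale: state.allowSale,
    targeted_ads: state.allowTargetedAds,
  };
  return tags.filter((t) => allowed[t.purpose] === true).map((t) => t.name);
}

// Constructed sample data.
const SAMPLE_TAGS = [
  { name: 'session', purpose: 'essential' },
  { name: 'ad-pixel', purpose: 'targeted_ads' },
  { name: 'data-broker-sync', purpose: 'sale' },
  { name: 'unclassified', purpose: 'unknown' },
];
```

Tags with an unrecognised purpose are dropped rather than loaded, so a misclassified tracker fails closed.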
How CookieYes can Help with Global Privacy Control
- Honor GPC Signal: Enable the option to respect Global Privacy Control, and our CMP will automatically accept the visitor's signal preferences. Your site visitors will also be notified that their GPC signal is being honored via our opt-out banner.
- Custom Opt-Out Banner: Display a fully customizable opt-out banner to support your compliance efforts under CCPA/CPRA (California), VCDPA (Virginia), CPA (Colorado), CTDPA (Connecticut), and UCPA (Utah), as well as other US privacy laws. Our "Do Not Sell/Share" opt-out banner is designed for compliance with US state privacy laws. For compliance with GDPR (EU & UK), LGPD (Brazil), and other global opt-in laws, you can use our cookie consent banner.
- Do Not Sell/Share Link: Add the "Do Not Sell/Share" (DNS) link to your website footer. This link provides your site visitors with easy access to the opt-out preference center where they can specify their privacy preferences.
- Integrate with Tech Stack: Implement CookieYes on any CMS or HTML website and integrate with existing standards like Google Consent Mode, Google Tag Manager, and IAB TCF version 2.2.
FAQ Global Privacy Control
How do I turn on global privacy control?
To activate Global Privacy Control (GPC), you need to set it up in your browser or use browser extensions that support GPC.
- For browsers with built-in support:
  - Firefox: Go to about:config, search for globalprivacycontrol, and enable the options.
  - Brave: GPC is enabled by default.
  - DuckDuckGo: GPC is enabled by default.
- For browsers without built-in support, use browser extensions or add-ons that implement GPC.
What is the global privacy control in California?
In California, GPC refers to a web browser setting that enables users to signal their preference for enhanced privacy controls when browsing websites. California's state privacy laws, the California Consumer Privacy Act (CCPA) and its amendment California Privacy Rights Act (CPRA), require businesses to recognize Global Privacy Control signals set by users as a valid opt-out mechanism.
What is a global opt-out?
A global opt-out generally refers to mechanisms like the Global Privacy Control (GPC) that allow users to issue a universal request for privacy controls across the internet. Instead of configuring privacy settings individually on every website, users can employ a global opt-out mechanism for a streamlined process and consistent privacy preferences across the web.
Does CCPA require global privacy control?
Yes. Under the California Consumer Privacy Act (CCPA) and the amended California Privacy Rights Act (CPRA), which grant California residents the right to opt out of the sale/sharing of their personal information, businesses in California are required to honor a global privacy control signal as a valid consumer request to opt out of the sale or sharing of personal information.
What is the universal opt-out mechanism in Colorado?
The Colorado Privacy Act (CPA) provides consumers with the right to opt out of the sale of their personal information and targeted advertising. The CPA mandates that businesses implement a "user-selected universal opt-out mechanism" starting July 1, 2024. These universal opt-out mechanisms are typically browser settings or extensions that allow users to send a standardized signal to websites, indicating their preference to opt out of data collection and sharing, such as tracking for targeted advertising.
What is an example of an opt-out preference signal?
Global Privacy Control (GPC) is a prime example of an opt-out preference signal, also known as a universal opt-out mechanism. GPC is a standardized signal transmitted from a user's web browser to the websites they visit. When a user activates GPC in their browser settings, it sends a signal to websites, conveying the user's intent to opt out of specific data collection and sharing practices.