CCPA GPC Update: Transcend’s Insight on Emerging Privacy Controls

In mid-July, California’s Office of the Attorney General clarified that under law, businesses must honor the Global Privacy Control (GPC) browser signal, a ‘stop selling my data switch’ for consumers browsing the web.

This means that businesses covered by CCPA are responsible for receiving the GPC signal on their website, and treating it as a valid consumer request to stop the sale of personal information.

In this post, we’ll quickly look at the latest clarification around GPC and CCPA, and most importantly, what that means for users of Transcend’s Consent Manager (TLDR: you’re already covered!)

Global Privacy Control is a browser privacy preference signal standard. As the CCPA FAQs mention, it was developed as a way to offer consumers a browser-side “switch” to opt out of sale universally if the signal is supported, versus confirming separately on each site. (Read more background on GPC on the official website)

If a consumer enables GPC in their web browser, they will send the GPC signal to websites they visit. The website owner is responsible for properly receiving this GPC signal as a valid consumer request to stop the sale of personal information, and must honor the request accordingly.

It’s worth noting that the requirement to honor a ‘do not sell’ browser signal isn’t new. The CCPA has always required it, but it was only mentioned in concept and did not name a particular signal or standard. With this clarification in mid-July 2021, the California Attorney General has name-checked the Global Privacy Control standard, clarifying that the GPC itself must be honored as a valid consumer request.

How did we get to this point? The original California Consumer Privacy Act passed in June 2018 called on the Attorney General to issue “regulations to define the requirements and technical specifications for an opt-out preference signal sent by a platform, technology, or mechanism, to indicate a consumer’s intent to opt-out of the sale or sharing of the consumer’s personal information” Cal. Civ. Code § 1798.185

In August 2020, the AG issued these regulations, stating:

If a business collects personal information from consumers online, the business shall treat user-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information as a valid request submitted pursuant to Civil Code section 1798.120 for that browser or device, or, if known, for the consumer.

• Cal. Code Regs. tit. 11 § 999.315

In January 2021, California’s then-Attorney General Becerra tweeted his support for GPC, noting that he was “heartened to see how CCPA has spurred data privacy innovation”.

And now, in the CCPA FAQs under section B, question 7, the GPC is explicitly named and linked:

For businesses that collect personal information from consumers online, one acceptable method for consumers to opt-out of sales is via a user-enabled global privacy control, like the GPC. Developed in response to the CCPA and to enhance consumer privacy rights, the GPC is a ‘stop selling my data switch’ that is available on some internet browsers like Duck Duck Go, and Brave, or as a browser extension. Opting out of the sale of personal information should be easy for consumers, and the GPC is one option for consumers who want to submit requests to opt-out of the sale of personal information via a user-enabled global privacy control. Under law, it must be honored by covered businesses as a valid consumer request to stop the sale of personal information.

Is your company’s website set up to receive a user’s GPC signal and accordingly stop the sale of your users’ personal information? It’s worth double checking your current setup—existing consent management platforms can typically only support this signal with additional, complex configurations, so be sure to allow time to investigate this and resource the changes required accordingly.

In contrast, Transcend Consent is built with the ability to modify and override regulating events—this nuanced configuration provides site owners with an easy way to ensure granular consent compliance across their website.

For companies using Transcend Consent, GPC signal acknowledgement is already supported out of the box, bringing you into compliance with this CCPA requirement in just a couple of clicks.

Whenever an individual has GPC enabled on their browser, Transcend Consent will override certain trackers to prevent the sale of the individual’s personal information. For example, Transcend Consent will force-on the following modes in popular trackers whenever GPC is enabled:

• Facebook’s “Limited Data Use” mode

• Google’s “Restricted Data Processing” mode

• YouTube Privacy Enhanced mode

If you’re using Transcend Consent, the good news is that you’ve got little to worry about with this latest CCPA update. It provides a comprehensive consent solution that fully complies with your user’s preferences and defends your business—without needing to negotiate additional engineering resources and build custom configurations.

Looking for a way to support GPC signals out of the box and provide thorough consent compliance? Transcend’s Consent Manager can help - get a demo to learn more.