Global Privacy Control

Global Privacy Control (GPC) is a browser extension that makes it easy for consumers to set privacy preferences for their personal data as they browse the web.

When the setting is enabled, Global Privacy Control sends a signal to publishers and platforms to let them know they should limit data collection and that you do not consent to the sale or sharing of your data.

In the context of modern privacy law, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) reference an "opt-out preference signal," and Global Privacy Control is one practical application of that concept.

Is Global Privacy Control enforced?

As of August 2022, yes.

When Global Privacy Control was released, it wasn't totally clear if this signal would be enforced by privacy regulators. The Do Not Track (DNT) plugin had failed to gain traction and despite indications of support from the California Attorney General, there were no GPC enforcement actions for several years.

However, on August 24, 2022, California Attorney General Rob Bonta announced a $1.2M settlement with cosmetics retailer Sephora, citing that the company had:

• Failed to tell consumers it was selling their personal data
• Failed to honor user opt-out requests made via Global Privacy Control
• Failed to address these violations within the 30 day cure period

The first CCPA enforcement action to date, this settlement was a clear indicator that California regulators intend to support the Global Privacy Control signal.

Global Privacy Control background

Despite Global Privacy Control's recent heydey in the news, it's not actually a new idea. CCPA has always required that businesses respect browser-based privacy signals, though it didn't call out GPC by name.

However, in August of 2020, California Attorney General Xavier Bacerra released new regulation stating:

If a business collects personal information from consumers online, the business shall treat user-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information as a valid request... (Cal. Code Regs. tit. 11 § 999.315)

He also tweeted his support for Global Privacy Control, referring to the signal as a "stop selling my data switch."

As California regulators continue to ramp up enforcement, it's critical your company implements the right technical mechanisms to ensure Global Privacy Control is being honored across your digital presence.

Global Privacy Control compliance

Honoring Global Privacy Control is an important part of comprehensive compliance with California's "Do Not Sell or Share My Data" mandates.

We've outlined the basic steps for complying with those opt-out requirements below, but for more details make sure to check out our full "Do Not Sell or Share" implementation guide.

1. Catalog all data sharing processes and targeted advertising technologies.
2. Build an opt-out plan based on your business’ specific data practices and desired user experience.
3. Update your website and implement a consent manager like Transcend Consent to receive opt outs and detect opt-out signals like Global Privacy Control.
4. Honor opt outs and monitor for any changes in your data practices or technologies that may impact compliance.

Additional resources

• Global Privacy Control — Take Control Of Your Privacy
• [Video] What Sephora's $1.2M Settlement Means for CCPA/CPRA Enforcement
• CCPA Update: Businesses must immediately support the Global Privacy Control signal
• Global Privacy Control compliance with Transcend