In October 2020, the Global Privacy Control was created to allow consumers to exercise their privacy rights with the click of a mouse. This January, the team behind the GPC announced a major milestone through the GPC's adoption by major publishers and consent management platforms. Despite this, the GPC only recently gained wider traction with the privacy and compliance communities after California Attorney General Rob Bonta announced a $1.2 million settlement with cosmetic retailer Sephora for violations of the California Consumer Privacy Act, including failure to process opt-out requests through user-enabled GPCs. Other states, including Connecticut, recently passed privacy laws that included language about universal opt-out mechanisms in their bills. This requires a deeper dive into the GPC, whether its similarity to "do not track" should be cause for concern, and whether it is here to stay.
What is the GPC?
The GPC is a technical specification for transmitting universal opt-out signals that uses binary options to allow users to opt-out of the sale of personal information at the browser level. If a user wants to opt-out of the sale of their data, they turn on the GPC signal for all or specific websites, and a site that supports the GPC will register the browser request to not sell personal information. However, to use the GPC today, users need to download a browser (e.g., DuckDuckGo, Brave, Mozilla Firefox) or an extension (e.g., Abine's Blur, Disconnect, privacy-tech-lab's OptMeowt, Electronic Frontier Foundation's Privacy Badger) that supports the signal.
Unlike opt-out consent management frameworks on sites that often load the content and begin collecting data before the user has even had the chance to opt out, the GPC honors the user's choice before the site loads. This makes the GPC a more effective tool.
Blur, an example of how GPC-supporting browser extensions and websites work together, is a browser extension created by Abine that blocks third-party tracking cookies. Blur's GPC toggle allows the user to switch the control for all sites in a global setting or individual websites. Results will vary based on whether the website recognizes the GPC. The Blur extension dashboard will display "Privacy handshake! [Website] registered your browser request to Not Sell your info." on a GPC-compliant website and "[Website] has seen your GPC privacy request but does not support it yet" for noncompliant sites. Privacy engineers and technologists implementing the GPC can set their sites to recognize a GPC set to one or turned on as a trigger for their existing "Do Not Sell" mechanisms.
What happened to 'do not track'?
The GPC is not the first idea for a universal browser-based choice signal. Initially proposed in 2009, do not track was an HTTP header field created to allow users to opt out of being tracked across multiple websites, as well as the use or sharing of such cross-contextual data or inferences derived from it. By 2012, Mozilla Firefox, Internet Explorer, Apple's Safari, Opera and Google Chrome supported the DNT header, and the World Wide Web Consortium created a working group to standardize the tool.
Despite a decade of effort, the "do not track" project ended when the W3C disbanded the working group in 2019 due to insufficient support and adoption. The U.S. Federal Trade Commission endorsed do not track in 2010 but did not mandate its implementation. Further, the W3C working group's recommendation to websites receiving the do not track signal — do not collect a user's data or deidentify it if the data is essential to business purposes — fell flat as the advertising technology industry's incentive to negotiate dissipated and concerns about it harming online growth began to spread.
Because of industry indecision about how to implement do not track, most websites did not implement the standard. This was despite the California Online Privacy Protection Act requiring websites to disclose whether they supported the standard in their privacy policy. This requirement led to most websites adding a statement in their privacy notices informing users they do not take any action in response to the do not track signal. After years of stagnation, Apple removed do not track capabilities from its Safari browser. Today, a few heavily trafficked sites like Medium and Pinterest still support it, although there is little trace of it elsewhere on the internet.
Differences in enforcement and recognition
Technologists and privacy professionals that witnessed the rise and fall of do not track and have since failed to see alternative solutions pick up speed may be wary of the sudden support behind the GPC. After all, do not track, as the GPC's predecessor, seemed like a well-crafted opt-out mechanism that nevertheless failed.
At first glance, both approaches do not seem so different. Do not track and the GPC function as a binary control to give users power over their choices regarding websites' data collection. The signals do not affect how sites load or the functions of first-party features but provide a simple signal for publishers to recognize and respond accordingly. Additionally, do not track had the backing of most major browsers, and adtech participants were closely involved in building the standard. Ultimately, lacking clear guidance from regulators and the adtech ecosystem, most website publishers opted to give users a pre- do not track experience.
Enforcement. The first key difference that may prevent history from repeating itself with the GPC lies in enforcement. In August 2022, the California attorney general brought the first CCPA enforcement action against international cosmetics retailer Sephora for violating the CCPA's "Do Not Sell" provision. Among its alleged misrepresentation about whether it sold user data, Sephora ignored GPC signals and failed to offer any opt-out mechanisms. In a press release, Attorney General Rob Bonta stated his office will hold businesses accountable to "[f]ollow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls."
This explicit callout of the GPC, in addition to the updated language in the CCPA FAQs that requires it to be honored by covered businesses, indicates it is being taken seriously in California. As the country's technology innovator, California's focus on this issue may signal the beginning of a wave of GPC enforcement across other states that have enacted privacy laws.
Recognition. The second key difference lies in the GPC's wider recognition. Do not track and the GPC are both technical methods that allow consumers to express their privacy preferences. While the browsers that supported do not track merely had to update a few lines of code to make it available, advertisers and site publishers could not agree on a consistent solution to respond to a browser's do not track signal, and ultimately did not respond at all. It became clear that implementing do not track would not be beneficial to publishers. The GPC differentiates itself from do not track in its consideration of publishers' interests.
First, the GPC may increase user trust in a site, which would in turn promote growth on publishers' sites. Robin Berjon, the vice president of data governance at the New York Times, shared that as a news publisher, "the value we see is a very strong link between privacy and trust." Publishers that recognize the GPC are more likely to increase trust among their current users, thereby growing their user base with the relatively new cohort of privacy-conscious consumers.
Second, the GPC allows consumers to express their data rights with a single toggle while also allowing publishers to sell ad space without having to sell data to third parties. The Internet Explorer browser offered do not track and even turned it on by default until 2015, and currently, Brave browser seems to do the same.
Publishers may see a decrease in revenue from the inability to sell data, especially data about Brave users who do not have the option to switch their GPC off in the current version of the browser. However, sites can still earn significant revenue without running into privacy violations by selling ad space for contextual rather than behavioral advertisements. This, in turn, decreases their risk of reputational harm and liability from the data they collect being exposed in third-party breaches.
Additionally, if more consumers use GPC, publishers will contribute less data for reuse in the third-party ecosystem, and the value of unique audience data for first-party use will increase. While a consumer's opt-out signal will not stop publishers from using their data for advertising purposes, it will prevent third parties from doing so, which manysee as a win for consumers.
Third, many publishers will not need to allocate a large budget to support the GPC. CCPA-compliant publishers already have the mechanisms in place to recognize the control. Any publisher that offers a "do not sell my personal information" button or link on their site can equate a GPC turned "on" as that user clicking the "do not sell" link. It is then up to the publisher to use a solution that best suits their data handling. A user's account or IP address can be tagged internally to show their preference, and consent management platforms can be configured to automatically accept a visitor's signal preference. One specific CMP allows publishers to enable a setting that applies to all the web properties associated with the vendor lists selected, e.g., IAB vendors and state-specific vendors. When the GPC setting is enabled, and the user's signal is received, the user's U.S. privacy string, defined by the IAB's CCPA Compliance Framework, or the uspString value, is changed to reflect an opt-out without the user requesting it manually.
Publishers should note that cookie banner systems do not offer GPC compliance beyond the user's current browser session. Organizations that operate internationally and are EU General Data Protection Regulation-compliant are similarly situated in transitioning into GPC compliance. Under the GDPR, there is no right to object to the sale of personal data, but the controller is still required to have a legal basis to share personal information. EU residents also have the right to object to processing their personal information, including the sale or sharing of data with third-party controllers. The GPC specifications indicate the signal can be used for this purpose. Countries with comprehensive data privacy laws that require a legal basis for processing personal data can utilize their existing mechanisms to usher in the GPC.
The future of GPC
Whether it was the passage of the GDPR, CCPA, and other privacy laws or the increased frequency of news coverage on cybersecurity and privacy harms that affected public perception of their online activity, one thing is clear: consumers now have a greater awareness of online commercial tracking and greater loyalty to and trust in businesses that prioritize privacy. The GPC comes at a time when do not track would have had the right environment to thrive.
Today, organizations that are covered entities under the CCPA — any for-profit entity that collects, shares, or sells California consumers' personal data and has an annual gross revenue of at least $25 million, possesses the personal information of at least 50,000 Californian consumers, households, or devices, or earns more than half of its annual revenue from selling consumers' personal information — must recognize the GPC and other universal opt-out mechanisms. However, this means the GPC is mandatory for the nation's largest data aggregators and many publishers.
With California enforcing the GPC and Colorado and Connecticut following suit with their own requirements to recognize universal opt-out request mechanisms in 2024 and 2025, respectively, there is active enforcement and regulatory involvement to keep the control alive. Even the heavily-anticipated American Data Privacy and Protection Act specifically lists "global privacy signals" for use as an opt-out mechanism. While there has been traction in the U.S., it remains to be seen if the GPC will obtain global recognition. The absence of support from the largest browsers by market share, like Google Chrome and Apple's Safari, is also an indication to remain cautious about the GPC's success. However, with the incentives for publishers to recognize the GPC, privacy professionals would be wise to understand and consider its implementation.