What is Global Privacy Control (GPC)?
Global Privacy Controls are settings users configure online to send privacy preferences to websites they visit. It’s a concept that has been around for a while now, building from the initial concept of “Do Not Track” or “DNT” project (now retired). It is currently favored by both privacy advocates and regulators because these browser-based settings allow users to “set and forget” their privacy preferences universally.
From the advocate/regulator/user perspective this makes a lot of sense. Rather than needing to tell each website individually what to do with the personal information it’s receiving, GPC allows for a single “global” signal to be set and delivered from the browser consistently across the internet (while that particular browser is being used) to all future websites visited. So how is GPC different from the previously failed DNT effort? And why is this attempt gaining traction and enjoying the spotlight right now?
Why GPC is important
The reason GPC is gaining traction may be the attention and public endorsement from significant privacy regulators for one:
“CCPA requires businesses to treat a user-enabled global privacy control as a legally valid consumer request to opt out of the sale of their data.
CCPA opened the door to developing a technical standard, like the GPC, which satisfies this legal requirement & protects privacy.”
Former California Attorney General, Xavier Becerra
And the fact that GPC has been referenced in California (CPRA), Colorado (CPA) and now Connecticut’s (CDPA) privacy laws gives this new iteration of the effort a more likely path to widespread endorsement and enforcement. Being on the radar of states that are active in the development of consumer privacy legislation, with state attorney general offices set to actively enforce these laws, could well give this mandate the teeth that DNT lacked when the concept first emerged.
Ok, So How Will GPC Work?
That is currently up for debate. Many of the standards, processes, and technologies still need to be developed, so stay tuned. Technical specifications have been published, but it’s too early to know how this HTTP header signal will be accepted and processed by companies on a large scale. In essence, once privacy preferences are affirmatively set by a user in the browser (where and when available) those preferences are then sent to all future website servers with a recognizable format that will legally need to be registered as a “do not track, sell or share my information” command. The signal will be binary, with a “0” for “off” and a “1” for “enabled” so there shouldn’t be any confusion on the receiving side about what that user is requesting. Just how that signal will be understood legally and technically by businesses will take some time though. Most likely a few public enforcement case studies for a common understanding will emerge to provide guidance in the coming years.
Reactions from Business, and What’s Next
In terms of timelines, the CPRA will go into force on January 1, 2023, and the CPA and CDPA will take effect on July 1, 2023. So even though many GPC questions remain, technically businesses should be ready to receive and register these consumer requests on those start dates. Meaning businesses should be able to follow through with opting those customers out of their digital marketing efforts and information sharing activities where applicable. No one knows just what kind of request volumes to expect. Perhaps short term “patch” solutions will suffice in the near term, but if demand picks up due to increased consumer awareness and a few high profile/high fine enforcement actions those systems won’t hold up over time. So, it’s best to start planning now for more robust responses, especially as more state privacy laws and even the potential of a federal privacy law loom on the horizon.
The go-to source for Global Privacy Signal information and developments can be found here at globalprivacycontrol.org. From their press release on Data Privacy Day last year, you can see some large, well-recognized organizations have pledged support. The privacy technology community has responded as well including some of the major players:
“…OneTrust is honored to partner with GPC to expand individual privacy controls and support organizations…”
Blake Brannon, Chief Technology Officer, OneTrust
So it looks like a few technical solutions will be available to leverage in your deployment efforts. If you are a B-C company, it’s time to take global privacy control seriously, and put into place the ability to respond to these requests. You’ll need to keep an eye out for coming developments and updates, but it’s surely not too early to begin planning and implementing for the inevitable ping of GPC signals coming your way soon.
For more information, and to inquire about how LevelUP Consulting Partners can help with your risk management and privacy compliance needs, contact: Dave Cohen, dave.cohen@levelupconsult.com, Senior Manager, LevelUP Consulting Partners.
