What is Global Privacy Control? How Universal Opt-Out is Changing Consent & Compliance
Privacy & Compliance | December 13, 2022
Privacy is a growing priority for web users. An overwhelming 84 percent of Americans say they are concerned about the safety and privacy of their personal data on the internet, according to recent research from Ipsos. And while the introduction of data privacy laws like the EU’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and the Colorado Privacy Act (CPA) has given consumers more control over their personal data and privacy than ever before, many privacy advocates, and even some regulators, argue that online privacy still has a long way to go.
One frequent sticking point is the complexity of managing user privacy preferences. Frankly, managing privacy preferences across the web is not nearly as straightforward as it should be.
Users must interact with different consent forms, cookie banners, and privacy policies for every website they visit — a tedious process that confuses consumers and degrades the user experience, resulting in inconsistent privacy controls that can leave users unprotected and businesses non-compliant with legal regulations.
To address this problem, there’s a growing call to implement a Global Privacy signal, also known as a Universal Opt-Out Method (UOOM), or an opt-out preference signal: a browser feature that would signal the user’s privacy preferences to every website they visit, streamlining the consent management process across the internet and improving user experience.
In fact, some leading privacy laws, like California’s CPRA and Colorado’s CPA, have already set timelines for recognizing and implementing global privacy signals to manage consent for data collection and processing.
Let’s look at what the changes mean for users and marketing professionals, and how businesses can stay compliant with evolving regulations.
Note: We will primarily be covering the Global Privacy Control, the most widely adopted opt-out method so far, but the concepts covered apply to all universal opt-out methods.
What is a Global Privacy Signal?
First off, it’s important to separate the concept of a universal opt-out method from the technical reality of the Global Privacy Control.
What is a Universal Opt-Out Method AKA Opt-Out Preference Signal?
When regulators first began entertaining the idea of a universal opt-out for privacy concerns, no such tool actually existed, and so, rather than setting out technical requirements for privacy signals, regulators outlined the concept of universal opt-out signals as a universal mechanism or system that lets internet users easily signal their personal data and privacy settings on a global scale.
Lawmakers in California envisioned this signal as a way to convey the user’s preferences regarding the sale or sharing of their personal data, but other privacy advocates have imagined a broader toolset that lets users manage and control their data to a greater extent. This could include the ability to view and control which personal information is shared, with whom it is shared, and for what purposes it is shared.
While regulators did not initially set forth technical requirements for universal opt-out methods, most set deadlines to do so once the number of available preference signals has grown, and many regulators, such as those in Colorado, have promised to maintain a public list of recognized UOOMs.
What is the Global Privacy Control?
The Global Privacy Control (GPC) is a proposed technical specification that transmits a binary signal which, when set to true, notifies websites of a visitor’s privacy preferences (e.g., not to share or sell their personal data), giving internet users the ability to make a one-time privacy choice in their browser, rather than submitting consent manually to each website.
The Global Privacy Control is supported and developed by a group of privacy-focused organizations and businesses, including Mozilla, The New York Times, Brave, DuckDuckGo, The Washington Post, Consumer Reports, and the Electronic Frontier Foundation.
The current iteration of the Global Privacy Control is tailored to the CPRA and transmits do-not-sell and do-not-share preferences as a binary signal which, when set to true, indicates that the user does not wish for websites to sell or share their personal information with third parties.
To use the Global Privacy Control, users must download a browser or extension that supports the technology; from there, they can turn on the UOOM and set their privacy preferences. The browser will send the GPC signal to all the websites they visit, and participating ones will act on the requests automatically.
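To make the "participating websites act on the request" step concrete, here is an added example (not code from the GPC specification, this article, or any of the organizations named above) showing how a site can read the signal on the server and gate sale/sharing on it. It assumes the request header name `Sec-GPC` with the value "1" and the `navigator.globalPrivacyControl` property defined by the GPC specification; the consent store, user IDs and decision logic are constructed for illustration.

```javascript
// Per the GPC spec, a request carrying the header `Sec-GPC: 1` expresses the
// do-not-sell / do-not-share preference. Absence of the header, or any other
// value, means no signal was sent. Header names are compared case-insensitively.
function gpcSignalPresent(headers) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === "sec-gpc");
  if (key === undefined) return false;
  // Proxies may fold repeated headers into a comma-separated list.
  return String(headers[key]).split(",").some((v) => v.trim() === "1");
}

// Constructed consent store (hypothetical): users who, on a dedicated consent
// page, explicitly agreed to sale/sharing despite sending the signal, and who
// may revoke that consent later. A real store would persist timestamps too.
const explicitConsent = new Map([
  ["user-42", { consented: true, revoked: false }],
  ["user-7", { consented: true, revoked: true }],
]);

// Decide whether this request may be treated as permitting sale/sharing.
// Returns the reason alongside the decision so it can be written to an audit log.
function saleSharingPermitted(headers, userId) {
  if (!gpcSignalPresent(headers)) {
    return { permitted: true, reason: "no-gpc-signal" };
  }
  const record = userId ? explicitConsent.get(userId) : undefined;
  if (record && record.consented && !record.revoked) {
    return { permitted: true, reason: "explicit-consent-overrides-gpc" };
  }
  return { permitted: false, reason: "gpc-opt-out" };
}

// Client side: the spec exposes the same signal as navigator.globalPrivacyControl.
// The navigator-like object is passed in so the check can be tested outside a browser.
function shouldLoadThirdPartyTags(nav) {
  return nav.globalPrivacyControl !== true;
}

// Constructed sample requests to show the three outcomes.
console.log(saleSharingPermitted({ "Sec-GPC": "1" }, "anon"));     // gpc-opt-out
console.log(saleSharingPermitted({ "sec-gpc": "1" }, "user-42"));  // explicit consent
console.log(saleSharingPermitted({}, "user-42"));                  // no signal
```

Wire `saleSharingPermitted` in front of every code path that hands personal data to an ad or analytics partner, and log the returned reason so an auditor can later show that signalled requests were honored.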
The Benefits of Global Privacy Signals
For users, the benefits of such preference signals are obvious. Consent banners are annoying and time-consuming, and having a one-stop shop to decline all of them would improve the browsing experience and save time.
Legal teams, like users, are another potential beneficiary of the technology. The GPC provides an open standard for businesses and advertisers to make compliance with an increasingly wide array of data privacy laws much less daunting — ultimately streamlining their online marketing efforts.
While GPC is currently a response to CCPA and CPRA, implementing the technology can help future-proof your compliance effort as California’s focus on GPC may trigger a wave of GPC enforcement across various states with similar privacy laws.
For marketers, on the other hand, the prospect of a blanket ‘no’ to all data collection and processing may seem daunting. At first glance, GPC may seem to hinder a company’s ability to collect customer data to inform its marketing decisions. However, it can help you build trust with consumers and reinforce your brand’s reputation in the long run by empowering website visitors to control their data, and, if certain processing is required to improve user experience or present valuable offers, it is still legal to request consent and make your case.
How are Global Privacy Controls Different from ‘Do Not Track’?
Do Not Track was a plug-in offered by major browsers that, when turned on, added a header to the requests the browser sent to servers. However, no servers knew how to interpret the header, nor were they required to, so they often ignored it. Without legislative action, it became clear that it would fail. The nail in the coffin was when Apple disabled DNT on Safari because websites could single out its users, making it (ironically) particularly useful for fingerprinting.
The main difference with GPC is that browser-level user-enabled requests could be made legally binding: CPRA final regulations already require all businesses to honor user requests via user-enabled global privacy controls.
Enforcement actions are currently the responsibility of the attorney general (who has already sent enforcement letters to companies that did not honor GPC), as well as the California Privacy Protection Agency created under CPRA.
In October 2021, the newly created California Privacy Protection Agency (CPPA) announced that Ashkan Soltani, former chief technologist at the FTC and one of the leading advocates for the GPC initiative, would be the CPPA’s first executive director.
Global Privacy Signals and Compliance Requirements
Some states, including California and Colorado, have already incorporated global privacy signals into their privacy laws:
California’s landmark privacy legislation, the California Consumer Privacy Act (CCPA), was updated in 2021 to clarify that global privacy signals “must be honored by covered businesses as a valid consumer request to stop the sale of personal information.” The California Privacy Rights Act (CPRA), which has further requirements to recognize GPC, goes into effect on January 1, 2023. Under the CPRA, covered businesses will be required to honor universal opt-out signals like the GPC, and treat them as a valid consumer request to opt out of the selling or sharing of personal information.
But a business may be able to circumvent the requirements by providing a link to a web page where visitors can consent to the business not acting on the opt-out signal. The page must also give users the ability to revoke their consent without degrading the user experience on the website.
Lawmakers in California have wasted no time in moving forward with universal opt-out. In July 2022, California attorney general Rob Bonta publicly backed the Global Privacy Control specification by issuing letters to several companies reinforcing the requirement under CCPA to honor the signal, and in August 2022, Bonta announced a $1.2 million settlement with makeup retailer Sephora, based on allegations that the company had failed to comply with CCPA, and specifically “had failed to process user opt-out requests via user enabled global privacy controls.”
The Colorado Privacy Act (CPA) introduced UOOM to allow consumers to communicate their opt-out preferences to all data controllers without submitting individual requests. The draft rules also outline technical specifications for maintaining a public list of recognized UOOMs. The Colorado Attorney General (AG) will have until July 1, 2023, to finalize the details.
Data controllers must comply with the CPA by July 1, 2024 — making Colorado the first state that explicitly requires businesses to honor universal, user-selected opt-out signals for targeted advertising and sales of personal data. Additionally, the UOOM must meet the technical specifications issued by the state AG.
The UOOM cannot be a default setting under the CPA. It must represent a user’s affirmative and unambiguous choice to opt-out of the sales of personal data. The process must be consumer-friendly, communicated in clear language, and consistent with other mechanisms required by US laws.
Connecticut’s SB 6, signed into law by Governor Ned Lamont in May 2022, gives Connecticut consumers the right to opt out of processing of personal data for the purposes of targeted advertising, profiling, or the sale of personal data. Businesses are required to post opt-out links on their websites, and as of January 1st, 2025, will be required to recognize “opt-out preference signal[s]” sent via a universal opt-out mechanism.
EU: The GDPR and Global Privacy Signals
The EU’s General Data Protection Regulation (GDPR) is widely regarded as the world’s strongest privacy law, and it sets out a number of principles and rights related to the protection of personal data, including the right of individuals to control how their personal data is used and shared. But the GDPR does not specifically mention global privacy controls. While global privacy controls may be a useful mechanism for individuals to exercise their rights under the GDPR, the GDPR does not require organizations to implement them.
In the specifications of GPC, the signal’s creators outline a potential reading of the GDPR that would require recognition of the GPC, claiming that “The GDPR requires that “Natural persons should have control of their own personal data” ([GDPR], Recital 7). The GPC signal is intended to convey a general request that data controllers limit the sale or sharing of the user’s personal data to other data controllers ([GDPR] Articles 7 & 21). This request is expressed with every interaction that the user agent has with the server.” However, lawmakers in the EU have given no clarification on the matter.
What about other jurisdictions?
In jurisdictions where there are no universal opt-out signal compliance requirements, websites may choose to ignore opt-out signals.
What’s Next for Global Privacy Controls?
AG Rob Bonta issued a press release after bringing the first CCPA enforcement action against Sephora for violating the CCPA’s “Do Not Sell” provision. It stated that businesses must “[f]ollow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls.”
Since California is a technology and data privacy bellwether, its approach to GPC is likely a sign of things to come. As more states adopt data privacy laws, they’d likely model theirs after the CPRA. Fulfilling CPRA requirements can help you comply with other state regulations, stay ahead of the game, and position yourself as a trusted brand.
However, requirements for universal opt-out requests are still taking shape and are likely to present challenges to data controllers. For example, different organizations offer various opt-out methods, and there’s no consensus on how universal opt-out should work in today’s complex ad tech ecosystem.
The introduction of Global Privacy Control (GPC) will ultimately help brands create a better user experience to build trust with customers. But the successful implementation of global privacy signals does face some significant challenges, primarily from large players in the tech space. At present, neither Google Chrome nor Apple Safari, which represent a combined 84% of browser market share in 2022, supports GPC natively. While users of these browsers can install extensions to support GPC, the lack of built-in support could represent the death knell for the still-nascent specification. So far, no regulators have required browser support for opt-out signals.
Global Privacy Signals FAQ
What is Global Privacy Control (GPC)?
The Global Privacy Control (GPC) is a proposed technical specification that transmits a binary signal which, when set to true, notifies websites of a visitor’s privacy preferences (e.g., not to share or sell their personal data), giving internet users the ability to make a one-time privacy choice in their browser, rather than submitting consent manually to each website.
What Browsers Support Global Privacy Control?
Mozilla Firefox, Brave, and DuckDuckGo currently support GPC.
Does Chrome Support Global Privacy Control?
No, but Chrome users can download browser extensions, such as DuckDuckGo, Abine, and Privacy Badger to enable GPC.
Does Safari Support Global Privacy Control?
No, but Safari users can download browser extensions, such as DuckDuckGo, Abine, and Privacy Badger to enable GPC.
Which states recognize global opt-out signals?
California currently requires the recognition of global opt-out signals. Colorado and Connecticut will require recognition as of 2024, and 2025, respectively.
Does the GDPR require global privacy controls?
No. While global privacy controls may be a useful mechanism for individuals to exercise their rights under the GDPR, the GDPR does not require organizations to implement them.