Global Privacy Control (GPC) and Universal Opt-Out

Written by Matt Davis, CIPM (IAPP) | March 24, 2023

More than ever before, consumers are aware of their online privacy rights and businesses realize the importance of implementing GPC (Global Privacy Control). Whether consumers understand the letter of the law exactly or not, the reality is that as privacy protection rapidly evolves, so do the responsibilities of businesses and companies who collect, sell, or share data.  

Everyone who has used the internet has seen their fair share of popup privacy banners asking them to accept cookies. Some are fairly simple and notify users of their collection of cookies, while others have more detail about why they’re collecting data. 

Depending on the governing law, these popups may provide links to full privacy policies, settings, and where to learn more.  

In the past, this fairly intrusive method was the only way to secure consent from website users, who were forced to interact with popups for each new website they visited. If a consumer wanted to restrict the sale of their information, they had to submit a “do not sell” request to each business, which wasn’t always easy. And it doesn't make for a good privacy experience, especially when considering the right to opt for better data protection.

A 2020 study showed that many consumers struggled to locate the link to opt out of the sale of their information. Many businesses’ opt-out process was so onerous that it seriously impaired consumers’ control over what happened to their data.  

Today, technology enables consumers to set their privacy preferences once, and certain web browsers automatically send a signal to each new website the user visits. 

Because there is no federal data privacy law, businesses are left wondering how to comply with various state laws and manage these user opt-out preference signals. This blog will highlight global privacy laws and how businesses can remain compliant even in a changing privacy landscape.  

What are Global Privacy Control, Universal Opt-Out Signals, and Requests?

Global privacy control (GPC) is also known as a universal opt-out preference signal, which allows users to automatically communicate their privacy preferences to every website they visit. 

The GPC operates as an extension on the user's browser, enabling an “authorized agent”—a technology that users have authorized to manage data collection consent on their behalf—to share these preferences seamlessly.

A universal opt-out allows individuals to make a single, comprehensive request that applies across multiple websites and platforms, ensuring that their privacy preferences are respected without the need to manually opt out on each site they visit. This standardized signal acts as a universal consent or user opt-out request, indicating the user’s privacy settings across the entire digital ecosystem.

For consumers, universal privacy signals offer a streamlined and effective way to exercise their privacy and data rights, reducing the complexity of managing privacy preferences across numerous online services.

For businesses, this trend underscores the need to stay ahead of privacy compliance by integrating systems that can detect and respond to these universal signals, thereby fostering trust and ensuring adherence to modern privacy standards.

Companies must now adapt to recognize and respect these signals, integrating the necessary backend processes to comply with privacy regulations such as the California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA).

How Does GPC Work?

When GPC is enabled in a user's browser, the browser automatically includes the GPC signal in the HTTP headers of all outgoing requests to websites. This signal indicates the user's preference not to have their data sold or shared. The website, upon receiving this signal, is expected to comply by adjusting its data collection and sharing practices accordingly.

For businesses, this means detecting the GPC signal in incoming web requests and responding appropriately:

Signal Detection: The website must be configured to detect the GPC signal in the HTTP headers or JavaScript environment.

Automated Response: Upon detection, the website should automatically disable certain cookies, prevent data from being shared with third parties, or modify other data processing activities in line with the user’s preferences.

Compliance Logging: To ensure compliance and maintain transparency, businesses should log instances where privacy signals are detected and document the actions taken in response.
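The three steps above, as an added server-side example that is not Osano's code or part of the original article: it detects the `Sec-GPC: 1` request header defined by the GPC specification (the client-side counterpart is `navigator.globalPrivacyControl`), turns off the opt-out categories, and builds a log record. The category names, the `handleRequest` helper, and the log record shape are assumptions made for illustration.

```javascript
// Added example: server-side GPC handling (detect, respond, log).
// Category names and the log record shape are assumptions for illustration.
const OPT_OUT_CATEGORIES = ["sale", "sharing", "targetedAdvertising"];

// The GPC spec defines the request header "Sec-GPC" with the single value "1".
// Header names are case-insensitive, so compare them lowercased.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") {
      return String(value).trim() === "1";
    }
  }
  return false;
}

// Returns the consent state to enforce, response headers, and a log record.
function handleRequest(headers, storedConsent, requestId, now = new Date()) {
  const gpc = hasGpcSignal(headers);
  const consent = { ...storedConsent }; // never mutate the stored record
  const changed = [];
  if (gpc) {
    for (const category of OPT_OUT_CATEGORIES) {
      if (consent[category] !== false) changed.push(category);
      consent[category] = false; // the signal overrides a stored "allowed"
    }
  }
  return {
    consent,
    // Caches must not serve a tracking-enabled page to a GPC visitor.
    responseHeaders: { Vary: "Sec-GPC" },
    // Log the signal and the action taken, not extra visitor data.
    logRecord: {
      timestamp: now.toISOString(),
      requestId,
      gpcDetected: gpc,
      categoriesDisabled: changed,
    },
  };
}

// Constructed sample requests (not captured traffic).
const stored = { sale: true, sharing: true, targetedAdvertising: true, analytics: true };
const withGpc = handleRequest({ "Sec-GPC": "1" }, stored, "req-001");
const withoutGpc = handleRequest({ "user-agent": "example" }, stored, "req-002");
console.log(JSON.stringify(withGpc.logRecord));
console.log(JSON.stringify(withoutGpc.logRecord));
```

The returned `consent` object is what downstream tag-loading and data-sharing code should consult; checking the header only at the edge and then ignoring the result is the failure mode to test for.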

Why Privacy Matters for Businesses

In the not-so-distant past, a “Do Not Track” signal tried (and failed) to gain traction. The idea was similar to GPC in that it provided consumers with a way to opt out of being tracked across websites and limit the use and sharing of data. Companies didn’t honor it, though—there was nothing to compel them to. Ten years after its proposal, in 2019, the W3C disbanded the project because of “insufficient support and adoption.”

That’s changed. The GPC and universal opt-out signals now have state laws backing them—and they have teeth.

The CCPA/CPRA requires businesses to treat the signals as valid requests to withdraw consent to the sale or sharing of personal information, including for cross-context behavioral advertising. 

In 2022, California Attorney General Rob Bonta announced a $1.2 million settlement with cosmetics retailer Sephora, Inc., for violating the CCPA. There were various violations, but chief among them was the failure to process privacy requests via the GPC. Attorney General Bonta highlighted this violation in a press release on the enforcement.

"Technologies like the Global Privacy Control are a game changer for consumers looking to exercise their data privacy rights. But these rights are meaningless if businesses hide how they are using their customer's data and ignore requests to opt-out of its sale. 

I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. My office is watching, and we will hold you accountable. [...] Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls."

Data Privacy Laws in Other States

As digital privacy becomes increasingly important, a growing number of US state privacy laws are setting modern privacy standards, empowering consumers with more control over their privacy choices. These regulations often include requirements for businesses to respect global privacy control signals, ensuring users can disallow the sale of their personal data seamlessly.

While California has led the charge with its California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), other states are quickly following suit, enacting their privacy laws to protect consumers. In 2023, several states—Colorado, Connecticut, Utah, and Virginia—have introduced US privacy legislation that either has already taken effect or will soon do so.

Colorado Privacy Act and Connecticut Data Privacy Act

Both the Colorado Privacy Act (CPA) and the Connecticut Data Privacy Act (CDPA) went into effect on July 1, 2023. These laws share several similarities with California’s CPRA, including the requirement for companies to observe GPC signals.

Under the CPA and CDPA, businesses operating in these states must respect user-enabled global privacy controls like GPC as valid requests to opt out of the sale or sharing of personal data. This means that when a consumer in Colorado or Connecticut enables GPC in their browser, companies are legally obligated to comply with this signal, ensuring that the user’s data is not sold or shared without their explicit consent.

These laws place a strong emphasis on user privacy and control, aligning with a broader trend of increasing consumer rights in the digital space. Companies doing business in these states must now integrate systems capable of detecting and responding to GPC signals to remain compliant and avoid potential penalties.

Utah Consumer Privacy Act

The Utah Consumer Privacy Act (UCPA) came into effect on December 31, 2023. While the UCPA establishes several consumer rights similar to those found in other state privacy laws—such as the right to access, delete, and opt out of the sale of personal data—it does not require businesses to adhere to GPC signals.

However, businesses must still provide clear and accessible mechanisms for consumers to exercise their privacy rights, including opting out of the sale of their personal information through other means.

Virginia Consumer Data Protection Act

The Virginia Consumer Data Protection Act (VCDPA), which became effective on January 1, 2023, also differs from laws like the CPRA in how it approaches the GPC universal opt-out mechanism. The VCDPA does not mandate that businesses honor GPC signals. Instead, it focuses on providing Virginia residents with the ability to access, correct, delete, and opt out of the processing of their personal data for purposes like targeted advertising and the sale of data.

While the VCDPA gives consumers significant control over their personal data, not being required to honor the signals of GPC means that users in Virginia may need to rely on more traditional methods—such as website-specific opt-out mechanisms—to manage their privacy preferences.

Texas Data Privacy and Security Act

The Texas Data Privacy and Security Act (TDPSA) was enacted on July 1, 2024. This law grants Texas residents the rights to access, delete, and correct their personal data and to opt out of targeted advertising and data sales. Businesses operating in Texas must ensure they have systems in place to respect these consumer rights and comply with the new regulations. The TDPSA aligns closely with other state laws but adds Texas-specific requirements that companies must follow.

Montana Consumer Data Privacy Act

Effective October 1, 2024, the Montana Consumer Data Privacy Act (MCDPA) provides Montana residents with rights to access, delete, and correct their personal data. Additionally, it allows consumers to exercise control over targeted advertising and profiling. Companies doing business in Montana must respect these preferences and adjust their data handling practices accordingly to remain compliant with the MCDPA.

Tennessee Information Protection Act

The Tennessee Information Protection Act (TIPA), effective July 1, 2025, introduces comprehensive privacy rights for Tennessee residents, including the right to access, delete, and correct personal data. The law also empowers consumers to limit targeted advertising and the use of their data for certain purposes. Businesses in Tennessee must implement systems to detect and honor these requests, ensuring full compliance with TIPA.

Oregon Consumer Privacy Act

The Oregon Consumer Privacy Act (OCPA) took effect on July 1, 2024, granting Oregon residents the right to access, delete, and correct their personal data. The law also includes provisions for limiting targeted advertising and other data processing activities. Oregon companies must integrate mechanisms to respect these consumer rights and maintain compliance with the OCPA.

Delaware Personal Data Privacy Act

The Delaware Personal Data Privacy Act (DPDPA), effective January 1, 2025, provides Delaware residents with comprehensive privacy rights, including access, deletion, and correction of personal data, along with the ability to restrict targeted advertising and profiling. Businesses in Delaware must ensure they are equipped to handle these requests and comply with the DPDPA to avoid penalties.

As privacy laws evolve, companies must proactively adapt to these changes. Doing so lets them comply with legal obligations and build stronger, trust-based customer relationships.

To navigate this changing environment, it's important to know how to handle user control signals and opt-out preferences to comply with regulations and build trust with consumers.

How Osano Helps to Process GPC Signals

Even if your company isn’t legally required to process GPC signals, doing so helps build trust and shows consumers you care about their data preferences.

A consent management platform, such as Osano, can help your company meet compliance regardless of the jurisdiction, honor privacy opt-out requests, and avoid serious consequences.  

When Osano’s “Support Global Privacy Control (GPC)” toggle is switched on, Osano listens for incoming consent preference signals from visitors using a browser extension that supports GPC and automatically acts on and records those preference signals, keeping you in compliance.  

If you’re wondering how to contend with new data privacy laws, check out our action plan for 2024 state data privacy laws. Or, find out whether Osano is a fit for your company by scheduling a demo today.