
GPC and the CCPA F.A.Q.

Since posting the two Sephora blogs about the complaint from the California Attorney General and the proposed settlement, I’ve seen many questions regarding the Global Privacy Control and how it interacts with the requirements of different regulations. I’ve tried to summarize the most common questions I have seen since then below, with my thoughts on each based on the research I have done.

Disclaimers

This blog is different from most I write, because much of it is based in theory. As such I want to make sure that you, the reader, understand the following four points.

  1. The Global Privacy Control (GPC) specification, which drives much of the engineering analysis, is still in proposal status. As such, it is possible that it will change, potentially dramatically, over time.
  2. The notes about the California Privacy Rights Act (CPRA) amendments to the California Consumer Privacy Act (CCPA) are based on draft regulation. It’s possible, and even probable, that these regulations will change during the rulemaking process ahead of the enforcement date of January 1st, 2023.
  3. I am not a lawyer, and this is not legal advice. I strongly encourage any concern based on the below to be validated with relevant legal counsel.
  4. While I am a developer, I have no specific knowledge of your technical stack, and it may be that the below does not work in the context of your present setup. I advise that any engineering analysis be validated by your engineering team, who should have knowledge of your specific configurations.

Global Privacy Control Questions

What is the Global Privacy Control?

The GPC is a browser-level signal that reflects a user’s desire to opt out of having their personal information shared or sold. It allows a user to avoid manually declining consent on each website they visit, resulting in a better user experience.

Where can I find the current specification of the Global Privacy Control?

The specification can be found on GitHub.

Why do I care about the Global Privacy Control?

In the context of the California Consumer Privacy Act, adherence to the Global Privacy Control is required as per the F.A.Q. released by the Attorney General in June of 2021.

Opting out of the sale of personal information should be easy for consumers, and the GPC is one option for consumers who want to submit requests to opt-out of the sale of personal information via a user-enabled global privacy control. Under law, it must be honored by covered businesses as a valid consumer request to stop the sale of personal information.

https://oag.ca.gov/privacy/ccpa#collapse7b

We know from the enforcement tracker that the California AG is actively testing for compliance with the GPC signal as part of enforcement sweeps.

Since the requirement to adhere to the signal was added more than a year after CCPA enforcement began, it is very likely that any existing configuration does not properly handle the GPC signal in light of the clarification provided by the events involving Sephora.

How do I enable the Global Privacy Control?

If you wish to transmit a Global Privacy Control signal from your browser, you can visit this page for a list of clients / extensions which will allow you to do so.

Directions for Firefox can be found here, and information about Brave can be found here.

How can I validate if I am broadcasting a GPC Signal?

You can validate whether you are transmitting the GPC by visiting the test page run by globalprivacycontrol.org.

How can I test for the Global Privacy Control?

Presently, there are two ways to test for the GPC signal, and which one you would use depends greatly on how the various vendors to whom you may be selling or sharing personal information are installed.

For example, with a client-side tag manager, it may be viable to inspect the JavaScript property navigator.globalPrivacyControl, which returns true when enabled, reflecting the user’s desire to opt out of having personal data sold or shared.

Likewise, for a server-based integration method, it may be viable to look for the Sec-GPC request header, which will have a value of 1, reflecting the user’s intent to opt out.

Hybrid scenarios may need to use both methods to determine whether the signal is present on each respective layer of the architecture.
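As an added example (my own code, not part of the original post or the GPC project), the following Node.js snippet checks for the signal on both layers described above: the client-side navigator.globalPrivacyControl property and the server-side Sec-GPC request header. The navigator-like object and the header maps are constructed sample inputs; in a real page you would pass the browser’s navigator, and on the server the parsed request headers.

```javascript
// Added example (not from the original post): detecting the Global Privacy
// Control on the client layer and on the server layer. Runs under Node.js.

// Client side: the GPC draft exposes navigator.globalPrivacyControl, which is
// true when the user has enabled the control. Anything else (false, or the
// property being absent on a browser that does not implement it) is "no signal".
function gpcFromNavigator(nav) {
  return nav !== undefined && nav !== null && nav.globalPrivacyControl === true;
}

// Server side: the draft sends the request header `Sec-GPC: 1`. Header names
// are case-insensitive, so normalise before comparing. Only the exact value
// "1" counts as an opt-out; "0", an empty value or a missing header do not.
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === 'sec-gpc') {
      return String(value).trim() === '1';
    }
  }
  return false;
}

// Hybrid: treat the visitor as opted out if either layer carries the signal.
// A site that only checks one layer will miss the signal on the other.
function gpcPresent({ nav, headers }) {
  return gpcFromNavigator(nav) || gpcFromHeaders(headers || {});
}

// Constructed sample inputs (not captured from any real browser or request).
const sampleNavigatorOptedOut = { globalPrivacyControl: true };
const sampleNavigatorNoSupport = { userAgent: 'constructed/1.0' }; // property absent
const sampleHeadersOptedOut = { 'Sec-GPC': '1', host: 'example.test' };
const sampleHeadersLowercase = { 'sec-gpc': '1' };
const sampleHeadersZero = { 'Sec-GPC': '0' };
const sampleHeadersNoSignal = { host: 'example.test' };

console.log('client opted out:', gpcFromNavigator(sampleNavigatorOptedOut));
console.log('server opted out:', gpcFromHeaders(sampleHeadersOptedOut));
console.log('hybrid, signal only in header:',
  gpcPresent({ nav: sampleNavigatorNoSupport, headers: sampleHeadersLowercase }));
```

The strict comparisons matter: a truthy check such as `if (navigator.globalPrivacyControl)` would also accept a string like "0", and a header check that only tests for the header’s presence would treat `Sec-GPC: 0` as an opt-out.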

How can I tell if a website honors the control?

A business may use a .well-known/gpc.json file to reflect how it responds to the GPC. It may, under various regulations, have other requirements which indicate acceptance.

You should expect, when viewing the browser’s Network Panel, not to see personal information (as defined by the relevant regulation) sent to external entities (based on the regulation’s definition of sell or share) in the various network requests.

I should note that the more different ways a site decides to process the signal, the more complex the consent environment becomes, and that this will impact both engineering and legal processes. Careful discretion should be taken before deciding to alter the behavior on a regulation-by-regulation basis when it can be avoided.
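As an added example (my own code, not from the original post), here is a small checker for the .well-known/gpc.json resource mentioned above. It assumes the structure given in the GPC draft specification at the time of writing, a JSON object with a required boolean `gpc` field and an optional `lastUpdate` ISO 8601 date; confirm those field names against the current specification text. The sample bodies and status codes are constructed, and the fetch itself is left to the caller so the logic runs offline.

```javascript
// Added example (not from the original post): validating a site's
// /.well-known/gpc.json. Field names follow the GPC draft spec's support
// resource (`gpc` boolean, optional `lastUpdate` date); treat as an assumption
// to be checked against the current spec.

function parseGpcSupportResource(body) {
  let doc;
  try {
    doc = JSON.parse(body);
  } catch (e) {
    return { valid: false, reason: 'not valid JSON' };
  }
  if (doc === null || typeof doc !== 'object' || Array.isArray(doc)) {
    return { valid: false, reason: 'top level is not an object' };
  }
  // `gpc` must be a real boolean; "true" as a string is a misconfiguration.
  if (typeof doc.gpc !== 'boolean') {
    return { valid: false, reason: '"gpc" missing or not a boolean' };
  }
  // `lastUpdate`, when present, must be a YYYY-MM-DD date.
  if (doc.lastUpdate !== undefined) {
    const isDate = typeof doc.lastUpdate === 'string'
      && /^\d{4}-\d{2}-\d{2}$/.test(doc.lastUpdate)
      && !Number.isNaN(Date.parse(doc.lastUpdate));
    if (!isDate) {
      return { valid: false, reason: '"lastUpdate" is not an ISO 8601 date' };
    }
  }
  return {
    valid: true,
    honorsGpc: doc.gpc,
    lastUpdate: doc.lastUpdate === undefined ? null : doc.lastUpdate,
  };
}

// Classify the outcome of fetching the resource. A 404 means the site has
// published no statement either way, which is different from a claim of support.
function classifyGpcSupport(status, body) {
  if (status === 404) return 'no statement published';
  if (status !== 200) return 'unexpected response';
  const parsed = parseGpcSupportResource(body);
  if (!parsed.valid) return 'malformed resource: ' + parsed.reason;
  return parsed.honorsGpc ? 'claims to honor GPC' : 'states it does not honor GPC';
}

// Constructed sample bodies (not fetched from any real site).
const sampleHonors = '{"gpc": true, "lastUpdate": "2022-09-01"}';
const sampleDeclines = '{"gpc": false}';
const sampleBroken = '{"gpc": "yes"}';
const sampleNotJson = 'gpc: true';

console.log(classifyGpcSupport(200, sampleHonors));
console.log(classifyGpcSupport(200, sampleBroken));
console.log(classifyGpcSupport(404, ''));
```

Note that a published `"gpc": true` is only a claim. The Network Panel inspection described above is still needed to see whether personal information actually stops flowing to third parties once the signal is sent.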

What can I do if I believe the site does not honor the control?

Most regulations allow you to file a complaint with some sort of supervisory authority. For example, if you believe that a violation has occurred, and that the business must adhere to the CCPA, you can file a complaint with the Attorney General.

Important Definitions For the Next Section

Definition of Personal Information

Personal information is information that identifies, relates to, or could reasonably be linked with you or your household. For example, it could include your name, social security number, email address, records of products purchased, internet browsing history, geolocation data, fingerprints, and inferences from other personal information that could create a profile about your preferences and characteristics.

https://oag.ca.gov/privacy/ccpa

Definition of Sale of Personal Information

Widely considered, at the time of original enforcement, to mean ‘sale of personal information for money’, the recent Sephora investigation makes it clear that the California AG considers a sale of data to be an ‘exchange of personal information for benefit’, and thus not limited to strictly monetary transactions.

Definition of Service Provider & Third Party

Under the CPRA draft a Third Party is different from a Service Provider, but the classifications for both terms have been changed and defined in their own sections. Service Providers are bound by contract, and cannot perform specific types of business functions, such as cross-context behavioral targeting.

Companies which can’t be classified as a Service Provider are classified as Third Parties, and have different contract requirements. The Opt-Out of Sale process we discuss below specifically applies to Third Parties in the majority of cases.

Definition of “Request to Opt-Out of sale/sharing”

Per the CPRA draft:

“Request to opt-out of sale/sharing” means a consumer request that a business neither sell nor share the consumer’s personal information to third parties, pursuant to Civil Code section 1798.120, subdivision (a)

https://cppa.ca.gov/meetings/materials/20220608_item3.pdf

References to Signal, Preference Signal

In the following section references to Signal or Preference Signal should be assumed in this post to reference the Global Privacy Control signal.

GPC and the CCPA Interaction Questions

Note: Most of the answers in this section reference the CPRA draft regulations, as the CCPA final regulation text lacked explicit direction for how the Opt-Out Preference Signal should be complied with. Any reference to Section in bold text, refers to the CPRA draft regulations unless otherwise defined.

Must I honor the GPC under the CCPA?

Yes, adhering to the GPC for indication of opting out of sale of personal information has been required by the California Attorney General since July of 2021.

Under the CPRA draft regulations complying with the signal means that the business must treat it as a valid opt-out of sale/sharing for the browser or device, and if known, for the consumer.

Must I honor the GPC under other State Laws?

Several regulations speak to the ability to express a desire to opt out of sale via a preference signal. Some highlights are below (non-exhaustive):

Colorado Privacy Law

The Colorado law requires the state to develop regulations which include how to handle processing of a universal opt-out signal which will begin enforcement a year after the law’s enforcement date. Thus organizations subject to the Colorado law need to comply with the opt-out signal regulation before July 1st, 2024. It is very likely that the Global Privacy Control will be considered for this effort.

Connecticut Act Concerning Personal Data Privacy and Online Monitoring

Data Controllers are subject to honoring an opt-out preference signal, which will trump any conflicting controller-specific privacy setting beginning on Jan 1st, 2025. It is very likely that the Global Privacy Control will be considered for this effort.

Can I inform the user that I honored the GPC request for opt-out?

Per Section 7025.c.6 a business should display whether or not it has processed the consumer’s opt-out preference signal.

However, it should be noted that in Section 7025.f it states that when processing the opt-out signal in a frictionless manner the website is prevented from displaying a notification, pop-up, text, graphic, animation, sound, video or any interstitial content in response to the opt-out preference signal.

Why would I want to process the GPC in a frictionless manner?

Under the draft regulations you may (provided you meet all requirements) be able to optionally provide the “Do Not Sell My Personal Information” links in the footer. However, this is dependent on execution of the opt-out signal in a frictionless manner, as defined by Section 7025.f and Section 7025.g. Section 7025.e in the draft regulation makes it clear you must process the opt-out signal regardless of if you choose to offer the links or not.

Can I still show the Consent Banner if the user leverages the GPC?

I am torn on this one. Section 7025.c.2 indicates that a business shall not require the consumer to provide additional information beyond what is required to send the signal. A business can provide the consumer with an option to provide additional information (such that the request can apply to offline sale or sharing of personal information), but this is not required.

So I think the regulation needs further definition, but it would seem to me that if a website acknowledges the signal, the consent manager should suppress the prompt, while the downstream “opt-out” processes should still kick off as required under Section 7026, Requests to Opt-Out of Sale/Sharing.

Can I charge a fee for processing the GPC signal?

Section 7025.f.1 states that when executing in a frictionless manner, a business may not charge a fee or require any other valuable consideration.

However, Section 7025.e indicates that a non-frictionless manner exists, and it’s not clear if a fee can be charged in that instance. For example, the phrase ‘non-frictionless’ doesn’t appear anywhere else in the draft.

Can I change the customer experience after processing the GPC Signal?

Section 7025.f.2 states that when executing in a frictionless manner, a business may not change the experience in regard to the product or service offered by the business.

However, Section 7025.e indicates that a non-frictionless manner exists, and it’s not clear what’s possible in that instance. For example, the phrase ‘non-frictionless’ doesn’t appear anywhere else in the draft.

What happens if the GPC signal conflicts with an existing privacy setting?

Section 7025.c.3 speaks to this. The business is required to process the opt-out signal, but may notify the consumer of the conflict and present the consumer the opportunity to consent to the sale or sharing of their personal information.

What happens if the user later shows up without the GPC signal?

Section 7025.c.5 speaks to this.

A business shall not interpret the absence of an opt-out preference signal after the consumer previously sent an opt-out preference signal as consent to opt-in to the sale or sharing of personal information.

https://cppa.ca.gov/meetings/materials/20220608_item3.pdf

In other words, if you know at an account level that a user has opted out of sale, you can’t assume, if they later arrive without the signal, that they have suddenly consented to the sale of their data. The earlier signal (even if not present in the current session) takes precedence over any sort of implied consent.

This is demonstrated in Section 7025.c.7.C:

Noelle revisits Business O’s website at a later time using a different browser that does not have the opt-out preference signal enabled. Business O knows that it is Noelle because she is logged into her account. Business O shall not interpret the absence of the opt-out preference signal as consent to opt-in to the sale of personal information.

https://cppa.ca.gov/meetings/materials/20220608_item3.pdf

When can I prompt the user for consent again?

Section 7026.i indicates that, where not otherwise stated, you must wait 12 months before re-prompting the user for consent after they have provided a valid opt-out request (of which the preference signal is one).

Personally I think this becomes problematic in light of technical issues which I discuss here.

What Happens if the User Opts-Out of Sale via the GPC?

This is covered by Section 7026. The business must:

  • Notify the requestor via an on-screen indication (unless processing the signal in a frictionless manner).
  • Cease to sell to and / or share with third parties the consumer’s personal information as soon as possible, but no later than 15 days from the date the business receives the request. Note that providing personal information to Service Providers or Contractors does not constitute a sale or sharing of personal information; however, because the draft regulations dramatically redefine what a Service Provider is, a legal review is strongly suggested.
  • Notify all third parties to whom the business has sold or shared a consumer’s personal information that the consumer has opted out of sale/sharing, direct them to comply with the consumer’s request, and have them forward the request to any other party to whom the third party has disclosed that consumer’s information. Third parties may not retain, use or disclose the personal information unless they become a service provider or contractor that complies with the CCPA and the CCPA regulations.
  • Provide a means by which the consumer can confirm that their request to opt out has been processed by the business.

Technically, several things need to happen, and it gets complicated quickly.

  • Notify the user that the signal has been processed (unless the frictionless manner applies).
  • Flag that data being shared through the various collection points (such as Tag Management systems) needs to stop, and stop sending data via those methods.
  • Inform each downstream third party of the need to stop acting upon the consumer’s personal data.
  • Third Parties need to delete the data and cease using it.
  • Inform any ETL processes or Data Feeds to stop providing the data to third parties.
  • If the user has an account, the desire to opt out must be stored at the account level (so that the opt-out preference signal can still be processed properly should the user return to their account on a different browser or device), and this then needs to be surfaced on the website upon login so the relevant systems don’t accidentally continue to sell or share data.
  • Provide a notification somewhere that the consumer can see the opt-out process has completed.

Having a robust data governance process is critical for the technical work here. I strongly suggest automating this process, as when requests come in at scale it will be difficult to handle all of them inside the mandated time window for compliance.
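As an added example (my own code, not from the original post or any consent platform), the following Node.js sketch models the state that the steps above require: an opt-out recorded per browser and, when the consumer is known, per account; downstream notification (third parties, ETL feeds) triggered only on the first transition so that a signal arriving on every page view does not re-run the whole process; the Section 7025.c.5 rule that a later visit without the signal is not consent; and the Section 7026.i 12-month wait before re-prompting. The class and field names are my own, the 15-day and 12-month figures come from the sections quoted above (12 months is approximated as 365 days), and the scenario mirrors the Noelle example from Section 7025.c.7.C with constructed identifiers and dates.

```javascript
// Added example (not from the original post): a minimal opt-out registry
// implementing the account-level persistence and one-time downstream fan-out
// described above. Names are hypothetical; figures are from the draft sections.

const DAY_MS = 24 * 60 * 60 * 1000;
const DOWNSTREAM_DEADLINE_DAYS = 15; // Section 7026: cease selling/sharing within 15 days
const REPROMPT_WAIT_DAYS = 365;      // Section 7026.i: 12 months (approximated as 365 days)

class OptOutRegistry {
  constructor(now = () => Date.now()) {
    this.now = now;                 // injectable clock so the scenario is deterministic
    this.browsers = new Map();      // browserId -> { optedOutAt }
    this.accounts = new Map();      // accountId -> { optedOutAt }
    this.downstreamNotices = [];    // simulated notices to third parties / ETL feeds
  }

  // Handle one request. `gpcPresent` is the result of checking the signal on
  // whichever layer applies; `accountId` is null for anonymous visitors.
  handleRequest({ browserId, accountId = null, gpcPresent }) {
    const t = this.now();
    let newlyOptedOut = false;
    if (gpcPresent) {
      if (!this.browsers.has(browserId)) {
        this.browsers.set(browserId, { optedOutAt: t });
        newlyOptedOut = true;
      }
      if (accountId !== null && !this.accounts.has(accountId)) {
        this.accounts.set(accountId, { optedOutAt: t });
        newlyOptedOut = true;
      }
    }
    // Fan out to downstream systems only on a state change, never on every
    // request, so the signal itself cannot drive excessive downstream load.
    if (newlyOptedOut) {
      this.downstreamNotices.push({
        browserId, accountId, at: t, deadline: t + DOWNSTREAM_DEADLINE_DAYS * DAY_MS,
      });
    }
    return { optedOut: this.isOptedOut(browserId, accountId), newlyOptedOut };
  }

  // Section 7025.c.5: a prior opt-out stands even when the signal is absent now.
  isOptedOut(browserId, accountId = null) {
    return this.browsers.has(browserId)
      || (accountId !== null && this.accounts.has(accountId));
  }

  // Section 7026.i: consent may be requested again only after the waiting period.
  canReprompt(accountId) {
    const rec = this.accounts.get(accountId);
    if (!rec) return true;
    return this.now() - rec.optedOutAt >= REPROMPT_WAIT_DAYS * DAY_MS;
  }
}

// Constructed scenario: Noelle opts out via GPC in browser b1 while logged in,
// then returns 30 days later on browser b2 without the signal.
function runScenario() {
  let clock = Date.UTC(2022, 8, 1); // constructed start date
  const reg = new OptOutRegistry(() => clock);
  const first = reg.handleRequest({ browserId: 'b1', accountId: 'noelle', gpcPresent: true });
  const repeat = reg.handleRequest({ browserId: 'b1', accountId: 'noelle', gpcPresent: true });
  clock += 30 * DAY_MS;
  const otherBrowser = reg.handleRequest({ browserId: 'b2', accountId: 'noelle', gpcPresent: false });
  const anonymous = reg.handleRequest({ browserId: 'b3', gpcPresent: false });
  return {
    first, repeat, otherBrowser, anonymous,
    notices: reg.downstreamNotices.length,
    canRepromptNow: reg.canReprompt('noelle'),
  };
}

console.log(runScenario());
```

The point of the `newlyOptedOut` flag is the scaling concern from the last section of this post: the signal arrives with every request from an opted-out browser, so the expensive downstream work has to be keyed off a change in stored state rather than off the signal itself.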

Do Consent Management Platforms Handle the GPC?

Many consent managers took the original definitions of the CCPA and specifically added limited support for categories of cookies such as “targeting”. However, it’s clear from the draft regulations that the Consent Manager on its own is insufficient for opting out of sale/sharing of personal data.

As per Section 7026.b.4:

A notification or tool regarding cookies, such as a cookie banner or cookie controls, is not by itself an acceptable method for submitting requests to opt-out of sale/sharing because cookies concern the collection of personal information and not the sale or sharing of personal information. An acceptable method for submitting requests to opt-out of sale/sharing must address the sale and sharing of personal information.

https://cppa.ca.gov/meetings/materials/20220608_item3.pdf

So even the typical Consent Manager that handles cookie consent would be considered non-viable under the regulations. I think it would have to be integrated with other systems such as the Tag Manager and other processes which may transmit the consumer’s personal information to be considered viable because it must address the sale or sharing of personal information regardless of what form it takes.

Put another way, the consent manager on its own is likely insufficient because it lacks the required downstream processes. Further, it’s unlikely that the tag manager, even if integrated with the consent management platform, would meet the requirements. The data flows we’re discussing are more numerous than that for most enterprises and don’t take place entirely on the front end of the website.

Based on the draft regulations I reviewed here, I think most businesses will be looking at a new consent architecture, because you can’t just kick off all these downstream processes on every request, even if they did exist in the consent manager. An architect would need to solve the implementation considerations outlined by the specification for whatever site infrastructure they are working with, to avoid causing a self-inflicted denial of service due to excessive network load.
