Global Privacy Control Endorsed by California AG – Next Steps
In late January, California’s Attorney General (AG) tweeted about the use of the new Global Privacy Control (GPC), informing California consumers that on certain browsers they can use GPC as a “stop selling my data switch” to exercise their right to opt out of the sale of their personal information (PI) in one step – rather than on an individual site basis. As the GPC is not yet a finalized standard, it remains uncertain when the AG’s office will begin enforcing the GPC, but the tweet provides some insight into how the AG’s office views this issue.
Opt-Out of Sale Methods
The California Consumer Privacy Act’s (CCPA) broad definition of “sell” includes the sharing of PI for any exchange of value, which arguably encompasses the sharing of information with third parties in relation to on-site advertising cookies and similar tracking technologies. Title 11, Cal. Code Regs § 999.315(a) (CCPA regulation § 999.315(a)), establishes that a business must provide two or more designated methods for submitting requests to opt out of sales.
In addition to the required “Do Not Sell My Personal Information” (DNSMPI) link, the rule provides that other possible opt-out methods include an opt-out web form, a designated toll-free phone number or email address, and “user-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their [PI].” Section 999.315(c) goes further in stating that if a business collects PI from a California resident online, “the business shall treat user-enabled privacy controls” as a valid opt-out of sale request.
New GPC Standard
Seeking to capitalize on this new mechanism enumerated in the CCPA regulations, in October 2020 a group of privacy researchers, major newspaper publishers, and several web browser vendors created a proposed technical specification called the Global Privacy Control. Several browsers or extensions (see list) have already incorporated the GPC such that, if enabled by a user, the signal will be sent automatically from the browser to the sites visited, and participating websites that adopt technical support for the mechanism will need to honor the CCPA “Do Not Sell” request with respect to the third-party tracking technologies on the website.
On browsers and browser extensions incorporating GPC, California residents can theoretically exercise their opt-out right across all websites in one step instead of site-by-site by clicking DNSMPI links. However, in its current beta form the GPC is not on its face limited to California residents, and so it seemingly extends the do not sell opt-out capability to any individual regardless of their domicile. Moreover, the GPC appears to be tied to an IP address and browser, requiring a separate opt-out should an individual use a different browser or device to visit the same site.
Comparison to ‘Do Not Track’ and Conflicts with Other Opt-Out Methods
GPC follows in the footsteps of “Do Not Track” (DNT), a web browser signal and policy framework developed in the early 2010s that ultimately failed. DNT sought to use an HTTP header signal to provide website visitors a universal, persistent means of opting out of online tracking, but progress eventually stalled in the World Wide Web Consortium (W3C) over philosophical disagreements, and broad adoption by browsers and publishers never transpired. Like DNT, GPC is the subject of ongoing discussions within the W3C’s Privacy Community Group.
Mindful of DNT’s failure, in his Final Statement of Reasons (FSOR) for the CCPA regulations issued in June 2020, the AG recognizes that in response to the California Online Privacy Protection Act’s (CalOPPA) DNT response requirement, most website and mobile app operators indicate they do not recognize DNT signals. To prevent this same response in relation to GPC, the AG rejects discretionary compliance, and states in the FSOR, “The regulation is thus necessary to prevent businesses from subverting or ignoring consumer tools related to their CCPA rights [...].”
Notably, CCPA regulation § 999.315(c)(2) holds that if a global privacy control conflicts with a consumer’s existing business-specific privacy setting (or participation in a financial incentive program), the business must respect the global privacy control “but may notify the consumer of the conflict and give the consumer the choice to confirm the business-specific setting […].” This suggests that although the GPC must be honored for online PI collection, there is an opportunity to communicate with the consumer about their preferences in the event of a conflict. It is not certain, however, whether a business that already provides two methods of opt-out would then be required to recognize GPC as a third opt-out method, particularly if its existing methods encompassed opt-outs in relation to third-party cookies.
Compliance & 30-Day Cure Period
While the wording in the CCPA Regulation does not set forth what formally constitutes a “user-enabled global privacy control,” the AG’s tweet seems to indicate the California AG’s office believes that the GPC is (or will be) valid even though the standard is not yet finalized. Greenberg Traurig has learned that the AG office’s view is that GPC violations would likely be subject to the 30-day notice of violation cure period under CCPA § 1798.155(b). This is true, at least, until the California Privacy Rights Act (CPRA) goes into effect in 2023, at which point the 30-day cure period will no longer exist in this context.
With this in mind, risk-averse businesses may wish to begin considering with stakeholders the steps necessary to implement recognition of the GPC standard. See developer instructions for website publishers seeking to interact with the GPC here. Several consent management providers have also pledged to incorporate GPC support within their tools.
Businesses should consider as well what potential impact the GPC could have on ad operations, such as higher opt-out rates for visitors who hit their sites and corresponding drops in re-marketing or ad campaign success rates, and develop marketing and messaging strategies for asking visitors to “white list” their website for GPC purposes.
Needless to say, it appears likely that we will be hearing more about GPC in the near future, and only time will tell whether it will become a widely adopted opt-out solution or fizzle out like DNT.