Global Privacy Control (GPC) is a browser-based privacy tool that standardizes a user’s privacy choices across all websites. It is a type of universal opt-out mechanism (UOOM) or signal.
The GPC’s development is an open initiative that seeks to enable a browser-based global standard for privacy control. It’s been driven by a group of people and organizations — including legal experts, technology professionals, privacy activists and advocates — dedicated to improving privacy online.
The GPC is supported by the Electronic Frontier Foundation and Mozilla and is available through major browsers, including Chrome, Firefox, Brave, and DuckDuckGo, either built in or via a browser extension.
How does the universal opt-out signal work?
A UOOM like the GPC enables people online to signal consent choices to share or refuse access to their personal data for purposes like sale or targeted advertising. The goal is to enable users to select their privacy preferences once and have the tool communicate that decision every subsequent time a user is asked for their consent, typically when visiting websites.
In line with this, the GPC permits automated opt-ins and opt-outs related to cookie use, the sharing or sale of data, targeted advertising, and other online services. The choice can be as basic as refusing all access to one’s personal data, or very granular, with permission for some specific uses and refusal for others.
Although it’s not legally binding in many jurisdictions just yet, to date over half of the state-level privacy laws in the United States require businesses to respect this signal as though it were communicated directly by the user.
What does the Global Privacy Control mean for consumers?
There are a number of benefits that the GPC brings consumers, many of whom experience consent fatigue after a number of years of constant consent requests and being faced with popups everywhere online.
- A simplified, universal way to communicate privacy choices across a variety of online properties.
- More control over their personal data through one-off, granular controls and automated opt-outs.
- Consistency in expressing privacy choices to avoid oversharing data as a result of differences in mood, how busy they are, how many sites they visit on a given day, etc.
- Spreading awareness about and contributing to advocacy for transparent practices, and online data privacy and protection in line with accepted standards and regulations.
What does the Global Privacy Control mean for businesses?
Universal opt-out mechanisms apply to online platforms and services operating in regions where data privacy laws require their use. The signal is not a requirement under the General Data Protection Regulation (GDPR) in the European Union, which has among the world’s strictest data privacy requirements. This is because the GDPR predates the GPC initiative.
The jurisdictions that have adopted the requirement in their privacy laws are currently concentrated in the US, and all within the last four or five years.
However, all businesses that collect and use personal data online need to be aware of the GPC and user consent choices. It’s likely that the use and allowance of UOOMs will be incorporated into major new and updated data privacy laws over time.
Enabling your website visitors to opt in or out using the GPC can streamline your business’s privacy operations. Non-standard data privacy implementations can be a resource drain for businesses. Using this standardized system helps simplify adoption and enable accelerated innovation within the data privacy space.
Recognizing the GPC shows a dedication to data privacy best practices and a commitment to transparency and accountability. This helps to build trust with your customers and gives you a competitive advantage in an increasingly privacy-conscious market.
How to implement Global Privacy Control in your business
Understanding GPC is just the beginning. Businesses must actively comply with and properly respond to GPC signals to ensure that they meet legal requirements (where present) while respecting visitors’ choices.
Evaluate which privacy laws apply to your business
Businesses must assess the privacy laws applicable in each jurisdiction in which they operate. This involves identifying relevant regulations, such as the GDPR in Europe or the CCPA in California, and understanding their specific requirements.
As noted, however, employing best practices and respecting the GPC signal even if your audience isn’t protected by a law that requires it is always a good idea. It provides additional protection for your business and demonstrates respect for users’ privacy.
Ensure your consent management platform supports GPC
To ensure that GPC signals are not overlooked, it’s crucial that your consent management platform (CMP) supports these universal opt-out mechanisms. Usercentrics CMP is enabled by default for a variety of regulations that require recognition of an opt-out mechanism, including GPC.
Having a CMP that automatically detects and honors the GPC signal helps reduce consent fatigue for users. It also helps build trust and prevent confusion, since they don’t have to wonder why they’re still being asked for consent choices via a consent banner when they already set up their choices in the GPC tool.
Integrate with GPC signals
Ensuring that your web properties can receive GPC signals is increasingly vital for empowering users to own their data privacy.
This capability not only enhances user trust but also ensures that your business meets modern privacy standards, and facilitates a transparent and user-centric approach to data management.
Global Privacy Control and international data privacy regulations
| Privacy regulation | GPC obligations |
| --- | --- |
| Digital Markets Act (EU) | No explicit obligations. Principles align closely with respect to end-user consent for data processing and do-not-track requests. |
| General Data Protection Regulation (EU) | No explicit obligations. Strict GDPR consent requirements can be furthered by GPC signals’ ability to express consent across websites. |
| California Consumer Privacy Act / California Privacy Rights Act | Businesses must respect the “Do Not Sell Or Share My Personal Information” action, which GPC signals can communicate automatically across websites and online services. |
| Virginia Consumer Data Protection Act | Consumers must be allowed to opt out of data processing and sale as well as targeted advertising, which can be effectively communicated through GPC signals. |
| Lei Geral de Proteção de Dados (General Data Protection Law – Brazil) | No explicit obligations. Consumers must give clear consent to data processing and this could be enabled through GPC signals. |
| Protection of Personal Information Act (South Africa) | No explicit obligations. GPC can facilitate the fulfillment of POPIA’s requirement for explicit consent regarding the collection and processing of personal information. |
| Federal Act on Data Protection (Switzerland) | No explicit obligation. Consent must be given for personal data processing; GPC can play a role in managing consent preferences. |
| TCF v2.2 (EU) | No explicit obligation. TCF 2.2 includes detailed user consent mechanisms that GPC can support to ensure that user consent is respected across digital environments. |
| Google Consent Mode | No explicit obligation. Integration with GPC will enable the signaling of consent preferences across Google’s extensive digital ecosystem. |
European Union, GDPR, and GPC
The European Union’s GDPR predates the GPC initiative, so the law doesn’t specifically reference the universal opt-out signal.
There are some concerns about whether the GPC can meet some data privacy law requirements, like the one for consent prior to data processing. One sticking point for the GDPR is whether consent can be considered to be informed and explicit if the GPC is used.
Additionally, while GPC is designed to express a generic preference for data privacy, which may align with the right to object (Art. 21, GDPR), there is no explicit endorsement or regulatory guidance from European authorities confirming this applicability.
The interpretation and legal acknowledgment of GPC under the GDPR remain areas of active discussion and are likely to continue to evolve.
United States and state-level laws and GPC
The US has passed 21 state-level privacy laws as of August 2024. However, reference to or requirements regarding the GPC are inconsistent.
The laws in California (California Consumer Privacy Act and California Privacy Rights Act), Colorado, Connecticut, Delaware, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, and Texas require that businesses respect GPC. On the other hand, the laws in Florida, Indiana, Iowa, Kentucky, Virginia, Nevada, Rhode Island, Tennessee, and Utah do not mention or require it.
California’s Attorney General specifically recommended respecting the GPC, particularly for mobile platforms, early in 2023. It has also been referenced in relation to the CCPA-related penalties against beauty retailer Sephora.
The Oregon Consumer Privacy Act (OCPA), which came into effect on July 1, 2024, mandates that businesses must recognize universal opt-out mechanisms such as GPC for targeted advertising, the sale of personal data, and profiling that produces legal or significant effects on consumers by January 1, 2026.
Delaware’s Digital Personal Data Protection Act (DPDPA) and New Hampshire’s Data Privacy Act (NHDPA) have followed suit, each incorporating provisions that align with the GPC’s objectives to enhance user privacy controls. New Jersey’s Data Privacy Act also supports the use of GPC by mandating compliance with these universal opt-out protocols.
Brazil, the LGPD, and the GPC
Brazil’s Lei Geral de Proteção de Dados (LGPD) does not specifically reference the GPC signal. As with the GDPR, this exclusion is a result of the law having come into effect before the GPC initiative was launched.
As with the GDPR, concerns remain about whether the GPC can meet some data privacy law requirements, for example, those necessitating consent prior to data processing.
However, the LGPD does provide flexibility with regard to consent mechanisms, recognizing different contexts and enabling organizations to adapt their processes accordingly. It emphasizes the rights of data subjects and aligns in spirit with the objectives of GPC to enhance user control over personal data.
The adoption of GPC within Brazil will depend on how well GPC mechanisms can align with these detailed requirements under the LGPD.
South Africa, POPIA, and the GPC
Like the GDPR and the LGPD, South Africa’s Protection of Personal Information Act (POPIA) came into effect before the GPC initiative was launched and thus does not specifically reference universal opt-out mechanisms.
The same concerns also exist about whether the GPC can meet some of the data privacy law’s requirements.
POPIA emphasizes that consent must be a voluntary, specific, and informed expression of will. The adequacy of GPC in meeting POPIA’s detailed consent requirements remains under consideration.
TCF v2.2 and the GPC
The Transparency and Consent Framework (TCF) v2.2 and GPC both aim to enhance transparency and user control over personal data collection, processing and usage.
The TCF v2.2 focuses mainly on providing a standardized framework for obtaining and managing user consent in the digital advertising ecosystem, whereas the GPC is meant to establish a universal consent mechanism on websites and online services.
While TCF v2.2 and GPC share common goals, TCF doesn’t explicitly incorporate GPC signals. However, recent changes around data consent mechanisms, including clearer language and more detailed vendor disclosures, align with the broader objectives of GPC to simplify and standardize user consent across websites and online services.
As the TCF and GPC evolve, it’s likely that future versions of the TCF might include GPC as part of a broader strategy to unify user privacy controls across different platforms and regulatory environments.
The future of Global Privacy Control
The average online user has become increasingly aware of online privacy and the use of their data, and cares about what happens to it. However, many people are also experiencing consent fatigue from having to make frequent consent choices every time they use a browser.
In this light, a universal opt-out mechanism that enables users to “set it and forget it” makes sense. This not only aligns with individuals’ desires for less intrusive consent mechanisms but also supports broader compliance efforts with data privacy regulations, despite GPC’s current non-mandatory status in many jurisdictions.
That said, concerns remain about the GPC’s ability to meet stringent consent requirements, like the GDPR’s demand for explicit and informed consent. This ongoing concern may become a strong driver for developments that ensure the GPC better aligns with various global data protection laws.
As technology continues to evolve, so too will universal opt-out request signals. The GPC is likely to become an even more streamlined, user-friendly, and powerful tool to help protect users’ data privacy online.
Although GPC isn’t currently a feature in all data privacy legislation, the fact that universal opt-out mechanisms are referenced in some major acts indicates that they are likely to become critical for compliance in the future.
Fortunately, achieving and maintaining compliance with these complex and changing laws is made simple with a robust CMP. Usercentrics is an all-in-one consent management solution that helps businesses manage consents and adapt to evolving frameworks to support a comprehensive approach to data protection.