What is Global Privacy Control (GPC)?

Global Privacy Control refers to two things. It is an initiative and a tool developed by a group of people and organizations—including legal experts, technology professionals, and privacy activists and advocates—dedicated to improving privacy online. GPC is an open initiative, so participation is not limited to any specific person or group. Collaboration and consensus are major goals to empower internet users with greater control over their personal data.

GPC also refers to the specification resulting from the group’s work to enable a browser-based global standard for privacy control. It is also referred to as a universal opt-out signal or mechanism. The GPC is supported by the Electronic Frontier Foundation and Mozilla. To date, Mozilla’s Firefox, Brave, and DuckDuckGo are browsers that have the GPC signal built-in. A number of browser extensions also include the GPC, so even browsers like Chrome that do not have the specification built in can support it if users install an extension.

The Global Privacy Control mechanism enables people online to signal a preference to share or refuse access to their personal data, e.g. to be collected and shared with or sold to third parties. The goal is to enable users to select their privacy preferences once, and then the GPC communicates those preferences every time a user is asked for their consent, e.g. on websites where a cookie banner pops up or in setup for other online services. The GPC enables opt in and/or opt out, like for cookie use, data sharing or sale, or targeted advertising.

The GPC is a browser-based setting or extension where users can set their preferences once, and then they are automatically communicated wherever the user goes or whatever services they use via the browser. The preferences can be as basic as refusing all access to one’s personal data, or very granular, with permission for some specific uses, but refusal for others.

The GPC is not legally binding in many jurisdictions yet, though businesses will be required to respect the signal in places where data privacy laws include the requirement, like in California or Connecticut. Elsewhere, the GPC relies on websites and other online services to honor the user’s privacy choices. Browsers do not currently have to have the functionality built in, and some websites or apps may not be capable of enabling the GPC to function.

GPC aims to provide consumers with a number of benefits.

• A simplified, universal way to communicate privacy preferences. It is meant to work across a variety of online properties. No need to navigate settings or select privacy preferences every single property they visit.
• More control over their personal data. Users can opt out of sharing their data broadly, or choose at a granular level what they are okay with sharing and what they aren’t. E.g. personalized advertising may be okay, but sale to third parties is not.
• Consistency in expressing privacy preferences. People may make different privacy selections on different days depending on their mood, how busy they are, on how many sites they get asked, etc. With GPC, the same preferences are always communicated.
• Contributing to advocacy for online data privacy and protection. Using GPC helps spread awareness about privacy issues. The initiative encourages transparency and accountability from organizations regarding data processing, and compliance with privacy standards and regulations.

The universal opt-out mechanism is or will be legally binding only in some regions. At present it only applies in web browsers and on online platforms and services. So it may not affect all companies. However, it is a sign of evolution regarding data privacy online, especially regarding standards and user expectations about privacy, which can have significant effects on trust, brand reputation, and competitive differentiation.

Businesses that collect and use personal data online need to be aware of the GPC and users’ preferences. This may tie into complying with relevant privacy regulations, or it could just be a mark of respect for user preferences regarding their privacy for the time being.

Acknowledging the GPC encourages organizations to be transparent and accountable to those whose personal data they may collect and use. This builds better, more trustworthy customer relationships, and also streamlines privacy operations for companies, as they can receive and incorporate users’ preferences via the GPC.

The universal opt-out signal, while not a universal legal requirement, ties in to best practices and requirements of some data privacy laws. It’s referenced in some recent regulations, like in some of the US state-level privacy laws, and it may become an international standard eventually. Recognizing the signal can contribute to an organization’s privacy compliance efforts, or at least show a dedication to best practices.

It can be a serious resource drain when companies have to comply with or use tools or services with a common goal, but non-standard implementations and maintenance. Acknowledging and using the GPC helps contribute to a global standard for privacy protection and practices, simplifying adoption and enabling accelerated innovation.

Being trustworthy and transparent about respect for user privacy and data usage is a competitive advantage and increasingly good for brand reputation. Providing users with clear information and user-friendly ways to exercise their data privacy rights shows respect for privacy and encourages higher user engagement and long-term customer relationships.

The European Union’s General Data Protection Regulation (GDPR) predates the GPC initiative, so the law does not specifically reference the universal opt-out signal. The GDPR came into effect in 2018 and the GPC initiative launched in 2020.

Concerns remain about whether the GPC can meet some data privacy law requirements, like the one for consent prior to data processing. One sticking point for the GDPR is whether consent can be considered to be informed and explicit if the GPC is used. This issue is likely to continue to evolve.

Six new data privacy laws have been passed in the United States in 2023 alone between March and June. As of mid-2023 the US has 12 state-level privacy laws. However, reference to or requirements regarding the GPC remain inconsistent. The laws in California, Connecticut, Colorado, Montana, and Texas reference a requirement to respect Global Privacy Control. But the laws in Virginia, Nevada, Utah, Iowa, Tennessee, Indiana, and Florida do not reference or require it.

California’s Attorney General specifically recommended respecting the GPC, particularly for mobile platforms, early in 2023. It has also been referenced in relation to the CCPA-related penalties against beauty retailer Sephora.

Brazil’s Lei Geral de Proteção de Dados (LGPD) does not specifically reference the Global Privacy Signal. Like the GDPR, the law came into effect before the GPC initiative was launched.

Like with the GDPR, concerns remain about whether the GPC can meet some data privacy law requirements, like the one for consent prior to data processing. One sticking point for the LGPD is whether consent can be considered to be informed and explicit if the GPC is used. This issue is likely to continue to evolve.

South Africa’s Protection of Personal Information Act (POPIA) does not specifically reference the Global Privacy Signal. Like the GDPR, the law came into effect before the GPC initiative was launched.

Like with the GDPR, concerns remain about whether the GPC can meet some data privacy law requirements, like the one for consent prior to data processing. One sticking point for POPIA is whether consent can be considered to be informed and explicit if the GPC is used. This issue is likely to continue to evolve.

The Transparency and Consent Framework v2.2 and Global Privacy Control share common goals to provide transparency regarding data processing and empower users with control over their personal information. However, the TCF does not explicitly reference the GPC. The TCF 2.0 came out prior to the GPC initiative being launched.

The TCF 2.2 focuses mainly on providing a standardized framework for obtaining and managing user consent in the digital advertising ecosystem, whereas the GPC is meant to establish a universal consent preference mechanism on websites and online services. It is possible a future version of the TCF may include the GPC as both evolve.

New laws are being passed and existing ones are evolving as technologies and consumers’ expectations evolve. There are a number of prominent advocates in the data privacy sphere, and they have been influential in the development of the Global Privacy Control initiative. Everyone involved continues to work on awareness, adoption, and standardization.

The average online user has become aware of online privacy and the use of their data, and cares about what happens to it. However, many people are also experiencing consent fatigue from having to make frequent consent choices every time they use a browser. A single standard that enables “set it and forget it” makes sense and could solve a real need. It also helps encourage compliance with data privacy regulations, even if the GPC is not legally binding everywhere today.

At the same time, however, concerns remain about whether use of the GPC can be considered to enable and provide valid consent, like the GDPR’s requirement for it to be informed and explicit. This sticking point may become a strong driver for further study and change.

As technology continues to evolve, the universal opt-out signal will evolve as well, enabling even more streamlined, user-friendly, and powerful tools to help protect users’ data privacy online. Ideally, relevant parties and regulators can collaborate to make the smartest, most comprehensive, and most secure privacy tools available.

If you have questions or interest in understanding or recognizing the GPC for your website or app, or a consent management platform to help achieve compliance with privacy laws around the world, talk to one of our experts.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.