Global Privacy Control Opt-Out of the “Sale” – A technical and legal point of view
According to the California Attorney General, consumers can now use a new technology called Global Privacy Control (“GPC”) to refuse a “sale” of personal information under the California Consumer Privacy Act (“CCPA”).
The GPC, according to its website, was developed by “various stakeholders including technologists, web editors, technology companies, browser vendors, extension developers, academics, and civil rights organizations.”
Unlike the IAB Tech Lab US Privacy Channel, which is controlled and operated by the adopting company via JavaScript, the GPC is controlled by the browser software, either natively (as in the case of Firefox) or through a browser extension / plug-in (as in the case of “OptMeowt”).
How it works
The GPC is available to consumers through an Internet browser or browser extension. Internet browsers that currently natively support GPC are Mozilla Firefox, DuckDuckGo, and Brave; and browser extensions include Abine, Disconnect, OptMeowt by privacy-tech-lab and Privacy Badger by EFF.
The GPC, technically speaking, looks a lot like the “Do Not Track” (“DNT”) header. When activated by the user, the GPC header, like the DNT header, is set to the value “1” and broadly signals the consumer’s request to opt out to every recipient. Once consumers have enabled GPC in their browser to communicate their privacy preferences, the browser sends the GPC signal as an HTTP header to the websites the consumer visits. Participating websites must, according to the California Attorney General, honor these requests as a valid “sale” opt-out.
What the GPC header looks like (the original article shows a screenshot here, with the header highlighted in a red box: an HTTP request to example.com with the GPC header enabled in Chrome, via a plugin).
Practical considerations for businesses
Businesses that only engage in CCPA “sales” through the online advertising ecosystem (where data sharing is mediated through the consumer’s browser or mobile device) may not have to do a lot of work.
Any third party (ad networks, DMPs, agencies, DSPs, SSPs, etc.) receiving network requests from a browser on which GPC is enabled will receive the opt-out signal automatically. The GPC signal, as an HTTP header, is broadcast like a shotgun: no special JavaScript is required to receive or propagate it. And, under the CCPA’s final regulations, all “businesses” as defined by the CCPA (which includes most of the advertising ecosystem) are required to honor “global user-activated privacy controls.”[1]
Important warning: The above is true only as long as the “sale” does not take place after the fact, server-to-server, through file transfer or some other channel in which the party to whom the information is “sold” is not able to receive the GPC signal directly from the user’s browser. In these cases, the publisher may need to create a business process that listens for the signal and then, where applicable, prevents personal information from being “sold” on the backend. This may also include, for example, propagating the signal to the relevant partner / third party under a contractual arrangement whereby the signal constitutes a CCPA opt-out of the “sale”.
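As an added illustration (not code from the original article or from any named vendor), the following sketches such a backend process in Python: it detects the signal on an inbound request, records the opt-out against the visitor so later server-to-server or file-based transfers can honor it, and forwards the signal on outbound partner calls. It assumes the header name `Sec-GPC` as defined by the GPC specification; the visitor ids, record store and batch are constructed sample data.

```python
# Added example: minimal server-side handling of the GPC opt-out signal.
# Assumes the "Sec-GPC" header name from the GPC specification; the store,
# visitor ids and batch below are constructed for illustration only.
from typing import Dict, List, Mapping, Tuple

GPC_HEADER = "Sec-GPC"  # the specification defines a single opt-out value: "1"


def gpc_opt_out(headers: Mapping[str, str]) -> bool:
    """True if the request carries a valid GPC opt-out signal.

    HTTP header names are case-insensitive, and only the exact value "1"
    is defined as a signal, so any other value is treated as 'not set'.
    """
    for name, value in headers.items():
        if name.lower() == GPC_HEADER.lower():
            return value.strip() == "1"
    return False


def record_visit(store: Dict[str, bool], visitor_id: str,
                 headers: Mapping[str, str]) -> None:
    """Persist the opt-out state with the visitor record.

    Design choice: once a visitor has opted out, a later request without
    the header does not silently reverse that choice.
    """
    store[visitor_id] = store.get(visitor_id, False) or gpc_opt_out(headers)


def partner_request_headers(inbound: Mapping[str, str]) -> Dict[str, str]:
    """Headers for a server-side call to an ad-tech partner, forwarding the
    signal so the partner can apply its own opt-out handling."""
    outbound = {"Content-Type": "application/json"}
    if gpc_opt_out(inbound):
        outbound[GPC_HEADER] = "1"
    return outbound


def filter_for_sale(store: Dict[str, bool],
                    batch: List[Tuple[str, dict]]) -> List[Tuple[str, dict]]:
    """Drop opted-out visitors from a batch that a backend job would
    otherwise transfer to a third party (file drop, S2S sync, etc.)."""
    return [(vid, data) for vid, data in batch if not store.get(vid, False)]


if __name__ == "__main__":
    store: Dict[str, bool] = {}
    record_visit(store, "visitor-1", {"sec-gpc": "1"})   # constructed request
    record_visit(store, "visitor-2", {"DNT": "1"})        # DNT is not GPC
    print(filter_for_sale(store, [("visitor-1", {}), ("visitor-2", {})]))
```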
In either case, in order to comply, companies should also consider communicating to their ad technology partners that the partners are required by the CCPA to honor GPC signals as a valid “sale” opt-out request.
How can we help
Norton Rose Fulbright is ready to assist businesses with their CCPA and CPRA compliance efforts, and actively helps customers manage the GPC header.
If you would like to learn more about the technical capabilities of the company, including a demonstration of NT Analyzer, please feel free to contact us directly or use the contact us button on the right.