Our web developer, Suchi Natarajan, breaks down the Global Privacy Control (GPC) and how to comply with it.
You may have heard the phrase “GPC” thrown about lately, especially after Sephora was fined $1.2M by the California Privacy Protection Agency (CPPA), in part for not complying with the GPC. In a press release about the fine, California Attorney General Rob Bonta even commented,
“Technologies like the Global Privacy Control are a game changer for consumers looking to exercise their data privacy rights.”
Going forward, it became clear that it was an absolute necessity to honor GPC in the state of California. But, what is GPC in the first place? How do I comply with it? Will it affect my advertising? Would it be easier to convince my boss to stop conducting business in California entirely? But don’t sweat! GPC isn’t as complicated as it seems, and neither is complying with it.
GPC, or Global Privacy Control, is a “technical specification for transmitting universal opt-out signals that uses binary options to allow users to opt-out of the sale of personal information at the browser level.” (IAPP) Put slightly more simply, it’s a signal visitors to your site can set via their browsers to automatically indicate they want to opt-out of data sales or sharing for advertising. There’s a bunch more technical details associated with GPC, which you can learn more about here. But, for now you can think of it like being on the “do not call” registry. Your users are automatically stating their preference to opt-out of their personal data being processed, and it’s up to you as a business to respect their wishes.
Despite being called Global Privacy Control, GPC is only required by a handful of US states. So if you conduct business in California, Colorado, Connecticut, Texas, Oregon, or Montana you may be required to comply. If you don’t, you’re technically all good- however, GPC has had widespread adoption in the past few years and has been implemented by a number of mainstream browsers, including Firefox
Now that you understand what GPC is and whether it applies to your business, it’s time to get into actually complying with it.
In order to comply with GPC, you’ll first need to actually detect it when a user gets on your website. To do so, you’ll need the assistance of the developer in your organization who can edit the website’s header. From there, the developer can simply check the user’s signal with a simple script. For specific instructions on how to do so, see here. The script will check if GPC is on when a user arrives, and will prevent cookies and pixels associated with advertising from running. Don’t pat yourself on the back too soon, there’s still more to do.
It’s important to enforce GPC across all systems, not just your cookie banner. While you should prevent cookies and pixels from firing when GPC is detected, you also should ensure that the consumer’s data isn’t being transmitted to other vendors from the tools you use on your website, or even tools you use on your backend.
Some of your vendors may support the GPC signal if shared with them, but many may not support it by default. However, you’re still responsible for enforcing the opt-out preferences on those systems. There are a couple different ways to go about this, ranging in requirements from automatically setting the signal through technical integration to a manual process to update the vendor system. The first option is that you can write custom conditions in tools like Google Tag Manager to prevent vendor tags from firing. You’ll need to make sure that the conditions and triggers you set up run when it detects the signal and before anything fires on the page. Alternatively, you can also set up a manual process and add users to a suppression list to make sure they’re not processed. You’ll need to remember to regularly update the list and enforce preferences. If both of those sound like too much work, you can automatically configure opt-out enforcement for all systems across your stack using Fides!
Congrats, you’ve got a basic handle on what GPC is, whether you need to worry about it, and how to comply with it if so! With this knowledge in hand, you can now conduct business in the increasing number of US states with privacy regulations without fear. Of GPC, anyway. 👀
If you need extra assistance with configuring GPC compliance, or even just wrapping your head around the privacy needs of your business feel free to reach out to the privacy experts at Ethyca – who’ll help you with any privacy challenge your business is facing.
Ethyca’s VP of Engineering Neville Samuell recently spoke at the University of Texas at Austin’s Texas McCombs School of Business about privacy engineering and its role in today’s digital landscape. Read a summary of the discussion by Neville himself here.
Learn more about all of the updates in the Fides 2.24 release here.
Ethyca’s Senior Software Engineer Adam Sachs goes through the thought process of creating Fideslang, the privacy engineering taxonomy that standardizes privacy compliance in software development.
Learn more about all of the updates in the Fides 2.23 release here.
Our Senior Software Engineer Dawn Pattison walks you through implementing data minimization into your business.
Learn more about all of the updates in the Fides 2.22 release here.
Our team of data privacy devotees would love to show you how Ethyca helps engineers deploy CCPA, GDPR, and LGPD privacy compliance deep into business systems. Let’s chat!Request a Demo