Legal Teams: How do I comply with GPC?

For legal teams - How does my business comply with GPC?

California’s Privacy Protection Agency, the CPPA, was the first regulator to formally confirm that it expects businesses to honor GPC as part of California privacy regulations. Demonstrating its willingness to enforce, in August 2022 Sephora was fined $1.2M for not complying with data sales consent requirements, including the Global Privacy Control. Other US states, including Colorado, Connecticut, Texas, Oregon, and Montana, have also indicated that they will require compliance with GPC under their respective privacy regulations.

More generally, Ethyca’s recommended best practice is to interpret the GPC signal as contextually appropriate to each jurisdiction in which your business operates. In simple terms, if you operate in Europe under GDPR, in Brazil under LGPD, or in the growing list of US states (such as California, Virginia, Colorado, Connecticut, and Utah) that regulate data sharing or targeted advertising, you should consider supporting the GPC signal as appropriate to that market.

It is important to note that this decision is subjective and one that each business must make for itself. However, considering the consumer's best interests, expectations, and understanding of their right to consent, we at Ethyca believe that a user who opts out using GPC would reasonably expect to be opted out of:

  • Sale of their data
  • Sharing of their data for the purpose of advertising
  • Targeted advertising

Conversely, many of these regulations also cover “automated decision making” or “profiling,” which a business may reasonably need to perform as part of providing its services; you will of course still need to give users the ability to consent to it. However, depending on what your automated decision making systems actually do, this may not be something that a GPC opt-out signal should reasonably enforce.

Here’s a helpful chart of what the GPC is likely analogous to in each jurisdiction. For each data processing right, we’ve mapped whether a consumer would reasonably expect GPC to honor it.

Table: How to map the GPC to any Global or State Privacy Regulation

| Jurisdiction     | Regulation       | Data Process              | Mechanism | GPC Suitability |
|------------------|------------------|---------------------------|-----------|-----------------|
| California, USA  | CCPA             | Data Sales                | Opt-out   | YES             |
| California, USA  | CPRA             | Data Sharing              | Opt-out   | YES             |
| California, USA  | CPRA             | Automated Decision Making | Opt-out   | NO              |
| Virginia, USA    | VCDPA            | Data Sales                | Opt-out   | YES             |
| Virginia, USA    | VCDPA            | Targeted Advertising      | Opt-out   | YES             |
| Virginia, USA    | VCDPA            | Profiling                 | Opt-out   | NO              |
| Connecticut, USA | CTDPA            | Data Sales                | Opt-out   | YES             |
| Connecticut, USA | CTDPA            | Targeted Advertising      | Opt-out   | YES             |
| Connecticut, USA | CTDPA            | Automated Decision Making | Opt-out   | NO              |
| Colorado, USA    | CPA              | Data Sales or Sharing     | Opt-out   | YES             |
| Colorado, USA    | CPA              | Targeted Advertising      | Opt-out   | YES             |
| Colorado, USA    | CPA              | Automated Decision Making | Opt-out   | NO              |
| Europe           | GDPR / ePrivacy  | Essential                 | Mandatory | NO              |
| Europe           | GDPR / ePrivacy  | Functional                | Opt-in    | NO              |
| Europe           | GDPR / ePrivacy  | Analytics                 | Opt-in    | NO              |

A note on Europe and Brazil: Europe’s consent requirements tend to be opt-in and don’t immediately map to the opt-out nature of GPC, so thoughtful user experience considerations are vital.

If a user has set GPC to true, it would be reasonable to assume that they do not give opt-in consent to the advertising category of consent under European privacy regulations.

If you're unsure how to set up GPC support, you can ask the Fides Slack Community, or get Privacy Engineering Intelligence from Ethyca now.