Frequently Asked Questions
Global Privacy Control (GPC) is a proposed specification designed to allow Internet users to notify businesses of their privacy preferences, such as whether or not they want their personal information to be sold or shared. It consists of a setting or extension in the user’s browser or mobile device and acts as a mechanism that websites can use to indicate they support the specification.
GPC is being developed by a broad coalition of stakeholders: technologists, web publishers, technology companies, browser vendors, extension developers, academics, and civil rights organizations.
The GPC was initially spearheaded by Ashkan Soltani (Georgetown Law) and Sebastian Zimmeck (Wesleyan University) in collaboration with The New York Times, The Washington Post, Financial Times, Automattic (WordPress.com & Tumblr), Glitch, DuckDuckGo, Brave, Mozilla, Disconnect, Abine, Digital Content Next (DCN), Consumer Reports, and the Electronic Frontier Foundation (EFF).
As it is intended to invoke users’ privacy rights, we encourage policymakers from around the world to engage in the development of this specification. If you would like to learn more about how GPC could work in your jurisdiction, please contact us via email at firstname.lastname@example.org.
GPC was initially introduced at the World Wide Web Consortium (W3C) Privacy Community Group (Privacy CG) in April 2020. A number of stakeholders are part of that community. There are ongoing discussions in the Privacy CG. Interested parties are encouraged to engage with the proposal here.
Additionally, GPC is currently being implemented across the web. A number of browsers, extensions, and publishers are supporting or implementing GPC (see below).
The online advertising ecosystem is evolving, and consumer expectations are changing. An increasing number of web users do not want to be tracked by parties they aren’t choosing to interact with, and new laws, technological changes, and advertising business models reflect these preferences.
GPC provides consumers and businesses with clear expectations and guidelines for the sharing and sale of data online. It permits users to easily and clearly exercise their privacy rights, facilitates greater trust between businesses and their customers, and fosters certainty for businesses and advertisers by relying on an open standard.
GPC is intended to serve as an expression of users’ intent to invoke their online privacy rights. Depending on the jurisdiction and applicable laws, a user’s expression through GPC may have legal impact. However, GPC on its own does not create any legally binding obligations.
GPC may impact existing law in several ways: In California, Section 1798.135(c) of the California Consumer Privacy Act (CCPA) gives users the right to opt out of the sale of their personal information.
Furthermore, Section 999.315 of the CCPA Regulations requires businesses to honor these opt-out requests. The regulations specify that "[a] business shall provide two or more designated methods for submitting requests to opt-out […] [including] user-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information. […] User-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information shall be considered a request directly from the consumer, not through an authorized agent."
On this basis, it is possible that the GPC may become a legally binding opt-out signal in California.
In addition, the European General Data Protection Regulation (GDPR) gives users the right to object to their personal data being processed. The GPC signal is intended to convey a general request that data controllers limit the sale or sharing of the user's personal data to other data controllers. It is possible that a GPC signal opting out of processing could create a legally binding obligation for data processors.
In Bermuda, the Privacy Commissioner has indicated that he believes the GPC may be used to create a legally binding obligation on businesses under their laws, which provide users the right to “request an organisation to cease, or not begin, using his [or her] personal information […] for the purposes of advertising, marketing or public relations,” or “where the use of that personal information is causing or is likely to cause substantial damage or substantial distress to the individual or to another individual.”
Additional information is available in the proposed specification.
Do Not Track (DNT) was an effort preceding GPC to permit users to communicate their privacy preferences to websites they visit. Unfortunately, in the appendices to their Final Statement of Reasons, the California Attorney General (AG) determined that the AG could not require businesses to comply with DNT requests because the requests do not clearly convey users’ intent to opt out of the sale of their data. A more detailed discussion of the inadequacies of DNT is available as Appendix E of the AG’s Final Statement of Reasons.
When considering whether DNT was sufficient under the CCPA, the AG specifically determined that a new type of privacy signal would benefit users and businesses and that its regulation is “intended to support innovation for privacy services that facilitate the exercise of consumer rights in furtherance of the CCPA.”
GPC responds to this call for innovation by providing a mechanism for privacy signaling that is applicable to current laws, technologies, and business practices. The Attorney General has said that he believes GPC is “a technical standard that would make it easier for consumers to stop the sale of their personal information” and that he is “heartened to see a wave of innovation in this space.”
The California AG has determined that businesses must honor two methods of submitting opt-outs. GPC is meant to provide users with an additional option for objecting to the sale of their data, and it functions identically to clicking a “Do Not Sell My Personal Information” link provided by a business.
Some jurisdictions allow businesses to sell user data when there is a conflict between global and site-specific preferences — for instance, if a user has provided specific permission to a website to sell their data. The CCPA Regulations §999.315(c)(2) state that when a GPC signal conflicts with the existing privacy settings a consumer has with the business, the business shall respect the GPC signal but may notify the consumer of the conflict and give the consumer an opportunity to confirm the business-specific privacy setting or participation in a financial incentive program.
A conflict between GPC and site-specific privacy preferences may be resolved differently in other jurisdictions.
Additionally, some implementations of GPC allow users to consent to the sale or sharing of their data on an individual basis.
The GPC preference expression should accurately reflect the users’ privacy preferences. The threshold for obtaining user consent differs between jurisdictions. GPC strives to honor those differences while still providing users with choice about how businesses use their data. In some jurisdictions, the presence of GPC in a user’s browser may constitute an adequate signal to not sell their data, while regulations in another jurisdiction may require the user’s explicit consent in order to send a GPC signal.
What constitutes a deliberate choice may differ between regional regulations. For example, regulations in one jurisdiction may consider the use of a privacy-focused browser to imply a GPC preference, such as under the CCPA Final Statement of Reasons - Appendix E #73 ("The consumer exercises their choice by affirmatively choosing the privacy control […] including when utilizing privacy-by-design products or services"), while regulations in another jurisdiction may require explicit consent from the user to send a GPC signal.