Global Privacy Control (GPC) and Universal Opt-Out

More than ever before, consumers are aware of their online privacy rights and businesses realize the importance of implementing GPC (Global Privacy Control). Whether consumers understand the letter of the law exactly or not, the reality is that as privacy protection rapidly evolves, so do the responsibilities of businesses and companies who collect, sell, or share data.  

Everyone who has used the internet has seen their fair share of popup privacy banners asking them to accept cookies. Some are fairly simple and notify users of their collection of cookies, while others have more detail about why they’re collecting data. 

Depending on the governing law, these popups may provide links to full privacy policies, settings, and where to learn more.  

In the past, this fairly intrusive method was the only way to secure consent from website users, who were forced to interact with popups for each new website they visited. If a consumer wanted to restrict the sale of their information, they had to submit a “do not sell” request to each business, which wasn’t always easy. And it doesn't make for a good privacy experience , especially when considering the right to opt for better data protection.

A 2020 study showed that many consumers struggled to locate the link to opt out of the sale of their information. Many businesses’ opt-out process was so onerous that it seriously impaired consumers’ control over what happened to their data.  

Today, technology enables consumers to set their privacy preferences once, and certain web browsers automatically send a signal to each new website the user visits. 

Because there is no federal data privacy law, businesses are left wondering how to comply with various state laws and manage these user opt-out preference signals. This blog will highlight global privacy laws and how businesses can remain compliant even in a changing privacy landscape.  

What are Global Privacy Control, Universal Opt-Out Signals, and Requests?

Global privacy control (GPC) is also known as a universal opt-out preference signal, which allows users to automatically communicate their privacy preferences to every website they visit. 

The GPC operates as an extension on the user's browser, enabling an “authorized agent”—a technology that users have authorized to manage data collection consent on their behalf—to share these preferences seamlessly.

A universal opt-out allows individuals to make a single, comprehensive request that applies across multiple websites and platforms, ensuring that their privacy preferences are respected without the need to manually opt out on each site they visit. This standardized signal acts as a universal consent or user opt-out request, indicating the user’s privacy settings across the entire digital ecosystem.

For consumers, universal privacy signals offer a streamlined and effective way to exercise their privacy and data rights, reducing the complexity of managing privacy preferences across numerous online services.

For businesses, this trend underscores the need to stay ahead of privacy compliance by integrating systems that can detect and respond to these universal signals, thereby fostering trust and ensuring adherence to modern privacy standards.

Companies must now adapt to recognize and respect these signals, integrating the necessary backend processes to comply with privacy regulations such as the California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA).

How Does GPC Work?

When GPC is enabled in a user's browser, the browser automatically includes the GPC signal in the HTTP headers of all outgoing requests to websites. This signal indicates the user's preference not to have their data sold or shared. The website, upon receiving this signal, is expected to comply by adjusting its data collection and sharing practices accordingly.

For businesses, this means detecting the GPC signal in incoming web requests and responding appropriately:

Signal Detection: The website must be configured to detect the GPC signal in the HTTP headers or JavaScript environment.

Automated Response: Upon detection, the website should automatically disable certain cookies, prevent data from being shared with third parties, or modify other data processing activities in line with the user’s preferences.

Compliance Logging: To ensure compliance and maintain transparency, businesses should log instances where privacy signals are detected and document the actions taken in response.

Why Privacy Matters for Businesses

In the not-so-distant past, a “Do Not Track” signal tried (and failed) to gain traction. The idea was similar to GPC in that it provided consumers with a way to opt out of being tracked across websites and limit the use and sharing of data. Companies didn’t honor it, though—there was nothing to compel them to. Ten years after its proposal, in 2019, the WC3 disbanded the project because of “insufficient support and adoption.”  

That’s changed. The GPC and universal opt-out signals, now have state laws backing them—and they have teeth.    

The CCPA/CPRA requires businesses to treat the signals as valid requests to withdraw consent to the sale or sharing of personal information, including for cross-context behavioral advertising. 

In 2022, California Attorney General Rob Bonta announced a $1.2 million settlement with cosmetics retailer Sephora, Inc., for violating the CCPA. There were various violations, but chief among them was the failure to process privacy requests via the GPC. Attorney General Bonta highlighted this violation in a press release on the enforcement.

Technologies like the Global Privacy Control are a game changer for consumers looking to exercise their data privacy rights. But these rights are meaningless if businesses hide how they are using their customer's data and ignore requests to opt-out of its sale. 

I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. My office is watching, and we will hold you accountable. [...] Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls.

Data Privacy Laws in Other States

As digital privacy becomes increasingly important, a growing number of US state privacy laws are setting modern privacy standards, empowering consumers with more control over their privacy choices. These regulations often include requirements for businesses to respect universal opt-out signals, ensuring users can disallow the sale of their personal data seamlessly.

While California has led the charge with its California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), other states are quickly following suit, enacting their privacy laws to protect consumers. 

For the most part, other states require businesses to honor GPC and universal opt-out signals. Of the 19 states with comprehensive privacy laws on the books, only 6 do NOT require businesses to honor GPC signals. They are:

• The Utah Consumer Privacy Act (UCPA)
• The Iowa Consumer Data Protection Act (ICDPA)
• The Tennessee Information Protection Act (TIPA)
• The Indiana Consumer Data Protection Act (INCDPA)
• The Kentucky Consumer Data Protection Act (KCDPA)
• The Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)

Again, these are the US privacy laws that do not require businesses to honor GPC signals. All other privacy laws in the US do have that requirement.

How Osano Processes GPC signals

Even if your company isn’t legally required to process GPC signals, doing so helps build trust and shows consumers you care about their data preferences.

A consent management platform, such as Osano, can help your company meet compliance regardless of the jurisdiction, honor privacy opt-out requests, and avoid serious consequences.  

When Osano’s “Support Global Privacy Control (GPC)” toggle is switched on, Osano listens for incoming consent preference signals from visitors using a browser extension that supports GPC and automatically acts on and records those preference signals, keeping you in compliance.  

If you’re wondering how to contend with new data privacy laws, check out our action plan for 2025 state data privacy laws. Or, find out whether Osano is a fit for your company by scheduling a demo today.