
How to implement the Global Privacy Control

A handbook for digital leaders and their teams

By Dim Stoyanov, a founding partner of Know & Connect and the head of our global consulting practice. Dim, who works at the intersection of business and technology, is a technical marketer with 17 years of experience in digital. Before founding Know & Connect, Dim was a VC-backed startup founder who later held digital leadership roles at Fortune 500s.

The Global Privacy Control ("GPC") is a browser setting that lets internet users exercise their privacy rights: once it is turned on, the browser sends, by default, every website they visit a signal that they would like to opt out of the sale or sharing of their personal information.

From the perspective of internet users, the GPC is an easy way to universally opt out of the sale or sharing of personal information. Instead of having to click on the footer links of every website they visit, users can simply choose to turn on the GPC in their browser. (Or, if their browser doesn't support the GPC, they can install and use a browser extension that does, like the Electronic Frontier Foundation's Privacy Badger.)

The GPC toggle in the Firefox web browser

From a technical point of view, the GPC is an HTTP request header and a read-only property of the Navigator object in the browser. It can be used to set the firing logic for tags on the frontend and, where necessary, ingested into user schemas in the backend.

Brands, publishers, and non-profits that advertise, market, or sell to consumers need, in turn, to respect users' choices by listening for the presence of a GPC signal when users interact with their digital touch points and honoring it in the ways they handle those users' personal information. When the user's GPC signal is on, website operators must treat the user's browsing session as a "Do Not Sell" session as defined under the California Consumer Privacy Act ("CCPA").

Although the GPC is still a draft specification, and not yet an official web standard endorsed by the World Wide Web Consortium ("W3C"), it has seen wide adoption by browsers, data privacy software vendors, online publishers, and the internet community as a whole. The California Attorney General's office has also endorsed the use of the GPC as a valid method for consumers to opt out of the sale or sharing of their personal information under the CCPA.

How to begin supporting the GPC

To start supporting the GPC in your activities, begin with a list of the teams and people who should be involved.

Most lists include those accountable for compliance, like your advertising, marketing, or sales team; those accountable for implementing that compliance, such as IT or your agency; and last but not least, those who can help you determine what "compliance" actually means, be it your legal counsel or privacy champion.

Gather the individuals on the list in a meeting or workshop to agree on a program or project for identifying the resources and time needed and getting the work done.

If you're already doing business with U.S. consumers, you should have an established capability for handling "Do Not Sell" browsing sessions on your digital touch points. In such a case, consider treating the presence of a GPC signal as yet another intake for such a request.

If, however, your organization is entering the U.S. market for the first time, prepare for a lengthy discovery process of everything you need to do to comply with U.S. state privacy laws, and how implementing support for the GPC gets you closer to that baseline compliance.

What GPC implementation tends to entail

  • Updating privacy statements and/or cookie notices
  • Where required, informing your audience about those updates
  • Making the necessary changes to Consent Management Platforms ("CMPs")
  • Configuring your tag management tools and/or client-side libraries to respect GPC signals
  • Extending your Data Management Platform ("DMP"), Customer Relationship Management ("CRM") system, and/or Customer Data Platform ("CDP") to ingest and respect users' GPC preferences
  • Updating standard operating procedures ("SOPs") used by the affected teams, agencies, and partners
  • Implementing .well-known/gpc.json in your Content Management System ("CMS")
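
The frontend, backend, and .well-known items above, as an added JavaScript example that is not Know & Connect's own code: it reads the signal from the `Sec-GPC` request header and from `navigator.globalPrivacyControl` (the names the GPC draft specification gives the header and the Navigator property), filters tags, builds a session record, and produces the gpc.json body. The function names, the `sellsOrShares` flag, the tag names, the session ID, and the date are assumptions made for illustration.

```javascript
// Added example. Function names, the sellsOrShares flag and all sample
// values are constructed for illustration.

// Server side: true only when the request carries "Sec-GPC: 1".
// Header names are case-insensitive; any value other than "1" is no signal.
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') return String(value).trim() === '1';
  }
  return false;
}

// Client side: pass window.navigator; browsers without GPC support leave
// the property undefined, which counts as "no signal".
function gpcFromNavigator(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// Tag firing logic: in a "Do Not Sell" session, hold back every tag that
// sells or shares personal information (your own classification per tag).
function tagsAllowedToFire(tags, doNotSell) {
  return tags.filter((t) => !(doNotSell && t.sellsOrShares)).map((t) => t.name);
}

// Backend: the fields a CRM/CDP user schema could ingest for this session.
function sessionRecord(sessionId, headers) {
  const gpc = gpcFromHeaders(headers);
  return { sessionId, doNotSell: gpc, optOutSource: gpc ? 'gpc' : null };
}

// JSON body to serve at /.well-known/gpc.json.
function gpcSupportResource(lastUpdate) {
  return JSON.stringify({ gpc: true, lastUpdate });
}

// Constructed sample data.
const sampleTags = [
  { name: 'site-analytics', sellsOrShares: false },
  { name: 'ad-retargeting', sellsOrShares: true },
];
const doNotSell = gpcFromHeaders({ 'Sec-GPC': '1' });
console.log(tagsAllowedToFire(sampleTags, doNotSell));
console.log(sessionRecord('s-001', { 'sec-gpc': '1' }));
console.log(gpcSupportResource('2024-01-01'));
```

If you already record opt-outs from other intakes, such as a "Do Not Sell" footer link, combine them with the GPC result rather than replacing them.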