Global Privacy Control Opt-Out of the “Sale” – A technical and legal point of view
According to the California Attorney General, consumers can now use a new technology called Global Privacy Control (“GPC”) to opt out of a “sale” of personal information under the California Consumer Privacy Act (“CCPA”).
The GPC, according to its website, was developed by “various stakeholders including technologists, web editors, technology companies, browser vendors, extension developers, academics, and civil rights organizations.”
How it works
The GPC is available to consumers through an Internet browser or browser extension. Browsers that currently support GPC natively are Mozilla Firefox, DuckDuckGo, and Brave; browser extensions that support it include Abine, Disconnect, OptMeowt by privacy-tech-lab and Privacy Badger by EFF.
Technically speaking, the GPC looks a lot like the “Do Not Track” (“DNT”) header. When activated by the user, the GPC header, like the DNT header, is set to the value “1” and broadly signals to recipients the consumer’s request to opt out. Once consumers have enabled GPC in their browser to communicate their privacy preferences, the browser sends the GPC signal in an HTTP header to the websites that the consumer visits. Participating websites must, according to the California Attorney General, honor these requests as a valid opt-out of the “sale”.
What the GPC header looks like:
[Figure: An HTTP request to example.com with the GPC header enabled in Chrome, via a plugin.]
Practical considerations for businesses
Businesses that only engage in CCPA “sales” through the online advertising ecosystem (where data sharing is mediated through the consumer’s browser or mobile device) may not have to do a lot of work.
Important warning: The above is true as long as the “sale” is not made after the fact, server-to-server, through file sharing or some other method where the party to whom the information is “sold” is not able to receive the GPC signal directly from the user’s browser. In these cases, the publisher may need to create a business process that listens for the signal and then, if applicable, prevents personal information from being “sold” on the backend. This may also include, for example, propagating the signal to the relevant partner / third party with a contractual arrangement whereby the signal constitutes a CCPA opt-out of the “sale”.
In either case, in order to comply, companies should also consider communicating to their ad technology partners that the partners are required by the CCPA to honor GPC signals as a valid opt-out request for a “sale”.
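A sketch of the backend process described in the warning above, added here as an illustration and not taken from the original article or from any vendor's code: the signal is read from the request (the GPC specification names the header Sec-GPC), recorded per consumer, and applied later when a server-to-server export is built. The names consumer_id, OptOutLedger and build_partner_export are hypothetical, and treating a later request without the header as leaving the recorded opt-out in place is an assumption of this sketch.

```python
# Added example; OptOutLedger, consumer_id and build_partner_export are hypothetical names.
from dataclasses import dataclass, field


def gpc_opt_out(headers):
    """True when the request carries the GPC signal (header Sec-GPC with value "1")."""
    for name, value in headers.items():
        # HTTP header names are case-insensitive; any value other than "1" is not a signal.
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


@dataclass
class OptOutLedger:
    """Persists opt-outs so batch jobs that run after the visit can see them."""
    opted_out: set = field(default_factory=set)

    def observe_request(self, consumer_id, headers):
        # Assumption: a request without the header never clears a recorded opt-out.
        if gpc_opt_out(headers):
            self.opted_out.add(consumer_id)


def build_partner_export(records, ledger):
    """Split a server-to-server batch into rows that may be shared and a
    suppression list to propagate to the partner."""
    shareable = [r for r in records if r["consumer_id"] not in ledger.opted_out]
    suppress = sorted({r["consumer_id"] for r in records} & ledger.opted_out)
    return shareable, suppress


# Constructed sample input: four visits, then a nightly export.
ledger = OptOutLedger()
ledger.observe_request("c-100", {"Host": "example.com", "Sec-GPC": "1"})
ledger.observe_request("c-200", {"Host": "example.com"})
ledger.observe_request("c-300", {"host": "example.com", "sec-gpc": "1"})
ledger.observe_request("c-100", {"Host": "example.com"})  # later visit, no signal

records = [
    {"consumer_id": "c-100", "segment": "autos"},
    {"consumer_id": "c-200", "segment": "travel"},
    {"consumer_id": "c-300", "segment": "sports"},
]
shareable, suppress = build_partner_export(records, ledger)
```

The suppression list is what would be passed to the partner under the contractual arrangement mentioned above; in production the ledger would live in durable storage keyed by whatever identifier the export uses.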
How we can help
Norton Rose Fulbright is ready to assist businesses with their CCPA and CPRA compliance efforts, and actively helps customers manage the GPC header.
If you would like to learn more about the technical capabilities of the company, including a demonstration of NT Analyzer, please feel free to contact us directly or use the contact us button on the right.