Skip to main content

Global Privacy Control Opt-Out of “Sale” – A Technical and Legal Viewpoint

By and July 16, 2021July 22nd, 2021Insights

According to the California Attorney General, consumers may now utilize a new technology called the Global Privacy Control (“GPC”) in order to opt out of a “sale” of personal information under the California Consumer Privacy Act (“CCPA”).

The GPC, according to its website, was developed by “various stakeholders including technologists, web publishers, technology companies, browser vendors, extension developers, academics, and civil rights organizations.”

Unlike the IAB Tech Lab U.S. Privacy String, which is controlled and operated by the adopting Business via JavaScript, the GPC is controlled by the browser software either natively (as in the case of Firefox) or as a browser extension/plugin (as in the case of “OptMeowt”).

The California Attorney General has indicated that the GPC is a valid consumer request that Businesses must honor.

How it works

The GPC is available to consumers either through an internet browser or a browser extension. The internet browsers that currently support GPC natively are Mozilla Firefox, DuckDuckGo, and Brave; and browsers extensions include Abine, Disconnect, OptMeowt by privacy-tech-lab, and Privacy Badger by EFF.

The GPC, technically speaking, feels very similar to the “Do Not Track” (“DNT”) header. When activated by the user, the GPC header, similar to the DNT header, is set to the value of “1” and broadly signals to recipients the consumer’s request to opt-out. Once consumers enable GPC on their browser to communicate their privacy preferences, the browser then sends the GPC signal via an HTTP header to the websites that the consumer visits. Participating websites must, according to the California Attorney General, then honor these requests as a valid opt-out of “sale.”

What the GPC header looks like (see red box):

HTTP request

An HTTP request to example.com with the GPC header activated in Chrome, via a plugin.

Practical considerations for Businesses

Businesses that only engage in “sales” under CCPA via the online ad ecosystem (where sharing of data is intermediated by the consumer’s browser or mobile device) may not need to do much heavy lifting.

Any third party (ad networks, DMPs, agencies, DSPs, SSPs, etc.) receiving network requests from a browser that has GPC activated will receive the opt-out signal automatically. The GPC signal, as an HTTP header, is blasted out shotgun style, no special JavaScript required to receive or propagate it.  And, under the CCPA final regulations, all “Businesses” as defined by the CCPA (which includes most of the ad ecosystem) are required to honor “user-enabled global privacy controls.”[1]

Important Caveat: The foregoing holds true so long as the “sale” isn’t done after the fact, server-to-server, via file share, or some other backend method where the party to whom information is “sold” is not in a position to receive the GPC signal directly from the user’s browser. In these instances, the publisher may need to create a technical process that listens for the signal and then, as appropriate, prevents personal information from being “sold” on the backend. This may also include, for example, propagating the signal to the relevant partner/third-party with a contractual understanding that the signal constitutes a CCPA opt-out of “sale.”

In either case, in order to comply, Businesses should also consider communicating to their ad tech partners that the partners are required by the CCPA to honor GPC signals as a valid opt-out of “sale” request.

How we can help

Norton Rose Fulbright stands ready to assist Businesses with their CCPA and CPRA compliance efforts, and is actively assisting clients in handling the GPC header.

If you are interested in learning more about the firm’s technical capabilities, including a demo of NT Analyzer, please feel free to reach out directly to us or use the contact us button to the right.

 

 

[1] See CCPA Regulations, 999.315.

Steven Roosa

Author Wenda Tang

Wenda Tang is a lawyer in the Washington, DC office, where she is part of the Data Protection, Privacy and Cybersecurity practice group. Wenda focuses on drafting and interpreting technology-related contracts, including insertion orders, service provider addendums, DPAs, advertising agreements, and non-disclosure agreements. She also assists clients in complying with data protection and privacy laws, such as the CCPA, GDPR, HIPAA, GLBA, COPPA, CAN-SPAM Act, and TCPA.

More posts by Wenda Tang
Steven Roosa

Author Steven Roosa

Steven B. Roosa advises companies on a wide spectrum of technology and legal issues pertaining to privacy and data security. Steve serves as partner in Norton Rose Fulbright's New York office and oversees the firm's privacy compliance tool suite, NT Analyzer.

More posts by Steven Roosa