The GPC—which was developed by a broad coalition of stakeholders including web publishers, technology companies, academics, and civil rights organizations—is a signal that can be delivered through a browser extension or setting that allows users to automatically indicate to the websites they visit that they intend to opt-out of the “sale” of their personal information as defined under the CCPA. The GPC would therefore allow users to effectively opt-out of CCPA sales on any site they visit without completing the opt-out request process currently in use on most sites. (The GPC project also seeks to indicate consumer preferences under other data protection laws, such as the GDPR.)
Use of the GPC remains limited. No mainstream browser has adopted the technology, although Mozilla reportedly is working to implement GPC as an option in Firefox.
GPC Requirements Under CCPA
Under the CCPA regulations, “If a business collects personal information from consumers online, the business shall treat user-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information as a valid request . . . .”
Attorney General Becerra’s tweet highlighting the GPC and his suggestion that businesses are already required to respect GPC signals under the CCPA have raised a number of questions.
- Because no technology like the GPC existed at the time of the CCPA rulemaking process, it is unclear when the requirement to honor the GPC in particular took effect. There are also questions as to whether the determination that a given signal meets the CCPA regulations’ requirements may be issued via Twitter.
- The Attorney General’s tweet also created ambiguities relating to the scope of consumer opt-outs communicated through GPC signals.
- The impact of the Attorney General’s remarks on the implementation of the California Privacy Rights Act (CPRA) also remains to be seen. Under the CPRA, businesses are allowed to read a consumer’s signal opting out of all sharing of their personal information instead of publishing a link allowing consumers to opt-out of the sale of their personal information. Whether respecting the GPC signal will become a way for businesses to remove opt-out links from their websites is one of many questions that may be addressed through the CPRA rulemaking process, which has not yet begun, but is required by law to conclude by July 1, 2022.
- Currently, there is one signal that is being facilitated by the coalition mentioned above. However, it is possible that other signals will be developed over time, and it is unclear whether (and at what point) online services may be required by the Attorney General’s regulations to monitor for and comply with those other signals.
Authored by Jonathan Hirsch and Erik Lampmann.