What is Global Privacy Control?
Global Privacy Control (GPC) is a browser setting that allows users to automatically communicate their desire to opt out of the sale or sharing of their personal information, such as through marketing cookies. When enabled, GPC sends a signal to websites indicating the user's privacy preferences, essentially functioning as a universal opt-out mechanism. Businesses using cookies should take note of emerging GPC trends.
California's Stance on GPC
The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), requires businesses to honor "opt-out preference signals" like GPC. This means that if a user has GPC enabled in their browser, businesses must treat this as a valid request to opt out of the sale or sharing of their personal information (which California broadly defines as including things like marketing and analytics cookies). This aligns with the trend and requirements for cookie consents in the EU/UK and other state legislation.
Recent Regulatory Actions
The Sephora Case
Back in 2022, Sephora settled with the California Attorney General for $1.2 million, including for allegations that it failed to process opt-out requests made through GPC. This case set a precedent for enforcing GPC compliance under the CCPA.[1]
CPPA Enforcement Advisory
In 2024, the California Privacy Protection Agency (CPPA) Enforcement Division issued its first advisory, emphasizing the importance of honoring GPC signals. This advisory serves as a clear indication that the CPPA is taking GPC compliance seriously.[2]
How to Comply with GPC Requirements
To ensure compliance with GPC and growing privacy laws, businesses should:
- Detect GPC Signals: Implement technical measures to recognize GPC signals from users' browsers.[3]
- Honor Opt-Out Requests: Treat GPC signals as valid opt-out requests for the sale or sharing of personal information (within 15 business days under the CCPA).
- Update Privacy Policies: Clearly disclose how your business processes GPC signals in your privacy policy.
- Train Staff: Ensure that relevant personnel understand GPC and how to handle related consumer requests.
- Audit Data Practices: Regularly review your data collection, use, and sharing practices to ensure alignment with GPC requirements.
- Document Compliance: Maintain records of your GPC compliance efforts, including how you process and respond to GPC signals.
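The detect, honor and document steps above can be sketched server-side as follows. This is an added example, not code from the original article; it assumes the `Sec-GPC: 1` request header defined by the GPC specification (the article does not name the header), and the cookie names, categories and function names are hypothetical.

```javascript
// Added example: server-side GPC handling with no framework dependencies.
// Categories treated as "sale or sharing" for this illustration (assumption).
const OPT_OUT_CATEGORIES = new Set(["marketing", "analytics"]);

// Constructed cookie inventory: cookie name -> category.
const COOKIE_INVENTORY = {
  session_id: "essential",
  csrf_token: "essential",
  ad_click_id: "marketing",
  visitor_stats: "analytics",
};

// Detect: the GPC specification sends the request header "Sec-GPC: 1".
// Header names are case-insensitive; only the exact value "1" counts.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() !== "sec-gpc") continue;
    const v = Array.isArray(value) ? value[0] : value;
    return String(v).trim() === "1";
  }
  return false;
}

// Honor: with the signal present, keep only inventoried cookies outside the
// opted-out categories. Cookies missing from the inventory are dropped (fail closed).
function cookiesToSet(headers, requested) {
  if (!hasGpcSignal(headers)) return [...requested];
  return requested.filter((name) => {
    const category = COOKIE_INVENTORY[name];
    return category !== undefined && !OPT_OUT_CATEGORIES.has(category);
  });
}

// Document: build an audit record of what was set and what was suppressed.
function gpcAuditRecord(headers, requested, now = new Date()) {
  const kept = cookiesToSet(headers, requested);
  return {
    timestamp: now.toISOString(),
    gpcSignal: hasGpcSignal(headers),
    cookiesSet: kept,
    cookiesSuppressed: requested.filter((n) => !kept.includes(n)),
  };
}
```

Dropping uninventoried cookies when the signal is present means a newly added tracker is suppressed by default until someone classifies it, which also gives the audit step a concrete list to review.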
Conclusion
As privacy regulations continue to evolve, businesses marketing or selling goods or services online, including in California, should stay informed about GPC requirements.
Kronenberger Rosenfeld, LLP regularly advises clients regarding data and privacy compliance. Contact our firm using our online case submission form.