About Global Privacy Control (GPC)
This article describes the Global Privacy Control (GPC), a proposed browser standard that allows users to indicate that they generally do not consent to the sale or sharing of their personal data.
Global Privacy Control (GPC) is a proposed browser standard that allows users to indicate across domains that they generally do not consent to the sale or sharing of their personal data.
In many ways, GPC is similar to Do Not Track. Both are browser-level Boolean settings designed to save users from having to manually opt out of each website they visit. The key difference between Do Not Track and GPC signals is that the California Attorney General has clearly indicated that GPC must be respected by businesses covered by CCPA or CPRA.
Why does it exist?
GPC intends to provide a durable, cross-site signal to indicate that a consumer generally objects to the sale and sharing of their personal data. The proposed standard hopes to save users from needing to repeatedly object to the sale of their data on each site they visit. From the specification:
Several legal frameworks exist — and more are on the way — within which people have the right to request that their privacy be protected, including requests that their data not be sold or shared beyond the business with which they intend to interact. Requiring that people manually express their rights for each and every site they visit is, however, impractical.
The California Attorney General has been explicit in his support for a signal like GPC - it’s clear that companies are expected to respect the signal as an opt-out:
Given the ease and frequency by which personal information is collected and sold when a consumer visits a website, consumers should have a similarly easy ability to request to opt-out globally. This regulation offers consumers a global choice to opt-out of the sale of personal information, as opposed to going website by website to make individual requests with each business each time they use a new browser or a new device.
For more information, see the GPC specification proposal.
How should the GPC signal be interpreted?
The California Attorney General and the Sephora settlement have made it clear that companies subject to California regulations are expected to enforce the GPC signal as an opt-out for purposes of CCPA/CPRA.
The appropriate interpretation of the GPC signal for GDPR / ePrivacy isn’t as clear, but we expect more clarity with the upcoming ePrivacy regulation, which is now undergoing final negotiations. It is not certain whether and in what form it will be legally binding, but there is already a standard proposed for that purpose.
Ultimately, it’s up to your business to decide which interpretation of the applicable regulations is best for you.
How can I respect the GPC signal with Tealium?
The needs and requirements of our customers vary widely, so we intend to provide a flexible foundation for our customers to build upon, across our platform.
For more information on Tealium’s support for GPC, see Client-side Global Privacy Control and Server-side Global Privacy Control.
How is the signal exposed?
To enable GPC, supporting browsers expose a global boolean (true for an opt-out) in the DOM:
navigator.globalPrivacyControl // will be true for opt-outs
and sets a header on all outgoing requests (1 for an opt-out):
Sec-GPC: 1
How can I indicate GPC support?
Websites can explicitly signal that they support GPC by using a mechanism provided by the proposed standard.
A website MAY produce a resource at a
.well-knownURL to indicate that it supports GPC. The purpose of a GPC support resource is for a site to communicate its support for Global Privacy Control. By default, an origin’s support is unknown.
This file may be hosted by the site owner, Tealium does not provide any related services or hosting.
This page was last updated: February 28, 2024