To Track or Not to Track: GPC and 'Do Not Track' Signals
For website visitors, most data exchanges and processing activities are invisible. For various reasons, websites collect data, including IP address, browser type, operating system, visited pages, clicked links, and time spent on the website. Such data is collected to improve user experience, secure the website, and ensure customers receive the best service. Also, the data could be collected to provide customers with targeted advertising and tailored content, increasing sales.
Unless a specific law or regulation requires websites to inform visitors or seek consent for data processing, as in the states of California or Colorado, websites often collect data without the users’ knowledge. The problem is that businesses often collect more information than is relevant to the services they provide and share this information with third parties without the consumers’ knowledge. This in turn could make it difficult for consumers to understand how their personal information is collected and used, and could make it impossible for them to object to such processing.
Do Not Track
Before the era of data protection regulations, even before Instagram was launched, back in 2009, a group of researchers proposed a Do Not Track (“DNT”) solution, which was an HTTP header that allowed users to signal their preference to websites about whether they wanted to be tracked or not. The decision on whether to honor the signal or ignore it, however, would be made by the owners of the website. Mozilla Firefox was the first web browser to support the DNT signal, and was later followed by other browsers, such as Internet Explorer, Apple's Safari, Opera, and Google Chrome. However, the DNT signal was not widely adopted by websites, for two main reasons: first, there was no legal obligation for websites to honor such a signal, and second, there was no clear definition of how to honor such a signal and what the definition of “tracking” was.
The General Data Protection Regulation (“GDPR”) significantly changed the rules of the game when it obliged websites to collect consent for data processing, which meant that websites could no longer collect any information unless consumers had consented to it. In this case, a DNT signal became rather insignificant, as regardless of the choices, a cookie banner would be the only compliant solution according to the requirements of the European Union.
The California Consumer Privacy Act (“CCPA”) suggested another approach, which was to provide users with a right to opt out of data processing by sending a “Do not sell my personal information” request. The two mechanisms are significantly different: with DNT, had it been successful, consumers wouldn’t have to submit a request to each and every website, but would instead activate one setting that represented their choice throughout, to be tracked or not. That is where Global Privacy Control came in.
Global Privacy Control
Global Privacy Control (“GPC”) was proposed a few years ago as a modernized solution to meet the same goal DNT hadn’t, namely to provide consumers with a holistic tool to communicate their preferences concerning data processing. Both GPC and DNT signals are tools that users can use to protect their privacy online; however, a GPC signal is already more specific and more widely supported than a DNT signal.
The GPC is a browser setting that allows users to signal their preference to websites on whether they want their personal data to be sold, as well as opt out of targeted advertising and direct marketing. The GPC signal is sent to the website as an HTTP header from the user's browser. The website can then choose whether or not to honor the user's preference. However, certain privacy laws already require websites to honor GPC signals as if the consumer had submitted an opt-out request.
“Technologies like the Global Privacy Control are a game changer for consumers looking to exercise their data privacy rights. But these rights are meaningless if businesses hide how they are using their customer's data and ignore requests to opt-out of its sale.”
Attorney General Bonta
Under the California Consumer Privacy Act, if a business is required to comply with CCPA, it will treat user-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt out of the sale of their personal information as a valid request submitted under the CCPA.
Under the CPRA, when consumers communicate their opt-out choice via an opt-out preference signal, the consumer should see up to three choices and choose one of the following:
- to opt out from selling and sharing personal information, including limiting the use of sensitive personal information
- to limit the use of sensitive personal information
- to stop selling and sharing personal information for cross-context behavioral advertisement purposes
Its previous version, the pre-CPRA version of CCPA, also mentioned GPC as an alternative option to submit an opt-out request, which should be honored by the businesses accordingly.
“If a business collects personal information from consumers online, the business shall treat user-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information as a valid request submitted under Civil Code section 1798.120 for that browser or device, or, if known, for the consumer.”
California Consumer Privacy Act
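How a site might act on these signals server-side, as an added example that is not from the original article: it reads the `Sec-GPC` header defined by the GPC specification and the older `DNT` header, and records a GPC opt-out for the browser or, when a logged-in account is known, for the consumer. The function names, the `honor_dnt` switch and the sample header values are assumptions made for illustration.

```python
# Added example: derive an opt-out decision from request headers.
from dataclasses import dataclass
from typing import Mapping, Optional


@dataclass(frozen=True)
class OptOutDecision:
    gpc: bool             # True only when "Sec-GPC: 1" was sent
    dnt: Optional[bool]   # True for "DNT: 1", False for "DNT: 0", None if unset
    sell_or_share: bool   # may personal information be sold or shared?
    targeted_ads: bool    # may targeted advertising be served?
    scope: Optional[str]  # "consumer", "browser", or None when no opt-out applies


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """HTTP header names are case-insensitive; return the trimmed value."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def evaluate_signals(headers: Mapping[str, str],
                     account_id: Optional[str] = None,
                     honor_dnt: bool = False) -> OptOutDecision:
    # The only value that expresses a GPC preference is "1"; anything else
    # (including "true" or "0") is treated as if the header were absent.
    gpc = _header(headers, "Sec-GPC") == "1"

    # DNT has three states: opt out ("1"), allow ("0"), no preference (absent).
    dnt = {"1": True, "0": False}.get(_header(headers, "DNT") or "")

    # GPC always counts as an opt-out request here; DNT only if the site has
    # chosen to honor it (assumed policy switch, off by default).
    opted_out = gpc or (honor_dnt and dnt is True)

    # Apply the opt-out to the consumer when the account is known,
    # otherwise only to this browser or device.
    scope = None
    if opted_out:
        scope = "consumer" if account_id else "browser"

    return OptOutDecision(gpc=gpc, dnt=dnt, sell_or_share=not opted_out,
                          targeted_ads=not opted_out, scope=scope)
```

A request handler would call `evaluate_signals(request.headers, account_id=...)` before any ad or data-sharing tags are emitted and persist the decision under the returned scope.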
On July 1st, 2023, the Colorado Privacy Act (CPA) went into effect. Even though provisions concerning GPC signals will become effective in 2024, provisions with respect to GPC recognition are even more clearly defined under the CPA, as it promises to provide consumers with a single, simple mechanism to communicate their opt-out choice to multiple companies at once. Technical specifications provided in the Colorado Privacy Act Rules specifically say that:
“A. Universal Opt-Out Mechanism must allow for Consumers to automatically communicate their opt-out choice with multiple Controllers…
…B. The Universal Opt-Out Mechanism must allow Consumers to clearly communicate one or more opt-out rights available under C.R.S. § 6-1-1306(1)(a)(IV).”
As the GPC signal becomes more widely adopted, it will become an important tool for protecting user privacy. By enabling the GPC signal and using websites that recognize it, users can take control of their privacy and prevent their personal data from being sold without their consent.
Here are some of the benefits of implementing and recognizing the GPC signal:
- It can help to protect users' privacy by giving them more control over how their personal data is used;
- It can help to reduce the amount of personal data that is collected and stored by websites;
- It can help to improve the transparency of how websites collect and use personal data;
- It can help to build trust between users and websites.
The GPC signal is a promising new tool for protecting user privacy. As it becomes more widely adopted, it will play an increasingly important role in ensuring users have control over their personal data.