What is Global Privacy Control (GPC) and Universal Opt-out in Data Privacy?
In today's digital world, data privacy has become a major concern for individuals worldwide: as online activities increase, so does the collection of personal information by websites and online services. This shift has led to a growing demand for mechanisms that allow individuals to control how their data is used.
Because personal data has become about as valuable as currency, the introduction of Global Privacy Control (GPC) comes as a significant development for the safeguarding of individuals’ online privacy, making it easier for them to manage their digital footprints, and offering an effective universal opt-out mechanism against the pervasive tracking, selling and/or sharing of personal information.
In this article we are looking at what GPC is and what universal opt-out means in data privacy.
What is Global Privacy Control (GPC)?
GPC, or Global Privacy Control, is a technological standard that enables internet users to express their privacy preferences across the web by performing one single action instead of several.
But what is GPC, exactly? It is a protocol that allows a user to communicate directly to websites and online services their wish not to be tracked or have their data sold or shared. This protocol is the product of collaboration among technology companies, publishers, and privacy advocates, some of which include Consumer Reports, DuckDuckGo, Robin Berjon (former editor of the GPC spec), Raptive, Digital Content Next, and Sebastian Zimmeck (Assistant Professor of Computer Science, Wesleyan University and GPC co-founder), and it is aimed at addressing the growing need for a simplified and effective privacy control mechanism. The development of GPC reflects an acknowledgment of the complex landscape of digital privacy and the need for more user-centric solutions.
The concept of a universal signal was preceded by the DNT (Do Not Track) signal, and you can read more about the GPC’s predecessor in our blog post on the two types of opt-out signals.
How does the universal opt-out signal work?
GPC is a digital declaration, sent from the user's browser to websites, that the user opts out of data selling and sharing. This signal is recognized by websites that support GPC, ensuring that the user's privacy preferences are honored universally, without the need for repeated manual settings adjustments. The mechanism behind the GPC signal is designed to be straightforward, requiring minimal input from the user while maximizing privacy protection.
In simpler words, GPC is a setting in your browser that lets you tell websites if you don't want them to sell/share your personal info or send you targeted ads and marketing. When you visit a website, your browser sends a GPC signal to tell the site about your choice. The site can then decide if it will follow your request. But, some privacy laws make it a must for websites to respect your GPC choice as if you've directly asked them not to use your data.
How does the Global Privacy Control affect consumers?
Global Privacy Control (GPC) is a big step forward for consumers using the internet. In essence, GPC is a magic button that tells websites you don't want to be tracked or have your information shared without having to inform each site individually. Being able to do this in one simple action means it is now much easier for everyone to protect their privacy online.
When you turn on GPC, it automatically lets websites know that you want to keep your browsing private. This means less unwanted tracking and fewer worries about who's collecting your data. For many people, this new tool gives them more confidence and control when they're online, making it a very important development for anyone concerned about keeping their personal information safe.
Clym assists businesses with GPC signals by offering a comprehensive compliance solution which combines data privacy with web accessibility inside one single tool. When you visit a website that has implemented Clym’s compliance tool, if you are a resident of one of the jurisdictions where honoring GPC signals is mandated by data protection laws, our tool will automatically detect the signal, which means you will be opted out of data selling and/or sharing without needing to do anything else, such as submitting an opt-out request with the website.
How does the Global Privacy Control affect businesses and publishers?
Global Privacy Control (GPC) has a big impact on how businesses and publishers handle information online. To follow GPC rules, these companies need to update their systems so they can understand and act on GPC signals, which tell them if a user doesn't want their data to be tracked or shared. This might sound like a lot of work because it involves changing how they use technology, but it's also a chance for them to show they care about their users' privacy.
When a business supports GPC, it's telling the world that it takes privacy seriously. This is important because people are becoming more concerned about how their data is used and protected. Companies that are quick to adopt GPC can stand out by showing they respect their customers' wishes. Plus, following GPC can make it easier for them to meet the requirements of different privacy laws all over the world. Instead of juggling many rules, they can follow one clear standard. This can save time and effort, making it simpler for businesses to ensure they're handling data in a way that's fair and respectful to everyone.
At this time there is one consumer privacy law in the United States that has taken the stage with its requirements for covered businesses to allow consumers to opt out of the sale of personal data and the processing of personal data for targeted advertising through a Universal Opt-Out Mechanism (UOOM): the Colorado Privacy Act, or CPA. What this means for your business is that as of July 1, 2024, if Colorado’s privacy law covers your organization, you will be required to allow consumers to opt out using a Universal Opt-Out Mechanism (UOOM). Back in November 2023, the Attorney General published a shortlist of UOOMs that were being considered, and at the start of 2024 the final choice for the time being was announced to be Global Privacy Control (GPC).
GPC has already been recognized as a valid and legally binding opt out in California, and per the application submitted with Colorado’s AG back in 2023 it is also “likely to comply with the requirements of all other US jurisdictions that currently provide for universal opt-out mechanisms” which would include US state privacy laws such as:
- California Consumer Privacy Act effective now;
- Colorado Privacy Act effective now;
- Texas Data Protection Act becomes effective on 07/01/2024;
- Connecticut Data Privacy Act effective now;
- Delaware Privacy Act becomes effective on 01/01/2025;
- Montana Consumer Data Privacy Act becomes effective on 10/01/2025;
- Oregon Consumer Privacy Act becomes effective on 01/01/2026.
Clym facilitates the active listening for GPC signals so your business can be safe. How, you may ask? By offering a comprehensive solution that seamlessly integrates into your website requiring no manual configuration from your side and facilitating compliance with more than 40 data privacy regulations around the world, including those listed above, or the GDPR in Europe, or web accessibility laws like ADA’s Title III. With Clym’s CMP added on your business’ website, you and your legal team can sleep well at night knowing that we got you covered.
Here is an example of how Clym can help your business with the GPC signal:
Whenever a consumer from Colorado or California, or any other US state or country that mandates Universal Opt-Out Mechanisms (UOOMs), accesses your website and has their browser set up to send a GPC signal, Clym’s tool listens for this signal and, where it detects it, automatically opts out the consumer.
In this example, our tool has detected a GPC signal and automatically opted out the consumer from Advertising, Analytical, and Entertainment cookies.
This setting is automatically configured for you, however, you also have the option to allow an override of this if you so wish.
In this example, there is no GPC signal sent out by the browser which means the consumer either hasn’t activated the GPC in their browser, or they are located in a jurisdiction where UOOMs are not mandated by the applicable data privacy law.
As such, the consumer can opt-in or opt-out of the different categories of cookies currently running on the website.
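The detection flow described above and under "How does the universal opt-out signal work?", as an added example that is not Clym's code. It reads the signal as the GPC specification defines it (the `Sec-GPC: 1` request header and `navigator.globalPrivacyControl`); the region codes, category keys, function names and the `allowOverride` flag are assumptions made for illustration.

```javascript
// Added example, not Clym's implementation.
// Assumption: region codes for jurisdictions where honoring GPC is mandated.
const GPC_MANDATED_REGIONS = new Set(["US-CA", "US-CO"]);
// Assumption: category keys, named after the categories in the article.
const OPT_OUT_CATEGORIES = ["advertising", "analytical", "entertainment"];

// Server side: a GPC-enabled browser sends the request header "Sec-GPC: 1".
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    // Header names are case-insensitive; only the exact value "1" counts.
    if (name.toLowerCase() === "sec-gpc") return String(value).trim() === "1";
  }
  return false;
}

// Client side: the same preference is exposed as navigator.globalPrivacyControl.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Combine signal, visitor region and stored choices into a consent state.
// allowOverride (hypothetical flag): an explicit stored opt-in survives the signal.
function resolveConsent({ headers, nav, region, stored = {}, allowOverride = false }) {
  const signal = gpcFromHeaders(headers) || gpcFromNavigator(nav);
  const enforced = signal && GPC_MANDATED_REGIONS.has(region);
  const consent = { ...stored };
  if (enforced) {
    for (const category of OPT_OUT_CATEGORIES) {
      if (!(allowOverride && stored[category] === true)) consent[category] = false;
    }
  }
  return { signal, enforced, consent };
}

// Constructed sample requests.
const samples = [
  { headers: { "Sec-GPC": "1" }, region: "US-CO", stored: { advertising: true, functional: true } },
  { headers: { "sec-gpc": "0" }, region: "US-CA", stored: { advertising: true } },
  { nav: { globalPrivacyControl: true }, region: "FR", stored: { analytical: true } },
];
for (const s of samples) console.log(s.region, JSON.stringify(resolveConsent(s)));
```

Categories outside the opt-out list, such as the `functional` key in the first sample, are left exactly as the visitor stored them.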
Global Privacy Control (GPC) and International Data Privacy Regulations
Global Privacy Control (GPC) is a tool that helps both people, who can manage their online privacy more easily, and businesses, who can show transparency and build trust with their customers and website visitors by implementing systems that recognize and implement these signals, especially in light of strict privacy laws like the California Consumer Privacy Act (CCPA) in the US and the General Data Protection Regulation (GDPR) in Europe.
Because GPC automatically lets websites know a user's privacy choices, this helps simplify how people protect their privacy online and makes it easier for companies to follow these privacy laws.
Data privacy rules are different all around the world because countries have their own views and rules about privacy. However, even though data privacy laws around the world can differ, there's agreement on the idea of consent and the way this is expressed, either via an ‘opt-in’ or an ‘opt-out’ action on the part of a consumer. We have discussed opt-in and opt-out consent in data privacy at length in an associated blog post, to help businesses understand what is expected of them. To put it simply, consent is needed in situations where websites want to put cookies or trackers on someone's device, when people need to agree to legal terms, when they sign up for marketing emails, or when they register on a website or app and have to accept the site's or app's rules and policies.
GPC aims to create a common way for people to share their privacy preferences with websites, no matter where they are. This is important because as companies and their online services operate globally, they have to deal with many different privacy laws. GPC can help simplify things by offering a consistent way for users to set their privacy preferences internationally, helping both users and companies navigate the complex landscape of global data privacy regulations.
Let’s look at some of these privacy regulations and GPC’s implications:
GPC for GDPR
The implication of the GPC on the GDPR can be difficult to interpret. GDPR mandates that before you run analytics or ads, you need to obtain consent from the user.
GPC makes it easier for companies to follow opt-out rules by providing a standard for the way people can say if they agree (opt-in) or disagree (opt-out) with their data being used. This means companies can more clearly understand when someone has given permission for their information to be used, fitting well with GDPR's tough requirements on getting consent.
This not only makes the job of managing permissions easier for companies but also improves the experience for users. It becomes much simpler for anyone in the EU to control their privacy rights, like saying no to tracking or choosing what personal information they're okay with sharing.
GPC for California Consumer Privacy Act (CCPA - CPRA)
The California Consumer Privacy Act (CCPA) is a law that helps protect the privacy of people living in California. It lets them tell businesses they don't want their personal information sold. Under the CCPA - CPRA, the role of global privacy control (GPC) is equally significant.
The law creates an obligation for covered businesses to allow California residents to opt-out of the sale or sharing of their personal information. GPC assists with this by providing an efficient method for managing these requests, reducing the complexity for both users and businesses. By automating their opt-out process, businesses in California can ensure that user preferences are respected in a timely and effective manner, with the help of GPC.
This helps make sure that people's decisions about their privacy are respected right away, which is what the CCPA aims to do.
GPC for LGPD
Brazil’s General Data Protection Law (LGPD) is a lot like the GDPR in that it focuses on the need for people's permission (consent) and their privacy rights.
GPC application in Brazil would mean that it would be much easier for people in Brazil to manage their privacy choices, like saying yes or no to how their data is used, and companies could do a better job of following LGPD rules by making sure they respect people's choices about their data.
GPC and TCF 2.2
The way GPC and the Transparency and Consent Framework (TCF) 2.2 work together shows how GPC signals could help with managing consent online.
The IAB’s TCF 2.2 makes it clear for users how their data is collected and used for targeted ads and also requests the users’ permission (consent) for this, in line with data privacy laws in the EU. GPC, on the other hand, lets users easily tell websites they don't want their data sold or used for targeted ads with just one setting.
Both GPC and TCF 2.2 aim to protect user privacy online but in different ways. TCF 2.2 is there to make sure websites, advertisers, and tech companies follow the rules when they handle user data or store information on devices, especially for ads. It sets a common way for sites to explain to users what happens with their data and ask for their consent. GPC is more straightforward, giving users a single way to set their privacy choices, like saying “No” to data selling or targeted ads. When someone turns on GPC, their browser tells websites about their choices.
It is interesting to consider how the two might work together. If a website is already implementing the TCF 2.2, it can interpret a GPC signal as an indication that the consumer is saying “No” to having their data used in ways already regulated by privacy laws in the EU. What this means is that if a consumer has GPC turned on and they visit a website, said website should adhere to the TCF 2.2 guidelines and treat the signal as an opt-out, since the consumer has denied consent.
How can Clym help with Global Privacy Control (GPC) and Universal Opt-out?
Clym offers a unique solution for businesses looking to comply with Global Privacy Control (GPC) and Universal Opt-Out mechanisms, streamlining the integration of data privacy and web accessibility into one efficient tool. Our tool facilitates businesses’ compliance with GPC so that when visitors from jurisdictions that recognize and enforce GPC signals access a website that is using Clym, they are automatically opted out of data selling and sharing.
This automatic detection and compliance spare users the hassle of manually submitting opt-out requests, making it simpler for them to exercise their privacy rights, while also helping businesses to effortlessly align with data protection laws, enhancing user trust and privacy on their digital platforms.
Moreover, Clym's solution is designed to facilitate the active monitoring of GPC signals, providing businesses a worry-free compliance strategy. This comprehensive system integrates smoothly with existing websites, requiring minimal effort from businesses to comply with over 40 data privacy regulations globally, including the GDPR and ADA’s Title III for web accessibility.
With Clym, companies can rest assured that their legal and privacy obligations are being met, allowing them and their legal teams to focus on their core operations with peace of mind. Clym's platform not only aids in complying with GPC and universal opt-out requests but also fosters a commitment to privacy and accessibility that is crucial in today's digital landscape.
FAQs on Global Privacy Control (GPC)
What is Global Privacy Control (GPC)?
GPC is a technology standard that lets internet users express their desire not to have their data tracked, sold, or shared with just one setting in their browser. It sends a signal to websites about the user's privacy preferences, which the sites can then choose to follow. This makes it much easier for people to manage their privacy online and for businesses to comply with data privacy laws which recognize GPC.
How does GPC work and what does it mean for users?
When a consumer enables GPC in their browser, a signal is sent to the website indicating the consumer wishes to opt out of data selling and sharing. Websites that recognize this signal should respect the consumer's choice, acting as if they have directly requested not to have their data used. This simplifies the process for consumers, giving them more control over their personal information without needing to make requests on each website.
How does GPC impact businesses and publishers?
GPC requires businesses and publishers to update their systems to recognize and respond to GPC signals. While this may require technological adjustments, it offers an opportunity to demonstrate a commitment to privacy. Adopting GPC can help businesses comply with privacy laws more easily by following a universal standard, thereby enhancing trust with customers.
Can GPC help with compliance with data privacy laws?
Yes, GPC can assist businesses in complying with various data privacy laws, including the GDPR in Europe, the CCPA/CPRA in California, or the CPA in Colorado, by providing a straightforward way for users to opt out of data selling and targeted advertising. This helps businesses meet legal requirements for user consent and data processing with less effort.
How does Clym help businesses with GPC and Universal Opt-Out?
Clym provides a comprehensive solution that automates compliance with GPC and Universal Opt-Out mechanisms, integrating data privacy and web accessibility into one tool. Clym's system automatically detects GPC signals from visitors, opting them out of data selling and sharing without any manual input required from the business. This ensures businesses can easily align with privacy laws and enhance user trust, all while Clym handles the complexities of legal compliance and signal detection.