Privacy is becoming more and more important in the US. With more than 20 states with privacy laws, privacy has also become a maze of different regulation practices, further clouded by a limited number of cases or guidelines available to businesses.
However, the state leading the way, California, has ramped up the enforcement of its landmark legislation, the CCPA, with fines multiplying since 2021. This increased regulatory action is giving marketers and legal teams clearer signals about expectations. One of the main areas of focus is Global Privacy Control (GPC), a mechanism that allows users to explicitly opt out of the sale or sharing of their personal data. In this article, we’ll see what GPC is, how to make sure GPC signals are respected on your website, and what the impacts of GPC are on your activities.
Global Privacy Control was created in 2020 by a coalition consisting mainly of academics, privacy-focused tech companies (Brave, DuckDuckGo…) and newspapers (New York Times, Financial Times…), with the goal of simplifying personal data protection online. One of its objectives was to establish a system that would be actually actionable, unlike options like Do Not Track,a setting available in Chrome that is largely ignored by websites and carries no enforcement consequences.
The feature is accessible via plug-ins on the main browsers (Chrome, Safari) and via settings for other browsers (especially Mozilla Firefox and Brave). Once the option is activated, the signal can be read by websites via javascript.
It was quickly recognized by California as a way for users to signal to all the websites they visit that they don’t agree to their data being sold or shared (to reuse the vocabulary used in the CCPA). Starting in 2022 with the Sephora case (which carried a fine of $1.2M), there have been multiple fines given to companies which did not respect GPC signals. Given the increased pace of sanctions handed over by the CPPA (California Privacy Protection Agency), more and more companies are now scrambling to implement tools enabling them to accurately follow GPC signals. But it is not always clear how.
CMPs (Consent Management Platforms) offer multiple products, the best-known being cookie banners. Even though each provider has unique systems, the baseline is the same: a hyperlink is placed on every page, and loads the cookie banner when users land on the website for the first time. Marketing and/or legal departments can set up the banner on an online platform, and update it in real time. They also have access to detailed records to optimize traceability.
Nowadays, most CMP providers offer GPC signal features, enabling websites to automatically detect when GPC has been activated. Once this is done, data collection related to data sales / sharing can be blocked using standard variables, usually via a TMS (tag management system).
This is, by far, the easiest method. Given the latest trends in privacy regulations in the US, if you don’t have a cookie banner provider yet, we highly recommend you envision this option to simplify privacy management in the near future.
GPC signals can be read by all websites, and custom methods are available for websites not equipped with CMPs, or which wish to follow another direction.
The best-known custom system was developed by the Washington Post and Wesleyan University, and involves implementing a json file. This system has the advantage of transparency, but it may be more difficult to implement at scale, especially for websites with thousands of pages, and it may bring less traceability.
Whichever method is chosen, it is highly recommended to carry out extensive testing to ensure that all data sale / sharing has been effectively blocked. You should also liaise with your legal department to determine if you should keep records of the tests.
So far, marketing impacts have been very limited. Although GPC proponents claim that 150M people use GPC (which, in any case, would represent only 3% of all internet users), the share of traffic carrying the signal is actually a lot lower, especially because many users do not systematically activate GPC (for example, they may have activated it on their laptops, but not on mobile).
Per our investigations, it is virtually impossible to determine the share of traffic with GPC activated. Precise numbers can’t be calculated because GPC effectively limits data collection mechanisms. When we have activated the features with our clients, no impacts have been noted. In other words, the volume of traffic with GPC is indistinguishable from normal traffic variations, at least for now. As a result, US marketers tend to be less interested in this topic, contrary to their European colleagues, who have to deal with cookie rejection rates that can reach 50%.
However, legal risks are very real, and immediate. As we saw in Part 1, multiple fines above $1M have already been levied against businesses for (among others) failing to comply with GPC signals. As privacy lawsuits multiply in California and elsewhere, legal departments need to follow through with their marketing & IT departments to ensure that the tracking implementation is compliant. They also need to establish processes to maintain compliance over time: often, this relies on “translators”, team members who have knowledge in both legal matters and marketing data collection.
In the future, GPC may become more ubiquitous, especially if more popular browsers (Chrome, Safari) integrate it natively. In that case, volumes of data may decrease dramatically. Marketers need to continue following the trends; if this scenario actually happened, they should take action to try and limit losses of data.
Privacy in the US is here to stay. GPC, propelled by California’s pioneering role, is now a major part of the framework that companies across the US have to follow. Although the impacts of GPC on data collection are still limited, fines imposed by California are rising. Companies have to act now to ensure they remain compliant, and avoid bad surprises. They also need to continue watching privacy trends, to ensure not only compliance, but also that their marketing practices remain optimal.
Discover all the latest news, articles, webinar replays and fifty-five events in our monthly newsletter, Tea O'Clock.
.jpg)
.svg)
