If you’re an American, you’re likely familiar with the California Consumer Protection Act (CCPA), a data privacy regulation enacted in January 2020. This legislation was designed to protect consumer privacy by giving individuals greater control over the sale of their personal data. One of its most significant provisions is the right to opt out of the sale of personal information.
When the CCPA began enforcement in July 2020, companies started receiving notices of alleged noncompliance from the Office of the Attorney General (OAG). Businesses had to quickly implement a “Do Not Sell” mechanism on their digital platforms to allow consumers to opt out of the sale of personal information or risk facing substantial fines and penalties. As a result, almost every website that does business with California residents now has an easily accessible “Do Not Sell My Personal Information” link.
While opting out of the sale of personal information by looking for “Do Not Sell” links on websites is relatively simple, it can become cumbersome for individuals who visit numerous sites daily, whether directly or via social media links. This is where Global Privacy Control (GPC) comes to the rescue. GPC is not legislation but a technical standard designed to complement the existing CCPA by making it easier for consumers to opt out.
GPC works by allowing users to set their preferences regarding the sale of their data in a browser or an extension that supports the GPC specification. Once this preference is set, the browser automatically sends a signal (Sec-GPC) to each site visited, indicating that the user does not want their data to be sold, shared, or used for targeted advertising. The site must handle this signal in the same way it would a “Do Not Sell” request under the CCPA. This eliminates the need for users to manually make a “Do Not Sell” request for each new site they visit. You set the preference once and forget about it.
GPC’s true strength lies in its ability to standardize the opt-out process for data privacy in countries outside the US that have similar opt-out directives in their data privacy legislation.
For instance, the EU’s General Data Protection Regulation (GDPR), which strongly favors opt-ins, also states in Article 21 that users may object to the processing of their personal data at any time if the processing is necessary for the legitimate interests pursued by the controller. A similar right is found in Article 24 of the Data Protection Act (DPA) of Mauritius, which was heavily inspired by the GDPR.
As my friend and colleague Loganaden Velvindron (cyberstorm.mu) has highlighted in the GPC explainer, “Mauritian regulators may deem GPC to constitute a legally binding invocation of Article 24 rights. That would be the case if people’s GPC opt-out preferences are their only known opt-out preferences or if their GPC opt-out preferences align with any other opt-out preferences they have invoked. However, in cases of conflicts, there might be ambiguities, as there is no explicit mention of a global opt-out mechanism prevailing over direct consent given for a specific sharing request on a specific site.”
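The server side of the Sec-GPC signal described earlier, together with the conflict case raised in the quote above, can be sketched as follows. This is an added example, not code from the GPC specification or from the author; the function names and the stored-preference values are hypothetical, and treating a conflict as “do not sell, flag for review” is an assumption of the example, not a rule stated by any regulator.

```javascript
// Added example. Function names and the stored-preference values are hypothetical.

// Returns true only when the request carries Sec-GPC with the exact value "1".
// Header names are case-insensitive, so compare them lowercased.
function gpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() !== 'sec-gpc') continue;
    return String(value).trim() === '1'; // any other value means "not set"
  }
  return false;
}

// stored: the site-specific choice on record for this user:
// 'opt_out', 'consent', or null when nothing is recorded.
function resolveOptOut(headers, stored = null) {
  const gpc = gpcSignal(headers);
  if (gpc && stored === 'consent') {
    // Conflict case: global opt-out vs. consent given on this site.
    // Assumption of this example: fail closed and flag for review.
    return { doNotSell: true, source: 'gpc', conflict: true };
  }
  if (gpc) return { doNotSell: true, source: 'gpc', conflict: false };
  if (stored === 'opt_out') return { doNotSell: true, source: 'stored', conflict: false };
  return { doNotSell: false, source: stored ? 'stored' : 'none', conflict: false };
}

// Constructed sample requests (not captured traffic).
const samples = [
  { headers: { 'Sec-GPC': '1' }, stored: null },
  { headers: { 'sec-gpc': '1' }, stored: 'consent' },
  { headers: { 'sec-gpc': '0' }, stored: 'opt_out' },
  { headers: { 'user-agent': 'example' }, stored: 'consent' },
];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', JSON.stringify(resolveOptOut(s.headers, s.stored)));
}
```

A site would call the resolver before loading any data-sale or ad-targeting integration and log every result where the conflict flag is set.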
For now, GPC seems to be gaining traction. Several major browsers, such as Firefox and Brave, have already implemented the feature natively, and several major publishers in the US are honoring GPC requests. Firefox has GPC preferences set to not sell or share data by default in private mode. For browsers that do not yet support GPC, extensions like Privacy Badger provide similar functionality to users.
Personally, I think GPC is a great tool for signalling users’ preferences to sites. But on its own, it cannot do much. In the end, it is really up to publishers to decide whether or not they want to respect the user’s preference. This is why it is often argued that consent-based solutions do not work effectively. In order for GPC to work effectively, it should complement comprehensive privacy legislation that gives consumers explicit rights over their private data online, as in the case of the CCPA. Without comprehensive privacy legislation, publishers can simply deny access to their products rather than having to deal with honoring a user’s request to not have their data shared or sold.
That being said, the fact that GPC is a universal opt-out solution not tied to any specific legal implementation means that any country with privacy laws that give its citizens the right to opt out of the sale or sharing of their personal data can easily take advantage of the GPC spec, just like California residents.
Article by Veegish Ramdani, member of cyberstorm.mu