International: Global Privacy Control - new ways of protecting online users' rights
The Global Privacy Control ('GPC') is a proposed specification designed to allow Internet users to notify businesses of their privacy preferences, such as whether or not they want their personal information to be sold or shared with other subjects. It represents a standard developed by a coalition of stakeholders, such as technologists, web publishers, technology companies, browser vendors, extension developers, academics, and civil rights organisations.
According to the draft specification [1], the GPC has no official standing and does not represent the support or consensus of any standards organisation. However, the GPC is already supported by several major browsers and extensions.
What is the GPC?
Under several legal frameworks across the globe, users have the right to request the protection of their privacy through different means, including requests that their data not be sold or shared beyond the organisation with which they intend to interact.
With this in mind, the GPC consists of a setting or extension in the user's browser or mobile device that sends the signal, together with a mechanism that websites can use to indicate they support the specification. More specifically, the GPC provides a way to signal, through an HTTP header or the document object model ('DOM'), a user's assertion of their applicable rights to prevent the selling of their data to third parties or the sharing of data with them. In this way, the GPC is intended to work with existing and upcoming legal frameworks that render such requests enforceable.
Laws, regulations, and frameworks tackled by the GPC
As the GPC aims to serve as an expression of users' intent to invoke their online privacy rights, its signal may be interpreted as having legal effects, depending on factors such as:
- the location of the individual sending the signal;
- the scope of the applicable law; and
- any separate agreement between the recipient of the signal and the individual.
Therefore, depending on the jurisdiction and the applicable legislation, a user's expression through the GPC may have legal impact. However, it must also be noted that the GPC on its own does not create any legally binding obligations.
One of the laws that the GPC may have an impact on is the California Consumer Privacy Act of 2018 (as amended) ('CCPA'). In particular, §1798.135(a)(1) of the CCPA provides that businesses must provide a clear and conspicuous link on their Internet homepage, titled 'Do Not Sell My Personal Information,' enabling consumers to opt out of the sale of their personal information. In addition, §1798.135(a)(4) requires businesses to refrain from selling consumers' personal information they collected once consumers exercise their right to opt out of the sale of their personal information. Lastly, §1798.135(c) of the CCPA states that consumers may also authorise another person to opt out, on their behalf, of the sale of their personal information, and that businesses are required to comply with such a delegated opt-out request, pursuant to the California Consumer Privacy Act Regulations ('CCPA Regulations'), as adopted by the California Attorney General.
In this regard, the CCPA Regulations further specify the above requirements in §999.315, which provides that businesses have to offer two or more means for submitting opt-out requests, including an interactive form accessible via a clear and conspicuous link titled 'Do Not Sell My Personal Information,' on the business's website or mobile application. The CCPA Regulations further list other acceptable methods for submitting these requests, such as:
- a toll-free phone number;
- a designated email address;
- a form submitted in person;
- a form submitted through the mail; or
- a user-enabled global privacy control, such as a browser plug-in or privacy setting, device setting, or other mechanism communicating or signalling the consumer's choice to opt out of the sale of their personal information.
In this regard, the GPC may be deemed an equivalent signal to the last of these, the 'user-enabled global privacy control,' as it would communicate a 'Do Not Sell' request from a global privacy control.
Lastly, circumstances in which the GPC signal conflicts with existing privacy settings a consumer has with the business must be considered. On this, §999.315(c)(2) of the CCPA Regulations provides that the business must, on the one hand, respect the global privacy control, but on the other, may also notify the consumer of the conflict, giving him/her the choice to confirm the business-specific privacy setting.
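As an added illustration (not code from the article, from OneTrust, or from the GPC specification itself), the following JavaScript shows how a site could read both forms of the signal described above, the HTTP header and the DOM property, and apply the conflict rule from §999.315(c)(2). It assumes the request header name `Sec-GPC` and the property `navigator.globalPrivacyControl` as defined in the draft specification; the stored business-specific setting and the sample requests are constructed placeholders.

```javascript
// Added example; not part of the original article or the GPC spec's own code.
// Assumed from the draft spec: request header `Sec-GPC: 1` and the DOM
// property `navigator.globalPrivacyControl`. The stored per-site preference
// is a constructed stand-in for whatever the business actually persists.

// Parse the Sec-GPC request header. The spec defines exactly the value "1"
// as the opt-out signal; anything else (absent, "0", junk) is "no signal".
function parseGpcHeader(headers) {
  const raw = headers['sec-gpc'];
  if (raw === undefined) return false;
  return String(raw).trim() === '1';
}

// Client-side check of the DOM signal, usable in a page script. Browsers that
// do not implement GPC leave the property undefined, so that is "no signal".
function readDomSignal(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Resolve a sale/share decision for one request following the rule quoted
// in the text: the global control is always respected, and a conflict with a
// stored business-specific setting is surfaced so the business can notify the
// consumer and let them confirm their site-specific choice.
function resolveDoNotSell(gpcSignal, storedPreference) {
  // storedPreference: undefined (none), true (consumer opted out on this
  // site), false (consumer explicitly allowed sale on this site).
  if (!gpcSignal) {
    return { doNotSell: storedPreference === true, conflict: false };
  }
  return { doNotSell: true, conflict: storedPreference === false };
}

// Constructed sample requests covering the four cases that matter.
const SAMPLE_REQUESTS = [
  { headers: { 'sec-gpc': '1' }, stored: undefined }, // signal, no site setting
  { headers: { 'sec-gpc': '1' }, stored: false },     // signal conflicts with site opt-in
  { headers: {}, stored: true },                      // no signal, site opt-out stands
  { headers: { 'sec-gpc': '0' }, stored: undefined }, // "0" is not a valid signal
];

function evaluateSamples() {
  return SAMPLE_REQUESTS.map(r =>
    resolveDoNotSell(parseGpcHeader(r.headers), r.stored));
}
```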
Another regulation with which the GPC may interact is the EU General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). In fact, the GDPR provides data subjects with:
- the right to withdraw at any time the consent they provided for the processing of their personal data (Article 7(3) of the GDPR); and
- the right to object to the processing of their personal data, which would activate an obligation for the controller to stop the processing activity (Article 21 of the GDPR).
In relation to the GDPR, the GPC may be interpreted as conveying a general request that data controllers limit the sale or sharing of the user's personal data to other data controllers. Therefore, it is possible that a GPC signal opting out of processing could create a legally binding obligation for data processors.
The GPC, however, provides that the user's request expressed through the signal cannot be interpreted as:
- the exercise of the right to object to the processing of personal data for marketing purposes on the basis of a legitimate interest.
How OneTrust helps
The GPC aims to provide consumers and businesses with clear expectations and guidelines for the sharing and sale of data online. It allows users to easily and clearly exercise their data protection rights, facilitates greater trust between businesses and customers, and fosters certainty for businesses and advertisers by relying on an open standard.
OneTrust proudly supports this initiative and offers compliance solutions that support consumers' choices and rights. OneTrust and the GPC recently announced a partnership aimed at helping users control their privacy with a browser setting that communicates their privacy preferences. OneTrust's Consent Management Platform ('CMP') is one of three CMP solution providers enabled to respect the new setting.
Matteo Quartieri, Privacy Operations
1. Available at: https://globalprivacycontrol.github.io/gpc-spec/