global privacy control safari

Take control of your privacy.

Online privacy should be accessible to everyone. It starts with a simpler way to exercise your rights.

Read the Latest Press Release and Follow @globalprivctrl on Twitter .

Turn On GPC

Enable Global Privacy Control to communicate your privacy preference.

Send the Signal

Your browser will send the GPC signal to websites you visit.

Exercise Your Rights

Participating websites can respect your privacy rights accordingly.

You may have noticed “Do Not Sell” and “Object To Processing” links around the web from companies complying with privacy regulations. To opt out of websites selling or sharing your personal information, you need to click these links for every site you visit.

Now you can exercise your legal privacy rights in one step via Global Privacy Control ( GPC ), required under the California Consumer Protection Act (CCPA).

Together, over a dozen organizations are developing the GPC specification. Get Involved

GPC lets users signal their desired privacy, just by browsing.

GPC is available as part of several major browsers, extensions, and websites.

The GPC signal will be intended to communicate a Do Not Sell request from a global privacy control, as per CCPA-REGULATIONS §999.315 for that browser or device, or, if known, the consumer. Under the GDPR, the intent of the GPC signal is to convey a general request that data controllers limit the sale or sharing of the user’s personal data to other data controllers ( GDPR Articles 7 & 21 ). Over time, the GPC signal may be intended to communicate rights in other jurisdictions.

“ CA DOJ is encouraged to see the technology community developing a global privacy control in furtherance of the CCPA and consumer privacy rights. ”

Xavier Becerra

CA Attorney General

“ 40 million consumers are now using web browsers and other privacy tools that support this global opt out. Major publishers, the New York Times, Washington Post, have already pledged to respect it. California's Attorney General has already said that companies must respect GPC. This is a big step in Americans privacy, a big, big step forward. ”

Senate Finance Chairman

“ My hope is that Governor Northam and the legislature will improve [the newly passed Virginia Consumer Data Protection Act] in the near future in important ways... making it easier for Virginia citizens to invoke their privacy rights, such as through a global privacy control. ”

Mark R. Warner

“ GPC provides a clear and binary indication of an individual's choice... Based on a review of several of the web browsers' intentions regarding GPC, it appears likely to be a prominent, easily understandable, and accessible mechanism in the browser settings. ”

Alexander McD White

Bermuda Privacy Commissioner

“ It's past time to give consumers a real and enforceable way to stop companies from tracking and selling their data. My Mind Your Own Business Act would do just that, and this project [Global Privacy Control] shows it’s possible. ”

“ CCPA requires businesses to treat a user-enabled global privacy control as a legally valid consumer request to opt out of the sale of their data. CCPA opened the door to developing a technical standard, like the GPC, which satisfies this legal requirement & protects privacy. ”

Got to slide 0
Got to slide 1
Got to slide 2
Got to slide 3
Got to slide 4
Got to slide 5

Join over 50 million users.

Download a supported browser or extension and start exercising your privacy rights with GPC.

Founding Organizations

The following organizations, representing 50 million users and hundreds of thousands of websites, are in support of GPC.

Featured Press & Announcements

Frequently asked questions, what is the global privacy control (gpc).

Global Privacy Control (GPC) is a proposed specification designed to allow Internet users to notify businesses of their privacy preferences, such as whether or not they want their personal information to be sold or shared. It consists of a setting or extension in the user’s browser or mobile device and acts as a mechanism that websites can use to indicate they support the specification.

Who is supporting the development of GPC?

GPC is being developed by a broad coalition of stakeholders: technologists, web publishers, technology companies, browser vendors, extension developers, academics, and civil rights organizations.

The GPC was initially spearheaded by Ashkan Soltani Georgetown Law and Sebastian Zimmeck ( Wesleyan University ) in collaboration with The New York Times , The Washington Post , Financial Times , Automattic (Wordpress.com & Tumblr) , Glitch , DuckDuckGo , Brave , Mozilla , Disconnect , Abine , Digital Content Next (DCN) , Consumer Reports , and the Electronic Frontier Foundation (EFF) .

I’m a web user. How can I use GPC to signal my privacy preferences to websites?

GPC is available for an increasing number of browsers and browser extensions, listed here . If you want to use GPC, you can download and enable it via a participating browser or browser extension. More information about downloading GPC is available here .

I’m a publisher, developer, or other service. How can I support GPC?

The GPC spec is easy to implement on a wide variety of websites and other services. The proposed specification and back-end implementation reference documentation are available here . For additional information, please feel free to reach out on Github or Twitter ( @globablprivctrl ).

I’m a policymaker. How can I support GPC or learn more about how it could apply in my jurisdiction?

As it is intended to invoke users’ privacy rights, we encourage policymakers from around the world to engage in the development of this specification. If you would like to learn more about how GPC could work in your jurisdiction, please contact us via email at info[at]globalprivacycontrol.org .

How can I get involved in developing the proposed specification?

GPC was initially introduced at the World Wide Web Consortium (W3C) Privacy Community Group (Privacy CG) in April 2020. A number of stakeholders are part of that community. There are ongoing discussions in the Privacy CG. Interested parties are encouraged to engage with the proposal here .

Additionally, GPC is currently being implemented across the web. A number of browsers, extensions, and publishers are supporting or implementing GPC (see below).

Get Involved

@globalprivctrl

What is Global Privacy Control? How organizations are teaming up to prevent your personal data from being sold

The Global Privacy Control (GPC) feature is a setting in some browsers and plug-ins to tell websites not to sell your personal data.
GPC is found in a small number of browsers and plug-ins, and compliance is optional.
The GPC is being developed by a consortium of tech companies and publishers.

The Global Privacy Control (GPC) is a technology initiative being spearheaded by a group of publishers and technology companies to create a global setting in web browsers that allows users to control their privacy online. This means you should be able to set the GPC control in your browser to prevent websites from selling your personal data.

Why the Global Privacy Control feature is important

In recent years, there has been increasing scrutiny on privacy rights online. In 2018, the European Union's General Data Protection Regulation (GDPR) went into effect, limiting the data websites can collect on EU citizens. The California Consumer Privacy Act (CCPA) is a similar legislative measure that went into effect in California in 2020.

While there is enhanced interest in online privacy and some governments are taking steps to limit what websites can do with user data, there is no global way for users to opt-out of having their personal information sold or used in ways they don't approve of. Every website that needs to comply with legal mandates — or simply implement more progressive privacy policies — must implement an opt-out mechanism on its own.

The GPC is built to inform websites not to sell user data. This is different from other privacy tools that might limit tracking but might still allow user data to be sold (or to sell that data itself).

When fully implemented, the GPC may allow you to opt-out of having your personal data sold by the websites you visit.

Status of the Global Privacy Control feature

Buoyed by these new laws, the GPC is intended to be a single, global setting users can activate in their web browser that signals to all websites the user's intention about their data privacy.

Currently, the specification is being written by an informal consortium of more than a dozen organizations including the Electronic Frontier Foundation (EFF), the National Science Foundation, The New York Times, Mozilla, The Washington Post, and Consumer Reports.

The specification that will govern how the GPC will be implemented and behave is still in development , though in principle, it simply allows a website to read a value (such as Sec-GPC-field-value = "1") to know that the user has chosen to opt-out of having their data sold.

A number of web browsers and browser extensions have implemented the GPC in its draft form. Moreover, adoption of the GPC privacy settings carries no legal weight. If you use a browser or extension with the GPC feature, at this time no websites are obligated to respect its setting — compliance with the GPC is voluntary.

Main content

To revisit this article, visit My Profile, then View saved stories .

Backchannel
Newsletters
WIRED Insider
WIRED Consulting

Gilad Edelman

The Privacy Battle That Apple Isn’t Fighting

For at least a decade, privacy advocates dreamed of a universal, legally enforceable “Do not track” setting . Now, at least in the most populous state in the US, that dream has become a reality. So why isn’t Apple—a company that increasingly uses privacy as a selling point —helping its customers take advantage of it?

When California passed the California Consumer Privacy Act in 2018, it came with a large asterisk. In theory, the law gives California residents the right to tell websites not to sell their personal data. In practice, exercising that right means clicking through an interminable number of privacy policies and cookie notices , one by one, on every site you visit. Only a masochist or a die-hard privacy enthusiast would go to the trouble of clicking through to the cookie settings every time they’re looking up a menu or buying a vacuum. Privacy will remain, for most people, a right that exists only on paper until there’s a simple one-click way to opt out of tracking across the whole internet.

The good news is, that ideal is inching closer and closer to reality. While the CCPA doesn’t explicitly mention a global opt-out, the regulations interpreting the law issued by the California attorney general in 2020 specified that businesses would have to honor one just as they do individual requests. The technology for a universal opt-out didn’t actually exist yet, but last fall, a coalition of companies, nonprofits, and publishers unveiled a technical specification for a global privacy control that can send a CCPA-enforceable “Do not track” signal at the browser or device level.

Today, if you live in California, you can enable the global privacy control by using a privacy browser like Brave or downloading a privacy extension, like DuckDuckGo or Privacy Badger, in whatever browser you already use. (Seriously, go do it. The full list of options is here .) Once you do, you’ll automatically tell sites you visit “Do not sell my personal information” without having to click anything—and, unlike with previous efforts to create a universal opt-out, any decent-size company that does business in California will be legally obligated to comply, which requires adding just a few lines of code to their website.

The state of CCPA enforcement remains murky, because some businesses object to the attorney general’s broad interpretation of the law. But California’s government has begun making clear that it intends to enforce the global privacy control requirement. (The more recently passed California Privacy Rights Act, which goes into full effect in 2023, makes this requirement more explicit.)

In mid-July, Digiday reported that attorney general Rob Bonta’s office had “sent at least 10 and possibly more than 20 companies letters that call on them to honor the GPC.” And an item appeared on a recent list of CCPA enforcement actions on the attorney general’s website noting that a company had been forced to start honoring the signal.

Keurig’s New Coffee Pods Are Completely Compostable&-but You’ll Need a New Machine to Use Them

Adrienne So

Space Force Is Planning a Military Exercise in Orbit

Stephen Clark, Ars Technica

Toronto Wants to Manage Storms and Floods&-With a Rain Tax

Now, the bad news. While it’s a lot easier to install a privacy extension or browser than click through a million privacy pages, the vast majority of people are still unlikely to do so. (It remains to be seen whether DuckDuckGo papering America’s highways and cities with billboards will inspire a new wave of privacy connoisseurs.)

This matters quite a bit, because online privacy rights are collective , not individual. The trouble with pervasive tracking is not merely that it can allow someone to access your personal location data and use it to ruin your life, as recently happened to a Catholic priest whose commercially available Grindr data revealed a pattern of frequenting gay bars. Even if you personally opt out of tracking, you’re still living in a world shaped by surveillance. Tracking-based advertising contributes to the decline of quality publications by eating away at the premium that advertisers pay to reach their audiences. Cheaper to find those readers on social media or even on bottom-feeding extremist news sites. It turbocharges the incentive to relentlessly maximize engagement on social media platforms. None of that will go away until a critical mass of people opt out of being tracked across the board.

That’s why one absence from the list of companies supporting the global privacy control is so conspicuous. Apple burnished its already strong reputation on privacy earlier this year by introducing App Tracking Transparency, a setting that flips the privacy default on iOS devices by forcing apps to get a user’s permission before sharing their data. That is a genuinely big step forward for privacy, since the difference between being opted out by default and opted in is enormous—and indeed, early reports suggest that most iPhone users are declining to give apps permission to track them.

But Apple, despite its stated (and heavily advertised) commitment to privacy, has not incorporated the global privacy control into Safari, the most popular mobile browser in the US and the second-most-popular desktop browser. Nor has it built it into iOS, which accounts for more than half of the US mobile operating system market. That means it’s not doing as much as it could to protect tens of millions of users from having their data sold and shared. The App Tracking Transparency framework is important, but it relies on Apple catching app developers who violate the policy. Safari’s tracking-prevention feature, meanwhile, relies on a technical approach to blocking cookies and other trackers that can often be circumvented.

“For years, companies have found ways to circumvent technical privacy protections. It’s basically an arms race,” says Ashkan Soltani, a privacy researcher who helped develop the global privacy control. “Technical tools are not enough. You need to have the force of law behind it.” That’s where the global privacy control is crucially different from existing tracking prevention. If a business disregards it, it isn’t just violating terms of service or evading some code—it’s breaking the law and risks being slapped with major fines or penalties.

So far, however, none of the biggest browsers have incorporated the feature, keeping it from widespread adoption. This is not shocking in the case of Google, which hasn’t added it to Chrome or Android: The world’s biggest surveillance advertising company is not exactly known for caring much about user privacy. (Google declined to comment for this story.) A Mozilla spokesperson said the company is “looking into the global privacy control and actively considering next steps in Firefox.” It isn’t clear why Apple hasn’t yet joined the party or whether it plans to in the future. The company didn’t respond to multiple requests for comment over the past week.

In the past, Apple has used software design and App Store policies to protect users, stepping into the vacuum created by the lack of comprehensive privacy legislation. Now, in California and any other states that follow its lead—Colorado, for example, will require businesses to honor the global privacy control starting in 2024—the law has finally gotten ahead of the technology. The public won’t start seeing the full benefits until the private sector catches up. If even a privacy-centric company like Apple isn’t interested, though, the wait might be longer than you'd think.

📩 The latest on tech, science, and more: Get our newsletters !
Hundreds of ways to get s#!+ done —and we still don't
Immortality should be an option in every video game
Venmo gets more private —but it's still not fully safe
How to share your wi-fi password
Virtual reality is the rich white kid of technology
👁️ Explore AI like never before with our new database
🎮 WIRED Games: Get the latest tips, reviews, and more
✨ Optimize your home life with our Gear team’s best picks, from robot vacuums to affordable mattresses to smart speakers

Global Privacy Control wants to succeed where Do Not Track failed

A new web standard is playing off of california’s powerful privacy law.

By Russell Brandom

Share this story

On today’s internet, information is nearly impossible to control. It’s become commonplace for a single website visit to spill over into targeted ads (often for something you’ve already bought) or unexpectedly canny spam emails. It’s assumed that information from your browsing history will be available to target your Instagram ads, and despite nominal commitments to privacy, tech companies have mostly given up trying to stop those data flows.

Privacy groups are hoping that a new standard, called Global Privacy Control , will change that. It’s designed as a global opt out, a general signal that users want as little data collection and sharing as possible. In particular, the GPC standard will let users signal that they don’t want services to share their data with third-party data brokers, something that is outside the reach of most modern privacy tools. The team hopes that this new signal will give users a way to protect their data after it’s been collected and ensure personal information doesn’t travel too far.

“You don’t know if they’re selling data on the back end”

“When you go to a website right now, you don’t know if they’re selling data on the back end,” says DuckDuckGo CEO Gabriel Weinberg, a central player in the project. “But we’re hoping that this signal will stop them from doing that, because it will be legally binding.”

The GPC standard sprang from a powerful but little-noticed provision in the California Consumer Privacy Act (CCPA), which was strengthened further with the passage of the California Privacy Rights Act in November . A provision in the law gives Californians the right to opt out of having their personal information sold by the sites they visit. Crucially, the law interprets “sell” as including any exchange of value, which could include being read broadly enough to go beyond outright data broker sales and into the endemic tracking pixels that power much of the advertising you see online.

“The right is supposed to prevent any third-party tracking,” says Ashkan Soltani, who worked on drafting the CCPA and CPRA and has been a pivotal force in drafting the new standard. “There hasn’t been too much enforcement yet but more importantly, people don’t know about it and can’t find the button, so not many people opt out…But the CCPA also has in it the right for users to opt-out through a global privacy control.”

Global Privacy Control is meant to automate that opt out, letting users click a single button on their browser instead of hunting for the opt out on every website they visit. Starting today , browsers from Brave and DuckDuckGo will send the GPC signal by default, and DuckDuckGo plugins will let you bring the same signal to Firefox and Chrome. Privacy Badger, Abine, and Disconnect.me have made similar moves to build the standard into their products. All told, project organizers estimate that 40 million users worldwide will be sending out the GPC signal through one product or another, giving them surprising political muscle when future privacy rules are written.

40 million users worldwide

Site partners like The New York Times , The Washington Post, and Meredith Digital have also agreed to respect the signal, and Automattic (the company that owns WordPress) will honor GPC in its self-hosted sites and internal ad network, spanning hundreds of thousands of sites. It’s a small group compared to the billions of Chrome and Safari users out there, but it will provide a proof-of-concept for the more private web the GPC team is trying to build.

There is still a long way to go before GPC is available outside the cloistered world of web privacy tools. None of the major browsers currently support GPC as a native privacy option, although Mozilla said it supports the effort. The team says they’ve submitted the standard to the W3C, but it will be a long road before it gets approved — with lots of opportunity for ad-friendly tech companies to throw a wrench in the works. The last time privacy advocates tried to build an opt-out system, this is where it fell apart, resulting in the short-lived Do Not Track standard of the mid-‘00s.

But GPC boosters like Weinberg say the CCPA and other pending privacy laws make things different this time. There’s a lot that still needs to happen before GPC has the force of law — in particular, the California attorney general will need to definitively state that the GPC counts as an opt out — but it would give the standard a power that Do Not Track never had.

“The CCPA has passed and the GDPR has provisions that we think map to this signal. So there’s a real case that those laws apply to Global Privacy Control, but it hasn’t been legally proven in the courts,” says Weinberg. “Ultimately, there will probably have to be court cases to fully establish what ‘sale’ means under CCPA and what ‘opt-out’ means under GDPR.”

The California attorney general’s office declined to comment for this piece, but AG Becerra said in a tweet that the standard “satisfies [the CCPA’s] legal requirement and protects privacy.”

The biggest lingering question is the long-simmering push for a federal privacy law , which privacy advocates have been fighting to get through Congress since 2016. As long as GPC relies on California privacy law, it will only matter to California residents — but a federal privacy law could open the standard up to the entire country and potentially strengthen GPC’s protections further. There’s also increasing ambition to expand the opt-out signal beyond the web to apps and the Internet of Things, although such a move would be years away.

Even if GPC gets full backing from legislators and courts, it won’t mean an end to targeted advertising or even data sharing. There’s still a lot of targeting that can be done within a single site, and the online ad world will surely get creative in finding loopholes that let them share data further. But establishing a robust opt-out system on the web would still mean a powerful shift in the way personal data works online — and potentially a start to cleaning up the bewildering tangle of data-sharing agreements online. As partners roll out and momentum builds, Weinberg thinks time is on his side.

“Our view is that websites really have to respect it,” says Weinberg. “It’s only a matter of time.”

Update 1/28 1:33PM ET: Included public statements from California AG Becerra, which were made after press time.

Spotify’s lossless audio could finally arrive as part of ‘Music Pro’ add-on

Oh no, i started playing fallout shelter again, galaxy ai features are coming to last-gen samsung phones — including the s21 series, tesla slashes price for monthly full self-driving subscription, the fitbit charge 5 is a steal at 50 percent off.

More from Policy

A graphic illustration representing the European Union flag.

The EU’s tough new moderation rules are about to cover a lot more of the internet

Apple unbanned Epic so it can make an iOS games store in the EU

An illustration depicting a feature-less face against a pink, white, and blue background.

New bill would let defendants inspect algorithms used against them in court

Accountable Tech And Design It For Us Lead A Rally To Protect Kids And Teens Online

Kids Online Safety Act gains enough supporters to pass the Senate

Newsletters

Site search

Israel-Hamas war
2024 election
Solar eclipse
Supreme Court
All explainers
Future Perfect

Filed under:

How your browser can make your online life a little more private

A new browser setting will do what Do Not Track didn’t, but you could switch to a more private browser right now.

Share this story

Share this on Facebook
Share this on Twitter
Share this on Reddit
Share All sharing options

Share All sharing options for: How your browser can make your online life a little more private

Safari and Chrome browser icons on a phone screen.

Data privacy laws are still a work in progress, but one major improvement is coming: Global Privacy Control, which — assuming everything works out — will let you automatically opt out of having your data sold or shared at every website you visit. For now, it doesn’t do much, but it is available if you want to add it to your browser. If nothing else, the recent launch of the new specification is a great opportunity to check out your browser’s privacy options — and your browser options in general.

Trackers hidden on the vast majority of websites collect as much information about us as possible and try to link that data to our actions online as well as off , typically to send us targeted ads. The idea behind Global Privacy Control would be to place a setting on your browser that tells every site you visit that you don’t want your data to be sold or shared with anyone else, and websites would have to respect your wishes. While some browsers have built-in tools (or available extensions) meant to stop tracking in the first place, they aren’t always effective, and they can’t do anything once your data is collected. And while laws like the California Consumer Privacy Act (CCPA) give users the right to request that businesses not sell their data, those users have to make that request of every site they visit, a process that is too time-consuming for most people. With Global Privacy Control, that request would be automatic, relayed as soon as you visit the site, and, if you’re in a location where it’s legally required — like California — websites would have to abide by your request.

If a browser extension that tells websites your privacy preferences sounds familiar, that’s because something like this has been tried before. Do Not Track, introduced in 2010, was an attempt by the Federal Trade Commission (FTC) to institute a sort of digital equivalent to the Do Not Call list: a browser extension or setting that tells websites you visit that you don’t want to be tracked. The problem with Do Not Track was that websites weren’t legally required to comply with it, so very few of them did.

Ashkan Soltani was part of the Do Not Track effort back in 2010 as a staff technologist at the FTC and has spent most of his career researching and investigating internet privacy and tracking. He’s the co-author of CCPA and an upcoming ballot measure in California called Proposition 24 that would amend it. Unsurprisingly, then, he’s also behind Global Privacy Control.

Soltani told Recode that he’s pretty optimistic that Global Privacy Control will be able to do what Do Not Track couldn’t. CCPA includes a provision for browser “global privacy controls” regarding data selling and sharing, and a requirement that websites follow them. Do Not Track couldn’t be used for this because “track” means more than just the sale or sharing of data; it’s too broad. Global Privacy Control, however, is more specific and limited to what the law requires.

“It would have been ideal if the [California attorney general] had adopted Do Not Track as the mechanism, but unfortunately their opinion was that couldn’t be used,” Soltani told Recode. “Hence, Global Privacy Control.”

The trick now is getting California to approve Global Privacy Control as the global privacy control called for in the law, at which point websites will be legally bound to follow it. In the meantime, a few websites have already agreed to do so voluntarily, including the New York Times and the Washington Post.

Global Privacy Control may not do much now, but if you want to get it for yourself, it’s available on DuckDuckGo’s mobile browser now and in the process of being added to the Brave’ s browser. Or you can get it through the Privacy Badger extension available for most browsers. But, as Wired points out, it could be several years before Global Privacy Control fully goes into effect, and there’s still no guarantee that it will.

In the meantime, why not take advantage of the web browser privacy options you do have? Some are better than others, as you’ll see, and even the best browser from a privacy standpoint has its downsides. And you should never assume that your web browsing is 100 percent private because data companies come up with new ways to follow you around the internet all the time. With that in mind, here’s a rundown on what’s out there.

Google Chrome: Popular but not very private

The most popular browser by far is Google’s Chrome , so it’s likely what you’re using to read this article right now. But it’s not the most private. In fact, it’s widely considered to be one of the worst. And no, Incognito Mode will not save you . The fact is, Google isn’t all that inclined to limit tracking on its services: The company has a massive ad business, part of which relies on the data it collects from users, and that data includes what those users do on its browser, including data acquired through the many trackers Google puts on websites. And, if you have a Google account and stay logged in while using Chrome, that will be linked to your account on Google’s other platforms, like Gmail and YouTube.

Having all of your accounts linked to one company in this way might be part of Chrome’s appeal for you and worth whatever privacy trade-offs you have to make. If you want to keep using Chrome, there are a few things you can do to reduce tracking. Chrome’s privacy settings let you block third-party cookies, and, in the settings for your Google account, you can turn off ad personalization and use activity controls to turn off things like web activity tracking and location history. You can also add browser extensions like Privacy Badger, DuckDuckGo , and Ghostery that block trackers. But why add a bunch of extensions when you can get a browser that already does the job?

Microsoft Edge: The new and improved Internet Explorer?

Microsoft used to dominate the browser market with its problematic Internet Explorer. That’s still around, but it’s quickly being replaced by the company’s recently revamped Edge browser, and Microsoft’s web browser market share is growing . Your default privacy settings block some trackers, and ad personalization should be turned off by default. You can log into your Microsoft account to link Edge with whatever other Microsoft platforms you use, but if the goal here is privacy, that might not be the best idea. If you must, Microsoft does have a privacy dashboard that you can use to control privacy settings across your account, including turning off personalized ads.

A recent study said Edge was one of the worst browsers for privacy — worse than Chrome, even — because it sent an identifier back to Microsoft’s servers. Because the identifier was linked to the device’s hardware, it couldn’t be changed or reset. That should no longer be the case, but it’s something to keep in mind.

Safari: Only for Apple and rather private

Safari is Apple’s native browser, which means it’s also only available for Apple devices (a Windows version is no longer supported). Privacy has long been a selling point for Apple, and it is for Safari as well. Many privacy protections, like blocking third-party cookies, are on by default. Safari also limits the amount of data collected from you and stops trackers from following your activity around the internet, and you can easily find out which trackers are trying to follow you across websites (just click on the little shield icon in the toolbar). It’s always enlightening to give privacy reports like that a read, just to get a sense of who is tracking you, how often, and where.

Firefox: A browser not built by a major tech company

Firefox comes from Mozilla, another company that has made privacy part of its business model — it’s actually part of Mozilla’s manifesto and its nonprofit foundation’s new “ Unfck the Internet ” campaign — and which continues to roll out improved privacy protections to keep up with the evolving tracking technology ecosystem. It blocks trackers, third-party cookies are off by default, and Mozilla is working on ways to block fingerprinting , which can track you even if you have cookies blocked.

Browsers built for privacy

Even more private is Brave , which was built specifically to be a private browsing experience as well as a faster one: it blocks ads by default, along with other trackers. Brave also lets you use Tor in its “private window” feature — more on Tor later. There’s also DuckDuckGo , which is best known as a privacy-first search engine but now offers a mobile browser. Ghostery , which began life as a browser extension that blocked trackers, has also gotten into the mobile browser game.

And then there’s Tor

Tor is as private as it gets. Your traffic is encrypted and routed through several nodes before it reaches its final destination, so not even your ISP will know where you go. And you’re in private (or incognito) mode by default, which means all cookies and site data from your session are deleted as soon as you close the browser. That’s why Tor is known as the browser of choice for people who want to do illegal things on the dark web. But privacy is for everyone, not just criminals. The big trade-off with Tor is that all that encrypted routing means pages take longer to load, and some sites block traffic from the Tor network entirely.

If you’ve never thought much about any of this before, Tor might seem like a pretty extreme step to take. Fortunately, there are other options out there that will improve your privacy without sacrificing your web browsing experience. And while we wait for privacy laws and tools like Global Privacy Control to become available, they’re a good way to keep your data out of someone else’s hands.

Open Sourced is made possible by Omidyar Network. All Open Sourced content is editorially independent and produced by our journalists.

Will you support Vox today?

We believe that everyone deserves to understand the world that they live in. That kind of knowledge helps create better citizens, neighbors, friends, parents, and stewards of this planet. Producing deeply researched, explanatory journalism takes resources. You can support this mission by making a financial gift to Vox today. Will you join us?

We accept credit card, Apple Pay, and Google Pay. You can also contribute via

Next Up In Technology

Understand the world with a daily explainer plus the most compelling stories of the day.

Thanks for signing up!

Check your inbox for a welcome email.

Oops. Something went wrong. Please enter a valid email and try again.

Iran’s retaliatory attack against Israel, briefly explained

An illustration of a man floating in the air on his back encircled by several floating objects: a chair, a wall clock, a turtleneck sweater, a potted plant, a curtain and rod, a book, and two plates.

Life is hard. Can philosophy help?

Several pro-Trump yard signs are displayed in the grass, printed with slogans like “Gun Owners 4 Trump,” “Defend Our Liberty,” and “Stop Election Fraud.”

Don’t sneer at white rural voters — or delude yourself about their politics

A hand wearing a surgical glove holds a vaccine vial that says “Measles Mumps Rubella Vaccine.” A syringe is visible in the background.

You probably shouldn’t panic about measles — yet

President Biden speaks onstage at a lectern beside a screen that reads “canceling student debt.”

Biden’s student loan forgiveness plan, explained

A silhouetted person sitting in front of six computer screens full of data.

A hack nearly gained access to millions of computers. Here’s what we should learn from this.

Consent Management

Compliance Monitoring

DSAR Handling

Privacy Measurement

FOR INDUSTRIES

For Publishers

Sourcepoint Blog

Sourcepoint help center.

Diversity & Inclusion

Privacy Notice

Privacy and consent management. Proprietary scanning technology. Unparalleled insights and analytics.

PRIVACY MANAGEMENT

Capture, manage, and optimize consumer privacy preferences.

Automate your vendor assessment process.

Streamline data subject access requests.

DOCUMENTATION

Visit our help center to view product documentation.

Dive into best practices with our experts and learn about client use cases.

Navigating US privacy rules of sensitive data

What’s behind the surge in VPPA class actions

Consent requirements and challenges for mobile games

CASE STUDIES

How they adapted their Consent or Pay model

How they supercharged their consent management strategy

How they scaled their compliance monitoring workflows

A LITTLE PRIVACY, PLEASE

Stay up-to-date with the latest industry news & information.

LATEST POSTS

Cppa issues an enforcement advisory on data minimization.

Their first "enforcement advisory", reminds companies of their data minimization obligations, specifically in the...

Kentucky sends comprehensive privacy bill to governor

Kentucky's privacy bill mirrors Virginia's, is set for 2026. excluding universal opt-outs, is set...

FEATURED POSTS

Since 2015, we’ve been helping the world’s most influential brands to turn privacy compliance into a catalyst for better business outcomes.

LEADERSHIP TEAM

We’re digital veterans uniquely positioned to help enterprises tackle complex privacy challenges.

Sourcepoint Partners with Freestar to Provide Access to Portfolio of Leading Privacy Solutions

Sourcepoint partners with Freestar to offer top privacy solutions, helping clients navigate global regulations...

Sourcepoint CMP Tackles Future of US Privacy with New Sensitive Data Opt-in Functionality

Sourcepoint’s feature supports a new model for consent in the U.S. that has so...

We seek to foster an environment that attracts the best talent, values diversity of life experiences and perspectives, and encourages innovation.

We’re hiring! Be a part of an organization where you can have an impact every day.

What is Global Privacy Control? Frequently Asked Questions

According to their website, Global Privacy Control (GPC) ‘s aim is to make it easier for consumers to exercise their privacy rights. Much like the Do Not Track plug-ins of the past, GPC helps users communicate a desire to not be tracked online. More specifically, they are focused on enabling users to opt out of the sale of their personal information at the browser level.

First introduced in October 2020, GPC announced in January 2021 a milestone in adoption and the support of major publishers and consent management platforms, including Sourcepoint. They later received the backing of California attorney general Rob Bonta, with his office issuing letters to several companies in July 2021 to reinforce the requirement under CCPA to honor the GPC signal.

On August 24, 2022, AG Bonta announced a $1.2 million settlement with retailer Sephora , resolving allegations that it violated CCPA, including failure to process opt-out requests via user-enabled global privacy controls

What is Global Privacy Control?

Global Privacy Control is a technical specification for transmitting universal opt-out signals, also sometimes referred to as a universal opt-out mechanism. The initiative is supported by a consortium of privacy-focused organizations such as the Brave browser and DuckDuckGo , as well as well-known publishers like the New York Times and The Washington Post . For now, the signal is tailored for California’s Consumer Privacy Act (CCPA), which gives Californians the right to opt-out of the sale of their data. But the FAQs on the GPC website says that it is “possible that a GPC signal opting out of processing could create a legally binding obligation for data processors,” making it potentially relevant to GDPR in the future.

How does Global Privacy Control work?

To take advantage of the GPC tool, users need to download a browser or extension that supports the signal . Similar to managing an ad-block extension, users can turn on the GPC signal for all websites they visit or each individual website. When visiting a website that supports GPC, that website will automatically register the browser request to Not Sell Personal Info. Here’s what that experience looks like with the Blur extension by Abine.

How is Global Privacy Control different from Do Not Track (DNT)?

Do Not Track was a plug-in offered by major browsers that, when turned on, added a header to browser metadata when initiating a connection with servers. However no servers knew how to interpret the header, nor were they required to, so they often ignored it. With lack of legislative action, it became clear that it would fail. The nail in the coffin was when Apple disabled DNT on Safari because websites could single out its users, making it (ironically) particularly useful for fingerprinting.

The main difference with GPC is that browser-level user-enabled requests could be made legally binding : CCPA final regulations already require all businesses to honor user requests via user-enabled global privacy controls.

Enforcement actions are currently the responsibility of the attorney general (who has already sent enforcement letters to companies that did not honor GPC), as well as the California Privacy Protection Agency created under CPRA .

In October 2021, the newly created California Privacy Protection Agency (CPPA) announced that Ashkan Soltani , former chief technologist at the FTC and one of the leading advocates for the GPC initiative, would be the CPPA’s first executive director.

What’s next for Global Privacy Control?

The group behind GPC said it has been working with the California AG’s office to make GPC legally binding under CCPA. With the support of AG Bonta, they have a better chance at increasing adoption and creating a set of legally binding technical specifications. They are also exploring GPC’s applicability and functionality with regard to other privacy laws, such as GDPR.

In November 2021, the California Privacy Protection Agency made a request for comments on CPRA rulemaking . The draft regulations mandate that applicable businesses respect “opt-out preference signals.” In 2023, CPRA will likely continue to mandate respect of universal opt-out mechanisms, with options for creating friction.

Meanwhile, Colorado and Connecticut will require respect of opt-out requests via universal opt-out mechanisms in 2024 and 2025, respectively.

As one of the first consent management platforms to support GPC in the market, we think we can shed some light on the topic. Watch our webinar on demand to learn:

The relationship between GPC and universal opt-out
Relevant jurisdictions and effective deadlines
Use cases for creating friction
Market adoption of GPC so far
Best practices for respecting the GPC signal
How to set up the Sourcepoint CMP to respect the signal

As always, you can read our product documentation about how to respect Global Privacy Control (GPC) signals or get in touch .

Latest Blog Posts

Their first "enforcement advisory", reminds companies of their data...

Kentucky's privacy bill mirrors Virginia's, is set for 2026....

HHS clarifies application of HIPAA to online tracking technologies

New guidance from HHS suggests that under some conditions, using...

Latest White Papers

Benchmark Report: US Privacy Compliance

The current state of publisher compliance with CCPA, and...

Ebook: A Publisher’s Guide to Vendor List Curation

How to review your vendor list to mitigate compliance...

Keep in touch

Let's explore what we can do together.

We'll be in touch within 48 hours

Global Privacy Control: What is it & Why it Matters

If you've been online, you've probably seen the term GPC and wondered what it means. GPC stands for Global Privacy Control.

In this article, we will learn all about what it is, how it works, why it's important, and how global privacy even works.

Let's get started.

Key Takeaways

GPC is dedicated to improving the privacy of online users by automatically sending a signal to websites being visited and communicating users' privacy preferences.
The GPC initiative allows users the freedom to control their personal data and how and when their personal details get to be used by any advertiser or online business.
Regulations in California, like the California Privacy Rights Act, allow for penalties to be imposed on businesses that do not comply with both the CCPA and GPC regulations.

What is Global Privacy Control?

Global Privacy Control (GPC) gives internet users the option to control what is done with their personal information and their privacy preferences. The GPC will allow the user to select their personal privacy preferences, and websites will need to follow them.

After you decide what information the website can use, the GPC will inform the website via a Global Privacy Control signal so they can handle your preferences accordingly.

GPC was created as a way to optimize user experience while visiting different websites and provide privacy controls. Before the Global privacy signal, if users wanted to opt out of having their personal information collected from a website, they would have to do this manually at each website.

Now, with GPC options for certain browsers , users set their preferences for all websites using the web browser settings, which means it uses your preferences automatically without needing to change them within each website.

GPC was also created to help consumers exercise their right to privacy by disabling third-party tracking and illegally selling and sharing consumers' data without their permission. This helps build up trust between the website and the users as they know their information is safe.

The GPC was also designed to support existing privacy legislation in the US to protect consumers' rights and ensure that businesses are following regulatory guidelines such as those set out by the California Consumer Protection Act (CCPA) .

For example, the CCPA will investigate where GPC picks up a conflicting signal when a consumer visits the website. It will also notify the business of the conflict and give the user a privacy notice and an opportunity to confirm their settings.

How Does Global Privacy Control Work?

Simply put, the GPC is a technical specification for a browser setting or enabled extension that notifies websites of the user's privacy preferences by transmitting universal opt-out signals using binary options to allow website visitors to opt out of sharing personal information at the browser level.

To exercise their right to opt out of any sharing and sale of their personal data, users need to only set up the GPC setting or extension once.

The GPC then subsequently communicates those preferences every time a user is asked for their consent. The GPC setting allows for automatically communicated responses to the likes of opt-in or opt-out choices regarding cookie use, data sharing or sale of personal data, or targeted advertising.

These preferences can be as simple as disallowing all access to the user's personal data or more specific requests by communicating permission for some uses and refusing other user data collection and usage.

Data security is important for private users and especially for business users, where websites with malicious intent can track sensitive, confidential information. Those serious about data protection should consider using dedicated GPC-native browsers like Firefox, Brave, and DuckDuckGo, which all support GPC.

Private and commercial users must bear in mind that not all consumer or corporate business websites are GPC compliant and, thus, should ensure that whatever browser they use can block requests from these sites.

How is Global Privacy Control Different from Do Not Track?

The GPC initiative differs from Do Not Track (DNT) as the GPC has become, in some cases, a legally enforceable and more standardized, more complete communication signal, allowing online users to communicate their privacy preferences compared to DNT.

DNT, as an earlier development, lacked any uniform legal enforcement, with many websites refusing to honor the DNT requests.

GPC, however, from the outset, was designed to comply with existing privacy laws and assist businesses in meeting their legal requirements as set by privacy regulations, including the California Consumer Protection Act ( CCPA ), where businesses are required to respect the GPC signal in California, where the data privacy laws include the requirement .

In the GPC proposal, the text outlines how the GPC signal will also be used to communicate the "Do Not Sell" requests to comply with the CCPA.

Another key difference is the wider recognition of GPC by advertisers and publishers alike. First seen in 2009, DNT suffered from the lack of support as no agreement was ever reached in finding a standard solution to respond to a browser's do not track signal. This lack of a solution was not beneficial to advertisers or publishers.

How is Global Privacy Control Different from Consent Management Platforms?

The GPC and Consent Management Platforms (CMP) must comply with any applicable data protection laws. However, they have distinct purposes. CMP assists businesses in collecting personal data only after receiving explicit consent from the user.

Internationally, laws like the European General Data Protection Regulation, China’s PIPL, and the Brazilian General Data Protection Law require businesses to obtain explicit user consent before data collection.

The CMP assists publishers in honoring customers' requests with built-in functionalities that make it easier for businesses to request data, obtain the data, and withdraw any consent previously given.

With the implementation of a GPC and a CMP, online businesses will ensure compliance with data protection regulations to avoid legal challenges and be able to prioritize their user's privacy, building trust with visitors to their websites.

Benefits of Global Privacy Control

The GPC, as initiated by the 50-plus organizations hosting tens of thousands of websites, set out to find a simplified and universal way to make it easy for the estimated 4.66 billion internet users to enhance their data privacy .

Enhanced User Privacy

With so many users online, GPC allows users to browse their favorite sites confidently, knowing that their personal privacy is automatically guaranteed.

Ease of Use

The GPC allows internet users the convenient solution of implementing a browser setting once only without the need to click on any pop-ups every time a new website is visited. This is of particular importance for business users where operational efficiency is key.

Compliance with Privacy Laws

Using the GPC will help businesses avoid the associated costs and inconveniences of legal actions by complying with all regulatory privacy laws like the CCPA.

Businesses should ensure that consumers are given a no-hassle and easy option to opt out of the collection and processing of their personal information to help them remain in compliance with privacy laws.

Increases Customer Trust

Commercial websites are the online face of any business. Building trust with visitors is essential to both encourage online traffic and retain visitors to the website.

This makes your company's websites and apps GPC compatible and will lead to transparency and building trust, promoting growth.

Limitations of Global Privacy Control

As mentioned, the State of California is the only US state enforcing the GPC with its privacy laws, with Colorado and Connecticut following suit in 2024 and 2025, respectively, with the Connecticut Data Privacy Act and Colorado Privacy Act. This effectively limits the implementation of GPC to users based only in California.

Limited adoption

The largest browsers, such as market leaders Google Chrome, with a share of internet users close to 64% , and Apple's Safari, at 19.85% market share, not supporting the GPC as anticipated, equates to a low 16% of the internet users that are not being offered the benefits of GPC.

Complex to implement

For any business, the implementation of GPC is not as simple as pushing a button. GPC needs to work with any compliance strategies in place to differentiate between selling or sharing data collection and usage and to ultimately link to the GPC signal.

Legal Enforcement

With only the CCPA regulations requiring legal compliance with the GPC, currently, businesses need only be concerned with Californian customers' data collection and privacy settings.

Not a replacement for privacy regulations

The GPC is merely a mechanism that makes it easy for an online user to opt out when visiting a website. The GPC does not replace any privacy regulations.

How Can Users Implement Global Privacy Control?

By using compatible browsers, users can enable settings or extensions to implement GPC.

A number of compatible browsers support GPC, such as:

Mozilla Firefox

Mozilla was one of the early supporters of the CCPA and, in 2020, became one of the founding members of the GPC.

Duck Duck Go

DuckDuckGo uses GPC as a default setting in their mobile apps on iOS/Android and on desktop extensions, helping users keep their privacy.

Privacy Badger

The extension Privacy Badger , prevents advertisers and other third-party trackers from secretly tracking users.

Badger disallows any "third party" scripts or images that may seem to be tracking a user despite the user having denied consent by sending the appropriate DNT and GPC signals.

What Happens if You Don't Comply with CCPA's GPC Regulations?

The bottom line is that if your online business is not compliant with the CCPA and GPC regulations, you may be the recipient of a CCPA fine .

If the CCPA made effective in January 2020 applies to your online business, any violation of the law will result in enforcement action by the California Attorney General along with the applicable fine.

Fines have an upper cap of $7,500 per intentional violation and $2,500 per non-intentional violation. These may appear to be small penalties, but it will be in a business's best interest to remember these penalties are for just a single consumer. Violate the trust of a few thousand consumers, and it adds up rather quickly.

Not only are penalties possible from the Attorney General, but consumers have the private right of action for these data breach violations that can also lead to civil penalties.

If found in violation, the Attorney General will give the business a 30-day remedy period to bring their procedures into compliance. If remedial action is not satisfactory after this period, penalties are imposed.

The buying and selling of information is big business not only in the US but globally. Advertisers and online commerce make good use of personal data to target prospective customers and grow their interests. However, not everybody is happy to share their details.

The GPC initiative was implemented to be on the side of the consumer, helping users to automatically protect their personal data simply by using the right setting on their browser of choice.

So, if you’re a business and you’re wondering what the next steps are - it’s action. If the CCPA applies to you, you need to follow its guidelines.

That’s where we come in. Captain Compliance has centuries of collective experience to help you navigate privacy regulations properly. Get in touch today!

How do I turn on global privacy control?

The best way to have GPC on your browser is to use a browser that has a GPC signal built in, such as Firefox, Brave, or DuckDuckGo.

Learn more about privacy regulations at our education page.

Does Chrome have global privacy control?

No, users can, however, download a GPC extension such as Privacy Badger to enable GPC.

Does Californian data regulations apply to you? Find out here.

How do you test global privacy control?

Enabling a GPC signal in a compatible browser and visiting supported websites will help verify whether those websites are respecting your privacy preferences.

Here’s our complete guide to implementing cookie consent on your website.

Can an American online business be fined for non-compliance with GPC?

If the online visitor happens to be in California, your business is under the scope of Californian law, and their personal data is collected without their express consent, then yes, a fine is possible.

Find out what the CCPA fines are and how to avoid them here.

Adrian Hori

Want to highlight a helpful answer? Upvote!

Did someone help you, or did an answer or User Tip resolve your issue? Upvote by selecting the upvote arrow. Your feedback helps others! Learn more about when to upvote >

Global Privacy Control Opt-In?

Is there a way to opt-in to the Global Privacy Control that works alongside the California Consumer Privacy Act of 2020, and the California Privacy Rights Act of 2020? Is that necessary to be done with my using the Safari browser made by Apple? Am I already opted-in by default, or is there a specific setting that I can use to make it clear to ALL websites on the internet that this is my intention?

iPhone SE, iOS 17

Posted on Sep 30, 2023 3:35 PM

Posted on Jan 12, 2024 6:11 PM

I love my Apple protections and use them all. However, starting Jan 1, 2024 businesses are required to honor GPC and to do it without any further action my me than sending the signal. This is valuable. It stops the automatic data theft-sell-share. It provides benefits that are different from the Apple benefits. It doesn’t make Apple privacy obsolete. They can complement each other. The California Attorney General has started enforcement actions. I want Apple to add it to our arsenal. This is a very visible chance for Apple to make good on privacy and get a lot of goodwill. I don’t want to have to learn some other system to get GPC. But I will have to give up Private Relay and Safari for a browser with GPC and VPN if Apple won’t get on board.

Loading page content

Page content loaded

Jan 12, 2024 6:11 PM in response to Lawrence Finch

Jan 17, 2024 7:38 PM in response to Lawrence Finch

I haven’t heard anyone say GPC is perfect. And no one will force you to use it, either. You are free to pass on it.

Yet it does offer something valuable to me, and I should not be prevented from making my own privacy choices.

FYI, I had occasion to read two privacy policies last week from respected national corporations with local stores for many years. Those ‘respectable’ websites did indeed offer a level of privacy. I would rate that level well below zero. They were scary bad. I would call it data rape. Yes, that bad.

First they raise the prices sky high to create interest for their ‘reward’s membership’ discounts. That worked. Trying to afford life, I inquired. I learned an ID plus email are required. The ID makes sure they can tie it to you and send ads, coupons, etc. These ‘discounts’ back off the inflated prices and get them back to the recent high levels. It’s blackmail, plain and simple. The ‘respectable’ privacy policies attached add up to data rape. It’s very calculated and amoral. And it is common and virtually unavoidable unless there is a tool like GPC to use. So, that’s how I came to be interested in GPC. That’s all just to give you some perspective. It doesn’t matter whether you or anyone thinks all that is A-OK.

What matters is that my privacy buddy Apple is denying me and you the right to make our own choices on GBC. The effort for Apple would be like the flick of a finger. Just a few lines of code in an update. Then each person decides for themselves. That is the American way, isn’t it?

Sep 30, 2023 5:18 PM in response to MoonDog2019

That’s a really good question. Safari has a number of privacy features, some of which exceed the requirements of GPC. But keep in mind that GPC just is a way to tell sites you don’t want to be tracked. Not all sites honor those requests; I would guess that the vast majority of the billions of sites in the world do not, as it is only a requirement in California and Colorado. There are other browsers that do implement GPC, but remember that it is only meaningful when you visit sites that have agreed to honor it. Here is a link to the browsers that support GPC→ https://globalprivacycontrol.org/#download

There are options in Safari to hide who you are when you visit sites; you can enable that in 2 places: Settings/Safari/Advanced/Advanced Tracking and Fingerprint Protection, and iCloud+ Private Relay. This will not prevent the site from using the information you enter to track you, but it will assure anonymity if you don’t identify yourself.

Here is more detailed information on Apple privacy features→ Privacy - Apple

Jan 13, 2024 8:17 AM in response to Jungleyard

I was going on a Wired article that said there were. However, you are correct, I couldn’t find any.

From my perspective, GPC is mostly smoke and mirrors, along with SPF, DKIM and DMARC for email, each of which, when implemented, was the Next Great Thing to block spam. Have you noticed how effective they are? Google has just announced that starting next month gmail will block all incoming email that does not implement all 3-SPF, DKIM and DMARC. We’ll see if it makes a difference.

GPC says to websites “please don’t track me”. Sites do not have to honor it, and the ones most likely to honor it already have similar policies. The ones that don’t currently aren’t going to change. So the choice of Apple’s iCloud Private Relay, which hides who you are, or GPC, which reveals who you are, but says “don’t use the information I have just given you” leans towards Private Relay.

I agree it would be the best of both worlds if Apple implemented GPC, but GPC is much less than meets the eye. It does NOT require sites to honor it, unless the sites are hosted in California (but not if they are hosted in the Maldives). And I suspect the reason Apple has not implemented it is they feel it would provide a false sense of security.

Jan 16, 2024 9:52 PM in response to Lawrence Finch

I think the reality is more complex and less anonymous than you describe. Are you claiming my ISP cannot see my search or which site I go to? I use all those options. I like them. I also do not want to be profiled by trackers. About Global Privacy Control: No one can say how the enforcement will play out. But it is a law, not just a nice idea. I suggest people do some reading and learn the facts. A search will bring up Global Privacy Control.org. There is no need for private relay and Global privacy control to be positioned as choose one over the other. I have uses for both. I want both. Apple says respect and defend privacy and I totally agree. Let’s defend! GPC helps with that.

Jan 17, 2024 7:54 AM in response to Jungleyard

My complaint with GPC is it promises much more than it delivers, and provides a false sense of security. Most “respectable” websites already provide some level of privacy. And the less respectable ones aren’t going to change their policies for no “stinkin’ GPC”.

Jan 12, 2024 6:43 PM in response to Lawrence Finch

See my previous post on the subject of GPC. In addition there are Safari and Firefox extensions that implement GPC, such as DuckDuckGo

Jan 12, 2024 7:07 PM in response to Lawrence Finch

Yes, I did read your reply before I spoke. This week I spent many minutes trying to get GPC onto my phone. I could not find a single Safari extension with GPC. Kindly name some.

--------------------------------

Privacy & Compliance

What is Global Privacy Control? How Universal Opt-Out is Changing Consent & Compliance

Jeffrey edwards.

Privacy & Compliance | December 13, 2022

Privacy is a growing priority for web users. An overwhelming 84 percent of Americans say they are concerned about the safety and privacy of their personal data on the Internet, according to recent research from Ipsos . And while the introduction of data privacy laws like the EU’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and the Colorado Privacy Act (CPA) has given consumers more control over their personal data and privacy than ever before, many privacy advocates, and even some regulators, argue that online privacy still has a long way to go.

One frequent sticking point is the complication of managing user privacy preferences. Frankly, managing privacy preferences across the web is not nearly as straightforward as it should be.

Users must interact with different consent forms, cookie banners, and privacy policies for every website they visit — a tedious process that confuses consumers and degrades the user experience, resulting in inconsistent privacy controls that can leave users unprotected and businesses non-compliant with legal regulations.

To address this problem, there’s a growing call to implement a Global Privacy signal, also known as a Universal Opt-Out Method (UOOM), or an opt-out preference signal: a browser feature that would signal the user’s privacy preferences to every website they visit, streamlining the consent management process across the internet and improving user experience.

In fact, some leading privacy laws, like California’s CPRA and Colorado’s CPA, have already set timelines for recognizing and implementing global privacy signals to manage consent for data collection and processing.

Let’s look at what the changes mean for users and marketing professionals, and how businesses can stay compliant with evolving regulations.

Note: We will primarily be covering the Global Privacy Control , the most widely adopted opt-out method so far, but the concepts covered apply to all universal opt-out methods.

Table of Contents

What is a Global Privacy Signal?

First off, it’s important to separate the concept of a universal out-out method from the technical reality of the Global Privacy Control.

What is a Universal Opt-Out Method AKA Opt-Out Preference Signal?

When regulators first began entertaining the idea of a universal opt-out for privacy concerns, no such tool actually existed, and so, rather than setting out technical requirements for privacy signals, regulators outlined the concept of universal opt-out signals as a universal mechanism or system that lets internet users easily signal their personal data and privacy settings on a global scale.

Law makers in California envisioned this signal as a way to convey the users preferences regarding the sale or sharing of their personal data, but other privacy advocates have imagined a broader toolset that lets users manage and control their data to a greater extent. This could include ability to view and control which personal information is shared, with whom it is shared, and for what purposes it is shared.

While regulators did not initially set forth technical requirements for universal opt-out methods, most set deadlines to do so once the number of available prefernce signals has grown, and many regulators, such as those in Colorado have promised to maintain a public list or recognized UOOMs.

Struggling with consent management and compliance? CHEQ can help. Schedule a demo today.

What is the Global Privacy Control?

The Global Privacy Control (GPC) is a proposed technical specification that transmits a binary code, which, when set to true, notifies websites of a visitor’s privacy preferences (e.g., not to share or sell their personal data.), giving internet users the ability to make a one-time privacy choice on their browser, rather than submitting consent manually to each website.

The Global Privacy Control is supported and developed by a group of privacy-focused organizations and businesses, including Mozilla, The New York Times, Brave, DuckDuckGo, The Washington Post, Consumer Reports, and the Electronic Frontier Foundation.

The current iteration of the Global Privacy Control is tailored to the CPRA and transmits do-not-sell and do-not-share preferences via a binary code, which, when set to true, indicates that the user does not wish for websites to sell or share their personal information with third parties.

To use the Global Privacy Control, users must download a browser or extension that supports the technology; from there, they can turn on the UOOM and set their privacy preferences. The browser will send the GPC signal to all the websites they visit, and participating ones will act on the requests automatically.

The Benefits of Global Privacy Signals

For users, the benefits of such preference signals are obvious. Consent banners are annoying and time-consuming, and having a one-stop shop to decline all of them would improve the browsing experience and save time.

Legal teams, like users, are another potential beneficiary of the technology. The GPC provides an open standard for businesses and advertisers to make compliance with an increasingly wide array of data privacy laws much less daunting — ultimately streamlining their online marketing efforts.

While GPC is currently a response to CCPA and CPRA , implementing the technology can help future-proof your compliance effort as California’s focus on GPC may trigger a wave of GPC enforcement across various states with similar privacy laws.

For marketers, on the other hand, the prospect of a blanket ‘no’ to all data collection and processing may seem daunting. At first glance, GPC may seem to hinder a company’s ability to collect customer data to inform its marketing decisions. However, it can help you build trust with consumers and reinforce your brand’s reputation in the long run by empowering website visitors to control their data, and, if certain processing is required to improve user experience or present valuable offers, it is still legal to request consent and make your case.

How are Global Privacy Controls Different from ‘Do Not Track’?

The main difference with GPC is that browser-level user-enabled requests could be made legally binding: CPRA final regulations already require all businesses to honor user requests via user-enabled global privacy controls.

In October 2021, the newly created California Privacy Protection Agency (CPPA) announced that Ashkan Soltani, former chief technologist at the FTC and one of the leading advocates for the GPC initiative, would be the CPPA’s first executive director.

Global Privacy Signals and Compliance Requirements

Some states, including California and Colorado, have already incorporated global privacy signals into their privacy laws:

California’s landmark privacy legislation, the California Consumer Privacy Act (CCPA) was updated in 2021 to clarify that global privacy signals“must be honored by covered businesses as a valid consumer request to stop the sale of personal information.” The California Privacy Rights Act (CPRA), which has further requirements to recognize GPC, goes into effect on January 1, 2023. Under the CPRA, covered businesses will be required to honor universal opt-out signals like the GPC, and treat them as a valid consumer request to opt out of the selling or sharing of personal information.

If the opt-out signal conflicts with other user elections, it will be given preference as a default matter. A business that recognizes these opt-out signals doesn’t need to provide opt-out links on its website but must disclose the decision in its privacy policy. CPRA also requires companies to let website visitors know they have processed their GPC signals.

But a business may be able to circumvent the requirements by providing a link to a web page where visitors can consent to its decision of not using the opt-out signal. The page must also give users the ability to revoke their consent without degrading the user experience on the website.

Lawmakers in California have wasted no time in moving forward with universal opt-out. In July 2022, California attorney general Rob Bonta publicly backed the Global Privacy Control specification by issuing letters to several companies reinforcing the requirement under CCPA to honor the signal, and in August 2022, Bonta announced a $1.2 million settlement with makeup retailer Sephora, based on allegations that the company had failed to comply with CCPA, and specifically :had failed to process user opt-out requests via user enabled global privacy controls.”

The Colorado Privacy Act (CPA) introduced UOOM to allow consumers to communicate their opt-out preferences to all data controllers without submitting individual requests. The draft rules also outline technical specifications for maintaining a public list of recognized UOOMs. The Colorado Attorney General (AG) will have until July 1, 2023, to finalize the details.

Data controllers must comply with the CPA by July 1, 2024 — making Colorado the first state that explicitly requires businesses to honor universal, user-selected opt-out signals for targeted advertising and sales of personal data. Additionally, the UOOM must meet the technical specifications issued by the state AG.

The UOOM cannot be a default setting under the CPA. It must represent a user’s affirmative and unambiguous choice to opt-out of the sales of personal data. The process must be consumer-friendly, communicated in clear language, and consistent with other mechanisms required by US laws.

Connecticut

Connecticut’s SB 6, signed into law by Governor Ned Lamont in May 2022, Gives Connecticut consumers the right to opt-out of processing personal data for the purposes of targeted advertising, profiling, or the sale of personal data. Websites are required to post opt-out links on their websites, and as of January 1st, 2025, will be required to recognized opt-out preference signal[s]” sent via a universal opt-out mechanism.

EU: The GPDR and Global Privacy Signals

The EU’s General Data Protection Regulation (GDPR), is widely regarded as the worlds strongest privacy law, and it sets out a number of principles and rights related to the protection of personal data, including the right of individuals to control how their personal data is used and shared. But, the GDPR does not specifically mention global privacy controls. While global privacy controls may be a useful mechanism for individuals to exercise their rights under the GDPR, the GDPR does not require organizations to implement them.

In the specifications of GPC , the signal’s creators outline a potential reading of the GDPR that would require recognition of the GPC, claiming that “The GDPR requires that “Natural persons should have control of their own personal data” ([GDPR], Recital 7). The GPC signal is intended to convey a general request that data controllers limit the sale or sharing of the user’s personal data to other data controllers ([GDPR] Articles 7 & 21). This request is expressed with every interaction that the user agent has with the server.” However, lawmakers in the EU have given no clarification on the matter.

What about other jurisdictions?

In jurisdictions where there are no universal opt-out signal compliance requirements, websites may choose to ignore opt-out signals.

What’s Next for Global Privacy Controls?

AG Rob Bonta issued a press release after bringing the first CCPA enforcement action against Sephora for violating the CCPA’s “Do Not Sell” provision. It stated that businesses must “[f]ollow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls.”

Since California is a technology and data privacy bellwether, its approach to GPC is likely a sign of things to come. As more states adopt data privacy laws, they’d likely model theirs after the CPRA. Fulfilling CPRA requirements can help you comply with other state regulations, stay ahead of the game, and position yourself as a trusted brand.

However, requirements for universal opt-out requests are still taking shape and are likely to present challenges to data controllers. For example, different organizations offer various opt-out methods, and there’s no consensus on how universal opt-out should work in today’s complex ad tech ecosystem.

The introduction of Global Privacy Control (GPC) will ultimately help brands create a better user experience to build trust with customers. But the successful implementation of global privacy signals does face some significant challenges, primarily from large players in the tech space. At present, neither Google Chrome nor Apple Safari–which represent a combined 84% of browser market share in 2022–support GPC. While users of these browsers can install extensions to support GPC, the lack of built-in support could represent the death knell for the still-nascent specification. So far, no regulators have required browser support for opt-out signals.

Global Privacy Signals FAQ

What is global privacy control (gpc).

The Global Privacy Control (GPC) is a proposed technical specification that transmits a binary code, which, when set to true, notifies websites of a visitors’ privacy preferences (e.g., not to share or sell their personal data.), giving internet users the ability top make a one-time privacy choice on their browser, rather than submitting consent manually to each website.

What Browsers Support Global Privacy Control?

Mozilla Firefox, Brave, and DuckDuckGo currently support GPC.

Does Chrome Support Global Privacy Control?

No, but Chrome users can download browser extensions, such as DuckDuckGo, Abine, and Privacy Badger to enable GPC.

Does Safari Support Global Privacy Control?

No, but Safari users can download browser extensions, such as DuckDuckGo, Abine, and Privacy Badger to enable GPC.

Which states recognize global opt-out signals?

California currently requires the recognition of global opt-out signals. Colorado and Connecticut will require recognition as of 2024, and 2025, respectively.

Does the GDPR require global privacy controls?

No. While global privacy controls may be a useful mechanism for individuals to exercise their rights under the GDPR, the GDPR does not require organizations to implement them.

Content Marketing Manager

Jeff is the resident content marketing expert at CHEQ. He has several years of experience as a trained journalist, and more recently in his career found a knack for communicating complex cybersecurity topics in an approachable yet detailed manner.

Unveiling the state of fake traffic 2024: insights, trends, and solutions, the bad actors awards: celebrating the most disruptive bots.

Subscribe to our newsletter!

How Retailers Can Use Holiday Shopping Findings to Fuel Growth in 2024

What is Click Fraud? How it Works, Examples, and Red Flags

Price Scraping Exposed: Who is at Risk and How to Prevent it?

Top 7 Ways to Detect Account Takeover Fraud

OTP Bots: The Achilles’ Heel of Your Digital Defense

How to target bottom of funnel customers with PPC content

Webinar Recap: How Junk Leads Impact Revenue Teams

How Bots and Bad Actors Bypass Web Application Firewalls (WAFs)

Don’t Fall Victim: How to Detect Bot Attack on Your Website

Comparing reCAPTCHA and hCAPTCHA: Are CAPTCHA still worth it?

Ready to secure your go-to-market efforts.

Affiliate Partner
About CookieYes

Run a free cookie audit of your website

Scan the URL specified

Entire domain

Scan the entire website (Signup required)

Back to blog

What is Global Privacy Control and Universal Opt-out?

September 6, 2023

15 min read

What is Global Privacy Control and Universal Opt-out?

71% of adults worldwide have taken proactive measures to protect their privacy online, according to a study by Norton . For users, these involved changing privacy settings on their devices, disabling third-party cookies, adding multi-factor authentication or even using a VPN. The evolving requirements of privacy laws like the EU’s GDPR or the various US state laws don’t make the process any easier.

Users are now often required to also engage with cookie banners , opt-in checkboxes, and accept privacy or cookie policies, to mark their privacy preferences. Clearly, handling privacy on the internet is not a one-click solution.

This is where Global Privacy Control (GPC) comes in, offering a simple solution to implement a universal opt-out signal for an easier and more cohesive privacy experience for users.

The Global Privacy Control (GPC) is a browser signal or extension that facilitates the process for users to indicate their privacy preferences while navigating the internet. At its core, GPC allows users to enable privacy preferences in their web browsers. This preference is then transmitted as a signal to every website they visit, indicating their respective choices, including the choice to either opt in or opt out of cookie usage, data sharing, data sale, and targeted advertising.

When a user enables their preferences via GPC and it is recognized by a website, the visitor is automatically opted out of targeted advertising and any activities that involve the sale or sharing of their personal data.

Many web browsers, browser extensions and tools have adopted GPC. These include browsers like Firefox, Brave, Privacy Badger and DuckDuckGo ( Full list here ). Browsers like Chrome that do not have an in-built GPC feature also support GPC extensions.

Global Privacy Control or GPC was developed in response to the CCPA, which envisioned the concept of a universal opt-out signal. An informal consortium of over dozen organizations including the Electronic Frontier Foundation (EFF), the National Science Foundation, Mozilla, The New York Times, and The Washington Post back the GPC.

In 2022, CCPA initiated its first-ever enforcement action of $1.2 million against Sephora and referenced the company’s alleged failure to honor a user opt-out through GPC.

GPC is increasingly recognised by global privacy laws as a requirement for a valid mechanism for honouring opt-out requests. Let’s take a closer look at how GPC is treated under different regulations:

California Privacy Rights Act (CPRA)

Under the CCPA/CPRA , the California Privacy Protection Agency mandates that businesses treat opt-out preference signals as valid requests to opt out of the sale or sharing of personal information. The CCPA regulations note that:

“If a business collects personal information from consumers online, the business shall treat user-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting, or another mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information as a valid request submitted…for that browser or device, or, if known, for the consumer.”

The CCPA’s implementing regulations also state that:

Global privacy signals must clearly show a consumer’s intent to opt out of the sale of their personal information.
In cases where there are conflicting signals between a user’s GPC signals and their preferences made through a cookie banner, businesses should the GPC signal over any other user-stated preferences.

Colorado Privacy Act

From July 1, 2024, onwards, the Colorado Privacy Act (CPA) requires businesses to allow consumers to exercise their rights to opt out of the processing of their personal data for purposes of targeted advertising or sale through a “universal opt-out mechanism.”

Unlike California, CPA’s requirement to honor the universal opt-out mechanism is mandatory from July 2024.
The CPA Rules clarify the technical specifications for facilitating an opt-out through universal signals, what disclosures businesses need to make and how businesses must respond to user signals.
The Colorado Department of Law will publish a list of all Universal Opt-Out Mechanisms that have met the specified technical criteria on or before January 1, 2024.

Connecticut Data Privacy Act

Starting from January 1, 2025, the Connecticut Data Privacy Act (CTDPA) extends the existing opt-out obligations and requires businesses to facilitate consumers to opt out of the processing of their personal data for targeted advertising or sale via an opt-out preference signal. This signal should clearly indicate a consumer’s intention to opt out of any such data processing or sale.

Rules of universal opt-out mechanism

Both the Colorado Privacy Act (CPA) and the Connecticut Data Privacy Act (CTDPA) require that the opt-out signal must:

Be based on clear and unambiguous choices made by consumers, rather than on default settings.
Not unfairly disadvantage other businesses.
Should be user-friendly and straightforward to use.
Be consistent with similar mechanisms required by other legislations.
Enable businesses to accurately verify whether a consumer is a resident of the state and has made a valid opt-out request.

Other US state privacy laws

US state privacy laws such as Virginia’s Consumer Data Protection Act (VCDPA) and Utah Consumer Privacy Act (UCPA) do not require businesses to respond to the GPC signal.

The General Data Protection Regulation (GDPR) has an opt-in framework for consent, meaning users must specifically take action to give consent before their data is processed by any business. So, organizations subject to the GDPR are not legally obligated to honor universal opt-out mechanisms like GPC. However, GDPR requires that “Natural persons should have control of their own personal data” (Recital 7). The use of a GPC signal can help to communicate the user’s intention to restrict their data processing, which businesses are required to respect.

GPC website also notes that it is “possible that a GPC signal opting out of processing could create a legally binding obligation for data processors” under GDPR in the future.

Implementing GPC within your business requires consideration of your overall privacy compliance strategy. Here are some key things to note:

Determine applicability of privacy laws : Evaluate which privacy laws apply to your business. Depending on the applicability, you may be required to comply with specific requirements for opt-out preference signals like GPC.

Enable GPC for consent management : GPC signals are often enabled by users to restrict the use of cookies, especially third-party tracking cookies. If you are using a consent management platform (CMP) on your website, ensure that it supports the GPC signals.

CookieYes CMP allows websites to detect these browser or plugin settings and honour the visitor’s signal preferences. You can enable the GPC feature on your banner, without any additional configuration.

Integrate with GPC signal : Identify the data collection practices within your business that can be linked to the GPC signal. Ensure that you can receive GPC signals, transmit them to your backend systems and respond in accordance with the user’s privacy preferences.

Even if your company isn’t obligated by a regulation to handle GPC signals, your business can demonstrate a commitment to respecting users’ privacy preferences and nurture their trust in your business.

Honour GPC signal – enable the option to respect Global Privacy Control and our CMP will automatically accept the visitor’s signal preferences. Your site visitors will also be informed of honouring the GPC signal via our opt-out banner.

Custom opt-out banner – display a fully customizable opt-out banner to support your compliance with CCPA/CPRA (California), VCDPA (Virginia), CPA (Colorado), CTDPA (Connecticut), & UCPA (Utah) and other US privacy laws.

For compliance with GDPR (EU & UK), LGPD (Brazil) and other global opt-in laws, you can utilise our cookie consent banner.

Do not sell/share link – add the Do Not Sell/Share (DNS) link to your website footer. With this link, your site visitors can easily access the opt-out preference centre and mark their privacy preferences.

Integrate with tech stack – implement CookieYes on any CMS/HTML website and integrate with existing standards such as Google Consent Mode , Google Tag Manager and IAB TCF version 2.2 .

How do I turn on global privacy control?

To enable Global Privacy Control (GPC) you need to configure it on your browser or use browser extensions that support GPC.

For browsers that have built-in support:

Firefox: Access about:config from your browser and search for globalprivacycontrol, and enable the options.
Brave: GPC is a default feature.
DuckDuckGo: GPC is enabled by default.

For browsers that don’t have built-in support, use browser extensions or add-ons that implement GPC.

What is the global privacy control in California?

The GPC is a web browser setting that allows users to signal their preference for enhanced privacy controls when they browse websites. California’s state-level privacy laws, the California Consumer Privacy Act (CCPA) and its amendment California Consumer Privacy Act (CPRA) require businesses to respect Global Privacy Control signals set by users as a valid opt-out mechanism.

What is a global opt-out?

Global opt-out typically refers to mechanisms like the Global Privacy Control (GPC) that enable users to make a universal request for privacy control when browsing the internet.

Instead of having to individually configure privacy settings on each website they visit, users can employ a global opt-out mechanism to streamline the process and ensure consistent privacy preferences across the web.

Does CCPA require global privacy control?

Yes. A global privacy control signal must be honored by businesses in California as a valid consumer request to opt out of the sale or sharing of personal information. This obligation falls under the scope of both the California Consumer Privacy Act (CCPA) and the amended California Privacy Rights Act (CPRA) that grant California residents the right to opt out of the sale/sharing of their personal information.

What is the universal opt-out mechanism in Colorado?

Colorado Privacy Act (CPA) provides consumers the right to opt out of the sale of their personal information and targeted advertising. The CPA provides for a “user-selected universal opt-out mechanism” that businesses are required to implement beginning July 1, 2024.

Universal opt-out mechanisms are browser settings/extensions that enable users to send a standardized signal to websites they visit, indicating their preference to opt out of data collection and sharing, such as tracking for targeted advertising

What is an example of an opt-out preference signal?

Global Privacy Control (GPC) is an example of an opt-out preference signal, also referred to as a universal opt-out mechanism. The GPC is a standardized signal sent from a user’s web browser to the websites they visit. When a user enables the GPC in their browser settings, it sends a signal to websites, indicating the user’s intention to opt out of certain data collection and sharing practices.

Guide to India’s Digital Personal Data Protection Act, 2023 (DPDP Act)

Mar 28, 2024 21 min read

Guide to the Texas Data Privacy and Security Act (TDPSA)

Mar 19, 2024 20 min read

Should You Use AI to Generate Privacy Policy?

Feb 09, 2024 16 min read

Start your compliance right away

14-day free trial Cancel anytime

Get started for free

RFP Template
Customer Login
AI Governance
Geo-Specific Cookie Banner
Consumer Preference Management
Data Subject Request Automation
Data Mapping and Vendor Risk Management
Privacy, Vendor, and Risk Assessments
Privacy Program Management
Regulatory Guidance
Privacy Program Consulting
Certifications and Verifications
International Data Transfers

TrustArc commissioned a Forrester study to analyze the potential benefits of using our platform and the Forrester team found ROI linked to efficiency, compliance, and decreased cost in data breaches.

Consent & Consumer Rights
Privacy & Data Governance
Assurance & Certifications

Experience automated privacy solutions that simplify compliance, minimize risk, and enhance customer trust across your digital landscape.

Cookie Consent Manager Effortlessly manage cookie consent for global compliance, ensuring a secure, personalized browsing experience.
Consent & Preference Manager Easily manage customer consent across brands and platforms—email, mobile, advertising—with a centralized repository.
Individual Rights Manager Automate and streamline DSR workflows to ensure compliance and show your commitment to customer rights.

Simplify privacy management. Stay ahead of regulations. Ensure data governance with cutting-edge solutions.

PrivacyCentral Centralize privacy tasks, automate your program, and seamlessly align with laws and regulations.
Data Inventory Hub and Risk Profile Gain full visibility and control of your data and accurately identify and mitigate risks.
Assessment Manager Automate and score privacy assessments like PIAs and AI Risk, streamlining your compliance workflow.
Nymity Research Get instant access to the latest in privacy regulations, legal summaries, and operational templates.

Boost brand trust with TRUSTe's certifications, showing your privacy commitment with the most recognizable seal, assessed by unbiased experts.

Dispute Resolution
TRUSTe Enterprise Privacy Certification
TRUSTe EDAA Privacy Certification
TRUSTe APEC CBPR and PRP Certification
TRUSTe Data Collection Certification
CCPA/CPRA Validation
Data Privacy Framework Verification
GDPR Validation
Digital Advertising Alliance Validation
Responsible AI Certification
EU General Data Protection Regulation (GDPR)
California Consumer Privacy Act (CCPA)
Virginia Consumer Data Protection Act (CDPA)
NIST AI Framework
ISO/IEC 27001

Colorado's comprehensive privacy legislation

Transatlantic data transfer mechanism for EU-U.S., UK, and Swiss-U.S. commerce.

Flash Guidance
Industry Briefs
Infographics
Webinars and Videos
Whitepapers
Serious Privacy Podcast

What is Global Privacy Control and Why is it Such a Hot Topic?

In October 2020, an initiative to help keep consumer information safe and secure gained momentum among many large organizations worldwide . This initiative is known as global privacy control, or GPC.

How does global privacy control work?

Global privacy control gives consumers an easy way to universally opt-out of organizations selling or sharing their personal information under specific privacy laws.

The California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR) have led the change in the industry.

Together, and with other organizations that have followed suit, they have brought privacy rights back to the consumer.

Consumers can now control these privacy settings within their web browsers and apps.

This means that instead of consumers opting out of selling or sharing personal information for every website they visit, global privacy control communicates privacy preferences directly to the website visited.

It serves as an expression of user intent to invoke their online privacy rights.

How does global privacy control impact you and your customers?

A growing number of organizations, both web browser and browser plugin providers, have adopted GPC and now allow consumers to enable the signal if they want to.

Websites should detect and honor this signal. They should receive it as a ‘do not sell or share’ setting and, voilà – the consumer’s information is safe and secure.

Xavier Beccera, the former California Attorney General, has referenced global privacy control regarding the California Consumer Privacy Act (CCPA).

Does global privacy control have legal implications?

The short answer? It depends. GPC on its own does not create any legally binding obligations .

However, laws in some jurisdictions may mean a consumer’s expression through global privacy control has a legal impact.

For example, following the lead of the California Consumer Privacy Act (CCPA), in 2021 Colorado passed the Colorado Privacy Act (CPA) .

That same year, Virginia passed the Virginia Consumer Data Protection Act (VCDPA). Both go into effect in 2023 and, like the CCPA, they require honoring browser settings and opt-out controls .

Acts like these continue to be passed in the U.S. and around the world, and that’s great news for privacy and consumer rights.

What global privacy control-compliant software should I use?

Let’s face it, things change fast in the world of consumer privacy and data protection.

So, how can you and your business stay on top of these ever-changing laws and regulations regarding global privacy control?

The easiest way is to implement software that allows for GPC detection. TrustArc Cookie Consent Manager Advanced (CCM) allows this setting to be enabled in a way that is simple and stress free.

This is important for your business but also for your customers, who increasingly expect a seamless and branded consent experience .

Ensuring visible user consent goes a long way to building customer trust, confidence and loyalty.

What is cookie consent?

Cookie consent, or cookie compliance, is permission consumers give websites to place a cookie into their browser to gather specific data about them.

Cookie consent is required to obtain most of the different types of data businesses and third parties collect via cookies.

Since GPC emerged, TrustArc’s Cookie Consent Manager has expanded its functionality to comply with it.

If you’re already using the CCM advanced solution, you can activate GPC functionality now (if you haven’t already).

If you aren’t using our solution and would like to learn more about it and how it can support global privacy control and your organization – contact us.

How soon do I need to take action?

Google intends to phase out third-party cookies on Chrome in 2024. Since 65% of browser users use Chrome, this will impact most businesses , and cookie marketing.

If you have TrustArc Cookie Consent Manager, you are in good hands. It does not require third-party cookies to work and will remain compliant.

TrustArc will also continue to work with industry partners to ensure our products continue to adapt to ongoing changes to the digital landscape.

Key Global Privacy Control Takeaways

Global privacy control (GPC) allows consumers an easy way to opt out of organizations selling or sharing their personal information under specific privacy laws.
A growing number of organizations, both web browser and browser plugin providers, have adopted GPC.
TrustArc Cookie Consent Manager allows company websites to detect these browser or plugin settings and offer consumers the opt-out option.
Consent Management
Data Processing

Get the latest resources sent to your inbox

Open Policy & Advocacy

Mozilla's official blog on open Internet policy initiatives and developments

Implementing Global Privacy Control

UPDATE, December 2021: Global Privacy Control is now available in the general release version of Firefox (Firefox 95). People interested in turning it on can follow the steps outlined below.

We’ve taken initial steps in experimenting with the implementation of Global Privacy Control (GPC) in Firefox.

GPC is a mechanism for people to tell websites to respect their privacy rights under the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA) and legislation in other jurisdictions.

At this moment, GPC is a prerelease feature available for experimental use in Firefox Nightly. Once turned on, it sends a signal to the websites users visit telling them that the user doesn’t want to be tracked and doesn’t want their data to be sold. GPC is getting traction both in California and in Colorado. Now that we expect websites to start honoring GPC, we want to start providing this option to Firefox users.

Mozilla was one of the early supporters of the CCPA and of the CPRA and, in 2020, we became one of the founding members of the Global Privacy Control . We endorsed this concept because it gives more control to people over their data online and sets a path for the enforcement of their privacy rights.

Here is how to turn Global Privacy Control on in Firefox Nightly:

1. Type about:config in the URL bar of your Firefox browser.

2. In the search box, type `globalprivacycontrol`.

3. Toggle `privacy.globalprivacycontrol.enabled` to true.

4. Toggle `privacy.globalprivacycontrol.functionality.enabled` to true.

5. You’re all set!

To make sure GPC is turned on in Firefox Nightly, visit https://globalprivacycontrol.org/ . The website will flag if the GPC signal has been detected.

“GPC signal not detected” by the globalprivacycontrol.org website = GPC is not on in your browser

“GPC signal detected” by the globalprivacycontrol.org website = GPC is on in your browser

clock This article was published more than 2 years ago

Your browser can tell websites how to treat your data. But companies didn’t have to listen — until now

Firefox joins other browsers to add a signal that sends mass ‘do not sell’ requests on your behalf.

Privacy-conscious Internet surfers will soon have an additional weapon on their side.

You can’t see it working, but a special signal known as global privacy control tells every website you visit not to pass around your personal data behind your back.

Global privacy control is already tucked away in Web browser Brave and browser add-on DuckDuckGo. Soon, the Firefox browser will be adding it. Chrome users, however, must continue to wait.

It’s a big deal because asking websites or apps not to share or sell your personal information involves hunting through company websites and submitting a “do not sell” request to each and every offender. If you live in California, you have some protection for your data under the California Consumer Privacy Act, and companies have to honor these requests. If you live elsewhere, you’re often out of luck. But tools like GPC lay the groundwork for easier management of personal data as more states consider passing data privacy legislation.

Firefox says it’s rolling out the global privacy control signal to its main product in the next two or three months, according to Chief Technology Officer Eric Rescorla. Firefox didn’t adopt the signal right away, instead waiting to see what sort of impact it would have to avoid making privacy promises that don’t hold water, Rescorla said. But the new privacy control has some teeth, its creators say, and it has the potential to make a real difference in your online privacy by opting you out of data sharing before it happens.

The move by Firefox comes after California Attorney General Rob Bonta made it clear in July that under the California privacy law, companies are expected to treat the signal as the same as any other do-not-sell request from consumers. Bonta’s stance is significant as many companies have ignored the signal, making it a less-effective tool despite its reported 40 million users worldwide.

Enforcement is ongoing, a representative at Bonta’s office said, and companies are legally obligated to honor the signals sent by California consumers.

What’s global privacy control and how does it work?

Global privacy control is a browser setting that notifies businesses of your privacy preferences, such as whether you want your personal information to be sold or shared, by sending out a signal to each site you visit.

GPC is a collaborative effort by privacy-focused organizations and advocates, including the Electronic Frontier Foundation and Consumer Reports, and is a successor to the ill-fated “Do Not Track” signal — you may remember when it popped up in browsers in the 2010s, then fizzled when companies failed to honor it. But global privacy control has the law on its side — at least in California.

The CCPA allows California residents to outsource “do not sell” and other data requests to someone communicating with companies on their behalf, or an authorized agent. That authorized agent doesn’t have to be a person — it can also be a piece of technology. That’s where GPC comes in.

Widespread interest in data privacy has surged in recent years as shady corporate data practices come to light. Companies take your data and sell it, or “share” it in exchange for services, says Don Marti, vice president of ecosystem innovations at CafeMedia, an ad management company and early supporter of GPC.

“Back in the day people used to say, ‘Oh, I ordered something out of one catalogue and then I started getting 50 catalogues,’ ” Marti said. The same is true today when you order something from a website, he explained: Soon, dozens of other companies may have their hands on your data.

The type of data sharing that GPC addresses goes beyond the Web, Marti said, so it should help cut down on junk mail, calls and faxes. It also theoretically stops big data companies like Facebook and Google from taking data gathered from one site and using it elsewhere, according to Jason Kint, CEO of Digital Content Next, a trade organization for digital content creators including The Washington Post that’s contributing to the development of GPC.

This isn’t to say that GPC is the privacy solution to rule them all, Firefox’s Rescorla said. The tool doesn’t prevent data sharing with official business partners providing services like fraud detection or site analytics. And right now, Californians are the only ones in the United States with assurance that GPC counts as an official opt-out request under their state’s privacy law. To find out whether a specific website honors GPC, you can type its Web address into this search tool .

Whether Virginia and Colorado, the only other states that have passed comprehensive privacy legislation, make companies honor GPC remains to be seen. But signs that California officials will enforce GPC bodes well for the tool’s efficacy.

Kint said it’s “inevitable” that big-name browsers like Google’s Chrome will face pressure to get on board, as well. Chrome, which has not implemented GPC, is by far the most popular browser with 66.7 percent of worldwide desktop traffic in the first quarter of 2021 compared to Firefox’s 8.1 percent.

“[Chrome] is the market leader and it’s owned by a company that makes most of its money off surveillance, targeting and tracking users, and collecting as much data as possible,” Kint said. “The browser itself is a user agent, it’s supposed to work for the user. This should be a no-brainer.”

A Google spokeswoman said the company is “following the developments” of GPC but stopped short of saying whether it would add the feature.

Google privacy settings to change now

What does this mean for you?

If you don’t want every website you visit to pass around your data, you can try sending the “do not sell” signal with GPC.

If you browse with Brave, GPC is already running. You can also install a browser extension like the Electronic Frontier Foundation’s Privacy Badger , Disconnect , DuckDuckGo , Abine and OptMeowt , all of which include GPC. (To find the extension, just search “Disconnect for Chrome” or whatever browser you’re using and download the extension.)

Right now, GPC is only available through Firefox Nightly, the browser’s early-stage testing and development platform, which you can download here . But in the next two or three months, it will get added to the Beta testing browser, then the main browser, Rescorla said. The process of turning on GPC should remain the same in the short term, he added, although Firefox will add an easy-to-use interface once enforcement and expectations around GPC solidify.

First, open the Nightly browser and type “about:config” into the search bar. Proceed through the warning. Then, type globalprivacycontrol into the bar at the top that says “search preference name” and two options should pop up: privacy.globalprivacycontrol.enabled and privacy.globalprivacycontrol.functionality.enabled.

Both preferences should read “false.” But if you go to the symbol that looks like two arrows on the right-hand side, you can toggle both to “true.”

Now, open a new browser tab and go to globalprivacycontrol.org . You should see a green light at the top of the page that says “GPC signal detected.” That means it worked, and GPC is sending out its “do not sell” beacon on your behalf.

When you ‘Ask app not to track,’ some iPhone apps keep snooping anyway

Help Desk: Making tech work for you

Help Desk is a destination built for readers looking to better understand and take control of the technology used in everyday life.

Take control: Sign up for The Tech Friend newsletter to get straight talk and advice on how to make your tech a force for good.

Tech tips to make your life easier: 10 tips and tricks to customize iOS 16 | 5 tips to make your gadget batteries last longer | How to get back control of a hacked social media account | How to avoid falling for and spreading misinformation online

Ask a question: Send the Help Desk your personal technology questions .

Delete your digital history from dozens of companies with this app October 3, 2023 Delete your digital history from dozens of companies with this app October 3, 2023
Clear vs. TSA PreCheck: What’s better for price and privacy? July 27, 2023 Clear vs. TSA PreCheck: What’s better for price and privacy? July 27, 2023
Your printing service might read your documents. Here’s what to know. July 10, 2023 Your printing service might read your documents. Here’s what to know. July 10, 2023

The day’s top stories from around the world

Stay on top of the latest AI governance news and developments of the profession.

Original reporting and feature articles on the latest privacy developments

Where the real conversations in privacy happen

Exploring the technology of privacy

A roundup of the top Canadian privacy news

A roundup of the top European data protection news

A roundup of the top privacy news from the Asia-Pacific region

A roundup of the top privacy news from Latin America

A roundup of US privacy news

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.

Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

Develop the skills to design, build and operate a comprehensive data protection program.

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

Introductory training that builds organizations of professionals with working privacy knowledge.

Meet the stringent requirements to earn this American Bar Association-certified designation.

The global standard for the go-to person for privacy laws, regulations and frameworks

The first and only privacy certification for professionals who manage day-to-day operations

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.

This tool identifies global data protection authorities and privacy legislation.

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.

Access all reports and surveys published by the IAPP.

This report shines a light on the location, performance and significance of privacy governance within organizations.

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

View our open calls and submission instructions.

Increase visibility for your organization — check out sponsorship opportunities today.

Start taking advantage of the many IAPP member benefits today

See our list of high-profile corporate members—and find out why you should become one, too

Don’t miss out for a minute—continue accessing your benefits

Resource Center

All the privacy tools and information you need in one easy-to-find place.

Tools and Trackers
Global Privacy Directory
Enforcement Database
Westin Research Center
Web Conferences
Career Central
Privacy Vendor Marketplace

Introduction to Resource Center This page provides an overview of the IAPP's Resource Center offerings.

Contact Resource Center For any Resource Center related inquiries, please reach out to [email protected] .

Global Privacy Control – Guidance and Resources

Nov 11, 2022

The following is a collection of guidance and resources covering the Global Privacy Control. In October 2020, the Global Privacy Control was created to allow consumers to exercise their privacy rights with the click of a mouse. In January 2022, the team behind the GPC announced a major milestone through the GPC's adoption by major publishers and consent management platforms. These resources cover the GPC, whether its similarity to "do not track" should be cause for concern, and whether it is here to stay.

GlobalPrivacyControl.org
Is GPC the new 'do not track'? - Article by IAPP Westin Fellow, Anokhy Desai, CIPP/US, CIPT
Global Privacy Control - Official Homepage
Termsfeed - What is GPC?
Transcend - Resources on GPC
Github - GPC Overview

DuckDuckGo Founding Member in Global Privacy Control (GPC) Standards Effort

We believe online privacy should be simple and accessible to everyone, period. With the introduction of privacy regulations worldwide, consumers are gaining more rights to limit the sale and sharing of their personal data. While this is a great idea in theory, it doesn't amount to much if it is hard for consumers to take advantage of their rights.

At present, consumers must invoke most all online privacy rights manually, website by website. That's why we're proud to be a founding member of a new effort to create a simple browser-oriented setting for users to more easily express their preference for privacy, called Global Privacy Control (GPC) . With this setting, users can enable it once, and then the browser will express their preference for privacy to every website they visit. We've been working with other organizations to define a technical specification for GPC that we hope becomes a widely-adopted standard.

Starting today, using the current technical specification, we are launching GPC in an initial experimental phase within our mobile DuckDuckGo Privacy Browser (for iOS / Android ) and within our desktop DuckDuckGo Privacy Essentials browser extension (for Firefox / Chrome ), making this new setting available to over ten million consumers.

How does GPC work in practice?

Browser settings such as "Do Not Track" have been available in the past, but most websites were not designed to recognize or respond to users' preferences, and they were not legally required to do so. For many years DuckDuckGo has advocated for laws worldwide that would bring legal teeth to browser privacy settings like Do No Track, going so far as to even draft our own legislation . Thankfully, the California Consumer Privacy Act (CCPA) is now leading the way here, requiring businesses to respect browser settings that allow consumers to opt out of the sale of their personal data. In his recent US Senate testimony , California Attorney General Xavier Becerra explained:

One provision of our regulations intended to facilitate the submission of a request to opt out of sale by requiring businesses to comply when a consumer has enabled a global privacy control at the device or browser level, which should be less time-consuming and burdensome. I urge the technology community to develop consumer-friendly controls to make exercise of the right to opt out of the sale of information meaningful and frictionless.

We are excited to be part of the answer to AG Becerra's call to action by offering consumers GPC as a means to invoke their CCPA “do not sell” rights across multiple websites. Although currently CCPA rights are only available to California residents, certain companies such as Microsoft have committed to extend this right to all US residents. And at the same time, we also intend to work with data protection authorities in other countries to help ensure GPC is legally binding in more jurisdictions, such as in the EU where the General Data Protection Regulation (GDPR) is in force.

In this initial experimental phase for GPC, you can participate by downloading our mobile app and desktop browser extension, and then enable GPC in Settings (see instructions below). Once enabled, we will send the “do not sell or share” GPC signal on your behalf to every website you visit. Then, when you visit early-adopting sites like The New York Times (while using our app or extension), those sites will accept the signal and respect your preference for more privacy.

We expect more commitments will follow from other organizations that will either send or respect the GPC signal. However, since Global Privacy Control (GPC) is a new standards effort, most websites won't recognize it yet. Currently websites are only required to act on the signal to the extent applicable laws compel them to do so.

How to enable GPC using DuckDuckGo

Duckduckgo privacy browser on android.

Download DuckDuckGo Privacy Browser from Google Play, or update to version 5.67.0 or newer.
Within the app, go to "Settings" from the main menu.
Tap "Global Privacy Control" and enable the setting.

DuckDuckGo Privacy Browser on iOS

Download DuckDuckGo Privacy Browser from the Apple App Store, or update to version 7.55.0 or newer.

DuckDuckGo Privacy Essentials Desktop Browser Extension

Download DuckDuckGo Privacy Essentials for Chrome , Firefox , Brave or Microsoft Edge (we're still working on updating our Safari extension), or update to version 2020.10.2 or newer.
Once installed, click the extension's icon in your browser's toolbar.
Click the cog icon at the top right and select "Settings".
In the "Global Privacy Control" section, enable the setting.

Once installed, you can test whether the GPC setting is working by going to https://global-privacy-control.glitch.me/ and checking the "Client-side detection" section.

For more privacy advice follow us on Twitter , and stay protected and informed with our privacy newsletters .

What is Global Privacy Control (GPC)?

Introduction to global privacy control.

Global Privacy Control refers to two things. It is an initiative and a tool developed by a group of people and organizations—including legal experts, technology professionals, and privacy activists and advocates—dedicated to improving privacy online. GPC is an open initiative, so participation is not limited to any specific person or group. Collaboration and consensus are major goals to empower internet users with greater control over their personal data.

GPC also refers to the specification resulting from the group’s work to enable a browser-based global standard for privacy control. It is also referred to as a universal opt-out signal or mechanism. The GPC is supported by the Electronic Frontier Foundation and Mozilla. To date, Mozilla’s Firefox, Brave, and DuckDuckGo are browsers that have the GPC signal built-in. A number of browser extensions also include the GPC, so even browsers like Chrome that do not have the specification built in can support it if users install an extension.

How does the universal opt-out signal work?

The Global Privacy Control mechanism enables people online to signal a preference to share or refuse access to their personal data, e.g. to be collected and shared with or sold to third parties. The goal is to enable users to select their privacy preferences once, and then the GPC communicates those preferences every time a user is asked for their consent, e.g. on websites where a cookie banner pops up or in setup for other online services. The GPC enables opt in and/or opt out, like for cookie use, data sharing or sale, or targeted advertising.

The GPC is a browser-based setting or extension where users can set their preferences once, and then they are automatically communicated wherever the user goes or whatever services they use via the browser. The preferences can be as basic as refusing all access to one’s personal data, or very granular, with permission for some specific uses, but refusal for others.

The GPC is not legally binding in many jurisdictions yet, though businesses will be required to respect the signal in places where data privacy laws include the requirement, like in California or Connecticut. Elsewhere, the GPC relies on websites and other online services to honor the user’s privacy choices. Browsers do not currently have to have the functionality built in, and some websites or apps may not be capable of enabling the GPC to function.

What does the Global Privacy Control mean for consumers?

GPC aims to provide consumers with a number of benefits.

A simplified, universal way to communicate privacy preferences . It is meant to work across a variety of online properties. No need to navigate settings or select privacy preferences every single property they visit.
More control over their personal data . Users can opt out of sharing their data broadly, or choose at a granular level what they are okay with sharing and what they aren’t. E.g. personalized advertising may be okay, but sale to third parties is not.
Consistency in expressing privacy preferences . People may make different privacy selections on different days depending on their mood, how busy they are, on how many sites they get asked, etc. With GPC, the same preferences are always communicated.
Contributing to advocacy for online data privacy and protection . Using GPC helps spread awareness about privacy issues. The initiative encourages transparency and accountability from organizations regarding data processing, and compliance with privacy standards and regulations.

What does the Global Privacy Control mean for businesses?

The universal opt-out mechanism is or will be legally binding only in some regions. At present it only applies in web browsers and on online platforms and services. So it may not affect all companies. However, it is a sign of evolution regarding data privacy online, especially regarding standards and user expectations about privacy, which can have significant effects on trust, brand reputation, and competitive differentiation.

Businesses that collect and use personal data online need to be aware of the GPC and users’ preferences. This may tie into complying with relevant privacy regulations, or it could just be a mark of respect for user preferences regarding their privacy for the time being.

Acknowledging the GPC encourages organizations to be transparent and accountable to those whose personal data they may collect and use. This builds better, more trustworthy customer relationships, and also streamlines privacy operations for companies, as they can receive and incorporate users’ preferences via the GPC.

The universal opt-out signal, while not a universal legal requirement, ties in to best practices and requirements of some data privacy laws. It’s referenced in some recent regulations, like in some of the US state-level privacy laws, and it may become an international standard eventually. Recognizing the signal can contribute to an organization’s privacy compliance efforts, or at least show a dedication to best practices.

It can be a serious resource drain when companies have to comply with or use tools or services with a common goal, but non-standard implementations and maintenance. Acknowledging and using the GPC helps contribute to a global standard for privacy protection and practices, simplifying adoption and enabling accelerated innovation.

Being trustworthy and transparent about respect for user privacy and data usage is a competitive advantage and increasingly good for brand reputation. Providing users with clear information and user-friendly ways to exercise their data privacy rights shows respect for privacy and encourages higher user engagement and long-term customer relationships.

Global Privacy Control and international data privacy regulations

European union, gdpr and gpc.

The European Union’s General Data Protection Regulation (GDPR) predates the GPC initiative, so the law does not specifically reference the universal opt-out signal. The GDPR came into effect in 2018 and the GPC initiative launched in 2020.

Concerns remain about whether the GPC can meet some data privacy law requirements, like the one for consent prior to data processing. One sticking point for the GDPR is whether consent can be considered to be informed and explicit if the GPC is used. This issue is likely to continue to evolve.

United States and state-level laws and GPC

Six new data privacy laws have been passed in the United States in 2023 alone between March and June. As of mid-2023 the US has 12 state-level privacy laws. However, reference to or requirements regarding the GPC remain inconsistent. The laws in California , Connecticut , Colorado , Montana , and Texas reference a requirement to respect Global Privacy Control. But the laws in Virginia , Nevada , Utah , Iowa , Tennessee , Indiana , and Florida do not reference or require it.

California’s Attorney General specifically recommended respecting the GPC , particularly for mobile platforms, early in 2023. It has also been referenced in relation to the CCPA-related penalties against beauty retailer Sephora.

Brazil, LGPD and the GPC

Brazil’s Lei Geral de Proteção de Dados (LGPD) does not specifically reference the Global Privacy Signal. Like the GDPR, the law came into effect before the GPC initiative was launched.

Like with the GDPR, concerns remain about whether the GPC can meet some data privacy law requirements, like the one for consent prior to data processing. One sticking point for the LGPD is whether consent can be considered to be informed and explicit if the GPC is used. This issue is likely to continue to evolve.

South Africa, POPIA and the GPC

South Africa’s Protection of Personal Information Act (POPIA) does not specifically reference the Global Privacy Signal. Like the GDPR, the law came into effect before the GPC initiative was launched.

Like with the GDPR, concerns remain about whether the GPC can meet some data privacy law requirements, like the one for consent prior to data processing. One sticking point for POPIA is whether consent can be considered to be informed and explicit if the GPC is used. This issue is likely to continue to evolve.

TCF 2.2 and the GPC

The Transparency and Consent Framework v2.2 and Global Privacy Control share common goals to provide transparency regarding data processing and empower users with control over their personal information. However, the TCF does not explicitly reference the GPC. The TCF 2.0 came out prior to the GPC initiative being launched.

The TCF 2.2 focuses mainly on providing a standardized framework for obtaining and managing user consent in the digital advertising ecosystem, whereas the GPC is meant to establish a universal consent preference mechanism on websites and online services. It is possible a future version of the TCF may include the GPC as both evolve.

Conclusion and the future of Global Privacy Control

New laws are being passed and existing ones are evolving as technologies and consumers’ expectations evolve. There are a number of prominent advocates in the data privacy sphere, and they have been influential in the development of the Global Privacy Control initiative. Everyone involved continues to work on awareness, adoption, and standardization.

The average online user has become aware of online privacy and the use of their data, and cares about what happens to it. However, many people are also experiencing consent fatigue from having to make frequent consent choices every time they use a browser. A single standard that enables “set it and forget it” makes sense and could solve a real need. It also helps encourage compliance with data privacy regulations, even if the GPC is not legally binding everywhere today.

At the same time, however, concerns remain about whether use of the GPC can be considered to enable and provide valid consent, like the GDPR’s requirement for it to be informed and explicit. This sticking point may become a strong driver for further study and change.

As technology continues to evolve, the universal opt-out signal will evolve as well, enabling even more streamlined, user-friendly, and powerful tools to help protect users’ data privacy online. Ideally, relevant parties and regulators can collaborate to make the smartest, most comprehensive, and most secure privacy tools available.

If you have questions or interest in understanding or recognizing the GPC for your website or app, or a consent management platform to help achieve compliance with privacy laws around the world, talk to one of our experts .

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.

New Jersey Data Privacy Act (NJDPA): An Overview

The New Jersey Data Privacy Act is the 15th state-level data privacy law passed in the United States. It...

What is universal consent and how does it benefit companies and their customers?

Expanding data privacy regulation requires ever more robust consent management for compliance. There’s also innovation to...

IMAGES

How to Customize and Secure Your Safari Web Browser
2023
Safari: Privacy and Security in Safari
How to increase privacy in Safari on iPhone and iPad
How to view the website Privacy Report in Safari on iPhone & iPad
14 Safari Privacy Settings You Need to Check on Your iPhone « iOS

VIDEO

Media Availability on Global Privacy Breach
Safari Privacy Settings #tech #iphonetricks #techtips #ios #safari
Understanding Data Privacy
Private browsing in safari on iPhone
Data Security Implications in the Cloud: Episode 32
Unlock Privacy: A Beginner’s Guide to Private Browsing on Your Mac (Safari & Chrome)

COMMENTS

Global Privacy Control
The GPC signal will be intended to communicate a Do Not Sell request from a global privacy control, as per CCPA-REGULATIONS §999.315 for that browser or device, or, if known, the consumer. Under the GDPR, the intent of the GPC signal is to convey a general request that data controllers limit the sale or sharing of the user's personal data to other data controllers (GDPR Articles 7 & 21).
What Is Global Privacy Control? Here's What You Need to Know
A white circle with a black border surrounding a chevron pointing up. It indicates 'click here to go back to the top of the page.'
The Privacy Battle That Apple Isn't Fighting
A Mozilla spokesperson said the company is "looking into the global privacy control and actively considering next steps in Firefox.". It isn't clear why Apple hasn't yet joined the party ...
Global Privacy Control wants to succeed where Do Not Track failed
It's a small group compared to the billions of Chrome and Safari users out there, but it will provide a proof-of-concept for the more private web the GPC team is trying to build.
Google's Chrome versus everyone else: The best web browsers for privacy
A recent study said Edge was one of the worst browsers for privacy — worse than Chrome, even — because it sent an identifier back to Microsoft's servers. Because the identifier was linked to ...
What is Global Privacy Control? Frequently Asked Questions
PRIVACY MANAGEMENT Consent Management Capture, manage, and optimize consumer privacy preferences. Compliance Monitoring Automate your vendor assessment process.
Global Privacy Control: What is it & Why it Matters
The largest browsers, such as market leaders Google Chrome, with a share of internet users close to 64%, and Apple's Safari, at 19.85% market share, not supporting the GPC as anticipated, ... How do I turn on global privacy control? The best way to have GPC on your browser is to use a browser that has a GPC signal built in, such as Firefox ...
Global Privacy Control Empowers Individuals to Limit Privacy-Invasive
Open Policy & Advocacy. Mozilla's official blog on open Internet policy initiatives and developments
How to Enable Global Privacy Control, DNT's Successor
For this to happen, individuals need to use a supported browser or extension and turn on the GPC signal for specific/all sites. Sites that support GPC will register the consent and not collect any data about that specific user.. This is in direct contrast to most opt-out consent management frameworks, where users' information is collected even before they can opt-out.
Global Privacy Control Opt-In?
Google has just announced that starting next month gmail will block all incoming email that does not implement all 3-SPF, DKIM and DMARC. We'll see if it makes a difference. GPC says to websites "please don't track me". Sites do not have to honor it, and the ones most likely to honor it already have similar policies.
What is Global Privacy Control?
Global Privacy Control (GPC) is a method that allows digital consumers to opt out of allowing companies to track their online behavior or sell or share their personal ...
What is Global Privacy Control? How Universal Opt-Out is ...
Legal teams, like users, are another potential beneficiary of the technology. The GPC provides an open standard for businesses and advertisers to make compliance with an increasingly wide array of data privacy laws much less daunting — ultimately streamlining their online marketing efforts. While GPC is currently a response to CCPA and CPRA ...
What is Global Privacy Control and Universal Opt-out?
71% of adults worldwide have taken proactive measures to protect their privacy online, according to a study by Norton.For users, these involved changing privacy settings on their devices, disabling third-party cookies, adding multi-factor authentication or even using a VPN.
What is Global Privacy Control and Why is it Such a Hot Topic?
Global privacy control (GPC) allows consumers an easy way to opt out of organizations selling or sharing their personal information under specific privacy laws. A growing number of organizations, both web browser and browser plugin providers, have adopted GPC. TrustArc Cookie Consent Manager allows company websites to detect these browser or ...
Implementing Global Privacy Control
Open Policy & Advocacy. Mozilla's official blog on open Internet policy initiatives and developments
Global Privacy Control is coming to Firefox. Here's what that means
Global privacy control is a browser setting that notifies businesses of your privacy preferences, such as whether you want your personal information to be sold or shared, by sending out a signal ...
Global Privacy Control
CIPP Certification. The global standard for the go-to person for privacy laws, regulations and frameworks. CIPM Certification. The first and only privacy certification for professionals who manage day-to-day operations
DuckDuckGo Founding Member in Global Privacy Control ...
For more privacy advice follow us on Twitter, and stay protected and informed with our privacy newsletters.. Dax the duck. We're the Internet privacy company for everyone who's had enough of hidden online tracking and wants to take back their privacy now.
Global Privacy Control: How to honor consumer opt-out requests
Our Trust Intelligence Platform provides visibility, action, and automation across privacy and data discovery, GRC, ethics, and ESG.
What is Global Privacy Control (GPC)?
GPC aims to provide consumers with a number of benefits. A simplified, universal way to communicate privacy preferences.It is meant to work across a variety of online properties.