Global privacy controls & the CCPA/CPRA
The California Attorney General has given consumers the right to use the Global Privacy Control (GPC) as a legitimate opt-out request for the sale of personal information, one that covered entities must recognize under the CCPA and CPRA. The first CCPA administrative action, against Sephora (source: https://www.wsj.com/articles/brands-review-data-privacy-policies-after-1-2-million-sephora-settlement-11664272801), resulted in a fine of $1.2 million. It highlights the importance of integrating GPC into compliance efforts and should serve as a wake-up call to companies that are looking to become fully CPRA compliant in 2023.
What is the Global Privacy Control (GPC)?
The Global Privacy Control (GPC) was developed by various stakeholders, including technologists, web publishers, technology companies, browser vendors, extension developers, academics, and civil rights organizations (source: https://globalprivacycontrol.org/#about). The GPC is a browser extension that allows consumers to set default privacy preferences for their personal data and to transmit those preferences automatically when visiting host websites. Consumers who activate the GPC automatically generate a signal that host providers must recognize and honor as the privacy preferences of that specific individual. When activated, the GPC sends a signal with the consumer's privacy settings to publishers and platforms, allows consumers to opt out of the sale or sharing of data, and expresses the desire of the data subject to only allow data usage in the pursuit of a legitimate business purpose.
CCPA regulations require that covered entities have at least 2 ways to receive and process Data Subject Access Requests. Recent administrative actions and fines indicate that CA regulatory authorities will be enforcing Global Privacy Controls as a valid method that businesses must take into account for compliance. Starting January 1, 2023, the CPRA becomes effective with its own requirement to recognize the GPC.
From GlobalPrivacyControl.org:
“Global Privacy Control (GPC) is a proposed specification designed to allow Internet users to notify businesses of their privacy preferences, such as whether or not they want their personal information to be sold or shared. It consists of a setting or extension in the user’s browser or mobile device and acts as a mechanism that websites can use to indicate they support the specification.” SOURCE: https://globalprivacycontrol.org/#faq
Section 999.315(c) of the CCPA states that: “… if a business collects personal information from consumers online, the business shall treat user-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information as a valid [opt-out of sale] request . . . .”
Covered entities must treat GPC requests from consumers as valid consumer data access requests and must make accommodations to respect and fulfill these requests in order to be fully compliant with CPRA regulations starting in January 2023. They will need to integrate the new GPC technology into their privacy and data collection systems to record, recognize and honor such signals automatically.