What is Global Privacy Control and Universal Opt-Out?

What is Global Privacy Control and Universal Opt-Out?
By purchasing through the links on this page, you are giving us the opportunity to earn a commission. Your support is greatly appreciated!

72% of US adults believe that there should be more regulation on what companies can do with the personal data of customers, according to research by the Pew Research Center. Users are already switching to more private browsers, blocking third-party cookies, and constantly adjusting privacy settings on each and every website.

However, the continuous development and complexity of privacy regulations can make it difficult to ensure your data remains secure. That’s why Global Privacy Control (GPC) is important – it ensures a simplified and streamlined solution for managing privacy preferences using a universal opt-out mechanism.

What is Global Privacy Control?

Global Privacy Control (GPC) is a specification made to help internet users notify companies and businesses about their privacy preferences, like requesting not to sell or share their personal information. 

The GPC eliminates the need to search for the “Do not sell or share” links on each website and fill out consent rejection forms. Instead, it lets you exercise your privacy rights by simplifying your privacy controls and communicates the request to websites automatically.

Under section 999.315 of the California Consumer Privacy Act (CCPA), companies are legally required to honor GPC requests as an opt-out method. Meanwhile, under the General Data Protection Regulation (GDPR), a more general request to limit the sale or sharing of the consumer’s personal data is sent.

You can locate the full list of companies that support GPC on the official Global Privacy Control website.

How does Global Privacy Control work?

Global Privacy Control is designed to communicate an opt-out user preference for data sharing and selling. It offers a streamlined way of opting out across websites without much user participation, giving users more control over their data privacy. However, GPC signals are not a legal requirement in every state or country, so not all businesses may honor them.

To make it easier to understand, here’s a simple step-by-step explanation on how Global Privacy Control works:

  1. The user enables GPC on their browser settings or through a plugin.
  2. When the user opens a website, the GPC automatically sends a request to opt the user out of data selling and sharing.
  3. A website receives the signal through GPC detection features and honors the request if legally required.

How does Global Privacy Control work?

When receiving the GPC signal, websites should detect it and automatically block any data-sharing actions or specific cookies on the user’s browser.

If the business processes data of users protected under privacy laws that acknowledge GPC signals as a valid opt-out method, it’s also useful to log GPC signal instances. It helps ensure legal proof of compliance.

Privacy regulations and Global Privacy Control

The Global Privacy Control initiative is fairly new and launched only in 2020, so not many regulations legally require businesses to recognize it as an opt-out method. Let’s take a look at some of the privacy regulations and their stance on GPC signals.

CCPA

Under the CCPA, complying with the Global Privacy Control signals is obligatory and cannot be denied unless a business believes that the request is fraudulent. In such cases, the business must inform the user that the request has been denied and explain why.

Section 999.315 (a) of the CCPA states that a suitable method for submitting an opt-out request includes “user-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information.”

The privacy legislation also states that GPC should be considered a request that directly comes from the consumer and does not need to be verified.

Other state privacy regulations in the US

Many US states are starting to adopt universal opt-out mechanisms, which include the Global Privacy Control signals. Universal opt-out is any method used to communicate an opt-out request for the processing of user personal data across multiple websites rather than through each site.

Here are the US state privacy laws that have adopted or will adopt the universal opt-out-mechanisms and when:

The Colorado Privacy Act (CPA) July, 2024
The Connecticut Data Privacy Act (CTDPA) January 1, 2025
The Texas Data Privacy and Security Act (TDPSA) January 1, 2025
Delaware Online Privacy and Protection Act (DOPPA) January 1, 2026
Montana Consumer Data Privacy Act (MTCDPA) January 1, 2025
Oregon Consumer Privacy Act (OCPA) January 1, 2026

Privacy laws that don’t require acknowledging universal opt-out mechanisms, including GPC signals, are Virginia’s Consumer Data Protection Act (VCDPA) and the Utah Consumer Privacy Act (UCPA).

GDPR

Unlike the CCPA, the GDPR uses an opt-in system to acquire consent. This means user data cannot be tracked or collected unless active consent is obtained.

So, the GDPR doesn’t explicitly mention Global Privacy Control as an opt-out method mandatory for businesses to adhere to. Instead, GPC serves as a general request for businesses to limit the sharing or selling of personal data to other data controllers.

Why is Global Privacy Control important?

Here are the main reasons why Global Privacy Control signals are crucial for both users and companies:

  • Improved personal data control. GPC signals allow users to easily manage how their personal data is used across multiple websites, empowering them with more control.
  • Compliance. For many businesses in the US, including the ones who operate under the CCPA and other state laws with universal opt-out mechanisms, honoring GPC signals is legally required. Non-compliance with such laws can lead to fines or penalties.
  • Increased user trust. Honoring GPC requests demonstrates that businesses respect their users’ privacy, ensuring a better company reputation.
  • Saves time. GPC signals don’t require user verification, and since they eliminate the need to fill out the “Do not sell” link forms on each website, it saves time for users and businesses.

How to enable Global Privacy Control in your browser

The process of enabling Global Privacy Control depends on your browser. Brave and DuckDuckGo are the only ones that offer it by default, but you can also enable it on Firefox. 

Meanwhile, GPC on Chrome only works with a plugin, while the feature is impossible to get on Safari. You can check GPC signal tests of various browsers on different devices at PrivacyTests.org.

Here are quick guides on how to enable it on Chrome or Firefox:

Chrome

Chrome doesn’t have built-in Global Privacy Control, so the only way is to install a plugin. Here’s how to do it:

  1. Choose a GPC plugin, like the free Global Privacy Control (GPC) Inspector.
  2. Click “Add to Chrome.”Download Global Privacy Control plugin on Chrome
  3. That’s it – you can open any website and check the tool. You’ll find out whether a website supports GPC, how many times the page accessed the GPC client signal and HTTP requests.Global Privacy Control Inspector plugin on Chrome

You can also test whether a GPC signal is detected on your browser by opening the Global Privacy Control website.

How to check if Global Privacy Control signal is detected

If it’s active, you’ll be able to locate a “GPC signal detected. Test against the reference server.” text by the header.

Firefox

You can enable the GPC privacy option in Firefox’s Settings. Here’s how to do it:

  1. Go to the Firefox Menu and click Settings > Privacy & Security.
  2. Scroll down and check mark the “Tell websites not to sell or share my data” option under Website Privacy Preferences.Enable Global Privacy Control on Firefox
  3. Close the Settings page – the changes are saved automatically.

What are the limitations of GPC?

While the future of Global Privacy Control seems promising, especially with many US states recognizing it as a universal opt-out mechanism, it still has some limitations. Here are some of them:

  • Voluntary compliance. In regions where privacy legislation does not legally require businesses to acknowledge universal opt-out mechanisms, such as Japan or the EU, companies may not honor the signal.
  • Lack of business awareness. Some businesses may not be aware of GPC signals and as a result, they may not set up detection tools to honor them.
  • Different jurisdiction laws. GPC is not yet globally recognized, so there are no clearly developed compliance enforcements, except for the CCPA and the CPA.
  • Difficult to verify. Since GPC signals or companies don’t provide any feedback on whether requests are honored, there’s no clear way to know if businesses don’t ignore them.

Future of Global Privacy Control

Many US state privacy laws are already set to adopt universal opt-out mechanisms that include GPC signals. As more regions implement similar laws, Global Privacy Control may receive more legal backing, helping it become a mandatory requirement for businesses around the globe.

Under the GDPR, GPC signals operate as a general request to limit sharing of data and businesses may not comply. However, the wider implementation across the US may influence GPC signals to be a right under the GDPR or other jurisdiction laws as well.

The growing GPC importance across privacy laws may also encourage more popular browsers, such as Safari or Chrome, to create built-in GPC solutions.

How to navigate Global Privacy Control with TinyCookie

Global Privacy Control is all about opting out of data selling and sharing. With TinyCookie, you can adopt a banner with opt-out options on your Shopify website in just a few clicks. It’s highly customizable, offering complete design, placement, layout, color, content, and font freedom.

TinyCookie cookie banner example

You may also include a “Do not sell or share my personal information” link or a consent rejection button depending on the privacy regulation you have to comply with.

TinyIMG is fully integrated with Google consent mode V2, Facebook Pixel, and Shopify Customer Privacy API, ensuring it manages privacy preferences in a compliant way.

Frequently asked questions

Global Privacy Control is an effective way to ensure the data privacy of consumers. However, it comes with limitations. For example, if companies ignore GPC requests to opt the user out of data selling or conceal their data processing practices, there’s no way to know it since the framework doesn’t provide feedback.

If you’ve installed a GPC extension on your browser and it’s not being recognized, it may be an extension conflict issue. Review your extensions and disable them one by one to see if the issue is resolved.

When Global Privacy Control is enabled in a browser, the user doesn’t notice any visible differences, but the browser or plugin sends a GPC signal to all websites. It states that the user doesn’t want their data to be shared or sold to third parties, and it’s the specific website’s responsibility to honor the request.

If the CCPA or any other regulation that has adopted universal opt-out mechanisms applies to your company, then acknowledging Global Privacy Control signals is mandatory. To comply with GPC signals, a business must get a CMP that supports them and honor these signals every time by default.

About the author
Kristina Jaruseviciute
Kristina is a Senior Writer at TinyCookie, where she specializes in providing educational content for readers interested in web cookies and compliance. She covers an extensive scope of subjects, from cookie types, definitions, and tutorials to compliance tips for website owners.