For legal teams - How does my business comply with GPC?
The California Privacy Protection Agency (CPPA) was the first regulator to formally confirm that it expects businesses to honor GPC as part of California's privacy regulations. Enforcement has followed: in August 2022 the California Attorney General fined Sephora $1.2M for, among other things, failing to honor opt-out-of-sale requests, including those sent via the Global Privacy Control. Other US states, including Colorado, Connecticut, Texas, Oregon, and Montana, have indicated that they will also require businesses to honor GPC under their respective privacy laws.
More generally, Ethyca's recommended best practice is to interpret the GPC signal in the way that is appropriate to each jurisdiction in which your business operates. In simple terms: if you operate in Europe under GDPR, in Brazil under LGPD, or in the growing list of US states (California, Virginia, Colorado, Connecticut, Utah, and others) whose laws regulate data sharing or targeted advertising, you should support the GPC signal as appropriate to that market.
This decision is ultimately a judgment call that each business must make. Considering the consumer's interests, expectations, and understanding of their right to consent, Ethyca believes that a user who opts out using GPC would reasonably expect to be opted out of:
- Sale of their data
- Sharing of their data for the purpose of advertising
- Targeted advertising
Conversely, many of these regulations also cover "automated decision making" or "profiling," which a business may reasonably perform as part of providing its services, so you will still need to give users a way to exercise that right. However, depending on what your automated decision-making systems actually do, this is not necessarily something a GPC opt-out signal should be taken to enforce.
The chart below shows what GPC is most likely analogous to in each jurisdiction. Each data processing activity is mapped to whether a consumer would reasonably expect a GPC signal to exercise that right on their behalf.
| Jurisdiction | Regulation | Data processing | Mechanism | GPC applies? |
| --- | --- | --- | --- | --- |
| California, USA | CCPA | Data sales | Opt-out | YES |
| California, USA | CPRA | Data sharing | Opt-out | YES |
| California, USA | CPRA | Automated decision making | Opt-out | NO |
| Virginia, USA | VCDPA | Data sales | Opt-out | YES |
| Virginia, USA | VCDPA | Targeted advertising | Opt-out | YES |
| Connecticut, USA | CTDPA | Data sales | Opt-out | YES |
| Connecticut, USA | CTDPA | Targeted advertising | Opt-out | YES |
| Connecticut, USA | CTDPA | Automated decision making | Opt-out | NO |
| Colorado, USA | CPA | Data sales or sharing | Opt-out | YES |
| Colorado, USA | CPA | Targeted advertising | Opt-out | YES |
| Colorado, USA | CPA | Automated decision making | Opt-out | NO |
| Europe | GDPR / ePrivacy | Essential | Mandatory | NO |
| Europe | GDPR / ePrivacy | Functional | Opt-in | NO |
| Europe | GDPR / ePrivacy | Analytics | Opt-in | NO |
A note on Europe and Brazil: consent requirements under GDPR and LGPD tend to be opt-in and do not map directly onto the opt-out nature of GPC, so thoughtful user experience design is vital.
If a user has set GPC to true, it is reasonable to assume that they do not give opt-in consent to the advertising category under European privacy regulations. The converse does not hold: the absence of a GPC signal is not consent, and the user must still opt in explicitly.
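As an added example (not Ethyca or Fides code), the following Node.js snippet shows the mechanics behind the advice above: read the GPC signal from the HTTP `Sec-GPC` request header, apply it to the jurisdiction mapping from the chart, and make sure it only ever withholds consent, never grants it. The jurisdiction codes, preference keys, the `lastUpdate` date and the sample request are assumptions constructed for this example.

```javascript
// Added example, not Ethyca/Fides code. Plain Node.js, no dependencies.
// GPC reaches a site two ways: the request header "Sec-GPC: 1" and, in the
// browser, navigator.globalPrivacyControl === true. This example handles the
// header; the same mapping logic applies to the browser property.

// Only the exact value "1" is a signal. A missing header, "0", "true" or any
// other value means "no signal", and no signal is never treated as consent.
function gpcFromHeaders(headers) {
  const value = headers['sec-gpc'] ?? headers['Sec-GPC'];
  return value === '1';
}

// Notices that a GPC opt-out covers in each jurisdiction, following the chart
// above. Jurisdiction codes and preference keys are assumptions made for this
// example. Automated decision making is deliberately absent from every entry.
const GPC_COVERAGE = {
  'US-CA': ['data_sales', 'data_sharing'],
  'US-VA': ['data_sales', 'targeted_advertising'],
  'US-CT': ['data_sales', 'targeted_advertising'],
  'US-CO': ['data_sales', 'data_sharing', 'targeted_advertising'],
  // Opt-in regime: GPC can only withhold consent to advertising, never grant it.
  'EU':    ['advertising'],
};

// Apply the signal to a user's stored preferences and return the updated set.
// GPC only ever turns processing off. When the signal is absent nothing
// changes: a prior explicit opt-out survives, and "no signal" re-enables nothing.
function applyGpc(jurisdiction, gpcSet, prefs = {}) {
  const result = { ...prefs };
  if (!gpcSet) return result;
  for (const notice of GPC_COVERAGE[jurisdiction] ?? []) {
    result[notice] = false;
  }
  return result;
}

// Decide whether a notice may be processed after GPC has been applied.
// Under an opt-in regime an unset preference means "not consented"; under an
// opt-out regime it means processing is permitted until the user objects.
function mayProcess(notice, prefs, optIn) {
  if (prefs[notice] === undefined) return !optIn;
  return prefs[notice] === true;
}

// The GPC spec also asks a site that honors the signal to publish
// /.well-known/gpc.json with this shape. The date is constructed for the example.
function wellKnownGpc() {
  return { gpc: true, lastUpdate: '2024-01-01' };
}

// Constructed request: a California user whose browser sends GPC.
const sampleRequest = { headers: { 'sec-gpc': '1', 'user-agent': 'example' } };
const caPrefs = applyGpc(
  'US-CA',
  gpcFromHeaders(sampleRequest.headers),
  { data_sales: true, data_sharing: true, automated_decision_making: true },
);
console.log(caPrefs); // sales and sharing off, automated decision making untouched
```

Note that `applyGpc` never writes `true`: if you let a missing signal set preferences back to "allowed", a user who opted out through your own banner would be silently re-enrolled the next time they visited from a browser without GPC.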
If you're unsure how to set up GPC support, you can ask the Fides Slack Community, or get Privacy Engineering Intelligence from Ethyca.