What is Global Privacy Control?

Global Privacy Control (GPC) is a technical specification for transmitting a browser-level opt-out request. The extent of that opt-out—whether it refers to the processing or sale of personal information generally, or for targeted advertising—varies by jurisdiction. 

The requirement to honor global privacy control is already being enforced in California — and enforcement is escalating. Meanwhile, similar requirements to honor privacy preferences sent via a browser mechanism will soon go into effect in other states and are being considered at the federal level.  

It’s time to start thinking about whether it makes sense for your organization to support the signal, and how. 

Here’s how you can use the Sourcepoint CMP to start honoring the GPC signal today, and as regulations evolve. 

Capture and ensure user GPC settings are respected

In order to respect the GPC signal, you will need to enable the Respect Global Privacy Control setting at the vendor list level. The setting will then apply to any web properties associated with that list. For now, this only applies to CCPA vendor lists.

With this setting enabled, properties associated with your CCPA vendor list will automatically pick up and respect a user’s GPC signal, assuming they are accessing your site while using a supporting browser or extension that transmits the signal for them. 

Upon receiving a GPC signal, we will also update the user’s US privacy string, as defined by the IAB’s CCPA Compliance Framework. This means that the user’s US privacy string, or uspString value, will be changed to reflect an opt-out, without them needing to make that request themselves. 

Expand geotargeting as new jurisdictions become relevant

For now, the GPC signal is tailored for California’s Consumer Privacy Act (CCPA). But as respect for universal opt-out mechanisms, and thus the GPC signal becomes required in other states, you will have to make choices about the scope of your support. 

Fortunately, you can easily adjust scope as regulations evolve. Just [] of the relevant CCPA vendor list on a state by state basis in order to geotarget jurisdictions where respect for the GPC signal is required. 

Pass opt-out choices downstream

While vendors or third parties that participate in the IAB CCPA Compliance Framework will pick up on a user’s US privacy string and acknowledge values that indicate opt-outs, there are also vendors that do not participate in that framework. 

For such vendors, you can ensure that a GPC setting is acknowledged downstream using the Sourcepoint CMP’s reject actions. Reject actions, which can include custom JS or Google Tag Manager events, will be triggered when an opt-out request is received, which is exactly what the GPC signal transmits. 

By setting up reject actions on a per vendor or per processing category basis, you can stop selected third parties from firing when a user has GPC enabled. 

Let users know their choices are respected

You may want to display notifications to users who have a GPC signal enabled on their browser to let them know that you’ve acknowledged their desire to opt-out. This could look like a simple “GPC signal received,” or go as far as providing the status of their US Privacy String. 

After deciding the content of your message, you can target your message by creating a scenario that checks if the user has a GPC signal enabled on their browser. 

For more on the origins of Global Privacy Control and how it works, check out our FAQ. To see a demo of how to use the Sourcepoint CMP to respect GPC, and where enforcement currently stands, view our webinar on demand. 

As one of the first consent management platforms to support GPC in the market, we think we can shed some light on the topic.

View the webinar recording to learn:

• The relationship between GPC and universal opt-out
• Relevant jurisdictions and effective deadlines
• Use cases for creating friction
• Market adoption of GPC so far
• Best practices for respecting the GPC signal 
• How to set up the Sourcepoint CMP to respect the signal