A simple browser signal may have the power to reshape online privacy.
Most websites and apps are now collecting, processing, and swapping information about their users in the blink of an eye. Laws such as the California Consumer Privacy Act (CCPA) seek to address this by creating a new set of privacy rights regarding consumers’ personal data, but exercising those rights can be cumbersome in practice.
Enter Global Privacy Control (GPC), which allows website visitors to exercise some of their privacy rights automatically.
The idea behind GPC is simple: consumers can enable an option in their web browser that sends a signal to every site they visit indicating their privacy preferences. If GPC is turned on and the site recognizes the signal, the visitor is automatically opted out of targeted advertising and anything that could be considered “selling” their personal information.
Global Privacy Control was developed in response to the passing of the CCPA, which contemplated the possibility of a universal opt-out signal. Though it is far from universally adopted, GPC is now available on Firefox and several other privacy-centric browsers, and is recognized by major publishers like the New York Times and the Washington Post.
Depending on which privacy laws apply to a particular business, it may be required to recognize the GPC signal as a valid request to opt out.
According to the latest regulations from the California Privacy Protection Agency, all businesses required to comply with the CCPA must treat “opt-out preference signals” as valid requests to opt out of the sale or sharing of personal information. (“Sharing” in this context means the disclosure of personal information for cross-context behavioral advertising.) While GPC is not specifically named in the regulations, it has been mentioned favorably on multiple occasions by the California Attorney General and is almost certain to be considered an opt-out preference signal.
Businesses that fully process opt-outs via GPC in a frictionless manner are exempt from having to include a “Do Not Sell or Share My Personal Information” link on their website. “Frictionless” means the business may not charge a fee, change the user’s experience on the site, or display any pop-up or notification in response to the opt-out.
However, this exemption only applies if the GPC signal opts the consumer out of all selling or sharing practices without requesting additional information.
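As an added illustration (not code from this article or from any regulator), here is one way a site's server could honor the signal described above and keep the opt-out frictionless. The header name `Sec-GPC` and its value `1` come from the GPC specification; the purpose labels and the tag inventory are assumptions constructed for the example.

```javascript
// Added example. The purpose labels and the tag inventory schema are
// assumptions for this sketch; only `Sec-GPC: 1` comes from the GPC spec.

// Purposes the site has reviewed and confirmed are not selling or sharing.
const NOT_SALE = new Set(["essential", "functional"]);

// True only for a well-formed signal: header `Sec-GPC` with value "1".
// Header names are case-insensitive; any other value is treated as absent.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") return String(value).trim() === "1";
  }
  return false;
}

// Decide which third-party tags may load for this request.
function planTags(headers, tags) {
  const optedOut = hasGpcSignal(headers);
  const load = [];
  const suppress = [];
  for (const tag of tags) {
    // Fail closed: a tag with a missing or unknown purpose is treated as
    // selling/sharing, because the opt-out has to cover all such practices.
    const covered = !NOT_SALE.has(tag.purpose);
    (optedOut && covered ? suppress : load).push(tag.id);
  }
  // The decision is made from the header alone: no pop-up, no fee, and no
  // request for additional information is generated.
  return { optedOut, load, suppress };
}

// Constructed sample inventory and requests.
const TAGS = [
  { id: "session-cookie", purpose: "essential" },
  { id: "ad-exchange-pixel", purpose: "targeted_advertising" },
  { id: "data-broker-sync", purpose: "sale" },
  { id: "legacy-widget" }, // purpose never documented
];

function demo() {
  return {
    withGpc: planTags({ "sec-gpc": "1" }, TAGS),
    withoutGpc: planTags({ "User-Agent": "constructed" }, TAGS),
    malformed: planTags({ "Sec-GPC": "true" }, TAGS),
  };
}
console.log(JSON.stringify(demo(), null, 2));
```

The allow-list approach means a newly added, unlabeled tag is suppressed for GPC visitors until someone classifies it, rather than silently falling outside the opt-out.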
Virginia’s privacy law does not currently require businesses to respond to the GPC signal.
Businesses have one year from the Colorado law's effective date to implement GPC and recognize any “user-enabled universal opt-out mechanism” as a valid request to opt out of targeted advertising.
Utah’s privacy law does not currently require businesses to respond to the GPC signal.
Businesses have 18 months from the Connecticut law's effective date to implement GPC and recognize “opt-out preference signals” as valid requests to opt out of targeted advertising.
The GDPR’s legal framework is different from the US data privacy laws, so GPC is not an exact fit for submitting a data subject request. For example, there is no specific right to opt out of targeted advertising. Also, under the ePrivacy Directive (the “Cookie Law”), websites may not place marketing cookies on a person’s computer without first obtaining consent.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.