An update to California Attorney General (AG) FAQs on the California Consumer Privacy Act of 2018 (CCPA) has garnered a substantial amount of interest. Under a new FAQ—What is the GPC?—the AG explains that the Global Privacy Control (GPC) is a “stop selling my data switch” that is available on some internet browsers or as a browser extension to help consumers broadly signal their request to opt out of the “sale” of their personal information. It is the last sentence of the FAQ, however, that has readers paying close attention: “Under law, [the GPC] must be honored by covered businesses as a valid consumer request to stop the sale of personal information.”
This statement from the AG does not come as a complete surprise. Under the AG’s regulations, covered businesses have to provide consumers with two or more designated methods for submitting opt-out of sale requests. One method must be via an interactive webform, but businesses are permitted to choose from among a variety of second opt-out methods, including a toll-free phone number, a designated email address, a form submitted in person or through the mail, or user-enabled global privacy controls.
No matter which second opt-out method a business chooses to provide, however, if that business collects personal information from consumers online, then under the CCPA Regulations it must “treat user-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information as a valid request . . . for that browser or device, or, if known, for the consumer.” The AG has clarified in its FAQs that the Global Privacy Control (the “GPC”) qualifies as such a mechanism that businesses must treat as a valid opt-out of sale request.
As the AG notes, the GPC is available on some internet browsers, like Mozilla Firefox, DuckDuckGo, and Brave, or as a browser extension. The AG describes the GPC as a way to provide consumers with an option to signal a comprehensive opt-out request, “as opposed to having to make requests on multiple websites on different browsers or devices.” On the operational side, businesses will need to implement the GPC spec on their websites and other services so that they can detect the GPC and respond by opting out the browser or device.
The AG’s updated FAQs reflect a growing trend towards providing individuals not only with greater and more comprehensive control over their personal information but also with “ease” of control. This trend is amplified both by public demand and by the advent of privacy laws beyond California’s, such as the newly passed Colorado Privacy Act, which will also require covered entities to respond to a user‑selected universal mechanism to opt out of the sale of personal information, as well as to opt out of targeted advertising.