Do you want to know if your website will respond to Global Privacy Control (GPC) signals and accommodate a user who doesn't want to be tracked across the internet? The California Consumer Privacy Act (CCPA), upcoming legislation in other US states, and Europe's Global Data Protection Regulation (GDPR) introduced laws about internet tracking in the last few years and qualifying companies need to comply with privacy policies. Understanding these laws and being able to handle end-user requests for data privacy can help immensely if clients, companies, or users come to you with a request to implement GPC functionality. This article will answer many of the questions surrounding GPC and will better prepare you to handle such requests.
What is a GPC signal?
A GPC signal is a small snippet of code sent to any website a user visits which tells websites that the user has elected that their data should not be sold or shared. Previously, users had to elect this manually on each website they visited if they had the option. Now with the GPC specification, users can broadcast their privacy election to any site they visit, so being able to handle that GPC signal is important to understand.
Who created GPC?
GPC was developed by a large group of stakeholders from tech and civil rights organizations with the common goal of providing users global control over their personal data instead of being forced to handle that election on each individual website they visit. This initiative was initially started by Ashkan Soltani (Georgetown Law) and Sebastian Zimmeck (Wesleyan University) in collaboration with The New York Times, The Washington Post, Financial Times, Automattic (Wordpress.com & Tumblr), Glitch, DuckDuckGo, Brave, Mozilla, and more.
How do users send a GPC signal to a website?
In order to have a user's privacy settings sent to each website they visit, either a browser or a browser extension is required. These browsers and extensions have settings that can allow a user to whitelist/blacklist certain websites as well as tailor the level of privacy they wish to keep. A full list of all browsers and extensions that can send out a GPC signal can be found on GPC's list of Founding Organizations. If your company does implement code to handle GPC signals, it is important for your developer to test across all GPC accessible browsers and browser extensions in addition to testing your site across many different browsers as well.
Do I need to comply with GPC signals?
Not all companies are required to comply with GPC unless they qualify under either the GDPR or CCPA. Under the GDPR, a company will qualify if the following criteria are met:
- The company markets its products or services to citizens of the EU
- The company monitors the behavior of citizens of the EU
As for the CCPA, there are more specific requirements to meet before being required to comply. This is based on whether your company qualifies as a 'business' under CCPA guidelines. The criteria to be considered a 'business' is as follows:
- The company is a for-profit, private entity
- The company collects personal information
- The company determines the means of processing that personal information
- The company does business in California
- The company meets at least one of the following criteria:
- The company annual gross revenues exceeding $25 million
- The company annually sells/buys or receives/shares for commercial purposes the personal information of 50,000 or more California consumers
- The company derives 50% or more of its annual revenue from selling personal information.
Even if your company isn't required to comply with either law based on the above criteria, it is still recommended to familiarize yourself with GPC if your company deals with user data in any way. Following in the footsteps of California, other US states are enacting more privacy-related legislation that could apply similar and even more extensive criteria to be met regarding the use and processing of personal information. Virginia is now the second state to have enacted a consumer privacy act, with other states such as Washington, New York, Connecticut, Oklahoma, Minnesota, Mississippi, New Jersey, and Utah expected to have consumer privacy laws in place by the end of 2021. Although a federal privacy act may still be a few years away, keeping up to speed with the new policies and laws surrounding personal data on a state level may help avoid legal pitfalls for your company down the road.
When does this go into effect?
GDPR went into full effect in the European Union in May 2018, while the CCPA became effective and enforceable in California in January 2020. This means that if your company qualifies as a 'business' under the CCPA or markets to people in the EU, knowing how to handle GPC signals appropriately is a necessity.
What should I do?
To comply with this law, it's important that you update how you handle the storage of user-related data such as IP addresses, user agent strings, and cookie data so they don't get tracked across the website when visiting. This is accomplished by checking for the special 'Sec-GPC' request header either on the back-end of the site through an HTTP request or through a script that runs once a page loads. Once the signal is detected through either of these methods, your company needs to decide how to turn off data tracking dependent on which CMS, CRM, and tech stack the company uses. Also, it is best practice that website visitors should be given a manual option to opt-out of being tracked on your website so they can choose how their data is used by you if they allow sharing that data. For more information regarding the implementation of a GPC signal checker, visit GPC's official guide to Interacting with Global Privacy Control.
Where do I get more information?
There are many resources available to help website owners comply with these laws and regulations. For an overview and frequently regarding the CCPA, the California Attorney General's website provides detailed information surrounding the act. Similarly, GDPR's information and FAQ can be found on its standalone site. As for GPC, you can learn more information, get questions answered, explore compliant browsers and extensions, and even get source code to implement your own GPC signal check on the official GPC website.
There is no doubt that GPC is an excellent solution to global privacy settings for end-users, but it also comes with additional company considerations if implemented. If your client asks you for data privacy features or if the government requires them as part of their compliance requirements, then implementing this feature will be worth your time and effort. There are many laws surrounding what companies can do with personal information on a state level so it's important that you stay up-to-date on these changing policies in order to avoid legal issues down the road. Blue Frog exercises constant vigilance when it comes to policy changes like GDPR and CCPA, so be sure to subscribe to get the latest in web privacy as well as website design, development, SEO strategy and insights, and more.