California Requires Global Privacy Control Signals Opt-Out

Written by: Alyssa Feliciano, Esq.

The CCPA gives California’s Attorney General (“AG”) authority to determine how businesses must comply with the law’s requirement to allow opt-out of the sale of personal information. California’s recently inaugurated AG, Rob Bonta, announced that businesses will be required to accept Global Privacy Control (“GPC”) signals as an opt-out method under the CCPA (which is presently required under the GDPR). Prior to this announcement, businesses were already required to include a clear and conspicuous link titled ‘Do Not Sell My Personal Information’ on the business’s website homepage. AG Bonta has initiated several steps to strengthen the data privacy rights of consumers, including the use of GPC signals. Businesses will need to remain vigilant to ensure their policies are up to date with California’s requirements.

What is GPC?

GPC signals provide an easier method for individuals to exercise their privacy rights through a one-step process. Individuals can access this function through several means, including Mozilla Firefox, DuckDuckGo, or a downloaded browser extension, which will allow for a single preference to opt out of the sale of their data. When an individual visits covered websites, the extension will send a signal indicating that individual’s opt-out preferences. This eliminates the need for consumers to opt out every time they visit a new website.

Who will be impacted?

Any business that is currently covered under the CCPA will be required to honor GPC signals as a method for consumers to opt out of the sale of their personal information. Data shared among third parties for behavioral advertising is considered a data sale under the CCPA.

When is it effective?

The AG’s Office has indicated that enforcement is ongoing. Thus, businesses should not delay their compliance with the GPC signal requirement.
