Back in 2020, GPC was introduced in the CCPA as a way to help keep consumer information safe by allowing users to opt out with a single click rather than manually selecting each opt-out. However, the recent CCPA regulations create greater obligations for certain companies, specifically those that can identify known users and those that provide loyalty programs. Being unprepared for the new Global Privacy Control (GPC) obligations under the CPRA can open your company to risk.
Prepare your business for compliance with GPC and other browser signals.
Join the TrustArc privacy experts to learn:
- What is GPC & why is it important
- How does GPC impact your business and your customers under the new CCPA regulations?
- How to operationalize GPC requirements using software for your business
Agenda
● First poll
● Key CCPA terms for the day
● Operationalizing the Global Privacy Control (GPC) under the CCPA
● Global Privacy Control (GPC) Recap
● GPC obligations before July 1, 2023
● GPC obligations starting July 1, 2023
● GPC obligations when a user is “known” §7025 c(1)
● GPC obligations with a financial incentive program §7025 c(4)
● Q&A
Key CCPA Terms
● Personal Information - Broad definition that includes identifiers, unique personal identifiers, online identifiers, electronic network information, and geolocation.
● Right to opt-out of a Sale/Share - The exchange of personal information for any benefit, including monetary or non-monetary (PI, analytics, or free or discounted services).
● Global Privacy Control - Developed in response to the CCPA and to enhance privacy rights, the GPC provides a ‘stop selling or sharing my data switch’ that is available on some internet browsers, offering a legally valid method for consumers to opt out of a Sale/Share.
● Financial Incentive Practices - Includes payments to consumers as compensation for the collection of personal information, the sale or sharing of personal information, or the retention of personal information. Compensation may include offering a different price, rate, level, or quality of goods or services to the consumer if that price or difference is reasonably related to the value provided to the business by the consumer’s data.
Authority, Obligations, and Enforcement
Authority: No mention of it in the original text of CCPA (2018).
Obligations: The Attorney General’s CCPA FAQ states that the GPC is an acceptable method to offer an opt-out of sales or sharing that “must be honored by covered businesses as a valid consumer request to stop the sale or sharing of personal information.” (990.316 now §7026).
Enforcement: The AG has sole enforcement authority. It previously administered monetary and non-monetary penalties associated with failure to implement, honor, and process user-enabled GPC signals.
Operationalizing Global Privacy Control
How is the GPC operationalized in our products?
● Cookie Consent Manager (assists with browser level compliance)
● Individual Rights Manager (assists with internal compliance)
● Consent and Preference Manager (assists with internal compliance)
Recognizing GPC using Cookie Consent Manager
Step 2 - Enable GPC Signal in Browser (Enabled by default on Brave Browser)
Recognizing GPC using Cookie Consent Manager
Step 3 - Visit website with CCM
● A frictionless experience is recommended, where the cookie banner does not automatically show but the consumer is automatically opted out of Advertising Cookies, which can be used for monetization.
● If one clicks the "Do Not Sell / Share" link in the footer, one can confirm Advertising Cookies were automatically opted out.
Known User Requirement §7025 c(1)
“(c) When a business that collects personal information from consumers online receives or detects [a GPC signal,] ... [t]he business shall treat the opt-out preference signal as a valid request to opt-out of sale/sharing … for that browser or device and any consumer profile associated with that browser or device, including pseudonymous profiles. If known, the business shall also treat the opt-out preference signal as a valid request to opt-out of sale/sharing for the consumer….”
When is a user “Known”?
What was the need for the known user?
“This change is necessary to address the realities of how the internet works.” - CPPA
When the business has associated the browser or device with a consumer profile:
● A logged-in consumer account
● Any unique identifier (e.g., pseudonymous profile)
○ Examples of unique identifiers: …. “and persistent or probabilistic identifiers that
can be used to identify a particular consumer or device that is linked to a
consumer or family.” § 1798.140 (aj).
○ A consumer may be identified by any “Unique Identifier.” § 1798.140 (i).
● Any online identifier
○ Examples of online identifiers that can be associated with pseudonymous
profiles: Custom IDs, Cookies, Ad Network Accounts, Subnetwork ID, Identity
Link, IP Address, Mobile Advertising ID, Mobile User ID, Connected Television ID,
TV subscriber ID, or Identity envelopes
Are we surprised pseudonymous profiles are in scope?
A reflection that the definition of personal information is broad: The definition of personal information
includes online identifiers and unique identifiers, § 1798.140(aj), which could be used to recognize a
device linked to a consumer or family.
A broader scope to address the realities of how the internet works: Even pseudonymous profiles tied to a
device must be opted-out because “...sometimes the business may only know the consumer
pseudonymously or/ and other times they may match the online actions with an offline consumer.”
“[including pseudonymous profiles]....appreciates how businesses may currently use probabilistic
identifiers to identify a particular consumer or device linked to a consumer or family.”
What is this about? / Synchronized Consent Choices
Known user capability for CPRA
CPRA requires that users’ consent choices be synchronized across multiple devices and web browsers (tracked using the user ID), so a user does not need to provide consent more than once (frictionless experience).
Honour your customers’ choices seamlessly across all experiences with your website/brand.
User Flow
Known user capability for CPRA
1. Safari: Unknown user visits acme.com from California and opts out of all cookies.
2. Safari: Known user logs in. Previous opt-out is stored. (Consent preference stored)
3. Firefox: Unknown user visits acme.com from California and ignores the cookie banner.
4. Firefox: Known user logs in. Previous opt-out is automatically restored. (Consent preference restored)
Absence of a GPC signal is not consent to opt in
7025c5: Where the consumer is known to the business, the business shall not interpret the
absence of an opt-out preference signal after the consumer previously sent an opt-out
preference signal as consent to opt-in to the sale or sharing of personal information.
CPPA Analysis: Subsection (c)(5) has been modified to clarify that, where the consumer is
known to the business, the business shall not interpret the absence of an opt-out
preference signal as consent to opt-in to the sale or sharing of personal information.
This is necessary to clarify that the absence of such a signal would not meet the requirements
of Civil Code sections 1798.120(d) and 1798.140(h).
How to work without a GPC signal using CCM
TrustArc CCM can honor a known user's opt-out
across browsers and devices when GPC signal is NOT
enabled on a subsequent visit
Financial Incentive (Reward/Loyalty Programs)
Financial Incentive: (insert definition from CCPA) A business
that does not offer a financial incentive or price or service difference is not required to
provide a Notice of Financial Incentive.
Examples and how sales work
Airlines, Hotels, and Ecommerce Sites etc.
What does it mean for the business? The business has the option of notifying
the consumer of the conflict and asking whether they intended to withdraw from the
financial incentive program.
Positives for business/Needs
The Law: If the opt-out preference signal conflicts with the consumer’s participation in a
business’s financial incentive program that requires the consumer to consent to the sale or
sharing of personal information, the business may notify the consumer that processing the
opt-out preference signal as a valid request to opt-out of sale/sharing would withdraw the
consumer from the financial incentive program and ask the
consumer to affirm that they intend to withdraw from the financial incentive program.
Different Scenarios Businesses May Find Themselves In
1. Customer is enrolled in a financial incentive program with business X.
2. Customer enables GPC.
3. Customer visits X’s website with TA’s CCM GPC/DNT enabled.
4. Customer is known (either via login or matched online identifiers).
5. X recognizes the GPC signal.
6. X has two options:
   a. Do not notify the customer that GPC conflicts with the practices of the financial incentive program -> X must then opt out the user.
   b. Notify the customer of the conflicting preferences.
      i. If the customer takes action: process accordingly / drop cookie.
      ii. If the customer takes no action to withdraw consent or does not affirm their intent: “the business may ignore the opt-out preference signal with respect to the consumer’s participation in the financial incentive program for as long as the consumer is known to the business” FSOR.
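
The known-user rule (7025c5) and the two financial incentive options above, sketched as a server-side decision function. This is an added example, not TrustArc's code: `resolveSaleShare`, the request shape and the in-memory store are assumptions, and header names are assumed lowercased as Node's `http` module delivers them.

```javascript
// Added example; every name here is hypothetical. A Map stands in for the profile store.
const optOuts = new Map(); // profileId -> true once an opt-out has been recorded

// Browsers with GPC enabled send the request header "Sec-GPC: 1".
function hasGpc(headers) {
  return String(headers['sec-gpc'] ?? '').trim() === '1';
}

// req: { headers, profileId?, incentive?: { enrolled, notified, affirmedWithdrawal } }
function resolveSaleShare(req, store = optOuts) {
  const known = req.profileId != null; // logged in or matched identifier
  if (!hasGpc(req.headers)) {
    // 7025c5: for a known consumer, a missing signal after an earlier opt-out
    // is not consent to opt in, so the stored choice is restored.
    const restored = known && store.get(req.profileId) === true;
    return { optedOut: restored, scope: restored ? 'consumer' : 'none',
             programSaleShare: null };
  }
  if (!known) {
    // The signal applies to this browser or device and any profile tied to it.
    return { optedOut: true, scope: 'browser', programSaleShare: null };
  }
  store.set(req.profileId, true); // synchronize across browsers and devices
  const fi = req.incentive;
  if (!fi || !fi.enrolled) {
    return { optedOut: true, scope: 'consumer', programSaleShare: null };
  }
  // Option 6b.ii: the business notified the consumer of the conflict and the
  // consumer did not affirm withdrawal, so the program may continue.
  const keepProgram = fi.notified === true && fi.affirmedWithdrawal !== true;
  // Option 6a (no notice) and 6b.i (withdrawal affirmed) both end in opt-out.
  return { optedOut: true, scope: 'consumer', programSaleShare: keepProgram };
}

// Constructed sample requests: a GPC visit, then a visit from another browser
// by the same known user with no signal.
const safari = { headers: { 'sec-gpc': '1' }, profileId: 'user-42' };
const firefox = { headers: {}, profileId: 'user-42' };
```

Calling `resolveSaleShare(safari)` and then `resolveSaleShare(firefox)` returns an opt-out both times, because the second call restores the stored choice even though no signal is present.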
GPC Considerations
● Other Jurisdictions
○ Europe empowers citizens to object to third-party processing under the General Data
Protection Regulation (GDPR). The GPC intends to communicate a general request to limit
the sale of data, as protected by GDPR.
○ Other State Privacy Laws:
■ Future: laws recognizing universal opt-out mechanisms like GPC include the Colorado Privacy Act (2024) and the Connecticut Data Privacy Act.
■ Virginia
● Honoring the Do Not Sell Requests throughout the programmatic advertising supply chain:
○ Interactive Advertising Bureau has created a privacy compliance framework called the
Multi-State Privacy Agreement.
○ The need for tracking technology vendors to have CCPA assessments
Thank You!
See http://www.trustarc.com/insightseries for
the 2023 Privacy Insight Series and past
webinar recordings.
If you would like to learn more about how TrustArc can support
you with compliance, please reach out to sales@trustarc.com for a
free demo.