Is your site ready for new regulations going into effect this month?

Attention: Global Privacy Control (GPC) signal compliance arrived in California on January 1, 2023, and is expected to come to Colorado in July 2024.

Background: New regulations around cookies and personal information have taken effect, with more coming in the following months. The California Privacy Rights Act (CPRA, an amendment of the California Consumer Privacy Act (CCPA)), Europe’s General Data Protection Regulation (GDPR), and future additions to the Colorado Privacy Act (CPA) are requiring websites to allow visitors to automatically opt out of the website/business processing their personal information via Global Privacy Control (“GPC”) signals.

Why this is important: GPC signals enable website visitors to communicate the individual’s intention to invoke their rights as defined here. This ensures visitors can control how their data is used, shared, and sold to others across all web properties without individual, per-website cookie consent banners. Once a visitor enables GPC in their browser, this information is communicated to any website they visit so that each website knows that visitor's privacy preference.

GPC Signal Compliance on Google Chrome, the most widely used web browser: GPC signals work through a visitor’s web browser. While Mozilla Firefox is noted as the most popular web browser supporting the GPC initiative, Google Chrome (which accounts for ~65% of the total browser market share) does not yet support the GPC signal by default. Currently, this means that visitors browsing the web via Google Chrome need an unofficial extension for their GPC opt-out and/or another extension that supports GPC, such as the DuckDuckGo Privacy Essentials extension.

For GPC signals to work on Google Chrome, visitors must actively download and install these extensions. This, in itself, can potentially leave the websites those visitors browse in non-compliance. Google Chrome may support GPC signals out-of-the-box in the future. However, Google tends to lean towards creating its own alternatives (e.g., Do Not Track) when it comes to data privacy (see the Privacy Sandbox initiative for more info). It is not clear at this time whether GPC signals, Google Chrome’s Do Not Track, and/or other generic “global privacy controls” will be accepted as the standard for the new CPRA regulation.

What can we do to be prepared?: In addition to conducting independent research, we recommend bringing this matter to the attention of your general counsel and/or data privacy attorney(s) to determine whether you must comply with upcoming regulatory changes and/or to ensure you are in full compliance. This may also include updating your website’s Privacy Policy and other materials.

With GPC signals affecting the cookie-driven Google Analytics, etc., incorporating RubyLaw Analytics into your site may be a good alternative. RubyLaw Analytics is fully privacy-compliant and offers added features and benefits integrated directly into the latest version of RubyLaw in 2023. Please contact support@rubensteintech.com for more information. 

What action will RubensteinTech take and when? Our guidance for firms that are looking to prepare for GPC signal compliance and other potential data privacy regulations is to update your website source code with a code snippet specially designed to detect GPC signals and automatically determine a visitor’s GPC settings. This update cannot be made through RubyLaw itself, but we can apply it to your website upon request.

With your website enabled to detect GPC signals, visitors can explicitly choose to not be tracked via GPC. Once that signal is detected, it becomes possible to automatically decline cookies for visitors. Further, depending on whether your site has a cookie banner (and the type of cookie banner), we may also recommend not displaying the cookie banner to provide a more user-friendly experience. 
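The detection and auto-decline flow described above can be sketched as follows. This is an added example, not RubensteinTech's snippet: it relies on the two signals defined by the GPC specification (the `Sec-GPC: 1` request header and `navigator.globalPrivacyControl`), while the cookie categories, tag names and the choice to let GPC override a stored consent are assumptions made for illustration.

```javascript
// Added example; category and tag names are hypothetical.

// Server side: a GPC-enabled browser sends the request header "Sec-GPC: 1".
// Header names are case-insensitive; any value other than "1" is no signal.
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') return String(value).trim() === '1';
  }
  return false;
}

// Client side: supporting browsers/extensions expose
// navigator.globalPrivacyControl === true. Undefined or false is no signal.
function gpcFromNavigator(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

const CATEGORIES = ['necessary', 'analytics', 'marketing'];

// Decide which cookie categories may load and whether to show the banner.
// Assumption of this example: a GPC signal overrides any stored consent.
function decideConsent({ gpc, storedConsent }) {
  if (gpc) {
    return { source: 'gpc', showBanner: false, allowed: ['necessary'] };
  }
  if (storedConsent) {
    const allowed = CATEGORIES.filter(
      (c) => c === 'necessary' || storedConsent[c] === true
    );
    return { source: 'stored', showBanner: false, allowed };
  }
  // No signal and no prior choice: load only necessary cookies, ask the visitor.
  return { source: 'default', showBanner: true, allowed: ['necessary'] };
}

// Constructed sample of third-party tags a site might load.
const SAMPLE_TAGS = [
  { name: 'session', category: 'necessary' },
  { name: 'web-analytics', category: 'analytics' },
  { name: 'ad-pixel', category: 'marketing' },
];

// Return the names of the tags permitted by a consent decision.
function tagsToLoad(tags, decision) {
  return tags
    .filter((t) => decision.allowed.includes(t.category))
    .map((t) => t.name);
}
```

In a browser, pass the real `navigator` object to `gpcFromNavigator`; on the server, pass the incoming request's header map to `gpcFromHeaders` so the decision is made before any tracking cookie is set.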

Other GPC-related aspects of the website can also be considered depending on your website’s specific features and functionality.

Please contact support@rubensteintech.com for more information. 

Firms looking to take a more comprehensive stance on GPC and overall data privacy will implement cookie managers on their website. The most notable cookie manager supporting the GPC initiative is OneTrust, which also shares some insights on GPC and their Cookie Consent offering, and includes options for GPC signal compliance regardless of the visitor’s browser. (Please note that the CivicUK Cookie Control and Cookiebot cookie managers do not appear to include GPC compliance by default. Please contact your cookie manager support teams for more information.)

If not already implemented as part of previous GDPR/CCPA measures, website administrators should also ensure visitor IP addresses are anonymized within Google Analytics. Moreover, website administrators should consider reaching out to all current marketing technology providers (e.g., email marketing, CRM, site checkers, etc.) to ask whether any measures surrounding GPC signals are necessary.

Please note: The above information should not be construed as legal advice. 

For more information on this matter, please visit the following websites:
California Consumer Privacy Act
Colorado Privacy Act
Europe’s General Data Protection Regulation
Global Privacy Controls Official Site
CCPA vs CPRA: What’s the Difference?

The above alert references one of the many regulatory changes surrounding data privacy and the web. For more information on previous data privacy posts, please review the following past client alerts and/or contact support@rubensteintech.com:
The Switch to GA4
The California Consumer Privacy Act (CCPA) Enforcement Date Is Approaching
If Your Firm Has An Active Security Policy, Considering Implementing CSP And HSTS
The European Union Parliament has approved the General Data Protection Regulation