On October 7, 2020, an organization named Global Privacy Control (“GPC”) issued a press release announcing an initiative to make a new “global privacy control” available to consumers as contemplated by the CCPA Regulations. As analyzed in prior advisories, the CCPA Regulations appear to revive the possibility for Do Not Track technology, albeit in the form of Do Not Sell signals automatically broadcast by user-controlled tools. The CCPA Regulations require businesses operating online to treat “user-enabled global privacy controls” – like “browser plug-in[s] or privacy setting[s]” – as valid Do Not Sell requests when the user controls “communicate or signal the consumer’s choice to opt-out of the sale of their personal information.” However, to date, it has been questionable whether any technology exists that fulfills this requirement. This is particularly the case since, despite years of discussion, an industry standard for Do Not Track does not yet exist.
GPC appears to be endeavoring to introduce the first technology that will enable users to send “global”, CCPA-relevant Do Not Sell signals as contemplated by the CCPA Regulations. In the initial experimental phase of the project, individuals will be able to download browser extensions from Abine, Brave, Disconnect, DuckDuckGo, and the Electronic Frontier Foundation that will communicate their “do not sell or share” preferences. An initial group of participating publishers (which appears to include the New York Times and the Washington Post) and content hosters (which appears to include WordPress), will implement a standard published by GPC that responds to the browser-transmitted Do Not Sell signal.
GPC indicates that it hopes for this project to lead to “an open standard that many other organizations will support.” At the same time, it also states it “look[s] forward to working with [California] AG [Xavier] Becerra to make GPC legally binding under CCPA.”
GPC is potentially an initial step towards global user controls and/or standards that companies may be obligated to implement under the CCPA Regulations. However, the CCPA Regulations do not themselves state how a browser plugin or technology standard will be recognized as a “global privacy control” that businesses are legally obligated to respond to. Industry participants will also recall the complexities that attended discussions to arrive at a universal Do Not Track standard.
Alston & Bird will closely follow this technology and provide updates as it develops.