In November 2020, California voters enacted the California Privacy Rights Act (CPRA) by ballot initiative. The law endorses a new option for businesses to accept consumer requests under CPRA to opt out of the sale or sharing of their personal information and to limit the use or disclosure of their sensitive personal information. In lieu of a “Do Not Sell/Share” button or webform, the ballot initiative encourages businesses to recognize signals from Global Privacy Controls (GPCs) sent via “platform, technology, or mechanism” to a business. At the same time, CPRA leaves many details undefined pending regulatory input on technical specifications and operational considerations.
Today, IAB is releasing a white paper that explores key topics that will determine if GPCs succeed in reflecting consumer preferences in an efficient manner that balances business, consumer, and regulator interests. Our white paper reviews the legal basis for GPCs in California law, discusses operational considerations for GPCs related to identity verification, consent, and preference management, and explores the built-in safeguards included in the CPRA to protect both consumers’ interests and competition in the design and implementation of GPCs. We also discuss pertinent considerations for design of technical standards to implement GPCs consistent with IAB Tech Lab’s work on the opt out of sale preference signal.
Our white paper comes at a significant time of transition in California privacy law. In 2019, the California Attorney General issued rules under the CCPA requiring that companies comply with GPC signals. Recently, the California AG has signaled its intent to continue actively enforcing these rules. However, the CPRA takes a markedly different approach to GPCs, focusing on competition, fairness, and choice in adoption of GPCs, and providing the new California Privacy Protection Agency (CPPA) broad rulemaking authority to set fair rules of the road for implementation of GPCs. IAB’s white paper informs the discussion during this period of transition between these differing approaches to GPCs.
Successful implementation of GPCs will require a thoughtful approach to the upcoming rulemaking process with feedback from industry, regulators, and consumers. IAB is committed to convening and facilitating discussions on GPCs as this issue becomes increasingly important to provide a common technical solution for complying with new privacy laws enacted at the state level.
Download the Global Privacy Controls White Paper