This article was co-authored with Lucas Walshe, digital analytics consultant at fifty-five.
Privacy is becoming increasingly important in the U.S. With more than 20 states now enforcing privacy laws, companies face a patchwork of regulatory requirements, further complicated by limited case law and formal guidance. However, the state leading the way — California — has ramped up enforcement of its landmark legislation, the CCPA, with fines multiplying since 2021.
This increase in regulatory action is giving marketers and legal teams clearer signals about expectations. One of the main areas of focus is Global Privacy Control (GPC), a mechanism that allows users to explicitly opt out of the sale or sharing of their personal data. In this article, we’ll explain what GPC is, how to ensure GPC signals are respected on your website and what the impacts of GPC are on your activities.
What is GPC?
Global Privacy Control was created in 2020 by a coalition composed primarily of academics, privacy-focused technology companies, including Brave and DuckDuckGo, and newspapers such as The New York Times and the Financial Times. Its goal was to simplify online personal data protection. One of its objectives was to establish a system that would be truly actionable, unlike options such as Do Not Track, a browser setting that’s ignored mainly by websites and carries no enforcement consequences.
The feature is accessible through plug-ins on major browsers, including Chrome and Safari, and through built-in settings on others, especially Mozilla Firefox and Brave. Once activated, the signal can be read by websites via JavaScript.
California quickly recognized GPC as a valid way for users to signal to every website they visit that they don’t agree to their data being sold or shared, using the terminology defined in the CCPA. Beginning in 2022 with the Sephora case, which carried a $1.2 million fine, regulators have issued multiple penalties to companies that failed to respect GPC signals. Given the increased pace of enforcement actions by the CPPA, more companies are now scrambling to implement tools that enable them to honor GPC signals properly. However, it isn’t always clear how to do so.
How to ensure GPC signals are honored
Option 1: Via your CMP provider
Consent management platforms (CMPs) offer multiple products, the best known being cookie banners. Although each provider uses its own system, the baseline is similar across providers. A hyperlink is placed on every page and loads the cookie banner when users first land on the website. Marketing or legal teams can configure the banner through an online platform and update it in real time. They also have access to detailed records to support traceability.
Today, most CMP providers offer GPC signal features, enabling websites to detect when GPC has been activated automatically. Once detected, data collection related to data sales or sharing can be blocked using standard variables, usually through a tag management system (TMS).
This is by far the easiest method. Given current trends in U.S. privacy regulation, if you don’t yet have a cookie banner provider, it’s worth considering this option to simplify privacy management in the near term.
The SEO toolkit you know, plus the AI visibility data you need.
Option 2: Via a custom system
All websites can read GPC signals, and custom methods are available for organizations that don’t use a CMP or prefer a different approach.
The best-known custom system was developed by The Washington Post and Wesleyan University and involves implementing a JSON file. This system offers greater transparency, but it may be more difficult to deploy at scale, especially for websites with thousands of pages, and may provide less traceability.
Whichever method you choose, conduct extensive testing to ensure that all data sale or sharing has been effectively blocked. You should also work closely with your legal department to determine whether records of those tests should be retained.
Impacts of GPC on your company
Marketing impacts have been very limited to date. Although GPC proponents claim that 150 million people use GPC, which would represent about 3% of all internet users, the share of traffic carrying the signal appears to be much lower. Many users don’t consistently activate GPC across devices. For example, they may enable it on a laptop but not on mobile.
Based on our investigations, it’s virtually impossible to determine the share of traffic with GPC activated. Precise figures can’t be calculated because GPC limits specific data collection mechanisms. When we’ve activated these features with clients, we haven’t observed any measurable impact.
In other words, traffic carrying GPC is indistinguishable from normal traffic variation, at least for now. As a result, U.S. marketers tend to show less interest in the topic than their European counterparts, who face cookie rejection rates of up to 50%.
However, legal risks are real and immediate. As noted earlier, multiple fines above $1 million have already been levied against businesses for, among other things, failing to comply with GPC signals.
As privacy lawsuits increase in California and elsewhere, legal departments must work closely with marketing and IT teams to ensure tracking implementations are compliant. They also need to establish processes to maintain compliance over time. This often depends on translators — team members who understand both legal requirements and marketing data collection.
In the future, GPC may become more widespread, especially if major browsers such as Chrome and Safari integrate it natively. In that scenario, data volumes could decrease significantly. Marketers should continue monitoring these developments. If adoption accelerates, they’ll need to take steps to mitigate potential data loss.
Limited marketing impact, rising legal risk
Privacy in the U.S. is here to stay. GPC, driven in part by California’s leadership, is now a meaningful component of the compliance framework companies across the country must follow. Although the impact on data collection remains limited, enforcement actions and fines are increasing.
Organizations need to act now to remain compliant and avoid unexpected penalties. They should also continue monitoring privacy trends to ensure both compliance and effective marketing performance.
The post GPC compliance must be a legal priority for U.S. marketers appeared first on MarTech.