Global Privacy Control Returns to the Spotlight for Numerous State Regulators

Earlier this month, California Attorney General Rob Bonta and the California Privacy Protection Agency joined the attorneys general of Colorado and Connecticut in announcing an investigative sweep to enforce compliance with the states’ Global Privacy Control requirements. The sweep follows previous million-dollar settlements across several industries for failures to comply with GPC laws.
GPC is a specification that can be implemented through web browser settings or extensions to inform businesses of a website visitor’s privacy preferences, specifically regarding the selling and sharing of that user’s data. When a user has GPC turned on, websites subject to data privacy laws with “do not sell” or “do not share” requirements are expected to honor the choice expressed through the GPC signal. The specification also gives websites a mechanism to indicate that they support it.
As part of the regulatory sweep, an initial group of businesses identified as potentially in violation of GPC requirements have received letters demanding immediate action to come into compliance with the states’ regulations. Although these requirements have been in place for approximately five years (since the California Consumer Privacy Act was enacted), many organizations, including those that have received or are set to receive a notification from the California, Colorado and Connecticut coalition, are unaware that their website consent management controls do not comply with GPC requirements. In fact, a study by researchers at Arizona State University found that out of approximately 2,000 sites that serve California residents, including many large brands, only 14% were implementing the GPC signal in compliance with the researchers’ interpretation of California law.
A large part of the challenge in establishing GPC compliance is that the backend systems that manage websites and online trackers are part of a complex technical ecosystem that is not always easily understood or managed. Moreover, organizations often have a false sense of security that they are automatically in compliance if they have a consent management platform — technology used to capture and manage user opt-in and opt-out choices — in place for their websites. Simply having the technology does not guarantee compliance with state-by-state privacy laws.
These tools, their integration with other systems and the data sharing agreements an organization has in place with partners must all be understood, inventoried, configured and designed to adhere to customer requests that their information not be sold or shared with third parties. This requires evaluating the infrastructure and making the necessary adjustments to online and offline processes and agreements so that they consistently default to honoring site visitors’ GPC signals.
FTI Technology supports clients with this complex process, helping to test the GPC on their websites to determine whether the controls are working, how the technologies are categorized, and what potential risks exist in their third-party contracts. In looking at online and offline data flows, experts can help organizations mitigate the risk of a GPC violation. Key areas of review and remediation include:
- Online systems integration. When a visitor’s browser sends the GPC signal, the site must carry out a series of coordinated and often complicated actions: a consent management platform integrated with a tag management system (which controls the pixels and tags deployed on each site visit) must suppress the trackers that collect, sell or share data with third parties. It is easy for a regulatory agency to visit any website and determine whether this is being handled correctly.
- Consent management configuration. It’s important to understand how a consent management platform turns off data sharing mechanisms when it detects that a website visitor has GPC turned on. Does it apply GPC in the most restrictive way, or does an explicit user choice take precedence (i.e. interacting with the banner while GPC is enabled)? In either case, companies need to ensure their notice is accurate and explains how the controls function. Additional configuration and coding to alert the user when settings change may also be required. Regulatory agencies appear keen to enforce that websites always honor GPC when it is turned on, and their position is that a site which does not default to the user’s strictest settings is violating the do not sell and do not share requirements.
- Tracking technology categorization. Websites often contain hundreds of trackers and cookies that collect and transfer information in the background. It’s common for businesses to not have these properly mapped out and categorized by how they collect, interact with, store and share user data. Any incorrect categorizations can lead to failures in suppressing the correct trackers in response to GPC, even if the consent management platform is properly configured. Organizations should perform due diligence to categorize and test trackers in both the consent management platform and tag management system to bring them into compliance.
- Offline controls. The general expectation of laws like the California Consumer Privacy Act and other state privacy laws is that once an organization has the identifiers in place to recognize users, their online privacy preferences should carry over into the offline world: customer data platforms, membership applications, patient portals, etc. So, if a user has told the business not to sell their data through GPC, the company should prevent that data from leaving internal platforms for external ones unless the appropriate contractual requirements are in place.
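As an added illustration (not the page’s or FTI Technology’s code) of how the first three review areas fit together: reading the GPC signal the way the specification exposes it, gating tags by category under a most-restrictive rule, and flagging a tracker whose category hides its third-party sharing. The category taxonomy, the sample tag inventory and the helper names are constructed assumptions; only `navigator.globalPrivacyControl` and the `Sec-GPC: 1` header come from the GPC specification.

```javascript
// Added example, not the page's code. Per the GPC specification, browsers expose
// the signal as navigator.globalPrivacyControl and send the header "Sec-GPC: 1".
// Everything else here (categories, inventory, helper names) is constructed.

// Tracker categories the CMP treats as a sale or share of personal information
// (constructed taxonomy; a real CMP's category names will differ).
const SALE_SHARE_CATEGORIES = new Set(["advertising", "social-media", "retargeting"]);

// Read the signal client-side (navigator) or server-side (request headers).
function gpcEnabled(nav = {}, headers = {}) {
  if (nav.globalPrivacyControl === true) return true;
  const value = headers["sec-gpc"] ?? headers["Sec-GPC"];
  return value === "1";
}

// Decide whether one tag may fire. Most-restrictive rule: a banner opt-out always
// wins, GPC suppresses every sale/share tag even after a banner opt-in, and only
// strictly necessary tags fire when no consent has been recorded at all.
function decide(tracker, { gpc, bannerChoice }) {
  if (tracker.category === "essential") return { load: true, reason: "strictly necessary" };
  if (bannerChoice === "opt-out") return { load: false, reason: "banner opt-out" };
  if (gpc && SALE_SHARE_CATEGORIES.has(tracker.category)) return { load: false, reason: "GPC signal" };
  if (bannerChoice === "opt-in") return { load: true, reason: "banner opt-in" };
  return { load: false, reason: "no consent recorded" };
}

// Apply the decision to the whole tag inventory for one page visit.
function evaluateTrackers(trackers, ctx) {
  return trackers.map((t) => ({ id: t.id, ...decide(t, ctx) }));
}

// Audit helper: a tag that ships data to a vendor but sits outside the sale/share
// categories slips past the GPC rule above even when the CMP itself is configured
// correctly. This is the categorization failure described in the text.
function findMiscategorized(trackers) {
  return trackers
    .filter((t) => t.sharesWithThirdParty && !SALE_SHARE_CATEGORIES.has(t.category))
    .map((t) => t.id);
}

// Constructed sample inventory; "retarget-tag" is deliberately miscategorized.
const SAMPLE_TRACKERS = [
  { id: "session-cookie", category: "essential", sharesWithThirdParty: false },
  { id: "ad-pixel", category: "advertising", sharesWithThirdParty: true },
  { id: "site-analytics", category: "analytics", sharesWithThirdParty: false },
  { id: "retarget-tag", category: "functional", sharesWithThirdParty: true },
];

const gpc = gpcEnabled({ globalPrivacyControl: true });
console.log(evaluateTrackers(SAMPLE_TRACKERS, { gpc, bannerChoice: "opt-in" }));
console.log("miscategorized:", findMiscategorized(SAMPLE_TRACKERS));
```

Run as-is, the output shows `ad-pixel` suppressed by the GPC signal despite the banner opt-in, while the miscategorized `retarget-tag` still loads and is surfaced only by the audit helper.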
This is a common problem for many organizations and leaves them potentially exposed to GPC violations and other data privacy compliance failures. To ensure proper offline data handling, organizations should establish a clear understanding of their data flows and ensure that suppression flags follow the data throughout its offline lifecycle. This includes analyzing and managing contracts with service providers and partners to avoid any agreements that allow non-compliant data sharing with third parties.
As the GPC sweep gets underway, many organizations that think they are acting in compliance may find that there are serious gaps in their controls. Having some controls in place through an out-of-the-box consent management platform is a good starting place and may seem sufficient. However, that is but one step, as those platforms alone do not ensure compliance. Further testing, auditing and configuration across the nuanced adtech ecosystem, along with an understanding of the contractual obligations and an ongoing governance process are required to continue to meet the requirements of GPC and other data privacy obligations. Getting ahead of an enforcement action with a proactive assessment and remediation exercise will be key in avoiding regulatory scrutiny and the possibility of facing a large penalty or litigation exposure like some companies already have.
FTI Technology’s adtech privacy compliance experts reduce risk for clients and provide expert guidance related to the use of ad tracking tools by employing technology and workflows to perform forensically sound assessments, data collection, source code review and remediation, as well as ongoing monitoring, technology advisory and implementation services.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.