Global Privacy Control

Global Privacy Control (GPC) is a browser standard that provides users with a cross-domain way to indicate that they generally don’t consent to the sale or sharing of their personal data.

How it works

Global Privacy Control (GPC) is a browser standard that provides users with a cross-domain way to indicate that they generally don’t consent to the sale or sharing of their personal data. GPC is similar to the Do Not Track option already offered by many browsers. It’s a browser-level opt-out option designed to save users from having to manually opt out on each individual website.

The flow between GPC and Tealium consent management is described in the figure below. It’s important that users have the ability to opt in to individual websites and override their GPC signal.

Server-side support

The GPC spec exposes a global boolean which is used in the client-side code below:

navigator.globalPrivacyControl

and sets a header on all outgoing requests:

Sec-GPC: 1

Tealium server-side customers can add the event-level attribute global_privacy_control_opt_out, which is populated on each event with the Global Privacy Control header (Sec-GPC). No event-level attribute is added automatically in the UI. Possible values are true (Sec-GPC: 1) or false (Sec-GPC:0). When there is no header, that attribute is not added to the incoming event payload at all.

Client-side support

Since the signal is a simple Boolean, CCPA and similar regulations are the most relevant and accepted application today. However, there are plans to develop a similar standard for GDPR in the future.

CCPA Module

From cmDoNotSell v1.1.0, the logical flow from the diagram above is implemented in the CCPA module.

Since the GPC signal is intended for opt-out models such as CCPA/CPRA and not opt-in models such as GDPR, no other modules have been updated. However, GPC logic can be added individually by editing templates as needed.

Was this page helpful?

This page was last updated: January 7, 2023