I have been interested how brands and publishers have treated GPC (Global Privacy Control) after AG Bonta's action against Sephora:
As part of his ongoing efforts to enforce CCPA, Attorney General Bonta also sent notices today to a number of businesses alleging non-compliance relating to their failure to process consumer opt-out requests made via user-enabled global privacy controls, like the GPC. A global privacy control allows consumers to opt out of all online sales in one fell swoop by broadcasting a "do not sell" signal across every website they visit, without having to click on an opt-out link each time. Under the CCPA, businesses must treat opt-out requests made by user-enabled global privacy controls the same as requests made by users who have clicked the “Do Not Sell My Personal Information” link.
I expected quick response from brands and vendors doing business in California, but that doesn't seem to be the case -- yet.
Our browser fleet temporarily relocated to Bay Area 🌁 and then visited about 31 thousand sites that support the USP standard. The US Privacy String is not a perfect tool to understand data supply chains, but is by far the clearest message a site can send about its understanding of user choice in the US and a pleasure compared to the complex Transparency and Control Framework (TCF) in the EU/EEA.
Our browsers visited with both the header and Javascript GPC signal active, then checked the USP.
The results weren't great.
Fewer than 10% of sites assigned the correct value ("Y"), indicating the user has opted-out, after seeing our GPC signal. In our "control" visits without sending GPC signals about 2% of sites indicated a USP opt-out, meaning an even smaller portion actively flipped the opt-out bit. The remainder of sites either ignored GPC, or worse, declared that CCPA didn't apply to our throughly Californian browsers. OneTrust was the only consent platform that seemed to accept the signal at any material volume, though Google Funding Choices had a single success sneak in!
The silver lining is that the most highly-trafficked sites were significantly more likely to respect GPC: of the top five sites that support USP, four of them honored GPC. I hope their example will cascade down in short order, though CMP leadership is clearly needed as well.
We will continue to monitor GPC and hope to see improvement ahead of CPRA becoming operative on January 1st, 2023.
Questions and Thoughts?
We love leveraging data to answer questions about the adtech and media ecosystem. Drop us a line: hello@sincera.io.
--
*The best way to see the impact of GPC is to monitor which data flows are shut off in the event of a GPC-signalled opt-out. Sincera collects this data and may provide a deeper public analysis along these lines in the future.
I have been interested how brands and publishers have treated GPC (Global Privacy Control) after AG Bonta's action against Sephora:
As part of his ongoing efforts to enforce CCPA, Attorney General Bonta also sent notices today to a number of businesses alleging non-compliance relating to their failure to process consumer opt-out requests made via user-enabled global privacy controls, like the GPC. A global privacy control allows consumers to opt out of all online sales in one fell swoop by broadcasting a "do not sell" signal across every website they visit, without having to click on an opt-out link each time. Under the CCPA, businesses must treat opt-out requests made by user-enabled global privacy controls the same as requests made by users who have clicked the “Do Not Sell My Personal Information” link.
I expected quick response from brands and vendors doing business in California, but that doesn't seem to be the case -- yet.
Our browser fleet temporarily relocated to Bay Area 🌁 and then visited about 31 thousand sites that support the USP standard. The US Privacy String is not a perfect tool to understand data supply chains, but is by far the clearest message a site can send about its understanding of user choice in the US and a pleasure compared to the complex Transparency and Control Framework (TCF) in the EU/EEA.
Our browsers visited with both the header and Javascript GPC signal active, then checked the USP.
The results weren't great.
Fewer than 10% of sites assigned the correct value ("Y"), indicating the user has opted-out, after seeing our GPC signal. In our "control" visits without sending GPC signals about 2% of sites indicated a USP opt-out, meaning an even smaller portion actively flipped the opt-out bit. The remainder of sites either ignored GPC, or worse, declared that CCPA didn't apply to our throughly Californian browsers. OneTrust was the only consent platform that seemed to accept the signal at any material volume, though Google Funding Choices had a single success sneak in!
The silver lining is that the most highly-trafficked sites were significantly more likely to respect GPC: of the top five sites that support USP, four of them honored GPC. I hope their example will cascade down in short order, though CMP leadership is clearly needed as well.
We will continue to monitor GPC and hope to see improvement ahead of CPRA becoming operative on January 1st, 2023.
Questions and Thoughts?
We love leveraging data to answer questions about the adtech and media ecosystem. Drop us a line: hello@sincera.io.
--
*The best way to see the impact of GPC is to monitor which data flows are shut off in the event of a GPC-signalled opt-out. Sincera collects this data and may provide a deeper public analysis along these lines in the future.