FAQ item index

Indexed coverage: 40 of 40 items across 13 modules • Updated May 9, 2026
Author: Sorena AI
Published: May 9, 2026
Updated: May 9, 2026

CCPA Global Privacy Control (GPC): team obligations and technical implementation

What is GPC and how should teams handle it under the US CCPA?

GPC, or Global Privacy Control, is a browser or device privacy signal that tells a business the consumer wants to opt out of sale or sharing of personal information. Under the CCPA, businesses that sell or share personal information must process a valid opt-out preference signal as an opt-out request for that browser or device, and for the consumer when the business knows who the consumer is.

Teams should treat a GPC signal as an opt-out request, not as a general privacy preference. The practical response is to stop the sale or sharing that the signal covers, update the consumer's status where the business knows the consumer, and keep evidence of how the request was handled and when it was reviewed.

  • Write the GPC decision in one sentence before drafting controls.
  • Attach the external source URL and a short source quote to the evidence record.
  • Route unclear cases to legal, privacy, security, or compliance review before launch.

What evidence should teams keep for GPC under the US CCPA?

Useful evidence is not just a privacy policy. Keep the source, threshold notes, notice screenshots, request logs, opt-out/GPC tests, vendor terms, and approval trail together.

  • Source URL and quote used for the decision.
  • Scope notes, screenshots, data-flow or system references, and role mapping.
  • Implementation ticket, approval record, exception notes, and review date.

Which mistakes create risk when handling GPC under the US CCPA?

The common failure pattern is treating CCPA as one static notice instead of checking each collection point, sale/share flow, consumer request, GPC signal, and vendor restriction against current source material.

  • Using an old threshold, deadline, source page, or contract template without checking current source text.
  • Treating a source-linked exception as a general exemption for every product or data flow.
  • Publishing notices, controls, or answers that do not match the actual product behavior.
How should teams decide whether US CCPA applies?

How should teams decide whether US CCPA applies?

Teams should treat Thresholds under the US CCPA as a source-linked operating decision. First check whether the organization meets the definition of a business by doing business in California and satisfying at least one of these thresholds: annual gross revenues in excess of $25 million in the preceding calendar year; annually buying, selling, or sharing the personal information of 100,000 or more consumers or households; or deriving 50 percent or more of annual revenues from selling or sharing consumers' personal information. If a company does not meet one of those thresholds, it may still be covered if it controls or is controlled by a business, shares common branding with it, and shares consumers' personal information; if it is a joint venture or partnership in which each business has at least a 40 percent interest; or if it is a person that voluntarily certifies compliance to the California Privacy Protection Agency.

Once the threshold test is met, confirm which CCPA duties apply at the collection point, including notice at collection, privacy policy disclosures, consumer rights, do-not-sell/share controls, GPC, service-provider restrictions, and enforcement exposure, then assign the team that can change the process and keep evidence showing the action and review trigger.

The safest first step is to identify the collection point, consumer right, sale/share status, GPC signal, vendor role, and applicable threshold before assigning the CCPA action.

  • Write the Thresholds decision in one sentence before drafting controls.
  • Attach the external source URL and a short source quote to the evidence record.
  • Route unclear cases to legal, privacy, security, or compliance review before launch.

What evidence should teams keep for Thresholds under the US CCPA?

Useful evidence is not just a privacy policy. Keep the source, threshold notes, notice screenshots, request logs, opt-out/GPC tests, vendor terms, and approval trail together.

  • Source URL and quote used for the decision.
  • Scope notes, screenshots, data-flow or system references, and role mapping.
  • Implementation ticket, approval record, exception notes, and review date.

Which mistakes create risk when handling Thresholds under the US CCPA?

The common failure pattern is treating CCPA as one static notice instead of checking each collection point, sale/share flow, consumer request, GPC signal, and vendor restriction against current source material.

  • Using an old threshold, deadline, source page, or contract template without checking current source text.
  • Treating a source-linked exception as a general exemption for every product or data flow.
  • Publishing notices, controls, or answers that do not match the actual product behavior.
What should teams do about consumer request verification under the CCPA?

What should teams do about DSAR Verification under the US CCPA?

Teams should treat DSAR Verification under the US CCPA as a source-linked operating decision: confirm which request is being handled, whether verification is required, what method the business must offer, and what evidence shows the process was documented and applied consistently.

The safest first step is to separate requests to delete, correct, or know from requests to opt out of sale/sharing or to limit the use of sensitive personal information, because the CCPA treats those request types differently.

  • Write the DSAR Verification decision in one sentence before drafting controls.
  • Attach the external source URL and a short source quote to the evidence record.
  • Route unclear cases to legal, privacy, security, or compliance review before launch.

What evidence should teams keep for DSAR Verification under the US CCPA?

Useful evidence is not just a privacy policy. Keep the source, threshold notes, request-form screenshots, verification rules, request logs, and approval trail together.

  • Source URL and quote used for the decision.
  • Scope notes, screenshots, data-flow or system references, and role mapping.
  • Implementation ticket, approval record, exception notes, and review date.

Which mistakes create risk when handling DSAR Verification under the US CCPA?

The common failure pattern is treating every request the same instead of checking whether the business must offer two designated submission methods, whether the request is verifiable, and whether the consumer is already using a password-protected account.

  • Using one request form for every CCPA right without checking the different verification rules.
  • Requiring identity verification for opt-out of sale/sharing or limit requests when the regulations do not allow it.
  • Asking for more personal information than is reasonably needed to verify a delete, correct, or know request.
What should teams do about Dark Patterns under the US CCPA?

What should teams do about Dark Patterns under the US CCPA?

Teams should treat Dark Patterns under the US CCPA as a source-linked operating decision: confirm whether the issue affects business-threshold status, notice at collection, privacy policy disclosures, consumer rights, do-not-sell/share controls, GPC, service-provider restrictions, or enforcement exposure, assign the team that can change the process, and keep evidence showing the action and review trigger.

The safest first step is to identify the collection point, consumer right, sale/share status, GPC signal, vendor role, and applicable threshold before assigning the CCPA action.

  • Write the Dark Patterns decision in one sentence before drafting controls.
  • Attach the external source URL and a short source quote to the evidence record.
  • Route unclear cases to legal, privacy, security, or compliance review before launch.

What evidence should teams keep for Dark Patterns under the US CCPA?

Useful evidence is not just a privacy policy. Keep the source, threshold notes, notice screenshots, request logs, opt-out/GPC tests, vendor terms, and approval trail together.

  • Source URL and quote used for the decision.
  • Scope notes, screenshots, data-flow or system references, and role mapping.
  • Implementation ticket, approval record, exception notes, and review date.

Which mistakes create risk when handling Dark Patterns under the US CCPA?

The common failure pattern is treating CCPA as one static notice instead of checking each collection point, sale/share flow, consumer request, GPC signal, and vendor restriction against current source material.

  • Using an old threshold, deadline, source page, or contract template without checking current source text.
  • Treating a source-linked exception as a general exemption for every product or data flow.
  • Publishing notices, controls, or answers that do not match the actual product behavior.
What should teams do about Data Broker Crossover under the US CCPA?

What should teams do about Data Broker Crossover under the US CCPA?

Teams should treat Data Broker Crossover under the US CCPA as a source-linked operating decision: confirm whether the issue affects business-threshold status, notice at collection, privacy policy disclosures, consumer rights, do-not-sell/share controls, GPC, service-provider restrictions, or enforcement exposure, assign the team that can change the process, and keep evidence showing the action and review trigger.

The safest first step is to identify the collection point, consumer right, sale/share status, GPC signal, vendor role, and applicable threshold before assigning the CCPA action.

  • Write the Data Broker Crossover decision in one sentence before drafting controls.
  • Attach the external source URL and a short source quote to the evidence record.
  • Route unclear cases to legal, privacy, security, or compliance review before launch.
Citations
Laws & Regulations

CPPA source confirming CalPrivacy implements and enforces both the CCPA and the Delete Act for data broker crossover issues.

What evidence should teams keep for Data Broker Crossover under the US CCPA?

Useful evidence is not just a privacy policy. Keep the source, threshold notes, notice screenshots, request logs, opt-out/GPC tests, vendor terms, and approval trail together.

  • Source URL and quote used for the decision.
  • Scope notes, screenshots, data-flow or system references, and role mapping.
  • Implementation ticket, approval record, exception notes, and review date.
Citations
Laws & Regulations

CPPA source confirming CalPrivacy implements and enforces both the CCPA and the Delete Act for data broker crossover issues.

Which mistakes create risk when handling Data Broker Crossover under the US CCPA?

The common failure pattern is treating CCPA as one static notice instead of checking each collection point, sale/share flow, consumer request, GPC signal, and vendor restriction against current source material.

  • Using an old threshold, deadline, source page, or contract template without checking current source text.
  • Treating a source-linked exception as a general exemption for every product or data flow.
  • Publishing notices, controls, or answers that do not match the actual product behavior.
Citations
Laws & Regulations

CPPA source confirming CalPrivacy implements and enforces both the CCPA and the Delete Act for data broker crossover issues.

What should teams do about Do not sell or share under the US CCPA?

What should teams do about Do not sell or share under the US CCPA?

Start with what the right means: "sell" is disclosing personal information to a third party for monetary or other valuable consideration, and "share" is disclosing it to a third party for cross-context behavioral advertising, with or without payment. A business that does either must let consumers opt out (usually a "Do Not Sell or Share My Personal Information" link), must honor an opt-out preference signal such as Global Privacy Control as a valid request, and must then stop selling or sharing that consumer's data.

Teams should then treat Do not sell or share as a source-linked operating decision: confirm whether the issue affects business-threshold status, notice at collection, privacy policy disclosures, consumer rights, do-not-sell/share controls, GPC, service-provider restrictions, or enforcement exposure, assign the team that can change the process, and keep evidence showing the action and review trigger.

The safest first step is to identify the collection point, consumer right, sale/share status, GPC signal, vendor role, and applicable threshold before assigning the CCPA action.

  • Write the Do not sell or share decision in one sentence before drafting controls.
  • Attach the external source URL and a short source quote to the evidence record.
  • Route unclear cases to legal, privacy, security, or compliance review before launch.

What evidence should teams keep for Do not sell or share under the US CCPA?

Useful evidence is not just a privacy policy. Keep the source, threshold notes, notice screenshots, request logs, opt-out/GPC tests, vendor terms, and approval trail together.

  • Source URL and quote used for the decision.
  • Scope notes, screenshots, data-flow or system references, and role mapping.
  • Implementation ticket, approval record, exception notes, and review date.

Which mistakes create risk when handling Do not sell or share under the US CCPA?

The common failure pattern is treating CCPA as one static notice instead of checking each collection point, sale/share flow, consumer request, GPC signal, and vendor restriction against current source material.

  • Using an old threshold, deadline, source page, or contract template without checking current source text.
  • Treating a source-linked exception as a general exemption for every product or data flow.
  • Publishing notices, controls, or answers that do not match the actual product behavior.
What should teams do about Financial Incentives under the US CCPA?

When does the CCPA require a financial incentive notice?

Teams should treat Financial Incentives under the US CCPA as a source-linked operating decision: confirm whether the issue affects business-threshold status, notice at collection, privacy policy disclosures, consumer rights, do-not-sell/share controls, GPC, service-provider restrictions, or enforcement exposure, assign the team that can change the process, and keep evidence showing the action and review trigger.

The safest first step is to identify the collection point, whether the business offers a financial incentive or price or service difference, and what information the notice must explain before a consumer opts in.

  • Write the Financial Incentives decision in one sentence before drafting controls.
  • Attach the external source URL and a short source quote to the evidence record.
  • Route unclear cases to legal, privacy, security, or compliance review before launch.

What evidence should teams keep for Financial Incentives under the US CCPA?

Useful evidence is not just a privacy policy. Keep the source, threshold notes, notice screenshots, request logs, opt-out/GPC tests, vendor terms, and approval trail together.

  • Source URL and quote used for the decision.
  • Scope notes, screenshots, data-flow or system references, and role mapping.
  • Implementation ticket, approval record, exception notes, and review date.