GPC under the GDPR

As always, this blog post is not legal advice. If you're tempted to take legal advice from some guy's blog on the Internets, don't.

The Global Privacy Control is making steady progress towards adoption. As a global signal supported by browsers, it's a natural question to ask what it means under regimes such as the GDPR. Here's my personal take.

The CCPA has a "Do Not Sell" right that allows people to opt out of their data being sold to third parties. The GPC spec is meant to support that right, but not just in California: I believe that it work under the GDPR as well. The GDPR equivalent of a Do Not Sell / Do Not Share mechanism is processing that is limited to a single data controller, which has to be the first party (as defined in DNT, being the party the data subject intends to interact with).

The manner in which this is implemented depends on the legal basis that the first party data controller is relying upon:

• Where the legal basis is consent, the data subject is withdrawing their consent under Article 7(3) specifically to processing by data controllers other than the first party and to processing of the first party to transfer data to other data controllers. (As understood in FashionID.)
• Where the legal basis is legitimate interest or public interest, the data subject is objecting to processing by data controllers other than the first party and to processing of the first party to transfer data to other data controllers under Article 21(1-3, 5).
• The signal has no effect if the legal basis is contractual, legal obligation, or vital interests.

It is important to note that the GPC signal does not withdraw consent to local storage under the ePrivacy Directive nor does it convey an objection to the first party’s direct marketing processing carried out under legitimate interest, as described in Article 21(2). There may be value in thinking about those rights as well, but they do not correspond to refusing the sale of one's data.

The Article 21 right to object is not an absolute right and, similar to the CCPA, the data controller may assert that it has compelling legitimate grounds to continue processing data. I would note however that carrying out controller-to-controller data processing under legitimate interest could already be seen as risky; continuing to do so over the objection of the data subject strikes me as at best an adventurous position.

Lawyers often react to this understanding by stating that withdrawal of consent or objection to processing can only be for specific purposes. I know of no part of the GDPR, EDPB guidance, or jurisprudence supporting that view. Obtaining consent and producing a Legitimate Interest Assessment do indeed need to work from specific purposes; but this does not entail that exercising data subject rights falls under the same obligations.

A salient question is whether the GPC signal can, when exercising the Article 7(3) withdrawal of consent, take precedence over consent that may have been obtained in other ways. Which has the final say as representing the data subject’s intent? One misperception is that if the data subject configures their browser to transmit a GPC signal and later consents to a site’s processing, then the latter would take precedence. This is misunderstanding the architecture of the Web. As described in Architecture of the World Wide Web, Volume One, “[a] user agent acts on behalf of a user.” The underlying idea is that the user gives instructions to their agent such that the agent will then represent them — automatically — in all future interactions.

Understanding that the browser, being the user’s agent, is acting as an automated mean to tirelessly represent the user’s will makes it clear that a GPC signal, being attached to each request as if it were the user’s action repeated each time, takes precedence over a previously given, less specific consent for instance using a CMP banner meant to apply to the whole site. One clear goal of GPC is to rely on the browser to rectify the automation asymmetry between data subjects and websites, and to render user-hostile practices such as modal banners. Understanding the browser's role in proxying for the data subject is key to making it work.

This leaves the case in which the user is providing consent not for a whole site but specifically for one given interaction with the service (for instance the users is submitting a form that is clearly labelled to indicate that the data will be shared with another controller). I would say that within the scope of this request and this request only which has a clear user action associated with it, then the attached consent, assuming it is sufficiently informed, would take precedence over the automated GPC signal.