Global Privacy Control (GPC) has been recognized as a mechanism under the California Consumer Privacy Act (CCPA) for several years, requiring businesses to detect and honor the signal. Starting in January 2027, California will require all major browsers to include built-in functionality that allows users to enable GPC. This shift reinforces its position as a key compliance mechanism in the U.S., one that organizations operating in California must be ready to support.
Beyond compliance, GPC has potential operational and revenue implications for publishers and advertisers. As browser-level opt-outs become more common, businesses may see a measurable increase in automatic opt-out traffic affecting audience addressability, ad personalization, and monetization strategies.
For a brief overview on the latest news surrounding GPC in California, check out what our Chief Privacy Officer, Thomas Adhumeau, had to say when we discussed the topic with him in the video below, or continue reading to learn about how GPC works, why it matters, and why it is rapidly becoming a crucial standard for companies operating in the U.S.
What is Global Privacy Control (GPC) and how does it work?
GPC is a browser-level signal that automatically communicates a user’s choice to exercise certain applicable opt-out rights across all websites that the user visits.
It was developed by a coalition of privacy advocates, academics, and companies as a universal, machine-readable “Do Not Sell” signal, and it has been recognized under many state comprehensive privacy laws as a valid “universal opt-out mechanism” (UOOM) or “opt-out preference signal” (OOPS), triggering the obligation to opt the user out of the sale and sharing of personal information or targeted advertising, depending on the applicable law.

When a user enables GPC in their browser or a browser extension, it sends a signal to every website they visit. For organizations, this signal must be detected and treated in accordance with applicable privacy laws.
For example, if the user is a California resident (and the organization is subject to the California Consumer Privacy Act (CCPA)), the signal must be treated as a valid request to opt the user out of the sale and sharing of personal information.
Now that we’ve covered what GPC is and how it works, let’s look at why adoption and enforcement are accelerating.
Why GPC is gaining momentum (2025–2027)
In October 2025, California Governor Gavin Newsom signed the Opt Me Out Act (AB 566), making California the first state to require all browsers to include built-in functionality by January 1, 2027, enabling consumers to send opt-out preference signals to all websites they visit.
Such functionality must be easy to locate and configure, and public disclosures must clearly describe how the opt-out preference signal works, its intended effect, and whether the company has processed its consumers’ opt-out preference signals.
This follows years of relatively sparse voluntary adoption by browsers (Mozilla Firefox, Brave, and DuckDuckGo) and browser extensions. Under the new law, however, major browsers, such as Google Chrome, Apple Safari, and Microsoft Edge, will be required to offer GPC capabilities and take measures to ensure they are clearly described, easy to locate, and easily configurable. At the very least, this will lead to increased consumer awareness of GPC and likely increased consumer adoption as well.
For businesses, this means a likely increase in opt-out requests submitted automatically and at scale, without necessarily considering the website at issue.
That shift has immediate compliance implications. Starting in 2026, multiple states require businesses to recognize universal opt-out signals.
GPC requirements for businesses in 2026
As of January 1, 2026, twelve U.S. states will require businesses that sell or share personal information (or engage in targeted advertising) to honor opt-out preference signals (OOPSs) or universal opt-out mechanisms (UOOMs):
- California (California Consumer Privacy Act)
- Colorado (Colorado Privacy Act)
- Connecticut (Connecticut Data Privacy Act)
- Delaware (Delaware Personal Data Privacy Act)
- Iowa (Iowa Consumer Data Protection Act)
- Nebraska (Nebraska Data Privacy Act)
- New Hampshire (New Hampshire Privacy Act)
- New Jersey (New Jersey Data Privacy Act)
- Oregon (Oregon Consumer Privacy Act)
- Texas (Texas Data Privacy & Security Act)
- Utah (Utah Consumer Privacy Act)
- Virginia (Virginia Consumer Data Protection Act)
In practice, this means that when a resident of one of these states visits a website with an OOPS or UOOM enabled (such as Global Privacy Control), businesses must treat that signal as if the user had manually opted out through the site’s own privacy settings. The opt-out must be applied automatically, without requiring any additional action from the consumer.
That said, guidance on detecting and processing these signals varies from state to state.
Colorado remains the only jurisdiction with a formal application and approval process for recognized UOOMs. California, meanwhile, has issued some of the most detailed rules, describing how businesses should handle conflicts between an incoming signal and existing website-level preferences or financial incentive programs. New California regulations, also effective January 1, 2026, go one step further: businesses must visibly indicate whether the consumer’s opt-out preference signal was processed, displaying, for example, an “Opt-Out Request Honored” message when a user with such a signal visits the site.
Now, let’s look at how these requirements are being enforced and at some of the landmark decisions we’ve seen so far.
A closer look at GPC enforcement cases so far
The first significant enforcement action related to GPC dates back to 2022, when the California Attorney General fined Sephora $1.2 million for failing to honor opt-out signals, including GPC. That case set the precedent for recognizing GPC as a valid opt-out mechanism and marked the beginning of active enforcement under the CCPA.
More recently, we have seen an increase in the enforcement of GPC obligations. In September 2025, the California Privacy Protection Agency, alongside the Attorneys General of California, Colorado, and Connecticut, announced a coordinated sweep targeting businesses that fail to honor GPC signals.
This multi-state action follows significant enforcement cases throughout 2025, all addressing failures to compliantly offer or effectuate opt-out requests:
- Sling TV (October 2025): $530,000
  - Made opt-out confusing and hard to find by combining cookie preferences with CCPA opt-out
  - Required logged-in customers to fill out webforms with information the company already had
  - Failed to provide opt-out mechanisms within streaming apps on living-room devices
  - Failed to protect children's privacy adequately
- Tractor Supply Company (August 2025): $1,350,000
  - Failed to provide an effective opt-out mechanism to stop the selling/sharing of personal info, including through third-party trackers.
  - Did not process opt-out preference signals (such as GPC) until July 2024.
  - Provided deficient privacy notices for consumers and job applicants, and did not include required disclosures or update annually.
  - Failed to enter into compliant contracts with service providers and third parties regarding data sharing.
- TicketNetwork (June 2025): $85,000 (Connecticut)
  - Failed to timely correct deficiencies in its privacy notice after receiving a “cure notice” under the Connecticut Data Privacy Act.
  - The privacy notice lacked required disclosures of consumer rights and rights mechanisms (opt-out links/targeted-ad options), and the mechanisms were misconfigured or inoperable.
- Healthline Media (July 2025): $1.55 million (the largest CCPA settlement to date)
  - Failed to honor opt-out requests (including requests from GPC) exhaustively
  - Shared sensitive health data revealing medical diagnoses with advertisers
  - Used a deceptive consent banner that didn't actually disable tracking
- Todd Snyder (May 2025): $345,178
  - Improper CMP implementation
  - Failed to honor opt-out requests
- Honda (March 2025): $632,500
  - Made opt-out requests unnecessarily difficult with excessive verification requirements
  - Failed to apply GPC signals to user accounts
These cases illustrate how enforcement is expanding beyond large consumer brands to include retailers and service providers of all sizes. For Julie Rubash, General Counsel and Chief Privacy Officer, the message is clear:
“If you have a privacy mechanism on your website that’s not working, it’s a tell for regulators that you’re not paying attention. If they see that, they’re likely to assume that there are further issues going on and initiate an investigation to dig deeper.”
- Julie Rubash, General Counsel and CPO at Sourcepoint by Didomi
So what should organizations focus on to avoid becoming the next enforcement case?
What does GPC mean for businesses, and how can you ensure compliance? (checklist)
With enforcement ramping up and the 2027 mandate approaching, companies need to act now. Here's a practical compliance checklist covering the three key areas regulators are scrutinizing:

Navigating complex scenarios: When GPC conflicts with business models
One of the most challenging aspects of GPC compliance is when the opt-out signal conflicts with existing user preferences or business models. The CPRA regulations (sections 7025(c)(3)-(4)) provide specific guidance for two critical situations:
Scenario 1: GPC conflicts with account-level privacy settings
A logged-in user has GPC enabled in their browser, but their account settings allow data sharing.
What you must do:
- Process the GPC signal as a valid opt-out request (the browser signal takes precedence).
- You may notify the user of the conflict and give them an opportunity to consent to sharing.
- If the user consents, you can ignore the GPC signal for that known user going forward.
- You must clearly display the status of their choice in your privacy settings.
Real-world example
A customer has an account with default settings that allow data sharing for personalized recommendations. They enable GPC and visit your site while logged in. You must honor the GPC signal immediately, but can display a message along the lines of:
“We noticed your browser is set to opt out of the sale or sharing of personal information, but your account settings allow data sharing. Would you like your account settings to override your browser settings? You can change your settings at any time by visiting [link to settings].”
Scenario 2: GPC conflicts with financial incentive programs
A user participates in a loyalty program, subscription discount, or “pay or consent” model that requires data sharing, but they enable GPC.
What you must do:
- Process the GPC signal as a valid opt-out request.
- You may notify the user that honoring GPC would withdraw them from the program.
- Ask them to affirm whether they want to withdraw from the program.
- If they don't affirm withdrawal, you can ignore the GPC signal for that known user.
- If you don't ask for affirmation, you must still honor the GPC signal.
Real-world example
A subscriber gets a discounted rate in exchange for allowing targeted advertising. They enable GPC and visit your site. You can display a message to them indicating something like:
“Your browser is requesting we stop sharing your data, but this would end your subscription discount. Do you want to keep your discount and allow data sharing, or honor your browser's opt-out preference?”
Key compliance requirements for both scenarios
- The GPC signal must be honored immediately unless the user explicitly consents otherwise or you give them the opportunity to withdraw from a financial incentive program.
- Once a user elects to opt out, you cannot ask them to opt back in for at least 12 months.
- The notification and consent process must comply with CPRA requirements (clear, conspicuous, and symmetrical).
- You must maintain clear documentation of the user's choice.
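The detection step and the two conflict scenarios above, expressed as server-side decision logic. This is an added example, not code from the original article or from any vendor's product; the `Sec-GPC: 1` request header comes from the GPC specification, and the function names, `user` fields and prompt identifiers are hypothetical.

```javascript
// Added example. Field names on `user` and the prompt ids are hypothetical.
// "Sec-GPC: 1" is the request header defined by the GPC specification.

function hasGpc(headers) {
  // HTTP header names are case-insensitive; only the exact value "1" counts.
  return Object.entries(headers || {}).some(
    ([name, value]) => name.toLowerCase() === "sec-gpc" && String(value).trim() === "1"
  );
}

// Returns { optedOut, notice, prompt } for one request.
// user: null for anonymous visitors, otherwise
//   { allowsSharing, consentedAfterConflict, inIncentiveProgram, incentiveChoice }
function resolveOptOut(headers, user) {
  const honored = { optedOut: true, notice: "Opt-Out Request Honored", prompt: null };

  if (!hasGpc(headers)) {
    // No signal: fall back to the stored site-level preference.
    return { optedOut: Boolean(user) && !user.allowsSharing, notice: null, prompt: null };
  }
  if (!user) return honored; // anonymous visitor: apply the opt-out, no extra steps

  if (user.inIncentiveProgram) {
    // Scenario 2: only a recorded choice to stay in the program sets GPC aside.
    // (Conservative reading chosen for this example.)
    if (user.incentiveChoice === "keep") {
      return { optedOut: false, notice: null, prompt: null };
    }
    if (user.incentiveChoice === "withdraw") return honored;
    // Not asked yet: honor the signal now and ask the user to affirm withdrawal.
    return { ...honored, prompt: "affirm-incentive-withdrawal" };
  }

  if (user.allowsSharing) {
    // Scenario 1: browser signal wins unless the user consented after being told.
    if (user.consentedAfterConflict) {
      return { optedOut: false, notice: null, prompt: null };
    }
    return { ...honored, prompt: "account-settings-conflict" };
  }
  return honored;
}
```

The 12-month limit on re-asking a user who has opted out is not modelled here; it would gate when `prompt` may be shown again.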
Preparing for the GPC mandate: Where to start
The shift from voluntary adoption to mandatory enforcement means organizations can no longer treat GPC as a "nice-to-have" feature. With the 2027 browser mandate on the horizon and multi-state enforcement already underway, the window for proactive compliance is closing.
The good news? The technical requirements are well-defined, and the right tools can automate much of the heavy lifting. Our Consent Management Platform is built to handle the complexity:
- Automatic GPC detection and processing across all user touchpoints
- Audit trails that document compliance for regulatory inquiries
- Multi-jurisdiction support for managing CCPA and emerging state laws
- Complex scenario handling for subscriptions, incentives, and account-based services
As Julie Rubash noted in her comment, a broken privacy mechanism signals deeper issues. The inverse is also true: getting GPC right demonstrates operational maturity and positions your organization ahead of the regulatory curve.
Frequently Asked Questions (FAQ)
What is Global Privacy Control (GPC)?
GPC is a browser-level signal that automatically communicates a user’s choice to opt out of the sale or sharing of personal information (or targeted advertising, depending on the law) across every website they visit.
When enabled, the signal must be treated by applicable businesses as a valid opt-out request under many U.S. state privacy laws.
Which states require businesses to honor GPC or other universal opt-out mechanisms in 2026?
By January 1, 2026, twelve states will require recognition of universal opt-out mechanisms (UOOMs) or opt-out preference signals (OOPSs): California, Colorado, Connecticut, Delaware, Iowa, Nebraska, New Hampshire, New Jersey, Oregon, Texas, Utah, and Virginia.
Among them, California, Colorado, and Connecticut have explicitly confirmed that GPC qualifies as such a mechanism.
How does GPC affect businesses and publishers?
GPC can automatically opt users out at scale, which may affect audience addressability, personalization, and monetization strategies, especially as major browsers begin building GPC directly into their interfaces. Companies must detect the signal, apply the opt-out immediately, and ensure the user experience clearly reflects their choice.
With enforcement increasing, GPC is quickly becoming a core operational requirement.
What happens if a user’s GPC signal conflicts with their account-level settings or a financial incentive program?
Under CPRA rules, the GPC signal generally takes precedence. Businesses must honor it immediately, then notify the user of the conflict and offer them a chance to consent to data sharing (for account settings) or to affirm whether they still want to participate (for financial incentives). If the user actively chooses to override the signal, the business may honor their explicit choice going forward.
What are some of the enforcement actions related to GPC so far?
Regulators have already brought several high-profile cases involving failures to honor opt-out requests, including actions against Sephora, Sling TV, Tractor Supply Company, Honda, Healthline Media, and others.
Penalties ranged from hundreds of thousands to more than a million dollars and highlighted issues such as misconfigured banners, failure to detect GPC, misleading UX design, and inadequate disclosure practices.
How can businesses prepare for increasing GPC adoption and upcoming browser mandates?
Organizations should ensure their consent and privacy systems can automatically detect and process GPC, display the required notices (such as “Opt-Out Request Honored”), apply opt-outs across all devices and accounts, and maintain clear audit trails.
With the 2027 requirement for all major browsers to include GPC functionality, now is the time to implement scenario-based handling, update UX flows, and validate that opt-out mechanisms work across every user touchpoint.













