Global Privacy Control (GPC) Compliance: Universal Opt-Out Guide 2026
Universal opt-out mechanisms like Global Privacy Control are now legally mandated in more than a dozen US states. If your website receives traffic from these states — and it almost certainly does — you need to detect and honour these signals. Here is exactly what's required and how to comply.
What Is Global Privacy Control (GPC)?
Global Privacy Control is a browser-level signal that tells every website a user visits: “Do not sell or share my personal data.” It is built into browsers like Firefox, Brave, and DuckDuckGo, and is available as an extension for Chrome and Safari.
Unlike the older “Do Not Track” header — which was voluntary and widely ignored — GPC now has the force of law behind it. Multiple US state privacy laws require businesses to treat a GPC signal as a legally binding opt-out request.
Which States Require GPC Compliance in 2026?
As of early 2026, the following states have enacted laws that require businesses to honour universal opt-out mechanisms like GPC:
- California (CCPA/CPRA) — Required since January 2023. The California Attorney General has explicitly recognised GPC as a valid opt-out mechanism. Fines up to $7,500 per intentional violation.
- Colorado — Universal opt-out mechanism mandate effective July 2024. GPC is the de facto standard.
- Connecticut — Required since January 2025. Must honour universal opt-out signals for targeted advertising and data sales.
- Texas — Required since January 2025. Applies to businesses that process data of Texas residents.
- Montana — Required since January 2025.
- Oregon — Required since January 2026. Includes a visual notification requirement.
- Delaware — Required since January 2026.
- New Hampshire — Required since January 2026.
- New Jersey — Required since January 2026.
- Nebraska — Required since January 2026.
- Maryland — Coming July 2026 with some of the strongest protections yet.
- Minnesota — Coming July 2026.
If your website has visitors from any of these states — which is virtually guaranteed for any US-facing site — you are legally required to detect and honour GPC signals.
How GPC Works Technically
When a user enables GPC in their browser, every HTTP request their browser sends includes a header:
Sec-GPC: 1
Additionally, the browser sets a JavaScript property that your code can read:
navigator.globalPrivacyControl === true
Your website must check for either of these signals and, when detected, suppress any data selling, sharing, or targeted advertising for that user — without requiring them to fill out a form or click anything else.
What Your Website Must Do When GPC Is Detected
When you detect a GPC signal, you must:
- Stop selling personal data for that user. If you share data with third-party advertisers, data brokers, or analytics providers that constitute a “sale” under state law, you must cease for that user.
- Stop sharing data for targeted advertising. This includes behavioural advertising pixels, retargeting tags, and cross-site tracking cookies.
- Suppress non-essential cookies. Third-party cookies used for advertising or cross-site tracking must not be set when GPC is active.
- Log the opt-out. Several states require that you maintain records of opt-out requests, including those received via GPC.
You do not need to block all analytics. First-party analytics (like a self-hosted solution or aggregated analytics) are generally permitted. The restriction targets data sharing and selling, not internal measurement.
Oregon's Visual Notification Requirement
Oregon's law, effective January 2026, adds a unique twist: when your website detects and honours a universal opt-out signal, you must display a visible notification confirming that the opt-out has been honoured. This could be a banner, badge, or icon that says something like “Your opt-out preference has been honoured.”
How to Implement GPC Compliance
Step 1: Detect the GPC Signal
Add a check to your website's JavaScript (or your consent management platform) that detects GPC:
Check navigator.globalPrivacyControl on the client side, or check the Sec-GPC request header on the server side.
Step 2: Configure Your Consent Management Platform
If you use a Consent Management Platform (CMP) like OneTrust, Cookiebot, Osano, or Termly, check their settings for GPC support. Most major CMPs now offer GPC detection as a built-in feature. Enable it and configure it to treat GPC as an opt-out of data selling and targeted advertising.
Step 3: Suppress Third-Party Tags
When GPC is detected, ensure that advertising tags (Google Ads, Facebook Pixel, TikTok Pixel, etc.) and data-sharing scripts do not fire. Your tag manager (e.g. Google Tag Manager) should be configured to check for GPC consent status before loading these scripts.
Step 4: Update Your Privacy Policy
Your privacy policy must explicitly state that you honour universal opt-out mechanisms, including GPC. It should cover:
- What universal opt-out mechanisms you recognise (GPC specifically)
- How users can enable GPC in their browser
- What happens when a GPC signal is detected (which data processing stops)
- That no further action is required from the user beyond enabling the signal
Step 5: Add Visual Confirmation (for Oregon Compliance)
Display a non-intrusive notification when GPC is detected. A small banner or status badge confirming “Your opt-out preference has been honoured” satisfies Oregon's visual notification requirement.
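Steps 1, 3 and 5 on the server side, as an added example (not code from this guide or from any CMP vendor). The tag inventory, the function names and the in-memory opt-out log are assumptions made for illustration; gpcFromNavigator shows the equivalent client-side check.

```javascript
// Added example; TAGS, planResponse and optOutLog are hypothetical names.
// Constructed tag inventory: which scripts sell/share data, which stay first-party.
const TAGS = [
  { id: 'ads-pixel', src: '/vendor/ads-pixel.js', sharesData: true },
  { id: 'retargeting', src: '/vendor/retarget.js', sharesData: true },
  { id: 'first-party-analytics', src: '/js/analytics.js', sharesData: false },
];

// Server side: Node lowercases header names, and "1" is the value that signals opt-out.
// Duplicate headers may arrive joined ("1, 1"); this example treats any "1" as an opt-out.
function gpcFromHeaders(headers) {
  const raw = headers['sec-gpc'];
  if (raw === undefined) return false;
  const joined = Array.isArray(raw) ? raw.join(',') : String(raw);
  return joined.split(',').some((v) => v.trim() === '1');
}

// Client side: pass window.navigator; the property is absent in browsers without GPC.
function gpcFromNavigator(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// Stand-in for a durable store of opt-out records.
const optOutLog = [];

// Decide what the response for this request may contain.
function planResponse(headers, now = new Date()) {
  const optedOut = gpcFromHeaders(headers);
  if (optedOut) {
    optOutLog.push({ at: now.toISOString(), source: 'Sec-GPC', scope: 'sale/share/targeted-ads' });
  }
  return {
    optedOut,
    // Data-sharing tags are dropped before the page is rendered, not hidden afterwards.
    tags: TAGS.filter((t) => !(optedOut && t.sharesData)).map((t) => t.id),
    // Visible confirmation for the Oregon requirement.
    notice: optedOut ? 'Your opt-out preference has been honoured.' : null,
    // The body differs by request header, so shared caches must key on it.
    responseHeaders: { Vary: 'Sec-GPC' },
  };
}
```

Without the Vary header, a CDN or reverse proxy can serve a cached page containing advertising tags to a visitor who sent Sec-GPC: 1.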
Common Mistakes to Avoid
- Ignoring GPC entirely. The most common (and riskiest) mistake. Unlike Do Not Track, GPC is legally enforceable in 10+ states.
- Treating GPC as just a “preference.” It is a legal opt-out request, not a suggestion. You must act on it.
- Requiring users to do something extra. GPC must be sufficient on its own. You cannot require the user to also fill out a form or click a “Do Not Sell” link.
- Only honouring GPC for California residents. Multiple states now require it. Apply GPC compliance universally rather than trying to geo-target.
- Forgetting server-side checks. If your backend sends data to third parties, you need to check GPC server-side too, not just in the browser.
GPC and Your Privacy Policy: Template Language
Here is sample language you can add to your privacy policy to address GPC:
“We honour the Global Privacy Control (GPC) signal. If your browser sends a GPC signal, we will treat it as a valid request to opt out of the sale or sharing of your personal information as defined under applicable US state privacy laws. No further action is needed from you. We do not require separate opt-out requests for users who have GPC enabled.”
Enforcement and Penalties
Enforcement of GPC compliance is already happening. California has issued enforcement actions against businesses that failed to honour GPC signals. In 2024, the California AG reached a settlement with a major retailer that included fines and a mandate to implement GPC detection.
Penalties vary by state but can be significant:
- California: Up to $7,500 per intentional violation (per consumer, per incident)
- Colorado: AG enforcement with injunctive relief and civil penalties
- Connecticut: AG enforcement with penalties up to $5,000 per violation
- Texas: Up to $7,500 per violation, enforced by the AG
Do I Need to Comply?
You likely need to comply with GPC if your website:
- Receives visitors from US states with universal opt-out requirements (almost any US-facing website)
- Uses third-party advertising or retargeting pixels
- Shares user data with data brokers or advertising partners
- Sets third-party cookies for cross-site tracking
- Meets the threshold requirements of any applicable state law (e.g., annual revenue, number of consumers whose data you process)
Even if you are a small business, if you use Google Ads, Facebook Pixel, or similar advertising tools, you are likely sharing personal data in a way that triggers these requirements.
Next Steps
Getting compliant with GPC does not need to be complicated:
- Check your CMP: Enable GPC detection in your consent management platform.
- Audit your tags: Identify which third-party scripts share personal data and ensure they are suppressed when GPC is active.
- Update your privacy policy: Add explicit language about GPC compliance.
- Test: Install the GPC browser extension and verify that your website correctly detects and responds to the signal.