Global Privacy Control (GPC): The Multi-State Mandate Every Website Owner Must Know
GPC is a browser signal that functions as a legally binding opt-out across US states. Most websites still ignore it. Regulators are issuing millions of dollars in fines for that. Here's what you need to know and do before July 2026.
Concord Team · Published Mon Apr 27 2026

A browser signal is now a legal opt-out in 12 states
Global Privacy Control (GPC) is a standardized browser signal that functions as a legally binding opt-out of data sale, sharing, and targeted advertising in 12 US states. It is not a suggestion. It is not a preference. Under the laws of these states, when a visitor's browser sends a GPC signal, websites are required to treat it as an affirmative opt-out, carrying the same legal weight as a user clicking "Do Not Sell My Personal Information" on a privacy page.
Most websites still ignore GPC. Many consent banners do not detect it. Some detect it and proceed to fire tracking scripts anyway. Regulators have noticed. Since 2022, state attorneys general and the California Privacy Protection Agency have issued millions of dollars in fines specifically targeting organizations that failed to honor opt-out preference signals, including GPC. In September 2025, California, Colorado, and Connecticut announced a coordinated enforcement sweep: three states sharing intelligence to find non-compliant sites.
For compliance officers, DPOs, and web leads at mid-market companies operating across the United States, GPC is no longer a technical curiosity from the privacy community. It is a legal obligation with active enforcement, expanding jurisdiction, and a clear deadline: by July 2026, 12 states will mandate recognition of universal opt-out mechanisms like GPC.
Which states mandate GPC and when each law took effect
The US approach to privacy legislation is state-by-state, and universal opt-out mechanism (UOOM) mandates have followed the same pattern. Ten states already require businesses to honor opt-out preference signals such as GPC. Two more, Maryland and Minnesota, join with UOOM requirements in July 2026, bringing the total to 12.
| State | Law | Effective Date | UOOM Mandate Date |
|---|---|---|---|
| California | California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA) | Jan 1, 2023 | Jan 1, 2023 |
| Colorado | Colorado Privacy Act (CPA) | Jul 1, 2024 | Jul 1, 2024 |
| Montana | Montana Consumer Data Privacy Act (MCDPA) | Oct 1, 2024 | Oct 1, 2024 |
| Connecticut | Connecticut Data Privacy Act (CTDPA) | Jan 1, 2025 | Jan 1, 2025 |
| Texas | Texas Data Privacy and Security Act (TDPSA) | Jan 1, 2025 | Jul 1, 2025 |
| Oregon | Oregon Consumer Privacy Act (OCPA) | Jan 1, 2025 | Jan 1, 2025 |
| Delaware | Delaware Personal Data Privacy Act (DPDPA) | Jan 1, 2025 | Jan 1, 2025 |
| New Hampshire | New Hampshire Privacy Act (NHPA) | Jan 1, 2025 | Jan 1, 2025 |
| New Jersey | New Jersey Data Privacy Act (NJDPA) | Jan 15, 2025 | Jan 15, 2025 |
| Nebraska | Nebraska Data Privacy Act (NDPA) | Jan 1, 2025 | Jan 1, 2025 |
| Maryland | Maryland Online Data Privacy Act (MODPA) | Oct 1, 2025 | Jul 2026 |
| Minnesota | Minnesota Consumer Data Privacy Act (MCDPA) | Jul 31, 2025 | Jul 2026 |
The practical implication: any website that receives visitors from these states needs to detect and honor GPC signals. Given that geo-targeting is imperfect and many of these states represent significant online populations, most US-facing websites should treat GPC compliance as a baseline requirement rather than a jurisdiction-specific exception.
How GPC works under the hood
GPC is a W3C specification that defines a simple, machine-readable signal for communicating a user's privacy preferences. The mechanism is deliberately straightforward: it works at the protocol level, requiring no user interaction beyond enabling the signal in a browser or extension.
The request header. When GPC is enabled, the browser sends a Sec-GPC: 1 HTTP request header with every request to every website. This header is present on page loads, API calls, and resource requests. It is the primary detection mechanism for servers and consent management systems.
The JavaScript property. Browsers that support GPC also set navigator.globalPrivacyControl to true in the JavaScript environment. This allows client-side scripts (including consent banners and tag managers) to detect the signal without inspecting HTTP headers directly.
The compliance signal. Websites can publish a .well-known/gpc.json file containing {"gpc": true} to declare that they recognize and honor GPC signals. This is not required by any state law, but it provides a public, machine-readable statement of compliance that regulators and privacy advocates can verify programmatically.
Browser support. Firefox, Brave, and DuckDuckGo Browser have native GPC support, where the signal is enabled by default or available as a first-party setting. Chrome, Safari, and Edge do not include native GPC support as of early 2026, but users can enable it through third-party extensions such as OptMeowt or the Privacy Badger extension from EFF.
The specification is maintained by the Global Privacy Control community group and published as a W3C draft. Adoption is growing, and the combination of legislative mandates and browser-level defaults means the volume of GPC-enabled traffic is increasing regardless of whether Chrome or Safari add native support.
Regulators are already fining for non-compliance
GPC enforcement is not theoretical. Attorneys general and privacy regulators have moved from guidance to action, and the pattern of enforcement reveals what regulators expect and where organizations are falling short.
Sephora, $1.2 million (2022). The California Attorney General's office brought the first major GPC enforcement action against Sephora for failing to honor opt-out signals, including GPC. Sephora's website continued to share consumer data with advertising partners after receiving opt-out signals. The settlement required Sephora to implement GPC recognition and established the precedent that browser-based opt-out signals carry legal weight under CCPA/CPRA.
Healthline, $1.55 million (July 2025). Healthline's opt-out mechanism, including its handling of GPC signals, was found to be deficient. Data continued flowing to downstream advertising and analytics partners even after users had opted out. The fine underscored a pattern regulators watch for: websites that technically detect the signal but fail to propagate the opt-out to every system that processes visitor data.
Disney, $2.75 million (February 2026). Disney honored GPC on the specific device where the signal was detected but did not propagate the opt-out to the user's account across the Disney ecosystem. A visitor who opted out on their laptop was still tracked on their phone if they were logged into the same Disney account. This enforcement action clarified that honoring GPC means honoring it for the user, not just the device.
Ford, $375,703 settlement (March 2026). Ford's settlement requires a full audit of every tracking technology deployed across its web properties for GPC handling. The case highlighted that organizations with dozens of marketing technologies and third-party scripts face particular exposure, as each integration point is a potential failure to propagate the opt-out.
Tractor Supply, $1.3 million. Tractor Supply failed to provide an effective opt-out mechanism, including proper GPC handling. Like the Healthline case, the issue was not the absence of a consent banner but the gap between what the banner appeared to do and what the downstream data flows actually did.
The coordinated enforcement sweep (September 9, 2025). The California Privacy Protection Agency, the Colorado Attorney General, and the Connecticut Attorney General announced a joint investigative sweep targeting non-compliance with opt-out preference signals. Three state offices are sharing intelligence and coordinating investigations. This is not a single enforcement action. It is an infrastructure for ongoing, multi-state enforcement that signals where the regulatory posture is heading.
The fines to date total over $7 million across a handful of cases. The coordinated sweep suggests the next wave will be broader and less patient with technical excuses.
What "honoring GPC" actually requires from your website
The enforcement cases above define, in practice, what regulators consider compliant GPC handling. The requirements go well beyond detecting the Sec-GPC: 1 header.
Treat GPC as equivalent to a manual opt-out. When a visitor's browser sends a GPC signal, your website must treat it identically to the visitor clicking an opt-out link on your privacy page. This means opting the user out of the sale of personal information, sharing of personal information, and targeted advertising. The specific categories depend on the applicable state law.
Propagate the opt-out across devices and accounts. The Disney enforcement action made this explicit. If you can associate a GPC signal with a logged-in user account, the opt-out must apply to that account across all devices and sessions, not just the browser that sent the signal.
Do not use dark patterns to override the signal. Regulators have made clear that presenting a pop-up asking a user to reconsider their opt-out, or requiring additional steps to "confirm" what GPC already communicated, constitutes a dark pattern. The signal is the opt-out. Full stop.
Stop data flows to downstream partners. This is where organizations most commonly fail. Detecting GPC and suppressing first-party cookies is not sufficient if data continues flowing to third-party advertising platforms, analytics partners, or data brokers through server-side integrations, pixels, or API calls. Every downstream data-sharing agreement must account for GPC.
Apply jurisdiction-specific logic. GPC only triggers legal obligations when the visitor is in a state that mandates it. An organization may choose to honor GPC for all visitors as a simplifying policy, but the legal requirement is jurisdiction-specific. This means consent logic must incorporate geo-detection to determine which visitors fall under a mandating state's law.
Provide visible confirmation (California, effective January 1, 2026). Under California's updated CCPA/CPRA regulations effective January 1, 2026, businesses must provide visible confirmation when a user's opt-out is processed. This means the consent interface should acknowledge that a GPC signal has been received and that the opt-out has been applied, not simply suppress cookies silently.
How consent management platforms handle GPC signals
The technical requirements above (header detection, geo-targeting, real-time blocking, cross-device propagation, downstream signal management, and audit logging) are substantial to build and maintain in-house. This is the core problem that modern consent management platforms solve.
A well-configured consent management platform detects the Sec-GPC: 1 header and the navigator.globalPrivacyControl JavaScript property automatically on every page load. The detection happens before any cookies or scripts fire, which is the sequence that matters: if a tracking script loads before the consent logic evaluates the GPC signal, you are non-compliant for the duration of that page load.
Geo-targeting determines the visitor's jurisdiction and applies the correct regulatory response. A visitor from California triggers CCPA/CPRA opt-out handling. A visitor from Colorado triggers CPA handling. A visitor from a state with no UOOM mandate may see a different consent experience entirely. The consent management platform handles this logic centrally so that engineering teams do not have to build and maintain state-by-state rule sets.
Real-time auto-blocking ensures that cookies, scripts, pixels, and other tracking technologies do not fire before the consent logic resolves. This is not a nice-to-have. It is what separates compliant GPC handling from the pattern regulators are fining: websites that detect the signal but allow data to flow before acting on it.
Consent logs record the GPC signal receipt, the jurisdiction determination, and the action taken, creating audit-ready documentation. When a regulator or an internal compliance review asks "Did you honor GPC for this visitor?", the answer needs to be in a timestamped log, not a verbal assurance that the system was configured correctly.
The alternative to a consent management platform is a patchwork of custom scripts, manual geo-detection, hand-maintained blocking lists, and per-integration opt-out logic. For organizations with more than a handful of third-party scripts, this approach is both more expensive and more likely to produce the gaps that enforcement actions target.
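The decision logic that the requirements section and the consent-platform section describe, as an added example that is not Concord's code: given the GPC signal, the visitor's state and an optional account id, it decides whether an opt-out applies, records it against the account so it follows the user to other devices, suppresses the downstream integrations whose purpose the opt-out covers, flags California's visible confirmation, and appends a timestamped log entry. The mandate dates come from the table above; Maryland and Minnesota are given as 2026-07-01, an assumed day within "Jul 2026". The integration inventory, account ids and the `honorEverywhere` policy flag are constructed for the example.

```javascript
// Added example (not Concord's code): a consent-decision routine that turns a
// GPC signal plus the visitor's state into an opt-out decision, a suppression
// list for downstream integrations, an account-level record so the opt-out
// follows the user to other devices, and a timestamped log entry. Mandate
// dates are the UOOM Mandate Date column of the article's table; Maryland and
// Minnesota use 2026-07-01, an assumed day within "Jul 2026". Integration
// ids, account ids and the honorEverywhere flag are constructed.

const UOOM_MANDATES = {
  CA: { law: 'CCPA/CPRA', from: '2023-01-01' },
  CO: { law: 'CPA',       from: '2024-07-01' },
  MT: { law: 'MCDPA',     from: '2024-10-01' },
  CT: { law: 'CTDPA',     from: '2025-01-01' },
  TX: { law: 'TDPSA',     from: '2025-07-01' }, // statute effective Jan 1 2025, UOOM mandate Jul 1 2025
  OR: { law: 'OCPA',      from: '2025-01-01' },
  DE: { law: 'DPDPA',     from: '2025-01-01' },
  NH: { law: 'NHPA',      from: '2025-01-01' },
  NJ: { law: 'NJDPA',     from: '2025-01-15' },
  NE: { law: 'NDPA',      from: '2025-01-01' },
  MD: { law: 'MODPA',     from: '2026-07-01' }, // assumed day within Jul 2026
  MN: { law: 'MCDPA',     from: '2026-07-01' }, // assumed day within Jul 2026
};

// California's visible-confirmation requirement applies from this date.
const CA_VISIBLE_CONFIRMATION_FROM = '2026-01-01';

// Constructed tag inventory. Each downstream integration is labelled with the
// purpose it serves; an opt-out suppresses every purpose the laws cover.
const INTEGRATIONS = [
  { id: 'ad-pixel',         purpose: 'targeted_advertising' },
  { id: 'data-broker-sync', purpose: 'sale' },
  { id: 'cdp-share',        purpose: 'sharing' },
  { id: 'error-monitor',    purpose: 'essential' },
];
const OPT_OUT_PURPOSES = new Set(['sale', 'sharing', 'targeted_advertising']);

// In-memory stand-ins for a CMP's account store and consent log.
const accountOptOuts = new Map(); // accountId -> { since, source }
const consentLog = [];

// The mandate in force for a state at a given ISO timestamp, or null.
// ISO 8601 strings compare correctly as plain strings.
function mandateFor(state, nowIso) {
  const m = UOOM_MANDATES[state];
  return m && nowIso >= m.from ? m : null;
}

function decide({ gpc, state, accountId = null, now, honorEverywhere = false }) {
  const nowIso = new Date(now).toISOString();
  const mandate = gpc ? mandateFor(state, nowIso) : null;
  // An opt-out recorded earlier on another device follows the account (the Disney precedent).
  const prior = accountId ? accountOptOuts.get(accountId) : undefined;

  let basis = 'none';
  if (mandate) basis = mandate.law;                 // legally required in this state
  else if (gpc && honorEverywhere) basis = 'policy'; // simplifying policy: honor GPC everywhere
  else if (prior) basis = 'account';                 // account already opted out elsewhere
  const optOut = basis !== 'none';

  if (optOut && accountId && !prior) {
    accountOptOuts.set(accountId, { since: nowIso, source: 'gpc' });
  }
  // Suppress every integration whose purpose the opt-out covers; essential ones stay.
  const suppressed = optOut
    ? INTEGRATIONS.filter(i => OPT_OUT_PURPOSES.has(i.purpose)).map(i => i.id)
    : [];
  // California requires a visible acknowledgement once the signal is processed.
  const showConfirmation = optOut && gpc && state === 'CA' && nowIso >= CA_VISIBLE_CONFIRMATION_FROM;

  const entry = { at: nowIso, state, gpcReceived: gpc, accountId, basis, optOut, suppressed, showConfirmation };
  consentLog.push(entry); // audit-ready: where, what signal, what was done, when
  return entry;
}

// Stand-alone demo: a Colorado visitor on a logged-in account.
console.log(decide({ gpc: true, state: 'CO', accountId: 'acct-demo', now: '2026-04-27T12:00:00Z' }));
```

Two details carry the weight here. The Texas row shows why the mandate date, not the statute's effective date, drives the decision: a GPC signal from Texas in March 2025 created no obligation, one in August 2025 does. And the `account` basis is what the Disney case turned on: once the opt-out is recorded against the account, a later session from a different device that sends no GPC signal still resolves to an opt-out.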
A compliance checklist before July 2026
With Maryland and Minnesota's UOOM mandates taking effect in July 2026, now is the window to verify that your GPC handling meets regulatory expectations. The following steps map directly to the requirements regulators are enforcing.
- Audit your current GPC handling. Open your website in Firefox or Brave, both of which send GPC natively. Check whether your consent banner detects the signal and suppresses tracking accordingly. If your banner loads the same way regardless of GPC, you have a gap.
- Verify your consent management platform detects and respects the `Sec-GPC: 1` header. Not all consent tools handle GPC. Check your platform's documentation or test it directly by inspecting network requests and cookie behavior when GPC is enabled.
- Confirm the opt-out propagates across sessions, devices, and accounts. If users can log in on your website, test whether opting out via GPC on one device applies the opt-out to the same account on another device. The Disney precedent makes this an enforcement priority.
- Review downstream data-sharing agreements. Identify every third party that receives visitor data: ad platforms, analytics tools, data brokers, CDPs. Verify that each integration respects the opt-out when GPC is active. Server-side integrations are especially prone to missing this.
- Publish a `.well-known/gpc.json` file. Add `{"gpc": true}` at `yourdomain.com/.well-known/gpc.json` to signal your compliance publicly. While not legally required, it demonstrates good faith and can be verified by regulators and automated compliance scanners.
- Update your privacy policy to disclose how you handle universal opt-out mechanisms. State laws require transparency about how you process opt-out signals. Your privacy policy should explicitly mention GPC and describe the actions taken when the signal is received.
- Test from multiple states. If your consent logic includes geo-targeting, verify it functions correctly for visitors in each mandating state. Use VPN testing or geo-spoofing tools to simulate visits from California, Colorado, Connecticut, Texas, and the other mandating jurisdictions.
- Document everything. Consent logs should capture the GPC signal receipt, the action taken, and a timestamp. If regulators request evidence of compliance, these logs are your first line of defense. Reconstructing the record after the fact is not a defensible compliance posture.
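An offline audit helper for the checklist steps on testing your own site, inspecting network requests with GPC enabled, reviewing downstream recipients and publishing `gpc.json`, added here as an example that is not Concord's tooling. It assumes two HAR exports from the browser's network panel, one captured with GPC off and one with GPC on, and reports which third-party hosts still receive requests under GPC. The HAR fragments below are constructed samples, and every hostname is a placeholder under the reserved `.test` TLD, not a real vendor.

```javascript
// Added example (not Concord's code): an offline audit that diffs two HAR
// captures of the same page, one with GPC off and one with GPC on, and lists
// the third-party hosts that still fire under GPC. Also validates a
// .well-known/gpc.json body. The HARs and hostnames below are constructed.

// Collect third-party hostnames from a HAR (log.entries[].request.url).
function thirdPartyHosts(har, firstPartyHost) {
  const hosts = new Set();
  for (const e of har.log.entries) {
    const host = new URL(e.request.url).hostname;
    if (host !== firstPartyHost && !host.endsWith('.' + firstPartyHost)) hosts.add(host);
  }
  return hosts;
}

// True when at least one request in the capture carried Sec-GPC: 1. Guards
// against "passing" an audit of a capture where the signal was never enabled.
function captureCarriesGpc(har) {
  return har.log.entries.some(e =>
    (e.request.headers || []).some(h => h.name.toLowerCase() === 'sec-gpc' && h.value === '1'));
}

function auditGpc({ harWithoutGpc, harWithGpc, firstPartyHost, essentialHosts = [] }) {
  const essential = new Set(essentialHosts);
  const before = thirdPartyHosts(harWithoutGpc, firstPartyHost);
  const after = thirdPartyHosts(harWithGpc, firstPartyHost);
  const signalPresent = captureCarriesGpc(harWithGpc);
  // Hosts that fire in both captures and are not declared essential: the gap regulators fine.
  const stillFiring = [...after].filter(h => before.has(h) && !essential.has(h)).sort();
  const suppressed = [...before].filter(h => !after.has(h)).sort();
  return { signalPresent, suppressed, stillFiring, pass: signalPresent && stillFiring.length === 0 };
}

// Checklist step on .well-known/gpc.json: the body must parse and carry gpc: true.
function gpcDeclarationValid(text) {
  try { return JSON.parse(text).gpc === true; } catch (err) { return false; }
}

// Constructed HAR fragments containing only the fields the audit reads.
function harEntry(url, headers = []) { return { request: { url, headers } }; }
const HAR_GPC_OFF = { log: { entries: [
  harEntry('https://shop.example.test/'),
  harEntry('https://cdn.shop.example.test/app.js'),
  harEntry('https://ads.placeholder.test/pixel?u=123'),
  harEntry('https://analytics.placeholder.test/collect'),
  harEntry('https://errors.placeholder.test/report'),
] } };
const GPC_ON = [{ name: 'Sec-GPC', value: '1' }];
const HAR_GPC_ON = { log: { entries: [
  harEntry('https://shop.example.test/', GPC_ON),
  harEntry('https://cdn.shop.example.test/app.js', GPC_ON),
  harEntry('https://analytics.placeholder.test/collect', GPC_ON), // still fires under GPC: a finding
  harEntry('https://errors.placeholder.test/report', GPC_ON),     // declared essential below
] } };

console.log(auditGpc({
  harWithoutGpc: HAR_GPC_OFF,
  harWithGpc: HAR_GPC_ON,
  firstPartyHost: 'shop.example.test',
  essentialHosts: ['errors.placeholder.test'],
}));
```

On the constructed captures the audit reports `ads.placeholder.test` as suppressed and `analytics.placeholder.test` as still firing, so `pass` is false: the banner reacted to the signal but one downstream flow kept going, the pattern the Healthline and Tractor Supply cases describe. The `essentialHosts` list is a judgement you make per integration and should match your tag inventory, not be widened until the audit passes.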
Key takeaways
- GPC is a legally binding opt-out in 12 US states by July 2026. It is not a recommendation or a voluntary standard. State attorneys general are actively enforcing it, with millions of dollars in fines issued to date.
- Enforcement targets the gap between detection and action. Regulators are not just checking whether your consent banner exists. They are checking whether tracking actually stops when GPC is detected, whether the opt-out propagates to downstream partners, and whether it applies across the user's account.
- The July 2026 deadline is the next milestone, not the finish line. Maryland and Minnesota bring the total to 12 states, and more legislatures are considering similar mandates. Organizations that build GPC compliance now are building infrastructure that scales as the map expands.
- A consent management platform like Concord handles the hard parts (geo-targeting, real-time blocking, audit logging, and jurisdiction-specific rules) so your team does not have to maintain them manually.
The enforcement pattern is clear, the deadline is set, and the technical requirements are well-defined. The question is not whether to comply but how quickly you can verify that your systems are doing what the law requires.