
What is Global Privacy Control (GPC)? The opt-out signal 12 US states now require you to honor

Author: Adam Safar

Global Privacy Control explained

Global Privacy Control (GPC) is a browser-based opt-out signal. 12 US states require businesses to honor it or face fines. Learn what it is and how to support it.


If you have a cookie consent banner on your website, you might think your privacy obligations are covered. They are not. There is a separate, automated privacy signal that millions of users are sending to every website they visit, silently, before they ever click anything. It is called the Global Privacy Control, and 12 US states now legally require your website to honor it.

In this post, we will explain exactly what Global Privacy Control is, which states require it, what the fines look like when businesses ignore it, and the three steps your website needs to take to address it.

Key takeaways

  • Global Privacy Control (GPC) is a browser signal that automatically tells websites: do not sell or share my personal data.
  • 12 US states, including California, Colorado, Texas, and Oregon, legally require businesses to detect and honor it.
  • California has issued fines up to $2.75 million for GPC non-compliance. There is no small-business exemption under most state laws.
  • A cookie consent banner alone does not cover GPC. The signal arrives before any banner interaction.
  • GPC adoption has grown from under 7,000 domains in 2022 to over 459,000 by mid-2025, and is expected to keep growing.
  • The fastest way to support GPC detection is through a consent management platform that handles it automatically.

 

What is Global Privacy Control?

Global Privacy Control (GPC) is an open technical standard that allows users to signal their privacy preferences through their browser. When a user turns on GPC, their browser sends an automatic HTTP header to every website they visit. That header says, in effect: do not sell or share my personal data.

The signal is sent automatically, before any user interaction. Under US state privacy laws that recognize GPC, this signal carries the same legal weight as if the consumer had manually clicked a "Do Not Sell or Share My Personal Information" link on your website.

Browsers that send GPC signals include Brave (50+ million monthly active users) and DuckDuckGo's mobile browser. Firefox and several Chrome extensions also support it. Estimates from 2025 put GPC signals at roughly 5 to 10 percent of all web traffic, a share expected to grow as browser adoption expands.

Which 12 states require businesses to honor GPC signals?

As of 2026, 12 US states legally require businesses to recognize and act on GPC signals, according to legal analysis from Gunster. Connecticut and Oregon joined the group in 2026. The full list is: California, Colorado, Connecticut, Delaware, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, and Texas.

That covers a significant share of the US population, and some of the largest e-commerce markets in the country. If you sell to customers in any of these states and process their personal data, you are expected to detect the GPC signal and stop selling or sharing that data, without waiting for the user to ask.

| State | GPC required since | Key rule |
|---|---|---|
| California | 2022 (CPRA) | Must also display visible confirmation from Jan 2026 |
| Colorado | 2024 (CPA) | Treat GPC as a valid opt-out of data sale/sharing |
| Connecticut | 2026 (CTDPA) | Joined the group in 2026 |
| Delaware, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Texas | 2024–2026 | Treat GPC as a valid universal opt-out signal |

Importantly, there is no small-business exemption under most of these laws. If your business meets the applicability threshold for the state law, the requirement applies to you. You can view details on each relevant regulation through Clym's regulation guides.

GPC enforcement: the fines businesses have paid

This is not a theoretical risk. Regulators have already issued significant fines tied directly to GPC non-compliance.

In 2022, Sephora paid $1.2 million in California, partly for failing to honor opt-out requests sent through GPC signals. In 2025, Tractor Supply Company settled for $1.35 million over similar failures. Then in February 2026, the California Privacy Protection Agency broke its own record, issuing a $2.75 million settlement against a streaming platform for opt-out failures.

California has since tightened its rules further. Under regulations that took effect January 1, 2026, businesses must now do more than silently process a GPC signal in the background. They must also display a visible confirmation to users, such as a badge or notification confirming that their opt-out request has been honored. A cookie banner alone does not satisfy this requirement.

Why most websites are not ready

The core problem is awareness, and it is most acute among smaller businesses. Cisco's 2025 Data Privacy Benchmark Study found that organizations with 50 to 249 employees were the only company size category to reduce their privacy spending year over year, even as the number of state laws requiring action continued to grow.

Cookie consent banners became familiar after GDPR. They gave business owners something visible to point to. The GPC signal is invisible by design. It arrives in the HTTP header of a web request, before any user interaction takes place, and most website owners have no idea it is being sent.

The scale of the gap is striking: the GPC protocol has grown from fewer than 7,000 active domains in 2022 to more than 459,000 by mid-2025 (a roughly 67-fold increase). That growth reflects rising browser adoption among users, not rising compliance among businesses.

What your website needs to do to honor GPC

Addressing the universal opt-out requirement involves three steps:

  1. Detecting the signal. Your website needs to be able to identify when an incoming HTTP request carries a GPC header. This requires technical implementation, either through custom code or a consent management platform that handles detection automatically.

  2. Acting on it. When the signal is detected, you must stop selling or sharing that user's personal data for the duration of that session and beyond. This typically means suppressing third-party tracking scripts and data-sharing integrations for that user.

  3. Confirming it (California only, from Jan 2026). In California, you must also display a visible confirmation to the user that their opt-out preference has been registered.
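The three steps above as server-side JavaScript (Node), added here as an example that is not part of the original article or Clym's code. The `Sec-GPC: 1` header name comes from the GPC specification; the tag manifest, the `state` argument (supplied by your own geolocation) and the shape of the returned object are assumptions made for illustration.

```javascript
// Added example, not code from the article or from Clym.
// States the article lists as requiring businesses to honor GPC.
const GPC_STATES = new Set(['CA', 'CO', 'CT', 'DE', 'MD', 'MN',
                            'MT', 'NE', 'NH', 'NJ', 'OR', 'TX']);

// Hypothetical tag manifest (assumption): marks integrations that sell or share data.
const TAGS = [
  { name: 'site-search', sellsOrShares: false },
  { name: 'ad-retargeting', sellsOrShares: true },
  { name: 'social-pixel', sellsOrShares: true },
];

// Step 1, detect: the GPC specification defines the request header "Sec-GPC: 1".
// `headers` is a plain object with lower-cased names, as Node's http module
// provides. Anything other than exactly "1" is treated as no signal.
function hasGpcSignal(headers) {
  const raw = headers['sec-gpc'];
  const value = Array.isArray(raw) ? raw[0] : raw;
  return typeof value === 'string' && value.trim() === '1';
}

// Steps 2 and 3, act and confirm. `state` is a two-letter US state code from
// your own geolocation (assumed input); null means the lookup failed.
function planResponse(headers, state) {
  const gpc = hasGpcSignal(headers);
  // Fail closed: an unknown location is treated like a state that requires GPC.
  const mustHonor = gpc && (state === null || GPC_STATES.has(state));
  return {
    optedOut: mustHonor,
    // Suppress every integration that sells or shares data for this visitor.
    tags: TAGS.filter(t => !(mustHonor && t.sellsOrShares)).map(t => t.name),
    // The article describes the visible confirmation as a California rule.
    showConfirmation: mustHonor && state === 'CA',
    // The page differs by signal, so shared caches must key on the header.
    responseHeaders: { Vary: 'Sec-GPC' },
  };
}

// Constructed sample requests.
console.log(planResponse({ 'sec-gpc': '1' }, 'CA'));
console.log(planResponse({}, 'CA'));
```

A client-side tag loader can apply the same filter by reading `navigator.globalPrivacyControl`, the JavaScript property through which the signal is also exposed.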

For most websites, implementing GPC detection from scratch requires developer resources and ongoing maintenance. The more practical approach is a consent management platform that supports GPC detection natively, so the signal processing and privacy controls happen automatically.

How Clym supports Global Privacy Control

Clym's Global Privacy Control solution is built into the platform's consent management framework. When you add Clym's script to your website, it automatically detects GPC signals from all major browsers and extensions, then applies the appropriate privacy controls based on the user's jurisdiction, with no custom development required.

Here is how it works in practice:

  • Automatic signal detection. Clym reliably identifies GPC signals from browsers, including Brave, DuckDuckGo, and Firefox, without any manual configuration.

  • Jurisdiction-based application. GPC signals are applied based on the user's location and the applicable privacy regulations in that jurisdiction, using Clym's geofencing capability.

  • Seamless integration with consent. GPC signals are processed within the same consent framework as your explicit opt-out mechanisms, including Google Consent Mode and IAB TCF.

  • User override option. You can optionally allow users to override their browser's GPC signal if they want to provide different preferences, giving you flexibility in how you manage user choice.

  • Pre-configured regulatory profiles. Clym's ReadyCompliance® feature means your GPC settings are pre-configured based on your regulatory profile, so the implementation is structured from day one.

Conclusion

Global Privacy Control is no longer a technical curiosity. It is a legal requirement in 12 US states, it is enforced with real fines, and it is already arriving on your website whether or not you are detecting it.

The gap between user adoption and business readiness is growing. GPC-enabled browsers are adding millions of users each year. Enforcement activity from California is escalating. And the requirement to visibly confirm opt-out requests adds a layer that a traditional cookie banner cannot cover.

The practical path forward is to use a consent management platform that handles GPC detection, jurisdiction-based processing, and user confirmation automatically. That way, when a user arrives with a GPC signal active in their browser, your website is already set up to respond correctly.

Frequently asked questions

A cookie consent banner is a user-facing interface that asks visitors to make a consent choice. Global Privacy Control (GPC) is an automated browser signal that sends a privacy preference before any user interaction. A cookie banner does not detect or honor GPC. These are two separate mechanisms, and businesses in relevant US states need both.

Yes. Eleven other US states beyond California now require businesses to honor GPC signals: Colorado, Connecticut, Delaware, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, and Texas. The obligation applies if you process personal data of residents in those states, regardless of where your business is based.

Ignoring GPC signals in US states that require you to honor them exposes your business to regulatory enforcement. California has issued fines ranging from $1.2 million to $2.75 million for opt-out failures. There is no small-business exemption under most state privacy laws.

GPC signals are sent as an HTTP header and as a JavaScript property (navigator.globalPrivacyControl). You can detect them with custom code, but the most common approach is a consent management platform that supports GPC natively, automating detection and the downstream privacy controls without developer intervention.

Brave sends GPC by default. DuckDuckGo's mobile browser also sends it by default. Firefox users can enable it manually. Several Chrome extensions (such as Privacy Badger) add GPC support. As of 2025, GPC signals are estimated to appear in 5 to 10 percent of web traffic.

Adam Safar

Head of Digital Marketing

Adam is the Head of Digital Marketing at Clym, where he leverages his diverse expertise in marketing to support businesses with their compliance needs and drive awareness about data privacy and web accessibility. As one of the company’s original team members, Adam has been instrumental in shaping its journey from the very beginning. When he’s not diving into marketing strategies, Adam can be found cheering on his favorite sports teams or enjoying fishing.
