There should be more regulation on how companies use their personal data – 72% of US adults believe, according to a study by the Pew Research Center. Consumers are taking more measures to protect their privacy, such as choosing more secure browsers, blocking third-party cookies, and more.
However, the continuous development and complexity of privacy regulations can make it difficult to ensure your data remains secure. That’s why Global Privacy Control (GPC) is important – it ensures a simplified and streamlined solution for managing privacy preferences using a universal opt-out mechanism.
What is Global Privacy Control?
Global Privacy Control (GPC) is a browser feature that makes the process of notifying businesses about the privacy settings of users easier, like a preference to stop collecting personal data. It’s required to honor GPC signals under many privacy regulations, including the CCPA, and it’s also a general recommendation under the GDPR.
The way it works is that websites recognize the GPC signal and automatically opt the user out of data sharing and selling practices.
GPC signals were created as a means to provide users with a universal opt-out signal that would give more control over their privacy. The project was backed by many trusted organizations, including Firefox, Brave, Washington Post, and New York Times.
The difference between GPC and “Do not track” requests is that the latter was voluntary, meaning companies didn’t face any consequences for not complying. Meanwhile, GPC signals are enforced under privacy laws, so companies must comply or face hefty fines.
For example, in March 2025, the CCPA issued a fine of over $345,000 for a clothing brand that didn’t honor GPC signals.
Which laws recognize GPC?
Global Privacy Control was created in response to the CCPA as a universal opt-out signal. Since it only launched in 2020, it has gained recognition as an opt-out method in major privacy laws, mostly in the US.
CCPA
Under the CCPA, complying with the Global Privacy Control signals is obligatory and cannot be denied unless a business believes that the request is fraudulent. In such cases, the business must inform the user that the request has been denied and explain why.
Section 999.315 (a) of the CCPA states that a suitable method for submitting an opt-out request includes “user-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information.”
The privacy legislation also states that GPC should be considered a request that directly comes from the consumer and does not need to be verified.
Connecticut Data Privacy Act (CTDPA)
The Connecticut Data Privacy Act (CTDPA) is another US state law that adopted universal opt out preference signals from January 1, 2025. It encompasses opt-out methods that clearly communicate the preference of the user, such as Global Privacy Control.
Colorado Privacy Act (CPA)
The Colorado Privacy Act (CPA) adopted the universal opt-out mechanism from July, 2024 that allows users to opt out of personal data selling or sharing. According to the Colorado Attorney General, the GPC is the first universal opt-out mechanism recognized under the CPA.
Other state privacy regulations in the US
Many US states are starting to adopt universal opt-out mechanisms, which include the Global Privacy Control signals. Universal opt-out is any method used to communicate an opt-out request for the processing of user personal data across multiple websites rather than through each site.
Here are the US state privacy laws that have adopted or will adopt the universal opt-out-mechanisms and when:
US privacy regulation |
GPC signal adoption |
The Texas Data Privacy and Security Act (TDPSA) |
January 1, 2025 |
Montana Consumer Data Privacy Act (MTCDPA) |
January 1, 2025 |
Delaware Online Privacy and Protection Act (DOPPA) |
January 1, 2026 |
Oregon Consumer Privacy Act (OCPA) |
January 1, 2026 |
Privacy laws that don’t require acknowledging universal opt-out mechanisms, including GPC signals, are Virginia’s Consumer Data Protection Act (VCDPA) and the Utah Consumer Privacy Act (UCPA).
Why does GPC matter for businesses?
Here are the main reasons why Global Privacy Control signals are crucial for both users and companies:
- Improved personal data control. GPC signals allow users to easily manage how their personal data is used across multiple websites, empowering them with more control.
- Compliance. For many businesses in the US, including the ones who operate under the CCPA and other state laws with universal opt-out mechanisms, honoring GPC signals is legally required.
- Large fines. Non-compliance with laws that require honoring universal opt-out mechanisms can lead to penalties, such as large CCPA fines.
- Increased user trust. Honoring GPC requests demonstrates that businesses respect their users’ privacy, ensuring a better company reputation.
- Saves time. GPC signals don’t require user verification, and since they eliminate the need to fill out the “Do not sell” link forms on each website, it saves time for users and businesses.
How to comply with GPC?
Complying with GPC requires detecting and honoring the signal if the privacy laws applicable to your business demand it. Here are the main steps to comply with GPC signals:
- Detect GPC signals. The easiest way to ensure you detect GPC is to use a Consent Management Platform (CMP) that supports it. For example, TinyCookie lets you enable GPC signal detection in just one click on Shopify.
- Honor GPC signals. When a GPC signal is detected, you must treat it as a proper opt-out request. This means avoiding sharing or selling personal data or cross-site behavioral advertising.
- Review your privacy policy. Check that your privacy policy states that your company honors GPC signals so users would be aware of it.
What are the limitations of GPC?
While the future of Global Privacy Control seems promising, especially with many US states recognizing it as a universal opt-out mechanism, it still has some limitations. Here are some of them:
- Voluntary compliance. In regions where privacy legislation does not legally require businesses to acknowledge universal opt-out mechanisms, such as Japan or the EU, companies may not honor the signal.
- Lack of business awareness. Some businesses may not be aware of GPC signals and as a result, they may not set up detection tools to honor them.
- Different jurisdiction laws. GPC is not yet globally recognized, so there are no clearly developed compliance enforcements, except for the CCPA and the CPA.
- Difficult to verify. Since GPC signals or companies don’t provide any feedback on whether requests are honored, there’s no clear way to know if businesses don’t ignore them.
Future of Global Privacy Control
Many US state privacy laws are already set to adopt universal opt-out mechanisms that include GPC signals. As more regions implement similar laws, Global Privacy Control may receive more legal backing, helping it become a mandatory requirement for businesses around the globe.
Under the GDPR, GPC signals operate as a general request to limit sharing of data and businesses may not comply. However, the wider implementation across the US may influence GPC signals to be a right under the GDPR or other jurisdiction laws as well.
The growing GPC importance across privacy laws may also encourage more popular browsers, such as Safari or Chrome, to create built-in GPC solutions.
How to navigate Global Privacy Control with TinyCookie
TinyCookie is a Shopify cookie banner solution that can help you detect GPC signals and manage consent. Here’s what you can do with the app:
- Honor GPC signals. You can set up TinyCookie to automatically detect and honor GPC signals in one click.
- Display a custom banner. You can use TinyCookie to add a customized cookie consent banner on your website. It helps become compliant with many privacy regulations, such as GDPR, CCPA/CPRA, PIPEDA, LGPD, and APPI.
- Include a cookie rejection button. TinyCookie lets you easily add a “Do not sell or share my personal information” or “Reject cookies” button in your banner.
- Add privacy integrations. TinyCookie is fully integrated with Google consent mode V2, Facebook Pixel, and Shopify Customer Privacy API, ensuring it manages privacy preferences in a compliant way.
Frequently asked questions
Yes, Global Privacy Control is a legitimate mechanism used to automatically signal user privacy preferences to companies. However, it’s only effective when websites actually comply with GPC under privacy laws and if your browser supports it.
Global Privacy Control helps Internet users to send a notification to businesses that they prefer their personal information not to be sold or shared with other parties.
If a website doesn’t recognize your GPC signal, it may be that they haven’t implemented the honoring of such signals or you haven’t properly enabled it. Here are a few things you can do:
- Verify that it’s enabled. Go to the globalprivacycontrol.org website to test if your GPC signal is detected. If it’s not, enable it in your browser (Firefox, DuckDuckGo, or Brave) or download an extension on Chrome or Safari.
- Contact the site. If your GPC signal is detectable, contact the website that doesn’t honor it to explain the situation.
- Contact local authorities. As a last resort, if the company is refusing to honor your GPC signal, you can contact the Attorney General to file a complaint.
No, there are no downsides to enabling Global Privacy Control on your browser. Your browser or extension used to enable GPC sends the GPC signal to all websites you visit in the background.