Global Privacy Control (GPC) for U.S. Websites

GPC is the most widely recognized universal opt-out mechanism (UOOM) required by U.S. state privacy laws. Usercentrics detects and honors GPC signals automatically, supporting U.S. privacy compliance as enforcement expands.

Start Free Contact sales

GPC requirements may apply to your website

If your website is accessible to U.S. visitors, you may be required to detect and honor GPC signals.

This signal tells your website that a visitor wants to opt out of data sale, sharing, or targeted advertising.

If your website isn’t detecting and responding to them correctly, you could be out of step with an increasing number of state laws. And enforcement is increasing.

Read our GPC guide

What is Global Privacy Control (GPC) and why does it matter?

GPC is a browser-based signal that individuals activate in their settings. Visitors don’t have to interact with a consent banner or fill out a form. Their browser sends the opt-out signal automatically, across every site they visit.

States are actively fining businesses that fail to honor these signals, and regulators use automated scanning tools to find non-compliant sites at scale.

California will require major browsers to include built-in GPC support by 2027, significantly increasing the volume of GPC signals received.

U.S. privacy enforcement is accelerating

In 2025, privacy regulators from California, Colorado, Connecticut, Delaware, Indiana, New Jersey, and Oregon formed the Consortium of Privacy Regulators to coordinate enforcement across state lines.

Their first joint action was an investigative sweep targeting businesses that failed to honor GPC signals.

Regulators use automated tools to scan websites for GPC compliance at scale. Non-compliant sites are not hard to find. There is no low-visibility way to ignore these requirements.

View enforcement actions

20+

states with active privacy laws

7

states coordinating enforcement through the Consortium

12

states requiring recognition of opt-out signals

1

joint GPC enforcement sweep and other enforcement actions already completed

How to handle GPC signals

Honoring opt-out signals correctly takes more than a privacy policy update. It requires detection, consistent application, and documentation across every visitor session.

Detect every signal automatically

Usercentrics identifies GPC signals from browsers, devices, and extensions. Where required, it displays “Opt-Out Request Honored” confirmation to visitors. No manual monitoring required.

Apply opt-out preferences correctly

Visitor preferences for data sale, sharing, and targeted advertising are applied automatically, in line with applicable U.S. state requirements.

Stay consistent across your systems

Respect opt-out signals across vendors, platforms, and channels. Your consent logic stays aligned throughout your digital ecosystem.

Extend opt-outs to known users

If you can identify a returning visitor across devices or browsers, California requires you to extend their GPC opt-out to all those sessions.

Read GPC setup documentation

Start with what’s on your website

Run a free scan to surface the cookies and trackers active on your site and understand where your consent setup may need attention.

GPC compliance works better when every team is aligned

A well-implemented GPC strategy with your CMP can do more than support privacy compliance.

For legal and compliance teams

Automated signal detection and documented opt-out records reduce manual oversight and support audit readiness across U.S. state requirements.

For marketing teams

Correct opt-out signal handling helps protect your data operations. Unhandled GPC signals can limit analytics reporting and measurement in Google and other ad platforms.

For web and technical teams

Usercentrics integrates with your existing consent setup. No custom development required to detect and honor GPC signals correctly.

How Usercentrics handles GPC for you

Usercentrics CMP is already built to handle GPC signals. Detection, application, and audit-ready records are included and don’t need additional development.

Automatically detects GPC signals from browsers, devices, and extensions
Displays “Opt-Out Request Honored” confirmation to visitors where required
Applies opt-out preferences consistently across vendors, platforms, and touchpoints
Maintains documented consent records to support regulatory inquiries and audit readiness
Adapts automatically as U.S. state opt-out signal requirements expand
Works within your existing consent infrastructure — no custom development required

See how website consent management works

Get expert help with GPC

Not sure where to start with GPC? Our team can help you understand what applies to your business and how to implement it correctly.

Talk to our team

Learn more about GPC

Article

Apr 14, 2026

Introduction to the IAB Global Privacy Platform (GPP): What U.S. publishers need to know

The Global Privacy Platform (GPP) enables publishers to signal consent and preference information obtained from users to third parties. This IAB initiative helps publishers evolve their compliance efforts and stay ahead of the rapidly evolving privacy landscape in a cost- and resource-friendly way.

Article

Mar 27, 2026

CPPA Enforcement Is Escalating: The Legal and Financial Risks U.S. Businesses Face Now

CalPrivacy’s enforcement apparatus has expanded dramatically: a new Audits Division, automated website scanning, the nine-state Consortium of Privacy Regulators, and a deterrence-first penalty philosophy. For U.S. businesses, the risk is no longer theoretical as investigations can open without warning, and fixing a violation before agency contact doesn’t guarantee avoiding a fine. Learn about the 10 areas driving enforcement.

Article

Feb 7, 2025

U.S. data privacy laws by state: rights and requirements

In 2025 more U.S. state privacy laws came into effect than in any previous year. Three more followed in 2026 and new ones continue to be passed. We compare what U.S. state-level data privacy laws mean for businesses and consumer rights in light of increasing regulation and enforcement.

Frequently asked questions

GPC is a browser-based signal that individuals activate in their settings to communicate their privacy preferences automatically. It tells websites to opt them out of data sale, sharing, and targeted advertising without requiring them to interact with each site individually.

A UOOM is a signal that enables website visitors to communicate their privacy preferences automatically via their browser, without interacting with each website individually. GPC is the most widely recognized UOOM under U.S. state privacy laws.

Not yet, though the trend is toward broader recognition. As of early 2026, California, Colorado, and Connecticut explicitly require recognition of GPC by name. Nine additional states require recognition of a UOOM more broadly: Delaware, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, and Texas. More states are expected to follow.

Colorado is currently the only state with a formal application and approval process for recognized UOOMs. California, Colorado, and Connecticut have each explicitly confirmed that GPC qualifies as an approved mechanism under their respective laws.

Yes. In April 2025, privacy regulators from seven U.S. states formed the Consortium of Privacy Regulators to coordinate enforcement: California, Colorado, Connecticut, Delaware, Indiana, New Jersey, and Oregon.

That September, California, Colorado, and Connecticut launched a joint investigative sweep targeting businesses failing to honor GPC signals. More multistate sweeps are expected in 2026. Regulators use automated tools to scan for non-compliant sites at scale.

Your website may be out of step with an increasing number of U.S. state privacy laws. That exposes you to regulatory fines, enforcement actions, and reputational damage. It can also affect your marketing data, as some ad platforms require correct consent signals to function properly.

Yes. California’s AB 3048 requires major browsers to include built-in GPC support by January 1, 2027. This will significantly increase the number of visitors arriving at your website with GPC already active. Businesses that are not already set up to detect and honor these signals will face substantially higher compliance exposure from that date.

The most reliable way is to test it directly. Enable GPC in a supported browser or extension, visit your website, and check whether the signal is being received and applied to your consent configuration. If you have Usercentrics CMP implemented, GPC detection is built in, you can verify signal handling through your Usercentrics dashboard.

Usercentrics CMP automatically detects and honors GPC signals as part of your consent management setup. Your team doesn’t have to manage it manually, and you won’t risk missing signals.