What is Global Privacy Control? Frequently Asked Questions

Updated: November 24th, 2025

What is Global Privacy Control?

Global Privacy Control is a technical specification for transmitting opt-out preference signals from a browser to a website; it is sometimes referred to as a universal opt-out mechanism. The initiative is supported by a consortium of privacy-focused organizations such as the Brave browser and DuckDuckGo, as well as well-known publishers like the New York Times and The Washington Post and consent management platforms such as Sourcepoint and Didomi.  

How does Global Privacy Control work?

To take advantage of the GPC tool, users need to download a browser or extension that supports the signal. Similar to managing an ad-block extension, users can turn on the GPC signal for all websites they visit or each individual website. When visiting a website that supports GPC, that website will automatically register the browser opt-out request. Here’s what that experience looks like with the Blur extension by Abine. 

How is Global Privacy Control different from Do Not Track (DNT)? 

Do Not Track was a plug-in offered by major browsers that, when turned on, added a header to browser metadata when initiating a connection with servers. However no servers knew how to interpret the header, nor were they required to, so they often ignored it. With lack of legislative action, it became clear that it would fail. The nail in the coffin was when Apple disabled DNT on Safari because websites could single out its users, making it (ironically) particularly useful for fingerprinting.

The main difference with GPC is that recognition by websites of browser-level user-enabled requests is legally required under several state laws.

What Are the Legal Requirements Around GPC?

As of January 1, 2026, twelve state comprehensive privacy laws require that businesses or controllers subject to the law who engage in the sale or sharing of personal information or targeted advertising (as applicable) recognize opt-out preference signals (OOPSs) or universal opt-out mechanisms (UOOMs). Essentially, businesses are required to treat residents of those states who visit their websites with an OOPSl or UOOM enabled as having exercised their right to opt out of the sale or sharing of personal information or targeted advertising under the applicable law in the same manner as if the user had individually exercised such option through the business’s website-level privacy controls.  

The guidance around OOPSs and UOOMs are more detailed in some laws than others. Colorado, for example, is the only state so far to implement an official application and selection process for approved UOOMs. California regulations include detailed rules and examples governing how businesses must or can respond to opt-out preference signals, including methods for addressing conflicts between the signal and website-level default privacy settings or financial incentive programs. Updated California regulations effective January 1, 2026 require that businesses display whether the business has processed the consumer’s opt-out preference signal as a valid request to opt out (for example, by displaying “Opt-Out Request Honored” when a consumer using an opt-out preference signal visits the website).     

Are GPC Requirements Enforced?

Regulators in California, Colorado and Connecticut have officially recognized Global Privacy Control as an opt-out preference signal or universal opt-out mechanism that requires such treatment under the law and, in 2025, announced a joint investigative sweep to check for business compliance with GPC requirements. 

The California Attorney General and California Privacy Protection Agency (CalPrivacy) have previously enforced GPC requirements. On August 24, 2022, AG Bonta announced a $1.2 million settlement with retailer Sephora, resolving allegations that it violated CCPA, including failure to process opt-out requests communicated via GPC signals. More recently, in October 2025, CalPrivacy issued a $1.3 million fine against rural lifestyle retailer Tractor Supply Co. based, in part, on allegations that the company’s website was not configured to honor GPC signals. 

What’s next for Global Privacy Control?

In October 2025, Governor Newsom signed the Opt Me Out Act into law, mandating that all browsers enable the setting of opt-out preference signals by January 1, 2027. Although recognition of the GPC signal by websites has been mandatory in California for several years, enablement of the signal by browsers has previously always been voluntary, and most major browsers (including Google Chrome, Apple Safari, and Microsoft Edge) have so far elected not to support it. Beginning in January 2027, however, all browsers will be required to support the signal. They must also make it easy for a reasonable person to locate and configure it, and clearly disclose in public statements how the opt-out preference signal works and its intended effect. This forced enablement could result in an increase in user awareness and adoption, leading to a potential increase in opt-out rates across websites. 

Learn more

As one of the first consent management platforms to support GPC in the market, we think we can shed some light on the topic. 

Watch our webinar on demand to learn:

• The relationship between GPC and universal opt-out
• Relevant jurisdictions and effective deadlines
• Use cases for creating friction
• Market adoption of GPC so far
• Best practices for respecting the GPC signal 
• How to set up the Sourcepoint CMP to respect the signal

As always, you can read our product documentation about how to respect Global Privacy Control (GPC) signals or get in touch.