Global Privacy Control (GPC): What Publishers Need to Know
As of January 2026, twelve US states legally require websites to honor Global Privacy Control (GPC) signals – and regulators are already issuing fines for non-compliance.
Global Privacy Control has moved from a niche browser experiment to a legally mandated opt-out signal. In this article, we explain what GPC is, how it works technically, what it means for your ad revenue, and what publishers need to do to stay compliant.
What Is Global Privacy Control (GPC)?
Global Privacy Control is a browser-level signal that lets users automatically communicate their privacy preferences to every website they visit. When enabled, the browser sends a machine-readable opt-out request indicating the user does not want their personal data sold or shared.
You can think of GPC as the successor to Do Not Track (DNT) – but with one critical difference: GPC carries legal weight. While DNT was voluntary and widely ignored, GPC is explicitly referenced in state privacy laws as a valid mechanism for exercising opt-out rights. The Global Privacy Control specification is maintained by the W3C Privacy Working Group.
GPC is currently supported in browsers including Firefox, Brave, and DuckDuckGo, as well as through browser extensions for Chrome and Edge. As adoption grows, the percentage of your traffic sending a GPC signal will continue to increase.
Why GPC Matters for Publishers in 2026
GPC is no longer optional. Multiple US state privacy laws now explicitly require businesses to treat GPC signals as valid consumer opt-out requests. Ignoring them is a compliance violation that carries real financial consequences.
Enforcement is already underway. In 2022, the California Attorney General’s office fined Sephora $1.2 million in a landmark settlement that specifically cited failure to honor GPC signals as a violation of the California Consumer Privacy Act (CCPA). In 2025, the California Privacy Protection Agency (CPPA) fined Tractor Supply $1.35 million for similar GPC non-compliance. These are not theoretical risks – they are documented enforcement actions with public settlements.
State attorneys general have also begun coordinated enforcement sweeps, sending compliance letters to hundreds of websites at once. The California AG’s GPC page explicitly states that businesses must treat the signal as a legally binding opt-out request.
How GPC Works (Technical Overview)
GPC operates through two complementary mechanisms that websites and CMPs can detect:
- HTTP Header: The browser sends a
Sec-GPC: 1header with every request. This is a standardized header that servers can read before rendering the page. - JavaScript API: The property
navigator.globalPrivacyControlreturnstruewhen the user has GPC enabled. CMPs and consent scripts check this value on page load.
When a Consent Management Platform (CMP) detects a GPC signal, it should automatically apply the user’s opt-out preference without requiring them to interact with the consent banner. This means the CMP treats the GPC signal as an instruction to restrict data sale and sharing, and adjusts the consent state accordingly.
For publishers using Clickio Consent, this detection and response happens automatically once GPC support is enabled in the dashboard.
GPC and Google: What Happens to Your Ads
When a GPC signal is detected and honored, the practical impact on Google advertising is straightforward: the user is treated as having opted out of personalized advertising.
Here’s what that means:
- Restricted Data Processing (RDP) is triggered for Google Ad Manager and AdSense. Google applies its RDP framework, which limits data usage to what’s permitted under applicable US state privacy laws.
- Non-personalized ads only: The user will see contextual ads rather than behavioral/interest-based ads. While CPMs for non-personalized ads are typically lower, they still generate revenue.
- Cross-exchange bidding impact: Some demand sources may reduce bids or opt out of bidding entirely when RDP is active, since they cannot use audience data for targeting.
- Conversion tracking still works: First-party conversion measurement (such as Google Ads conversion tags) continues to function, as it relies on first-party data rather than cross-site tracking.
The revenue impact depends on what percentage of your audience has GPC enabled. For most publishers, this is currently a single-digit percentage of US traffic, but it is growing as more browsers adopt the standard.
Which US States Require GPC Recognition?
As of January 2026, twelve US states have privacy laws that require businesses to honor universal opt-out mechanisms like GPC. Here is a summary of each state and the date its opt-out signal requirement took effect:
| State | Law | Effective Date |
|---|---|---|
| California | CCPA / CPRA | January 1, 2023 |
| Colorado | CPA | July 1, 2024 |
| Connecticut | CTDPA | January 1, 2025 |
| Montana | MCDPA | January 1, 2025 |
| Texas | TDPSA | January 1, 2025 |
| New Hampshire | NHPA | January 1, 2025 |
| Nebraska | NDPA | January 1, 2025 |
| New Jersey | NJDPA | July 15, 2025 |
| Minnesota | MCDPA | July 31, 2025 |
| Maryland | MODPA | October 1, 2025 |
| Delaware | DPDPA | January 1, 2026 |
| Oregon | OCPA | January 1, 2026 |
Additional states are expected to pass similar legislation in 2026 and 2027. The trend is clear: universal opt-out mechanism support is becoming a baseline compliance requirement for any website with US traffic.
What Publishers Need to Do
For Clickio Consent Users
Enabling GPC support in Clickio Consent takes one click. Navigate to your Clickio dashboard, find the GPC toggle in the consent settings, and enable it. Once activated, Clickio Consent will automatically detect GPC signals and apply the appropriate opt-out state for all applicable US privacy laws.
No code changes are required. The CMP handles GPC detection, consent state adjustment, and Consent Mode parameter updates entirely on its own.
For Publishers Using Other CMPs
Check with your CMP provider to confirm whether they support GPC signal detection and automatic opt-out handling. Key questions to ask:
- Does your CMP detect the
Sec-GPC: 1header andnavigator.globalPrivacyControlAPI? - Does it automatically apply the opt-out state when GPC is detected?
If your CMP does not support GPC, you may need to implement custom detection logic or consider switching to a CMP that handles it natively.
Conclusion
Global Privacy Control has evolved from a proposal into a legally enforceable standard that publishers cannot afford to ignore. With twelve US states now requiring GPC recognition, active enforcement sweeps, and real fines being levied, compliance is no longer a question of “if” but “when.”
The good news is that compliance doesn’t have to be complex. Clickio Consent supports GPC out of the box with a single toggle – automatically detecting the signal, adjusting consent state, and ensuring your Google ad stack responds correctly.
Clickio Consent is a Consent Management Platform certified by IAB Europe and Google, providing seamless compliance with GDPR, US state privacy laws, and global regulations.
Ready to add GPC support? Contact us to learn more, or sign up for Clickio Consent to get started today.