What is Global Privacy Control (GPC) and Universal Opt-out?

Consumers are taking a more active role in managing how their personal data is used. Many adjust privacy settings, limit third-party cookies, enable multi-factor authentication, or rely on privacy-focused tools to protect their information.

At the same time, privacy laws such as the GDPR and various US state privacy laws emphasize transparency and user choice. Therefore, users often engage with cookie banners, opt-in checkboxes, and privacy or cookie policies to communicate their privacy preferences to individual websites.

Global Privacy Control (GPC) builds on this approach by allowing users to express their opt-out preferences through a single, browser-based signal. For businesses, honoring GPC requires systems that can automatically detect and apply these signals across cookies and tracking technologies.

The Global Privacy Control (GPC) is a browser signal or extension that facilitates the process for users to indicate their privacy preferences while navigating the internet. At its core, GPC allows users to enable privacy preferences in their web browsers. This preference is then transmitted as a signal to every website they visit, indicating their respective choices, including the choice to either opt in or opt out of cookie usage, data sharing, data sale, and targeted advertising.

When a user enables their preferences via GPC and it is recognized by a website, the visitor is automatically opted out of targeted advertising and any activities that involve the sale or sharing of their personal data. This helps reduce the need for users to repeatedly manage the same privacy choices across different websites.

Many web browsers, extensions, and privacy tools now support GPC. A list of supported browsers and extensions includes Firefox, Brave, Privacy Badger, and DuckDuckGo. Browsers like Chrome that do not have built-in GPC functionality can still support the signal through compatible extensions.

Global Privacy Control or GPC was developed in response to the CCPA, which envisioned the concept of a universal opt-out signal. An informal consortium of over dozen organizations including the Electronic Frontier Foundation (EFF), the National Science Foundation, Mozilla, The New York Times, and The Washington Post back the GPC.

Today, GPC is widely recognized as a Universal Opt-Out Mechanism (UOOM) and an opt-out preference signal (OOPS) that allows users to communicate their privacy choices across websites.

Implementing Global Privacy Control requires alignment with your broader privacy compliance strategy. Businesses should consider the following steps:

Determine applicability of privacy laws

Evaluate which privacy laws apply to your business. Depending on jurisdiction, you may be required to support opt-out preference signals such as GPC. This also determines the cookie banner template you should use.

If your business is subject to US state privacy laws such as the CCPA/CPRA, CookieYes provides a US state law template designed for opt-out requirements.

For opt-in consent requirements under the GDPR, you can use the GDPR template from the dropdown to collect explicit consent before placing non-essential cookies.

If your website serves visitors in multiple regions, you can also choose the GDPR and US state law template to support both opt-in and opt-out requirements. With geo-targeting, you can show the GDPR opt-in banner to EU/UK visitors and the US opt-out banner to visitors in applicable US states.

Enable GPC for consent management

GPC signals are commonly used by consumers to restrict cookies, particularly third-party tracking cookies. For businesses, honouring GPC is not just about detecting the signal. It also requires ensuring that non-essential cookies and third-party tracking scripts respond correctly when an opt-out preference is received.

From your CookieYes dashboard, you can enable the Respect “Global Privacy Control” option under the US state law template to begin honoring GPC signals automatically.

How is this useful?

Detecting and honouring GPC signals often involves custom development and ongoing maintenance to ensure consistency across website tags and updates. CookieYes CMP helps simplify this by detecting opt-out preference signals and enforcing them automatically.

Integrate GPC signals across systems

Beyond the consent banner, identify data collection practices that must respond to GPC signals. Ensure these signals are transmitted to backend systems and applied consistently across analytics, advertising, and tracking technologies.

Even where not legally required, honoring GPC signals demonstrates a strong commitment to user privacy and helps build trust.

GPC is increasingly recognized by global privacy laws as a requirement for a valid mechanism for honoring opt-out requests. Let’s take a closer look at how GPC is treated under different regulations:

California Privacy Rights Act (CPRA)

Under the CCPA/CPRA, the California Privacy Protection Agency mandates that businesses treat opt-out preference signals as valid requests to opt out of the sale or sharing of personal information.

The latest CCPA regulations note that when a business detects a valid opt-out preference signal, it must treat it as a request to opt out of the sale or sharing of personal information for that browser, device, and any associated consumer profile.

The CCPA’s implementing regulations also state that:

• Global privacy signals must clearly show a consumer’s intent to opt out of the sale of their personal information.

• In cases where there are conflicting signals between a user’s GPC signals and their preferences made through a cookie banner, businesses should prioritize the GPC signal over any other user-stated preferences.
  
• A business must show that it has honored the consumer’s opt-out of the sale or sharing of personal information.

Is honoring GPC enough for CPRA compliance?

Honoring Global Privacy Control signals is an important requirement under the CPRA. However, it is not the only compliance step. Businesses may still need to:

• Provide clear privacy and cookie policies
• Display opt-out cookie banners with “Do not sell” link
• Ensure opt-out preferences are respected
• Implement security safeguards
• Use privacy-compliant tools

CMPs bring these steps together in one place. From your CookieYes dashboard, you can enable a CPRA-ready opt-out banner, generate multilingual policies, and maintain a consent log to track user choices more confidently.

California’s Opt Me Out Act (AB 566)

On October 8, 2025, Governor Gavin Newsom signed the California Opt Me Out Act (AB 566), making California the first US state to require major browsers to provide a built-in way for users to send opt-out preference signals (OOPS). When enabled, these signals automatically communicate a user’s choice to opt out of the sale or sharing of personal information across websites.

The law takes effect in January 2027 and is expected to make universal opt-out mechanisms easier to access for Californians, reducing the need to manually opt out on every website.

Colorado Privacy Act

From July 1, 2024, onwards, the Colorado Privacy Act (CPA) requires businesses to allow consumers to exercise their rights to opt out of the processing of their personal data for purposes of targeted advertising or sale through a “universal opt-out mechanism.” 

• The CPA requires businesses to honor universal opt-out mechanisms starting July 2024

• The CPA Rules clarify the technical specifications for facilitating an opt-out through universal signals, what disclosures businesses need to make and how businesses must respond to user signals.

• The Colorado Department of Law will publish a list of all Universal Opt-Out Mechanisms that have met the specified technical criteria on or before January 1, 2024.

Connecticut Data Privacy Act

Starting from January 1, 2025, the Connecticut Data Privacy Act (CTDPA) extends the existing opt-out obligations and requires businesses to facilitate consumers to opt out of the processing of their personal data for targeted advertising or sale via an opt-out preference signal. This signal should clearly indicate a consumer’s intention to opt out of any such data processing or sale.

Other US state privacy laws

US state privacy laws such as Virginia’s Consumer Data Protection Act (VCDPA) and Utah Consumer Privacy Act (UCPA) do not require businesses to respond to the GPC signal.

GDPR

The General Data Protection Regulation (GDPR) has an opt-in framework for consent, meaning users must specifically take action to give consent before their data is processed by any business. So, organizations subject to the GDPR are not legally obligated to honor universal opt-out mechanisms like GPC.

However, in recent policy discussions, including the EU Digital Omnibus proposal, regulators have acknowledged practical concerns around the repeated use of consent banners and their effect on user experience. Against this backdrop, the proposal explores universal preference mechanisms that would allow users to express consent choices or opt-outs at the browser or device level.

CookieYes helps websites recognize GPC signals and apply opt-out preferences more consistently. Here’s what that looks like in practice.

Honour GPC signal

Enable the option to respect Global Privacy Control, and our CMP will automatically accept the visitor’s signal preferences. Your site visitors will also be informed of honouring the GPC signal via our opt-out banner. This is an important requirement under the CCPA regulations, effective since January 2026.

Custom opt-out banner

Display a fully customizable opt-out banner to support your compliance with CCPA/CPRA (California), VCDPA (Virginia), CPA (Colorado), CTDPA (Connecticut), & UCPA (Utah) and other US privacy laws.

For compliance with GDPR (EU & UK), LGPD (Brazil) and other global opt-in laws, you can utilise our cookie consent banner.

Do not sell/share link

Add the Do Not Sell/Share (DNS) link to your website footer. With this link, your site visitors can easily access the opt-out preference centre and mark their privacy preferences.  

Integrate with tech stack

Implement CookieYes on any CMS/HTML website and integrate with existing standards such as Google Consent Mode, Google Tag Manager and IAB TCF version 2.2.