Privacy is becoming increasingly important in the US. With more than two dozen states enforcing privacy laws, companies face a patchwork of regulatory requirements, further complicated by limited case law and formal guidance. However, the leading state – California – has stepped up enforcement of its landmark law, the CCPA, with fines multiplying since 2021.
This increase in regulatory actions gives marketers and legal teams clearer signals about expectations. One of the key areas of focus is Global Privacy Control (GPC), a mechanism that allows users to explicitly opt out of the sale or sharing of their personal data. In this article, we explain what GPC is, how to ensure GPC signals are respected on your website, and the impact of GPC on your operations.
What is GPC?
Global Privacy Control was created in 2020 by a coalition composed primarily of academics, privacy-focused tech companies including Brave and DuckDuckGo, and newspapers such as The New York Times and the Financial Times. The aim was to simplify the online protection of personal data. One of the goals was to create a system that would actually be useful, unlike options like Do Not Track, a browser setting that is mainly ignored by websites and carries no enforcement consequences.
The feature can be accessed through plugins in major browsers, including Chrome and Safari, and through built-in settings in other browsers, especially Mozilla Firefox and Brave. Once activated, the signal can be read by websites via JavaScript.
California quickly recognized GPC as a valid way for users to indicate their consent to the sale or sharing of their data on any website they visit, using terminology defined in the CCPA. Starting in 2022 with the Sephora casewhich carried a $1.2 million fine, regulators imposed multiple fines on companies that failed to respect GPC signals. Given the increased pace of CPPA enforcement actions, more and more companies are seeking to implement tools to properly honor GPC signals. However, it is not always clear how to do this.
How to ensure GPC signals are respected
Option 1: Through your CMP provider
Consent Management Platforms (CMPs) offer several products, the best known of which are cookie banners. Although each provider uses its own system, the starting situation is comparable for all providers. A hyperlink is placed on each page that loads the cookie banner when users first arrive at the website. Marketing or legal teams can configure the banner via an online platform and update it in real time. They also have access to detailed data to support traceability.
Today, most CMP providers offer GPC signaling features, allowing websites to detect when GPC has been automatically activated. Once detected, data collection related to sales or data sharing can be blocked using standard variables, usually through a tag management system (TMS).
This is by far the easiest method. Given current trends in US privacy regulations, if you don’t already have a cookie banner provider, it’s worth considering this option to simplify privacy management in the short term.
Your customers are searching everywhere. Make sure your brand appears.
The SEO toolkit you know, plus the AI visibility data you need.
Start free trial
Option 2: Via a customized system
All websites can read GPC signals, and custom methods are available for organizations that do not use CMP or prefer a different approach.
The best-known custom system was developed by The Washington Post and Wesleyan University and involves the implementation of a JSON file. This system provides greater transparency, but may be more difficult to deploy at scale, especially for websites with thousands of pages, and may provide less traceability.
Whichever method you choose, perform extensive testing to ensure that any sales or data sharing is effectively blocked. You should also work closely with your legal department to determine whether data from these tests should be retained.
Impact of GPC on your business
The marketing effects have so far been very limited. Although GPC proponents claim so 150 million people use GPCwhich would represent about 3% of all Internet users, the share of traffic carrying the signal appears to be much lower. Many users do not activate GPC consistently across devices. For example, they can enable it on a laptop, but not on mobile.
Based on our research, it is virtually impossible to determine the share of traffic where GPC is activated. Precise figures cannot be calculated because GPC limits specific data collection mechanisms. When we enabled these features for customers, we saw no measurable impact.
In other words, GPC traffic is, at least for now, indistinguishable from normal traffic variation. As a result, American marketers typically show less interest in the topic than their European counterparts, who face cookie rejection rates as high as 50%.
However, legal risks are real and immediate. As previously noted, several fines of more than $1 million have already been imposed on companies, including for non-compliance with GPC signals.
As privacy cases increase in California and elsewhere, legal departments must work closely with marketing and IT teams to ensure tracking implementations are compliant. They must also establish processes to maintain compliance over time. This often relies on translators: team members who understand both legal requirements and marketing data collection.
In the future, GPC could become more widespread, especially if major browsers like Chrome and Safari integrate it by default. In that scenario, data volumes could decrease significantly. Marketers must continue to monitor these developments. As adoption accelerates, they must take steps to limit potential data loss.
Limited marketing impact, increasing legal risk
Privacy in the US is here to stay. GPC, driven in part by California’s leadership, is now a meaningful part of the compliance framework that companies across the country must follow. While the impact on data collection remains limited, enforcement actions and fines are increasing.
Organizations must take action now to remain compliant and avoid unexpected fines. They should also continue to monitor privacy trends to ensure both compliance and effective marketing performance.
#GPC #compliance #legal #priority #marketers #MarTech