Global Privacy Control Is Now a Binding Opt-Out Signal in Ten States
GPC is no longer advisory. After the Disney settlement and a three-state enforcement sweep, the Sec-GPC header is legally binding across ten US states — and cookie-free analytics has nothing to honor.
A browser can now tell your server, in a single HTTP header, that the visitor has opted out of having their data sold or shared — and in ten US states you are legally required to obey it. The signal is Global Privacy Control (GPC), and after a year of enforcement actions it has stopped being a courtesy and become an obligation developers have to implement in code.
Most teams have never written a line of GPC handling. That gap is now an enforcement target.
What the signal actually is
GPC is two surfaces describing one preference. On the wire it is an HTTP request header:
Sec-GPC: 1
The W3C specification permits exactly one value — the literal character 1. The header is sent on every request the browser makes while GPC is enabled: page loads, API calls, image and script fetches. There is no Sec-GPC: 0; absence of the header means no signal, not consent.
In JavaScript the same preference is exposed on navigator:
const optedOut = navigator.globalPrivacyControl === true
That property returns true when GPC is active, false when supported but off, and undefined in browsers that do not implement the spec. Server-side header detection and client-side property reads are not interchangeable — the header arrives before any JavaScript runs, so anything that collects data at the edge must read the header.
Why it became binding
Universal opt-out mechanisms moved from optional to mandatory across a wave of state laws. California (CPRA), Colorado, Connecticut, Delaware, Montana, Nebraska, New Hampshire, New Jersey, Oregon, and Texas now require businesses in scope to honor an approved opt-out preference signal, and every one of those regulators has designated GPC as a valid one. As of mid-2025 that is ten states with a live legal duty.
Enforcement followed the rules. In September 2025 the California Privacy Protection Agency, the Colorado Attorney General, and the Connecticut Attorney General announced a joint investigative sweep specifically targeting businesses that ignored opt-out signals — and singled out sites that displayed a compliant-looking confirmation while continuing to process data in the background.
In February 2026 the California Attorney General reached a $2.75 million settlement with The Walt Disney Company over systemic failures to honor opt-out requests, the largest CCPA settlement to date. The earlier $1.2 million Sephora settlement established GPC as a valid signal; Disney established that ignoring it at scale is expensive.
The trajectory is fixed. California's Opt Me Out Act (AB 566), signed in October 2025, requires browsers themselves to ship a built-in opt-out signal control by January 1, 2027. GPC traffic only grows from here.
What honoring it requires
For an analytics or advertising stack that sells or shares data, the implementation is real work. You must detect the header at the edge before any tracking fires, suppress data sharing for that request, and — under the CCPA regulations effective January 1, 2026 — be able to demonstrate the signal was processed rather than merely received.
if request.headers.get("Sec-GPC") == "1":  # the spec permits only the literal "1"
    # do not sell or share; do not load ad/attribution tags
    # log that the signal was honored, not merely received
    pass  # placeholder for the suppression and audit-log calls
The hard part is not the if statement. It is auditing every tag, pixel, and conversion script on the page, confirming each one stops, and producing evidence on demand. A typical site loads opt-out-relevant third parties it cannot fully control, which is exactly the surface the multi-state sweep probed.
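An added example (not code from the original article) of the edge-side decision described above: strict header parsing, suppression of an inventory of opt-out-relevant tags, and an audit record that evidences processing. The tag names are constructed, and header lookup is normalized to lower case because HTTP header names are case-insensitive.

```python
from datetime import datetime, timezone

# Constructed sample tag inventory. A real one comes from auditing every tag,
# pixel and conversion script the page loads.
OPT_OUT_RELEVANT_TAGS = {"ad-pixel", "attribution-sdk", "retargeting-beacon"}
FIRST_PARTY_TAGS = {"first-party-analytics"}


def _get_header(headers, name):
    """Case-insensitive header lookup; returns None when absent."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def gpc_opt_out(headers):
    """True only when Sec-GPC is exactly "1".

    The spec defines no other value. Absence means "no signal", not consent,
    and an unexpected value such as "0" or "true" is treated as no signal
    rather than guessed at.
    """
    return _get_header(headers, "Sec-GPC") == "1"


def apply_gpc(headers, requested_tags, now=None):
    """Decide which tags may load and build the audit record for this request.

    Returns (tags_to_load, audit_record). The record is the evidence that the
    signal was processed rather than merely received: raw header value,
    decision taken, and exactly which tags were suppressed. It holds no IP,
    UA or other person-linked data.
    """
    now = now or datetime.now(timezone.utc)
    opted_out = gpc_opt_out(headers)
    suppressed, allowed = set(), set()
    for tag in requested_tags:
        if opted_out and tag in OPT_OUT_RELEVANT_TAGS:
            suppressed.add(tag)
        else:
            allowed.add(tag)
    audit = {
        "ts": now.isoformat(),
        "sec_gpc_raw": _get_header(headers, "Sec-GPC"),
        "opted_out": opted_out,
        "suppressed_tags": sorted(suppressed),
        "loaded_tags": sorted(allowed),
    }
    return allowed, audit
```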
Why cookie-free analytics sits outside the question
GPC is an opt-out of the sale or sharing of personal information for targeted advertising. The obligation only attaches if you are doing something the visitor can opt out of.
A privacy-first tracker does not sell or share data, does not build cross-site profiles, and stores no personal identifier to begin with. There is no advertising exchange downstream and no third party to suppress. The daily visitor hash is built specifically so that no stable identifier exists to share:
visitor_hash = SHA-256(IP | UA | SALT_SECRET | YYYY-MM-DD)
The IP and User-Agent are read in memory only, used to compute the hash, then discarded. The date input means the hash rotates every day, so there is no cross-session identity to sell even in principle. The /collect endpoint receives a request, derives an aggregate count, and keeps nothing that resolves back to a person.
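The daily visitor hash and the aggregate-only /collect path, as an added example rather than the tracker's own code. The formula in the article leaves the field separator unspecified, so a NUL byte is assumed here; the salt value and the request inputs are constructed placeholders.

```python
import hashlib
from collections import defaultdict

# Constructed placeholder; a real deployment loads this from secret storage.
SALT_SECRET = b"constructed-placeholder-salt"


def visitor_hash(ip, ua, day_iso, salt=SALT_SECRET):
    """SHA-256(IP | UA | SALT_SECRET | YYYY-MM-DD), hex encoded.

    A NUL separator is assumed so a User-Agent that itself contains '|'
    cannot be re-split into a different (IP, UA, date) tuple. Because the
    date is part of the input, the same visitor hashes differently each day.
    """
    material = b"\x00".join(
        [ip.encode(), ua.encode(), salt, day_iso.encode()]
    )
    return hashlib.sha256(material).hexdigest()


class DailyAggregates:
    """Everything /collect retains: per-day, per-path views and unique counts.

    IP and UA are consumed by visitor_hash() and never stored; only the
    rotating hash enters the day's uniqueness set, and it cannot be joined
    to the next day's set.
    """

    def __init__(self):
        self.views = defaultdict(int)      # (day, path) -> page views
        self._uniques = defaultdict(set)   # (day, path) -> daily hashes

    def collect(self, ip, ua, path, day_iso):
        h = visitor_hash(ip, ua, day_iso)  # ip and ua go no further
        key = (day_iso, path)
        self.views[key] += 1
        self._uniques[key].add(h)
        return h

    def unique_visitors(self, path, day_iso):
        return len(self._uniques[(day_iso, path)])

    def linkable_across_days(self, path, day_a, day_b):
        """True if any hash appears on both days (expected: never)."""
        return bool(self._uniques[(day_a, path)] & self._uniques[(day_b, path)])
```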
That does not exempt you from reading Sec-GPC as a matter of good faith — honoring a signal you technically have no data to act on is cheap and signals intent. But it does mean the expensive part of GPC compliance, the part Disney got wrong, never applies. There is no data sale to halt because the architecture never produced sellable data.
The pattern across both regimes
The EU's consent-before-tracking model and the US opt-out-on-signal model look opposite, and procedurally they are. But they converge on the same technical fact: both regimes regulate the creation and movement of a persistent, person-linked identifier. GDPR asks for consent before you set one; state law lets a browser revoke its sale after the fact.
A system that never mints a cross-session identifier answers both questions the same way. The consent banner has nothing to gate, and the opt-out signal has nothing to enforce — because the regulated object was never built.