---
title: The New Browser Setting That Could Quietly Dismantle Your Marketing Data
description: "Right now, Global Privacy Control (GPC) affects a relatively small share of your website traffic. It’s built into privacy-focused browsers like Brave, DuckDuckGo, and Firefox, and available as extensions for Chrome and Edge. Although 12 states already require you to honor this signal, most marketing teams haven’t thought twice about it. In October 2025, California […]"
url: https://www.cookiebot.com/en/why-global-privacy-control-matters/
---

# The New Browser Setting That Could Quietly Dismantle Your Marketing Data

65% of global browser traffic runs on Chrome. By January 2027, all major browsers must include a built-in opt-out signal under California’s Opt Me Out Act (AB 566).

Right now, Global Privacy Control (GPC) affects a relatively small share of your website traffic. It’s built into privacy-focused browsers like Brave, DuckDuckGo, and Firefox, and available as extensions for Chrome and Edge. Although 12 states already require you to honor this signal, most marketing teams haven’t thought twice about it.

In October 2025, California Governor Newsom signed **AB 566, the California Opt-Out Preference Signal Act** (**Opt Me Out Act** in shorthand), into law. It requires every browser, including Chrome, Safari, and Edge, to include a built-in opt-out preference signal by January 1, 2027.

This is when **GPC — the most widely adopted opt-out signal — will go mainstream**. With the addition of a native opt-out toggle that only has to be set once, the volume of users automatically telling your website not to sell or share their data will likely soar.

## What is GPC and Why Should Marketers Care?

Global Privacy Control is a browser-level signal that automatically tells every website a user visits not to sell or share their personal data. It works differently from the old Do Not Track standard in one critical respect: GPC has legal enforcement behind it. ([W3C GPC Specification](https://w3c.github.io/gpc/))

The CPRA amended the CCPA to require businesses to treat GPC signals as valid opt-out requests. This is an obligation that the California Attorney General has reinforced through enforcement actions. And California is not the only state paying attention.

**12 U.S. states now require businesses to honor GPC or equivalent universal opt-out signals**: California, Colorado, Connecticut, Delaware, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, and Texas.

In September 2025, three state attorneys general — California, Colorado, and Connecticut — launched a coordinated enforcement sweep specifically targeting GPC violations.

Fines are already landing and getting larger.

Disney: USD 2.75M (Feb 2026, largest CCPA fine ever). Healthline: USD 1.55M (Jul 2025). Tractor Supply: USD 1.35M (Sep 2025). Sephora: USD 1.2M (2022). Each was cited for failing to honor opt-out signals. CCPA penalties can reach USD 7,988 per intentional violation, and each visitor whose signal is ignored can count as a separate violation. ([California AG, Feb 2026](https://oag.ca.gov/news/press-releases/california-wont-let-it-go-attorney-general-bonta-announces-275-million))

- **65%**: Global browser share held by Chrome
- **12**: U.S. states now requiring businesses to honor GPC signals
- **$7,988**: Maximum CCPA penalty per violation

## What Happens to Your Website When GPC Goes Mainstream

When a visitor arrives with GPC enabled, your website is legally required to honor their opt-out automatically and display a notification that it has done so. There is no consent banner prompt, and you can’t display the consent banner to offer or request that they change their preference. The visitor made their choice at the browser level before they ever reached your site.

**The data loss cascade:**

- **Consent banner bypassed.** The visitor opted out before arriving. Your CMP doesn’t get to ask the question.
- **Tracking scripts suppressed.** Google Analytics, Meta Pixel, and third-party scripts cannot fire for that visitor.
- **Retargeting pools shrink.** Opted-out visitors cannot be added to ad audiences. Every session with GPC enabled reduces your retargeting reach.
- **Attribution degrades.** Conversions still happen but go unreported to ad platforms, making ROAS appear worse than it is and triggering budget cuts on channels that are actually working.

Apple’s App Tracking Transparency rollout in 2021 offers a clear precedent. When iOS shifted to opt-in tracking, the majority of users declined; Meta estimated the resulting signal loss would cost it USD 10 billion in annual revenue. ([Singular, 2024](https://www.singular.net/blog/att-opt-in-rates-2024/)) GPC removes even the prompt. Users set their preference once, at the browser level, and every site they visit is required to honor it automatically.

## How to prepare before January 2027

### 1. Scan your website

You need a complete inventory of every cookie, pixel, and script running on your site. These can change frequently, so many businesses don't know what's there, especially when third-party tools load additional trackers dynamically. Start with a [**free cookie/tracker scan**](https://www.cookiebot.com/en/cookie-checker/).

### 2. Set up a CMP that handles GPC

Your website needs to detect GPC signals and honor them automatically, including suppressing scripts, displaying the required confirmation, and logging the opt-out. [**Cookiebot CMP**](https://www.cookiebot.com/en/cookie-consent-solution/) handles all of this. One setup, live in minutes.

### 3. Check which US privacy laws apply to you

GPC is one requirement among many. 20 U.S. states now have active privacy laws. Cookiebot's [**free regulations finder**](https://www.cookiebot.com/en/regulations-finder/) identifies your obligations in under two minutes.

## What Cookiebot CMP does when GPC fires

Cookiebot CMP supports automatic GPC compliance. When a visitor arrives with GPC enabled, it detects the signal, honors the opt-out, and confirms it without the need for extra configuration.

**What happens automatically:**

- **Detects the GPC signal** on every page request. No configuration needed.
- **Suppresses third-party tracking scripts before they fire**. No pixels load, no data is shared.
- **Displays “Opt-Out Request Honored” confirmation**. California’s updated CCPA regulations require visible confirmation. Cookiebot does this out of the box.
- **Generates compliance documentation**. Every opt-out is logged, creating an audit trail that demonstrates you honored the signal.
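The flow in the list above, written as a server-side function (an added example, not Cookiebot's implementation). It reads the `Sec-GPC` request header defined in the W3C GPC specification; the script inventory, purpose labels, and function names are assumptions constructed for illustration.

```javascript
// Constructed inventory: every script the site can emit, tagged by purpose.
// The "necessary" / "sale_or_share" labels are hypothetical names.
const SCRIPT_INVENTORY = [
  { id: 'site-core', src: '/static/app.js', purpose: 'necessary' },
  { id: 'analytics', src: 'https://analytics.example/tag.js', purpose: 'sale_or_share' },
  { id: 'ad-pixel', src: 'https://ads.example/pixel.js', purpose: 'sale_or_share' },
];

// The GPC specification defines one header value, "1". This example treats
// any other value, or an absent header, as "no signal sent".
// Header names are matched case-insensitively.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === 'sec-gpc') return String(value).trim() === '1';
  }
  return false;
}

// Decide, before any HTML is rendered, which script tags may be emitted.
// Suppression happens server-side so an opted-out browser never fetches them.
function planResponse(headers, path, now = new Date()) {
  const optedOut = hasGpcSignal(headers);
  const allowed = SCRIPT_INVENTORY.filter(
    (s) => !optedOut || s.purpose === 'necessary'
  );
  const suppressed = SCRIPT_INVENTORY.filter((s) => !allowed.includes(s));
  return {
    optedOut,
    scriptTags: allowed.map((s) => `<script src="${s.src}"></script>`),
    // Visible confirmation text, as quoted on this page.
    notice: optedOut ? 'Opt-Out Request Honored' : null,
    // Audit-trail entry: what was received and what was withheld.
    auditRecord: optedOut
      ? {
          at: now.toISOString(),
          signal: 'Sec-GPC: 1',
          path,
          suppressed: suppressed.map((s) => s.id),
        }
      : null,
  };
}
```

On the client, the same specification exposes the preference as `navigator.globalPrivacyControl`, which a tag manager can check before injecting scripts dynamically.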

**Works across your entire website**. One setup covers every page. No per-page configuration required.

### What makes this different from just having a cookie banner

A cookie banner alone doesn't protect you. Disney paid $2.75M despite having opt-out toggles because they just didn't work across all devices and services. Tractor Supply had a "Do Not Sell" link that didn't actually stop data sharing. The mechanism has to function, not just exist.

## Frequently asked questions

**What is Global Privacy Control (GPC)?**

GPC is a browser-based signal that automatically communicates to every website a user visits that they do not want their personal data sold or shared. Unlike the earlier Do Not Track standard, GPC has legal enforcement backing under multiple U.S. state privacy laws, including the CCPA/CPRA.

**When will Chrome support GPC?**

California’s Opt Me Out Act (AB 566), signed into law in October 2025, requires all browsers, including Chrome, to include built-in opt-out signal functionality by January 1, 2027. Because browser companies are unlikely to ship region-specific builds, the feature is expected to be available globally.

**Which states require GPC compliance?**

As of 2026, 12 states require businesses to honor GPC or equivalent universal opt-out signals: California, Colorado, Connecticut, Delaware, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, and Texas. Additional states are expected to follow.

**What are the penalties for ignoring GPC signals?**

CCPA penalties can reach USD 7,988 per intentional violation. Each visitor whose GPC signal is ignored can count as a separate violation. Disney was fined USD 2.75M (Feb 2026) for failing to honor opt-out requests, making it the largest CCPA settlement to date. Healthline paid USD 1.55M (Jul 2025), Tractor Supply paid USD 1.35M (Sep 2025), and Sephora paid USD 1.2M (2022), all for opt-out-related failures.

**Does having a cookie banner protect me from GPC violations?**

Not on its own. A cookie banner is a consent-collection mechanism, but it does not automatically detect or honor browser-level GPC signals. Courts and regulators have ruled that opt-out mechanisms must actually function. Tractor Supply had a “Do Not Sell” link that didn’t stop data sharing in practice. A CMP needs to detect the GPC signal, block scripts before they fire, and document the opt-out to satisfy compliance requirements.

**How does Cookiebot handle GPC?**

Cookiebot CMP automatically detects GPC signals, suppresses third-party tracking, displays the required “Opt-Out Request Honored” notice, and generates compliance documentation. It works across your entire website with a single setup.

**Will GPC affect my retargeting and ad attribution?**

Yes. When a visitor’s GPC signal is honored, third-party tracking scripts are suppressed. Those visitors cannot be added to retargeting audiences, and their conversions may go unreported to ad platforms. This can reduce visible ROAS and shrink retargeting pools. The effect will grow as more browsers adopt native GPC support.

**Is AB 566 already law, or is it still a proposal?**

AB 566, the California Opt Me Out Act, was signed into law by Governor Newsom on October 8, 2025. It takes effect January 1, 2027. It is not a proposal or pending legislation — it is enacted law.
