
Global Privacy Control vs Do Not Track: Why GPC Actually Has Legal Teeth in 2026
Explains the critical difference between the defunct DNT header and legally-binding GPC. Covers the 11+ US states requiring GPC compliance (California, Connecticut, Oregon, etc.), the €1.2M Sephora fine, and browser support status. Makes the case for why privacy-first CMPs should respect both signals.
In 2022, Sephora paid $1.2 million because their website ignored a browser signal. Not a security breach. Not a data leak. They simply didn't honor users' privacy preferences sent via Global Privacy Control (GPC).
That fine was just the beginning. In September 2025, Tractor Supply paid $1.35 million for the same mistake. Now twelve US states legally require GPC compliance, with coordinated enforcement sweeps actively targeting non-compliant businesses.
If you're thinking "this sounds like Do Not Track all over again"—you're right, but with one crucial difference. DNT asked websites to respect privacy. GPC demands it, backed by law.
What You'll Learn
- Why Do Not Track failed (and what we can learn from it)
- How Global Privacy Control works differently
- Which 12 US states now legally require GPC compliance
- How to configure your website to respect both signals
- Why privacy-first CMPs should honor DNT too
Prerequisites
- A website with analytics or marketing tracking
- A cookie consent management solution (CMP)
- Basic understanding of GDPR and US privacy laws
The Rise and Fall of Do Not Track
Do Not Track launched in 2009 with a simple promise: enable a browser setting, and websites would stop tracking you. The browser sent the DNT: 1 HTTP header with each request, and tracking would cease. Elegant. Non-intrusive. By 2012, every major browser supported it.
But there was one fatal flaw: no legal requirement to honor it.
The W3C Tracking Protection Working Group—100+ stakeholders including browser vendors, advertisers, and privacy advocates—spent eight years trying to agree on what "tracking" even meant. They failed. When compliance is optional and non-compliance is profitable, businesses make the rational economic choice.
Microsoft accelerated DNT's demise in 2012 by enabling it by default in Internet Explorer 10. Advertisers seized on this, arguing it violated the spirit of "active user choice." Google never honored DNT on its own properties despite offering the option in Chrome.
The final irony? DNT became a privacy liability. Only a small minority enabled it, making the setting a browser fingerprinting vector—a unique identifier that helped track the very users trying to avoid tracking.
Firefox removed DNT support entirely in February 2025. Safari had already dropped it. The signal meant to protect privacy became a digital tombstone.
Global Privacy Control: Same Signal, Legal Backing
Global Privacy Control emerged in 2020 from a coalition including the Electronic Frontier Foundation, Mozilla, and DuckDuckGo. Technically, it works identically to DNT: browsers send a signal (Sec-GPC: 1 header, or navigator.globalPrivacyControl = true) indicating users don't want their data sold or shared.
But GPC's creators learned from DNT's failure. Instead of relying on voluntary compliance, they designed GPC to integrate with existing privacy laws that already mandate opt-out mechanisms.
The technical specification explicitly states that GPC communicates legal opt-out requests under regulations like CCPA and state privacy laws. When a California resident enables GPC, they're not expressing a preference—they're exercising a legal right.
That legal backing changes everything.
The 12-State Compliance Map
As of January 1, 2026, businesses must honor GPC signals from users in twelve US states:

| State | Law | Effective Date |
|---|---|---|
| California | CCPA/CPRA | 2020 |
| Colorado | CPA | July 2024 |
| Connecticut | CTDPA | January 2025 |
| Texas | TDPSA | January 2025 |
| Oregon | OCPA | January 2026 |
| Montana | Consumer Data Privacy Act | 2025 |
| Nebraska | Data Privacy Act | 2025 |
| New Hampshire | Privacy Act | 2025 |
| New Jersey | Data Privacy Act | 2025 |
| Minnesota | Consumer Data Privacy Act | 2025 |
| Maryland | Online Data Privacy Act | 2025 |
| Delaware | Personal Data Privacy Act | 2025 |
California, Colorado, and Connecticut have explicitly confirmed that GPC qualifies as a valid universal opt-out mechanism (UOOM). The other states accept GPC as an opt-out preference signal (OOPS).
Active enforcement is happening now. In September 2025, the California Privacy Protection Agency, along with the attorneys general of California, Colorado, and Connecticut, announced a coordinated enforcement sweep targeting businesses that fail to honor opt-out preference signals.
Real Enforcement, Real Fines: The Sephora Precedent
The Sephora case set the standard. California Attorney General Rob Bonta found that when users visited Sephora's website with GPC enabled, nothing happened. Data continued flowing to third-party advertising and analytics providers. Sephora was "selling" user data (as defined by CCPA) without disclosure or honoring opt-out requests.
The settlement required Sephora to:
- Pay $1.2 million in penalties
- Honor Global Privacy Control signals as valid opt-out requests
- Update privacy disclosures to acknowledge data sales
- Provide ongoing compliance reports to the Attorney General
Tractor Supply's $1.35 million fine in September 2025 proved this wasn't a one-time action. Regulators are actively hunting for violations.
New for 2026: The Visible Confirmation Requirement
Starting January 1, 2026, California's updated CCPA regulations add another requirement: visible confirmation.
When a user with GPC enabled visits your website, you must display that their opt-out signal was processed. The regulations suggest language like "Opt-Out Request Honored."
This transforms GPC compliance from a silent backend process to a visible user-facing feature. Users will know immediately whether your site respects their privacy preferences—and whether you're breaking the law.
Browser Support and the 2027 Tipping Point
Unlike DNT, GPC has real browser adoption:
Native Support (on by default):
- Brave
- DuckDuckGo Browser
Native Support (user-enabled):
- Firefox (GPC remains available even after DNT removal)
Via Extensions:
- Chrome (multiple GPC extensions available, including from the Network Advertising Initiative)
- Safari (via extensions)
- Edge (via extensions)
The game-changer comes in 2027. California's Opt Me Out Act (AB 566), signed by Governor Newsom in October 2025, mandates that all browsers must offer built-in GPC functionality by January 1, 2027. This includes Chrome, Safari, and Edge.
Chrome holds approximately 65% of browser market share. When it enables GPC—and makes it easily accessible—the majority of your visitors could be sending automatic opt-out signals. Your retargeting audiences will shrink dramatically unless you have legitimate, explicit consent.
Step 1: Audit Your Current GPC Implementation
Before making changes, understand your baseline:
- Check your CMP settings — Does your consent solution detect GPC signals?
- Test with GPC enabled — Install a GPC browser extension (like Privacy Badger or the NAI extension), visit your site, and verify:
  - Does the consent banner acknowledge the signal?
  - Are marketing/analytics scripts blocked before explicit consent?
  - Are cookies being set despite the opt-out?
- Review your tracking stack — Identify all third-party scripts that constitute "sales" or "sharing" under CCPA
Use browser DevTools (Network tab) to monitor requests. Users with GPC enabled should see zero third-party tracking requests unless they explicitly override their preference.
Step 2: Configure Your CMP to Honor GPC
Modern consent management platforms should handle GPC detection automatically. Essential features to verify:
- Signal detection: Check for the navigator.globalPrivacyControl property
- Default behavior: Non-essential categories (analytics, marketing, personalization) default to "rejected"
- Visual indicator: Show that privacy mode is active
- Audit logging: Record consent decisions with GPC status for compliance documentation
Cookient handles this automatically. When the script detects a GPC signal:
- A visual indicator appears in the consent banner
- Analytics, marketing, and personalization default to OFF
- The consent log records privacyMode: true
This happens before user interaction—respecting their pre-existing legal opt-out without requiring additional clicks.
Step 3: Display Visible Confirmation (California 2026)
For California compliance starting January 1, 2026:
- Display "Opt-Out Request Honored" or equivalent text
- Show this on the consent banner or in a visible page element
- Ensure visibility without requiring additional user interaction
- Log confirmation display for audit purposes
The regulation's intent is clear: users should know their privacy signal was received and processed.
Why You Should Still Honor DNT
Here's where we get opinionated: your CMP should still respect Do Not Track, even though it's legally meaningless and browsers are removing it.
Why? Because DNT indicates user intent. Someone who enabled DNT—possibly years ago—was explicitly requesting privacy. Just because the law doesn't require compliance doesn't mean their preference doesn't matter.
Privacy-first businesses don't do the legal minimum. They respect user choices. Honoring DNT signals alongside GPC demonstrates genuine commitment to privacy, not just checkbox compliance.
At Cookient, we detect both navigator.doNotTrack and navigator.globalPrivacyControl. Either signal triggers privacy mode. It costs nothing technically, and it's simply the right thing to do.
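The detection and defaulting logic from Steps 2 and 3, together with the DNT handling described above, as an added example (not Cookient's code): it reads the Sec-GPC and DNT request headers on the server or the navigator properties in the browser, then derives the initial consent state, the confirmation text and an audit entry. Function and field names other than privacyMode are hypothetical, and leaving categories undecided when no signal is present is an assumption.

```javascript
// Added example; function and field names other than privacyMode are hypothetical.
const OPTIONAL = ["analytics", "marketing", "personalization"];

// Server side: Node lower-cases incoming header names (req.headers).
function signalsFromHeaders(headers) {
  const on = (name) => String(headers[name] ?? "").trim() === "1";
  return { gpc: on("sec-gpc"), dnt: on("dnt") };
}

// Client side: pass window.navigator. Only an explicit true / "1" counts.
function signalsFromNavigator(nav) {
  return { gpc: nav.globalPrivacyControl === true, dnt: nav.doNotTrack === "1" };
}

// Consent state before any user interaction. Either signal enables privacy mode;
// with no signal, optional categories stay undecided (null) until the user
// chooses (an assumption of this sketch).
function initialConsent(signals) {
  const privacyMode = signals.gpc || signals.dnt;
  const categories = { necessary: true };
  for (const c of OPTIONAL) categories[c] = privacyMode ? false : null;
  // The confirmation text is tied to GPC, the signal the California rule covers.
  const confirmation = signals.gpc ? "Opt-Out Request Honored" : null;
  return { privacyMode, categories, confirmation };
}

// Gate for tag loading: a script runs only on an explicit true, never on null.
function mayLoad(consent, category) {
  return consent.categories[category] === true;
}

// Audit entry recording the decision together with the signal status.
function auditRecord(signals, consent, now = new Date()) {
  return {
    timestamp: now.toISOString(),
    gpc: signals.gpc,
    dnt: signals.dnt,
    privacyMode: consent.privacyMode,
    confirmationShown: consent.confirmation !== null,
    categories: { ...consent.categories },
  };
}

// Constructed sample request headers (not captured traffic).
const sample = signalsFromHeaders({ "sec-gpc": "1", "user-agent": "example" });
console.log(JSON.stringify(auditRecord(sample, initialConsent(sample)), null, 2));
```

In a browser, call signalsFromNavigator(window.navigator) before any tag is injected and load each script only when mayLoad returns true.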
Common Mistakes to Avoid
- Ignoring the signal entirely — Now illegal in 12 states. Don't risk a seven-figure fine.
- Silent backend processing — You need visible confirmation, especially for California in 2026.
- Requiring additional verification — The GPC signal alone must trigger the opt-out. No extra clicks required.
- Geofencing GPC compliance — IP-based location detection is imperfect. Consider honoring GPC universally.
- Forgetting service providers — Your vendors must also honor opt-out signals. Review your data processing agreements.
Conclusion
Do Not Track died because it asked nicely. Global Privacy Control succeeds because it demands compliance—backed by million-dollar fines and coordinated enforcement.
With 12 states requiring GPC compliance, proven enforcement precedent, active multi-state sweeps, and mandatory browser support coming in 2027, ignoring GPC isn't just risky—it's reckless.
The good news? Compliance is straightforward with the right tools. A privacy-first CMP that detects GPC signals, defaults to privacy-respecting settings, and displays visible confirmation keeps you compliant and builds genuine user trust.
Don't wait for an enforcement letter. Enable GPC detection today.
Cookient automatically detects and honors both Global Privacy Control and Do Not Track signals, defaulting to privacy-respecting consent choices. Learn more about our privacy-first approach.