California, two other states to come down hard on GPC violators


US organizations are being advised to make sure they have systems in place to detect and honor Global Privacy Control (GPC) signals, as a result of the launch this week of a multi-state privacy enforcement sweep to target those who do not.

The California Privacy Protection Agency (CPPA), as well as the attorneys general of California, Colorado, and Connecticut, announced plans on Tuesday to contact what they called “businesses that may not be processing consumer requests to opt out of the sale of their personal information submitted via the GPC as required by law” to request that those businesses comply.

According to a release from the CPPA, the sweep “reinforces the three states’ 2025 Data Privacy Day educational efforts on the GPC,” which took place at the end of January. In California, for example, the release notes that the California Consumer Privacy Act (CCPA) gives consumers control over the personal information that businesses collect about them, including the right to direct businesses to stop selling or sharing that information.

An advisory released on Wednesday by the law firm of Clark Hill stated, “the GPC enforcement sweep does not arise in isolation. It is one of the first major initiatives to emerge from a newly formed multi-state alliance known as the Consortium of Privacy Regulators, announced via a memorandum of understanding (MOU) in April 2025. The Consortium includes privacy regulators and attorneys general from California, Connecticut, Colorado, Delaware, Indiana, New Jersey, and Oregon.”

Time to take ‘immediate action’

In the advisory, lawyers Myria V. Jaworski, Chirag H. Patel and Ali Bloom wrote that while each state’s privacy law differs in its details, the MOU emphasizes that the core consumer rights, such as data access, data deletion, and opt-out, are common to all of them and should be upheld across jurisdictions.

Defining a GPC as an opt-out preference signal (OOPS) that is built into certain browsers and extensions to allow users to automatically express their opt-out preferences, they said, “the GPC enforcement means businesses should take immediate action to evaluate whether they have systems in place to detect and honor GPCs or OOPs.”

Businesses, the advisory said, should consider several key technical and operational measures to comply that include the following steps:

Implement GPC signal recognition: Businesses need to update their websites and backend systems to “detect the presence of the GPC header or equivalent signals sent by browsers or browser extensions. The GPC signal is transmitted as part of the HTTP header or via JavaScript, and must be detected reliably on every relevant page where personal data is collected or sold.”

Integrate with consent management platforms (CMPs): The advisory recommended that the platforms be configured to recognize GPC signals automatically and override any conflicting consent settings or defaults that would otherwise allow data sales or sharing.

Testing and monitoring: It said that businesses should “routinely test that their systems properly detect GPC signals across browsers and devices, and monitor logs to verify that signals are being received and honored in real time.”

In addition, organizations need to update their privacy policies, the lawyers suggested, adding, “privacy notices and policies should clearly describe how the business responds to GPC signals, including the rights consumers have and the duration of the opt-out.”
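The three technical measures above (detect the signal, let it override stored consent, log the decision so it can be monitored) are concrete enough to show in code. The following Node.js module is an added example written for this page; it is not code from the article, from Clark Hill, or from any consent management platform. Two facts it relies on come from the GPC specification: the browser sends the HTTP request header `Sec-GPC: 1` (only the literal value `1` is a signal), and exposes the same preference to page scripts as the boolean `navigator.globalPrivacyControl`. Everything else (the shape of the request and stored-consent objects, the `siteDefaultAllowsSale` policy knob, the log field names, and the sample requests) is assumed for illustration.

```javascript
'use strict';
// Added example, not code from the article or the Clark Hill advisory.
// Demonstrates: detecting the GPC signal (server header and client property),
// giving it precedence over stored consent or a site default, emitting a log
// record for monitoring, and serving /.well-known/gpc.json.
// Request/consent object shapes are assumptions made for this example.

// Case-insensitive header lookup. Node's http module already lowercases
// header names; this also copes with a hand-built headers object.
function getHeader(headers, name) {
  const want = name.toLowerCase();
  for (const [k, v] of Object.entries(headers || {})) {
    if (k.toLowerCase() === want) return v;
  }
  return undefined;
}

// The GPC spec defines exactly one signal value: "Sec-GPC: 1".
// Absent, "0", "true", or any other value is NOT an opt-out, and a repeated
// header that Node has joined as "1, 1" is rejected rather than guessed at.
function hasGpcSignal(headers) {
  const raw = getHeader(headers, 'Sec-GPC');
  if (raw === undefined) return false;
  const value = Array.isArray(raw) ? raw.join(',') : String(raw);
  return value.trim() === '1';
}

// Client-side equivalent: the browser exposes the preference as a boolean
// on navigator. Takes the navigator object as a parameter so it can be
// exercised outside a browser.
function clientSignalsGpc(nav) {
  return nav !== undefined && nav !== null && nav.globalPrivacyControl === true;
}

// Decide whether this request may be treated as a sale/share of personal
// data. Precedence: a valid GPC signal beats any stored consent or site
// default; otherwise stored consent beats the site default.
//   storedConsent: { allowSale: boolean } or undefined   (assumed shape)
//   siteDefaultAllowsSale: the site's own policy when nothing is recorded
function resolveSaleSharing({ headers, storedConsent, siteDefaultAllowsSale = false }) {
  const hasStored = Boolean(storedConsent && typeof storedConsent.allowSale === 'boolean');
  const priorAllow = hasStored ? storedConsent.allowSale : siteDefaultAllowsSale;
  if (hasGpcSignal(headers)) {
    return { allowSale: false, reason: 'gpc-opt-out', overrodeConsent: priorAllow };
  }
  return {
    allowSale: priorAllow,
    reason: hasStored ? 'stored-consent' : 'site-default',
    overrodeConsent: false,
  };
}

// One JSON log record per decision, so "signals are being received and
// honored" can be verified from logs. Field names are this example's own.
function gpcLogRecord({ path, headers, decision, now = new Date() }) {
  return JSON.stringify({
    ts: now.toISOString(),
    path,
    gpc_header: getHeader(headers, 'Sec-GPC') ?? null,
    gpc_signal: hasGpcSignal(headers),
    allow_sale: decision.allowSale,
    reason: decision.reason,
  });
}

// Body for GET /.well-known/gpc.json, the spec's way for a site to state
// that it honors GPC. lastUpdate is an ISO 8601 date supplied by the site.
function gpcWellKnown(lastUpdate) {
  return { gpc: true, lastUpdate };
}

// Constructed sample requests (not captured traffic). Returns the log lines
// a monitoring pipeline would see for each.
function demo() {
  const reqs = [
    { path: '/product', headers: { 'sec-gpc': '1' }, storedConsent: { allowSale: true } },
    { path: '/checkout', headers: { 'sec-gpc': '0' }, storedConsent: { allowSale: true } },
    { path: '/home', headers: { 'user-agent': 'x' }, storedConsent: undefined },
  ];
  return reqs.map((r) => {
    const decision = resolveSaleSharing({ ...r, siteDefaultAllowsSale: true });
    return gpcLogRecord({ path: r.path, headers: r.headers, decision });
  });
}
```

The strictness in `hasGpcSignal` is deliberate: treating `true`, `yes` or a doubled `1, 1` as an opt-out would be harmless for the consumer, but treating `0` or garbage as an opt-out would silently change behaviour for users who never asked, and a lenient parser is hard to reason about in an audit. The `demo()` output is what the "monitor logs" step means in practice: the first line shows stored consent being overridden, the second shows a non-signal leaving consent intact, the third shows the site default applying when nothing is recorded.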

Legal action for non-compliance is a distinct possibility. In recent cases brought by the CPPA’s enforcement division, clothing retailer Todd Snyder was fined $345,178 for violating the state’s privacy act, and American Honda Motor Co. was fined $632,500 for CCPA violations, a penalty the agency described as one of the highest imposed in the law’s history.

Quasi-selected targeting seen as prudent move

David Shipley, head of Canada-based Beauceron Security, likened the move by the CPPA and the three states to a police blitz aimed at drivers who exceed the speed limit.

The initiative, he said, is “the governance and privacy law equivalent of, ‘let’s put the California privacy Highway Patrol out there and see who’s speeding, who’s not actually going to play by the rules,’ and it’s smart. It’s part of the toolkit that should be out there and done responsibly. It’s done in a way that’s not like ‘we’re auditing everybody.’ That’s terrifying — I don’t think anyone has the resources for it, and it would cause mass chaos.”

But a random, or even a quasi-selected targeted enforcement initiative, he said, will actually help the privacy sector: “What I mean by that is, there are a lot of hard working folks in the privacy or governance, risk and compliance side, and they’re going to say, ‘hey, there’s this law’. And then sometimes they run into a lull at senior executive or even board levels, where people go, ‘yes, but what’s the chances we will actually get hit with it? That’s a risk we’re willing to accept and what’s this actually going to cost us? What are the chances that this will happen versus all the other business pressures we’re under?’”

This initiative, said Shipley, “changes the equation in people’s minds, which is not a bad thing.” He added that what is really needed is a national privacy agenda.

“The United States functions the best when it acts as a united state,” he said. “What I mean by that is a national comprehensive privacy law with a single reporting mechanism and single set of standards is more cost effective for businesses that operate in multiple jurisdictions.”
