Global Privacy Control (GPC): Understanding the New Opt-out Standard in the United States

Since the California Consumer Privacy Act (CCPA) went into effect, consent management in the United States follows a different approach from that of the GDPR: the ability to collect and process certain data as soon as a user arrives, provided that the user is given a clear, effective, and immediately accessible right to opt-out.

Within this opt-out framework, new signals have emerged to help honor user consent preferences. Among them, the Global Privacy Control (GPC) has emerged as the standard. Sent directly by the browser, it allows a user to express—before any interaction with a website—their decision to opt out of the sale or sharing of their personal data.

Since January 28, 2026, businesses are required to recognize this signal in four U.S. states. In this new edition of Product Lab, we take a detailed look at the role of the GPC within the American privacy ecosystem, and at how Axeptio makes it possible to detect and process it with ease.

Privacy in the United States — the CCPA as the Foundation of the American Privacy Model

Enacted in 2020, the CCPA is the first major American regulation governing the collection and use of personal data at the state level. It applies to companies processing the data of California residents, including companies established outside the United States, once they meet certain thresholds of revenue or data volume. As the first of its kind, this law has become the benchmark in the U.S. and has served as a model for other American state laws. To learn more, you can find our dedicated “Compliance Check-up” article here.

While it shares structural similarities with the GDPR, the CCPA nonetheless differs from it through a radically different philosophy when it comes to consent. Where the European framework requires prior consent before deploying any non-essential cookies and tracking technologies, the CCPA allows—under certain conditions—the collection and sharing of data as soon as the user arrives on the site. In return, it requires companies to provide clear mechanisms allowing the user to opt-out.

This right to opt out can be expressed through various means, such as a “Do Not Sell or Share My Personal Information” link, a DSAR form, or a CCPA-compliant consent management banner, like the one offered by Axeptio.

The challenge for companies is to be able to recognize, comply with and log the preferences expressed by the user. At the same time, the growing number of repetitive and non-personalized banners has progressively highlighted a form of consent fatigue. It is in this context that the idea emerged of an upstream signal capable of centralizing the user’s choice: the Global Privacy Control.

Global Privacy Control — a Signal Now Mandatory in Four U.S. States

The Global Privacy Control is a browser-emitted signal. It takes the form of a boolean piece of information transmitted through HTTP headers to all third parties integrated into the website (so-called vendors). In practice, an active signal indicates that the user objects to the sale or sharing of their personal data.

Since January 28, 2026, the GPC has gained legal recognition. The CCPA, as well as three other state laws inspired by it (Colorado, Connecticut, and New Jersey), now consider this signal to be a valid expression of the right to opt out.

This obligation concerns businesses, not American citizens. Users remain free to activate—or not activate—the GPC in their browser. Adoption today is still limited, with around 1% of the U.S. population having an active signal. However, as soon as a signal is emitted, the company must be able to process it properly. Otherwise, it exposes itself to a risk of non-compliance."

Pascal Vautrin Privacy Standards Expert at Axeptio

Integrating GPC Easily Into Your CMP With Axeptio

To meet these new legal requirements, Axeptio now includes detection and processing of the GPC signal through a new feature available for projects using a CCPA banner—a prerequisite for remaining compliant in the United States.

When creating a new CCPA configuration, the handling of the GPC signal is enabled by default in the Axeptio back office. This activation allows the CMP to detect the signal as soon as the page loads, immediately apply the corresponding opt-out behavior, and record the user’s choice in accordance with applicable regulations.

For customers who already have a CCPA configuration published before the introduction of GPC, a (very simple) action is required: enabling the signal in the back office and then republishing the configuration so that GPC handling becomes effective on your website.

It is important to emphasize that the GPC does not replace the CCPA configuration selected for your site’s CMP. If no GPC signal is detected, the behavior defined for the cookie banner remains applicable. Axeptio therefore offers three configuration options within the CCPA framework (no banner display, an informational banner, or a classic consent widget). You can find them in our dedicated Product Lab article here.

Informing the User and Allowing Them to Change Their Choice — Focus on Axeptio’s Toast Notification

In states where processing the GPC signal is mandatory, regulations also require informing the user that their preference has been correctly recognized and applied.

To meet this requirement, Axeptio provides a specific mechanism: the display of a confirmation toast. This interface does not interrupt navigation. It appears briefly on the screen for a few seconds and indicates that the GPC signal has been detected and properly taken into account. But Axeptio’s strength lies in the fact that this module also offers the user immediate access enabling them—if they wish—to modify their consent choice for the site in question.

For businesses, this toast module also makes it possible for consent — and therefore certain data — to be obtained in situations where, without such a simple and visible option, it would simply not have been expressed. At the same time, it allows users, if they wish, to make an exception for a website or brand they feel particularly connected to, and to adjust their preference with complete ease.

Need support in activating GPC signal detection or the toast widget that allows users to update their consent choice? You can find our technical documentation here.