Your website might be breaking privacy law right now, and it has nothing to do with your cookie banner
If your business runs any kind of website, whether an e-commerce store, a local service site, or a membership platform, there is a privacy law you are most likely not complying with. It has nothing to do with your cookie banner. It is called the universal opt-out mechanism, and 12 states now legally require you to honor it. Clym discusses what businesses need to know about the universal opt-out requirement and how state regulators are already enforcing noncompliance.
What a universal opt-out signal is
When a person uses certain web browsers, they can switch on a setting that sends a quiet, automatic signal to every website they visit. That signal says: do not sell or share my personal data. It is called the Global Privacy Control, or GPC, and it is the most widely adopted version of what privacy laws refer to as a universal opt-out mechanism.
The key word is automatic. The user does not need to find a cookie banner, click a link, or submit a form. The browser silently sends the signal on their behalf every time they load a page. Under state privacy law, that signal carries the same legal weight as if the consumer had manually clicked ‘Do Not Sell My Personal Information’ on your website.
Browsers that send GPC signals by default include Brave and DuckDuckGo's mobile browser. Firefox and several Chrome extensions also support it. Brave alone has more than 50 million monthly active users. Estimates from 2025 put GPC signals at roughly 5% to 10% of web traffic, a share that is expected to grow as browser adoption expands.
12 states now require you to honor it
The list of states that legally require businesses to recognize and act on GPC signals has grown quickly. As of 2026, those states are California, Colorado, Connecticut, Delaware, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, and Texas, according to legal analysis from Gunster. Connecticut and Oregon joined the group this year.
That covers a significant portion of the U.S. population and includes some of the largest e-commerce markets in the country. A business that sells to customers in any of those states and processes their personal data is expected to detect the GPC signal and stop selling or sharing that customer's data without waiting for them to ask.
Importantly, the obligation does not hinge on company size. There is no small business exemption under most of these laws. If a business meets the applicability threshold for the state law, the universal opt-out requirement applies.
Enforcement is already happening
This is not a theoretical risk. California has already issued significant fines tied directly to GPC noncompliance. In 2022, Sephora paid $1.2 million partly for failing to honor opt-out requests sent through the GPC signal. In 2025, Tractor Supply Company settled for $1.35 million over similar failures. The California Privacy Protection Agency then broke its own record in February 2026, issuing a $2.75 million settlement against a streaming platform for opt-out failures.
California has since tightened its rules further. Businesses must now do more than silently process a GPC signal in the background. Under regulations that took effect Jan. 1, 2026, businesses must display a visible confirmation to users, such as a badge or notification stating that their opt-out request has been honored. A cookie banner alone does not satisfy this.
Why most websites are not ready
The core problem is awareness, and it is most acute among smaller businesses. Cisco's 2025 Data Privacy Benchmark Study found that organizations with 50 to 249 employees were the only company size category to reduce their privacy spending year over year, even as the number of state laws requiring action continued to grow.
Cookie banners became a familiar fixture after the GDPR took effect in Europe. They gave business owners a visible, understandable thing to point to. The GPC signal is invisible by design. It arrives as an HTTP header on a web request, before any user interaction takes place, and most website owners have no idea it is being sent.
The GPC protocol has grown from fewer than 7,000 active domains in 2022 to more than 459,000 by mid-2025, a roughly 67-fold increase. That growth reflects rising browser adoption, not necessarily rising business compliance.
What websites need to do
Complying with the universal opt-out requirement involves three steps. First, a website needs to be able to detect when an incoming request carries a GPC signal. Second, when that signal is detected, the website must stop selling or sharing that user's personal data for the duration of that session and beyond. Third, in California, the website must visibly confirm to the user that their preference has been registered.
For most websites, implementing GPC detection from scratch requires developer resources. Another approach is to use a consent management platform that supports GPC detection out of the box, which automates the signal detection and adjusts data processing accordingly without custom code. The W3C specification for GPC is publicly available and outlines the technical standard that browsers and websites use to communicate the signal.
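The three steps above, sketched server-side as an added example (not code from Clym or from the original article). It assumes the signal is the `Sec-GPC: 1` request header defined in the GPC specification; the function names, the in-memory store and the returned keys are hypothetical.

```python
from typing import Mapping, Optional

# Hypothetical durable store of opted-out accounts. A real site would use its
# database so the preference outlives the session (step 2, "and beyond").
OPTED_OUT_USERS = set()


def has_gpc_signal(headers: Mapping[str, str]) -> bool:
    """Step 1: detect the signal. Only the exact value "1" counts."""
    for name, value in headers.items():
        if name.lower() == "sec-gpc":      # header names are case-insensitive
            return value.strip() == "1"    # "0", "true", "" are not a signal
    return False


def handle_request(headers: Mapping[str, str],
                   user_id: Optional[str] = None) -> dict:
    """Decide, before any page content is built, how this request is treated."""
    gpc = has_gpc_signal(headers)

    # Step 2: record the opt-out against the account when the user is known,
    # so later requests without the header (another browser, a mobile app)
    # are still treated as opted out.
    if gpc and user_id is not None:
        OPTED_OUT_USERS.add(user_id)
    opted_out = gpc or (user_id in OPTED_OUT_USERS)

    return {
        # Gate every sale/share path on this flag, including third-party
        # advertising tags that would otherwise load with the page.
        "allow_sale_or_share": not opted_out,
        "load_third_party_ad_tags": not opted_out,
        # Step 3: tell the template to render the visible confirmation.
        "show_optout_confirmation": opted_out,
        # Keep shared caches from serving a tracker-laden cached page to a
        # visitor who sent the signal.
        "response_headers": {"Vary": "Sec-GPC"},
    }


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    print(handle_request({"Sec-GPC": "1"}, user_id="customer-42"))
    print(handle_request({}, user_id="customer-42"))   # still opted out
    print(handle_request({"User-Agent": "example"}))   # no signal, anonymous
```

The decision is made once per request and passed to the template and tag-loading code, so an ad or analytics tag cannot fire before the opt-out is applied.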
With more states expected to adopt universal opt-out requirements in the coming years, and browser adoption continuing to grow, the share of web traffic carrying GPC signals is expected to rise.
This story was produced by Clym and reviewed and distributed by Stacker.