Global Privacy Controls (GPC) enforcement sweep: Coordinated effort by states on privacy
Authors
Myriah V. Jaworski, Chirag H. Patel, Ali Bloom
On Sept. 9, the California Privacy Protection Agency (CPPA), in collaboration with the Attorneys General of California, Connecticut, and Colorado, announced the launch of a multi-state privacy enforcement sweep targeting businesses that may be failing to honor Global Privacy Control signals (GPCs).
This enforcement sweep aligns with a broader initiative to unify state-level enforcement under a new alliance, the Consortium of Privacy Regulators, formed earlier in 2025.
GPC Enforcement Sweep
In states like California, Connecticut, and Colorado, consumers have the right to control their personal information, including the right to opt out of the sale or sharing of their data.
A GPC is an opt-out preference signal – or OOPS – built into certain browsers and extensions that allows users to automatically express their opt-out preferences across websites. In theory, this eliminates the need for users to click through privacy settings or engage with consent banners on each site individually, or to submit an opt-out request to a business via an online form or link.
Regardless of how the opt-out is received, a business must honor the request by stopping the activities that constitute a sell or share – i.e., in many instances by not deploying third-party advertising cookies onto the individual’s browser, or otherwise sharing their information with ad partners. Businesses that receive an opt-out request, whether through a GPC or otherwise, are prohibited from resuming the sale or sharing of a user’s data for at least 12 months unless the user provides reauthorization.
The recent GPC enforcement sweep targets companies that have either failed to implement technical systems that recognize GPC or have otherwise neglected to honor these opt-out signals. Regulatory agencies have already sent letters to several noncompliant businesses, urging corrective action.
CPPA Executive Director Tom Kemp emphasized the significance of this action, stating, “We are proud to join this effort to ensure that consumers’ opt-out rights are honored, and we will continue working across jurisdictions to protect Californians’ privacy.”
Connecticut Attorney General William Tong described the move as a reaffirmation that respecting consumer privacy is “non-negotiable.” He noted that tools like GPC empower consumers and make it significantly easier to exercise their rights under state law.
California Attorney General Rob Bonta echoed this sentiment, stating that his office is “paying close attention to business compliance with the Global Privacy Control.”
The Consortium: A unified front for privacy enforcement
The GPC enforcement sweep does not arise in isolation. It is one of the first major initiatives to emerge from a newly formed multi-state alliance known as the Consortium of Privacy Regulators, announced via a memorandum of understanding (MOU) in April 2025. The Consortium includes privacy regulators and attorneys general from California, Connecticut, Colorado, Delaware, Indiana, New Jersey, and Oregon.
While each state’s privacy law may differ, the MOU emphasizes that there are fundamental similarities – such as data access, deletion, and opt-out – that should be upheld across jurisdictions.
According to the official press releases, the Consortium expects that it will foster collaboration in several ways:
- Hold regular meetings: The consortium will meet regularly to facilitate discussions on privacy law developments.
- Share expertise and resources: The participating regulators aim to enhance their understanding of complex data practices by sharing expertise and resources.
- Coordinate enforcement efforts: The consortium will facilitate the coordination of investigations into potential violations of state privacy laws. While each state will continue to enforce its own specific legislation, this collaboration increases the likelihood of multistate investigations and enforcement actions across jurisdictions.
- Promote consistent interpretation: Despite variations in the specifics of each state’s privacy law, the CPPA press release identified fundamental principles related to consumer rights, such as the rights to access, delete, and opt out of the sale of personal information, present in all the state laws, as well as obligations on businesses regarding data handling.
For businesses, the Consortium raises the risk of coordinated multistate enforcement, potentially resulting in larger settlements and increased scrutiny, especially in sensitive areas like health data, location information, and children’s data. The formation also signals a stronger, more proactive state-level commitment to privacy enforcement amid uncertain federal direction.
What should businesses do?
The GPC enforcement sweep means businesses should take immediate action to evaluate whether they have systems in place to detect and honor GPCs or OOPS. Businesses should consider several key technical and operational measures to comply:
- Technical detection of GPC signals
  - Implement GPC signal recognition: Businesses need to update their websites and backend systems to detect the presence of the GPC header or equivalent signals sent by browsers or browser extensions. The GPC signal is transmitted as an HTTP request header or exposed via JavaScript, and must be detected reliably on every relevant page where personal data is collected or sold.
  - Integrate with consent management platforms (CMPs): Many companies use CMPs to manage user consent preferences. These platforms must be configured to recognize GPC signals automatically and override any conflicting consent settings or defaults that would otherwise allow data sales or sharing.
  - Testing and monitoring: Businesses should routinely test that their systems properly detect GPC signals across browsers and devices, and monitor logs to verify that signals are being received and honored in real time.
- Operationalizing GPC preferences
  - Honor the opt-out request immediately: Once a GPC signal is detected, the business must promptly cease the sale or sharing of the consumer’s personal information. Under California law, for example, this opt-out must be respected for at least 12 months unless the consumer explicitly revokes it.
  - Update data processing workflows: The business’s data management systems must reflect the opt-out status, preventing personal information from being sold, shared, or otherwise monetized. This includes coordinating with third-party vendors, advertising networks, and data brokers to ensure compliance downstream.
  - Maintain records for compliance: Companies should document the receipt of GPC signals and the steps taken to honor these requests. This documentation can be crucial in demonstrating compliance during audits or investigations by regulators.
- Transparency and consumer communication
  - Update privacy policies: Privacy notices and policies should clearly describe how the business responds to GPC signals, including the rights consumers have and the duration of the opt-out.
  - Consumer support: Businesses should be prepared to address consumer inquiries about GPC and provide clear guidance on how users can exercise their rights, including information about compatible browsers and tools that send the GPC signal.
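
One way to wire together the detection, CMP-override, and record-keeping steps listed above, as an added example that is not from the article or from any CMP vendor. The `Sec-GPC: 1` request header and `navigator.globalPrivacyControl` come from the GPC specification; the `OptOutRegistry` class, its field names, the reason strings, and the use of a first-party visitor identifier are assumptions made for illustration.

```javascript
// Added example, not from the article. All function and field names are hypothetical.

// The GPC specification defines the request header "Sec-GPC: 1"; any other
// value (absent, "0", "true") is not a valid signal. Client-side, the same
// preference is exposed to page scripts as navigator.globalPrivacyControl.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === 'sec-gpc') return String(value).trim() === '1';
  }
  return false;
}

class OptOutRegistry {
  constructor() {
    this.optOuts = new Map(); // visitorId -> ISO time the opt-out was first received
    this.auditLog = [];       // record that signals were received and honored
  }

  // Decide whether third-party ad tags may be served for this request.
  // cmpConsent is the stored banner choice: 'allow', 'deny' or undefined.
  evaluate(visitorId, headers, cmpConsent, now = new Date()) {
    const gpc = hasGpcSignal(headers);
    if (gpc && !this.optOuts.has(visitorId)) {
      this.optOuts.set(visitorId, now.toISOString());
    }
    const optedOut = this.optOuts.has(visitorId);
    // The opt-out overrides a conflicting CMP "allow" setting or default.
    const allowAdTags = !optedOut && cmpConsent !== 'deny';
    const reason = gpc ? 'gpc-header' : optedOut ? 'prior-opt-out'
      : cmpConsent === 'deny' ? 'cmp-deny' : 'no-opt-out';
    this.auditLog.push({ at: now.toISOString(), visitorId, gpc, allowAdTags, reason });
    return { allowAdTags, reason };
  }

  // The opt-out is kept until the consumer explicitly reauthorizes, which
  // covers the 12-month minimum the article describes.
  reauthorize(visitorId, now = new Date()) {
    this.optOuts.delete(visitorId);
    this.auditLog.push({ at: now.toISOString(), visitorId, gpc: false, allowAdTags: null, reason: 'reauthorized' });
  }
}
```

The `allowAdTags` result is meant to gate both tag injection in the page template and any server-to-server sharing with ad partners, and `auditLog` is the kind of record a compliance team can export.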
This publication is intended for general informational purposes only and does not constitute legal advice or a solicitation to provide legal services. The information in this publication is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional legal counsel. The views and opinions expressed herein represent those of the individual author only and are not necessarily the views of Clark Hill PLC. Although we attempt to ensure that postings on our website are complete, accurate, and up to date, we assume no responsibility for their completeness, accuracy, or timeliness.