CCPA & GPC Compliance Guide
Current requirements for Global Privacy Control (GPC) and Opt-Out signals
New Regulations Effective Jan 1, 2026
The CPPA has approved a new regulatory package. Key changes include mandatory visual confirmation for GPC signals and new Cybersecurity Audit requirements.
Core Compliance Requirements
1. Mandatory GPC Signal Recognition
Businesses must automatically detect the GPC browser signal and treat it as a valid request to opt out of the sale or sharing of personal information. The signal itself is the request: the consumer does not have to click a link, log in, or confirm a banner for it to take effect.
2. Visual Confirmation Required
Per 11 CCR § 7025(c)(6), websites must display "explicit visual confirmation" that the opt-out request was honored when a GPC signal is detected, for example a status line reading "Opt-Out Preference Signal Honored". The confirmation has to be true: displaying it while sale or sharing pixels still fire is a misrepresentation, not compliance, so the UI message should be driven by the same decision that gates the tags.
3. Penalties & Enforcement
The CPRA removed the mandatory 30-day cure period, so the CPPA or the Attorney General can seek civil penalties without first giving the business a chance to fix the violation.
Intentional violations (and violations involving consumers under 16): $7,500 per violation
Unintentional violations: $2,500 per violation
Each affected consumer can count as a separate violation, so a misconfigured tag that ignores GPC across a whole site scales the exposure by the number of users who sent the signal.
Who Must Comply?
The CCPA applies to for-profit businesses doing business in California that meet at least ONE of the following:
- Gross Revenue > $25 Million (annual gross revenue, adjusted periodically for inflation)
- Data Volume Threshold: buys, sells, or shares the personal information of 100,000 or more consumers or households per year
- 50% Revenue from Data: derives 50% or more of annual revenue from selling or sharing consumers' personal information
Why this matters: the third test ensures that small data brokers and ad-tech companies cannot evade the law simply because their total revenue is under $25M.
Technical Implementation
How to Detect the GPC Signal
Method 1: Client-Side (Navigator API)

  // navigator.globalPrivacyControl is true when the browser or an extension
  // sends the signal, and undefined in browsers that do not implement it,
  // so a strict comparison is the right check.
  if (navigator.globalPrivacyControl === true) {
    // 1. Do not load Google Analytics / ad pixels that sell or share data
    // 2. Update the UI to show "Opt-Out Honored"
    // 3. Record the opt-out so sale/sharing stops for this consumer
  }

Method 2: HTTP Headers (Server-Side)

  Request header sent by the browser:
    Sec-GPC: 1

The opt-out value is exactly "1"; any other value, or the absence of the header, means no signal was sent. The header is useful for disabling server-side tracking, tagging server logs, and deciding consent before the page is rendered, so the confirmation is present in the first response rather than only after client script runs. Any response whose content depends on the header should carry Vary: Sec-GPC, otherwise a CDN or shared cache can serve a GPC user the opt-in variant of the page.
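The two detection methods above only answer "was the signal sent?". What follows is an added example, not code from this guide, showing the rest of the path on the server side: reading Sec-GPC strictly, merging it with a consumer's stored consent, gating which tags may load, rendering the visual confirmation, tagging the log line, and serving the support declaration the GPC specification places at /.well-known/gpc.json. All function names (gpcFromHeaders, resolveConsent, tagsToLoad, handleSample and the rest), the tag inventory, and the sample requests are hypothetical and constructed for the illustration.

```javascript
// Added example (not from the page): honoring the GPC signal end to end on the
// server. Helper names are hypothetical; sample data is constructed.

// Node.js lowercases incoming header names; the wire form is "Sec-GPC: 1".
const GPC_HEADER = 'sec-gpc';

// Server-side detection. The GPC spec defines the opt-out value as the exact
// string "1"; "0", "true", or a missing header is not an opt-out signal.
function gpcFromHeaders(headers) {
  return headers !== null && typeof headers === 'object' && headers[GPC_HEADER] === '1';
}

// Client-side detection, same rule: only a strict boolean true counts.
// navigator.globalPrivacyControl is undefined in browsers without support.
function gpcFromNavigator(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// Merge the signal with whatever consent record already exists (cookie,
// account profile, CMP state). The signal is a valid opt-out request, so it
// can only switch sale/sharing off; its absence never re-enables sharing for
// a consumer who opted out some other way.
function resolveConsent(gpcSignal, storedConsent) {
  const prior = storedConsent || { saleOrSharing: true, source: 'default' };
  if (gpcSignal) {
    return { saleOrSharing: false, source: 'gpc' };
  }
  return prior;
}

// Constructed tag inventory. Which third-party tags amount to selling or
// sharing personal information is a business decision; the flag is illustrative.
const SAMPLE_TAGS = [
  { name: 'first-party-analytics', sharesPersonalInfo: false },
  { name: 'ad-pixel', sharesPersonalInfo: true },
  { name: 'data-broker-sync', sharesPersonalInfo: true },
];

// Decide which tags may be emitted into the page at all. Not loading the tag
// is the only reliable way to stop it from sharing.
function tagsToLoad(consent, tags) {
  return tags
    .filter((t) => consent.saleOrSharing || !t.sharesPersonalInfo)
    .map((t) => t.name);
}

// The visual confirmation, driven by the same consent object that gated the
// tags, so the page never claims an opt-out it did not apply.
function confirmationMarkup(consent) {
  if (consent.source !== 'gpc') {
    return '';
  }
  return '<p id="gpc-status" role="status">Opt-Out Preference Signal Honored</p>';
}

// Log tagging: record that the request carried the signal and what was done
// with it, so an audit can show the opt-out was honored.
function logEntry(requestPath, consent) {
  return JSON.stringify({
    path: requestPath,
    gpc: consent.source === 'gpc',
    saleOrSharing: consent.saleOrSharing,
  });
}

// Body for /.well-known/gpc.json, the GPC spec's support declaration.
function gpcSupportResource(lastUpdate) {
  return JSON.stringify({ gpc: true, lastUpdate });
}

// Constructed sample requests: a browser sending the signal, one without it,
// and one sending a malformed value that must not be treated as an opt-out.
const SAMPLE_REQUESTS = [
  { path: '/', headers: { 'sec-gpc': '1' } },
  { path: '/', headers: {} },
  { path: '/', headers: { 'sec-gpc': 'true' } },
];

// One request's worth of decisions. Vary: Sec-GPC is set unconditionally
// because the body differs by signal, so shared caches must key on it.
function handleSample(req, storedConsent) {
  const consent = resolveConsent(gpcFromHeaders(req.headers), storedConsent);
  return {
    tags: tagsToLoad(consent, SAMPLE_TAGS),
    confirmation: confirmationMarkup(consent),
    headers: { Vary: 'Sec-GPC' },
    log: logEntry(req.path, consent),
  };
}

for (const req of SAMPLE_REQUESTS) {
  console.log(handleSample(req, null));
}
```

The malformed request is the case worth noticing: a permissive check such as `if (headers['sec-gpc'])` would treat `Sec-GPC: true` (or `0`) as an opt-out, which silently over-applies the signal and, more importantly, hides the fact that the client did not send a valid one. The strict comparison, the merge that never re-enables sharing, and the shared `consent` object feeding both the tag gate and the confirmation are the three properties to keep when porting this into a real request handler.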
Verified Resources
Last updated: December 20, 2025
This guide is for informational purposes only and does not constitute legal advice.