Current requirements for Global Privacy Control (GPC) and Opt-Out signals
The CPPA has approved a new regulatory package. Key changes include mandatory visual confirmation for GPC signals and new Cybersecurity Audit requirements.
Businesses must automatically detect the GPC browser signal and treat it as a valid request to opt out of the sale or sharing of personal information.
Per 11 CCR § 7025(c)(6), websites must display "explicit visual confirmation" that the opt-out request was honored when a GPC signal is detected.
Civil penalties can be issued by the CPPA or Attorney General immediately upon discovery of a violation.
Intentional: $7,500 per user / violation
Unintentional: $2,500 per user / violation
The CCPA applies to for-profit businesses doing business in California that meet ONE of the following:
Adjusted periodically for inflation.
Buys, sells, or shares personal information of 100,000+ consumers or households.
Derives 50% or more of annual revenues from selling or sharing consumers' personal information.
Method 1: Client-Side (Navigator API)
if (navigator.globalPrivacyControl === true) {
  // 1. Disable Google Analytics / Pixel firing
  // 2. Update UI to show "Opt-Out Honored"
  // 3. Prevent data sale/sharing
}
Method 2: HTTP Headers (Server-Side)
// Request Header
Sec-GPC: 1
Useful for disabling server-side tracking or tagging server logs.
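An added example, not code from the original guide: a server-side handler for Method 2 that reads the Sec-GPC request header, drops sale/sharing tags, and returns the confirmation text, a log tag and a Vary header. The names gpcSignal, applyGpc, sellsOrShares and the sample tags are hypothetical, and the sample input is constructed.

```javascript
// Added example; gpcSignal, applyGpc and sellsOrShares are hypothetical names.

// True when the request carries Sec-GPC: 1. Header names are case-insensitive.
function gpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() !== 'sec-gpc') continue;
    // Repeated header lines may arrive as an array or comma-joined; this
    // example honors the signal if any member is exactly "1".
    return [].concat(value).join(',').split(',').some((p) => p.trim() === '1');
  }
  return false;
}

// Decide what the response for this request may contain.
function applyGpc(headers, tags) {
  const optOut = gpcSignal(headers);
  return {
    optOut,
    // Drop tags that sell or share personal information when opted out.
    tags: tags.filter((t) => !(optOut && t.sellsOrShares)),
    // Text for the visual confirmation shown to the user.
    banner: optOut ? 'Opt-Out Honored' : null,
    // The body now depends on Sec-GPC, so shared caches must key on it.
    responseHeaders: { Vary: 'Sec-GPC' },
    // Field to tag onto the server log line for this request.
    logFields: { gpc: optOut ? 1 : 0 },
  };
}

// Constructed sample input.
const SAMPLE_TAGS = [
  { name: 'ad-pixel', sellsOrShares: true },
  { name: 'error-reporting', sellsOrShares: false },
];

const withSignal = applyGpc({ 'Sec-GPC': '1' }, SAMPLE_TAGS);
const withoutSignal = applyGpc({ 'user-agent': 'sample' }, SAMPLE_TAGS);
console.log(withSignal.banner, withSignal.tags.map((t) => t.name));
console.log(withoutSignal.banner, withoutSignal.tags.map((t) => t.name));
```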
Last updated: December 20, 2024
This guide is for informational purposes only and does not constitute legal advice.