Breaking down data rules from around the globe

Privacy laws

Global Privacy Control Vs Do Not Track

Global Privacy Control (GPC) vs. Do Not Track (DNT): The 2026 Legal Difference

Global Privacy Control (GPC) is a mechanism that allows internet users to signal their privacy preferences to websites and online services, indicating their desire to opt out of the sale or sharing of their Personal Information. It requires businesses to detect and honor the signal.

The GPC mechanism was launched by the California Consumer Privacy Act (CCPA/CPRA) in October 2020. California has one of the strictest data privacy laws in the US, such as the California Consumer Privacy Act (CCPA/CPRA).

However, the GPC gained wider attention in 2022, when California Attorney General Rob Bonta issued a $1.2 million fine for cosmetic retailer Sephora for violations of the CCPA, including failure to process opt-out requests through user-enabled GPCs. 

Other states recently passed privacy laws that require honor universal opt-out mechanisms like GPC. Connecticut has recently set requirements to honor the GPC signal. Regulators in Connecticut have launched coordinated enforcement efforts to determine whether businesses honor opt-out signals like GPC.

GPC signal enforcement is expected to gain stronger focus in the near future.

On the other hand, in 2026, the "Do Not Track" (DNT) browser setting remains voluntary and largely ineffective, as most websites ignore it because it lacks legal obligation.

Let’s dive deeper into the GPC signal and compare it with the "Do Not Track" signal.

What Is Global Privacy Control (GPC)?

Global privacy control (GPC) is a browser setting that notifies website owners of users' privacy preferences regarding the sale or sharing of their Personal Information. GPC enables website users to inform them about their privacy preferences for all websites at once without manually configuring them for each website.

It is enough for a user to activate the GPC signal just once; user privacy preferences are then transmitted via the GPC signal to every website the user later visits. Thus, it should be much easier for users to exercise their opt-out rights across websites. No settings to hunt for every site or app. No repeated opt-outs on every site.

The main purpose of GPC is to opt out of using personal information for targeted advertising and to signal: “Do not sell or share my personal data”.  

GPC works by sending a standardized signal whenever a user visits a website. That signal represents a persistent privacy preference, not a one-time choice. The GPC is usually encoded into the HTTP header or JavaScript property.

GPC doesn’t replace cookie banners or consent notices.

GPC was created for internet users to easily signal their preference to opt-out of the sale or sharing of their personal data. Users don’t want to be asked to opt out over and over again, site by site. It's designed to provide a universal, automated way for consumers to exercise their privacy rights across different websites, without manually managing cookie settings on each site.

In short, GPC provides a universal mechanism for internet users to opt out of the sale or sharing of their personal data through global user preference.

To honor the GPC signal and avoid penalties for non-compliance, select a Consent Management Platform (CMP) that supports the GPC signal.

CookieScript CMP is one of the best CMPs. In 2024, users ranked CookieScript CMP on G2, a peer-reviewed website, as the best CMP for small and medium-sized companies. CookieScript CMP supports the GPC signal. If a user has GPC enabled, your website can automatically honor the opt-out preference signal and adjust data sharing and ad/analytics behavior accordingly.

Register for free Show pricing plans

Is Global Privacy Control Legally Enforceable in 2026?

Yes. By 2026, Global Privacy Control (GPC) is no longer a “nice-to-have” feature. From 2026, GPC has moved from a voluntary option to a legal requirement in a growing number of jurisdictions. Under these laws, businesses are required to treat a GPC signal from a user's browser as a legally binding request to opt out of the sale or sharing of their data.

The technology itself for universal opt-out mechanisms hasn’t changed. What changed is how regulators interpret it. Honoring the opt-out mechanisms is now a legal requirement. If a site receives the signal and continues selling or sharing personal data anyway, it may result in investigation and penalties for non-compliance.

The following states have state laws that explicitly mandate honoring universal opt-out mechanisms like GPC:

  • California (CCPA / CPRA, mandatory since July 1, 2024).
  • Connecticut (CTDPA, mandatory since January 1, 2025).
  • Oregon (OCPA, mandatory since January 1, 2026).
  • Montana (MTCDPA, mandatory since October 1, 2024).
  • Texas (TDPSA, mandatory since July 1, 2024).
  • Delaware (DPDPA, mandatory since January 1, 2025).
  • New Jersey (NJPA, mandatory since July 1, 2025).
  • New Hampshire (NHPA, mandatory since January 1, 2025).
  • Maryland (MODPA, mandatory since October 1, 2025).
  • Minnesota (MCDPA, mandatory since July 1, 2025).
  • Nebraska (NDPA, mandatory since January 1, 2025).

International Status of the GPC signal: GDPR and Beyond

While the term Global Privacy Control was developed and initially recognized by US states’ privacy laws, its technical implementation aligns with international regulations:

  • EU/UK (GDPR)
    Regulators, such as the French CNIL and the UK ICO increasingly view GPC as a valid way for users to exercise their Right to Object (Article 21) or Withdraw Consent (Article 7). While not explicitly mentioned in the GDPR regulation, the principles of "Privacy by Design" and "Ease of Withdrawal" make GPC signal a requirement to honor user opt-out choices. Failure to honor the GPC signal would lead to non-compliance with the EU’s GDPR or the UK’s Data Protection Act 2018.
  • Global convergence
    Other jurisdictions, such as Brazil’s LGPD, have also expressed support for automated opt-out signals as a valid way for consumers to express their privacy preferences at scale.

Why Do Not Track No Longer Meets Privacy Law Standards

Do Not Track (DNT) had good intentions. The signal gave users a simple way to say to websites: “Don’t track me.”

However, since the DNT signal was voluntary, the websites simply did not listen. Websites weren’t legally required to honor the signal: there were no consequences for ignoring it, and no enforcement mechanism.

Nowadays, user tracking is regulated by privacy laws. Modern privacy laws have well-defined obligations for websites, such as explicit user rights, transparency, data minimization principles, and others. These regulations have enforcement authorities; non-compliance may result in substantial fines.

Thus, the DNT signal quietly faded out and was replaced by data privacy laws.

DNT had good intentions, but it did not work. Not because privacy stopped being important. DNT faded out because it was voluntary and without any enforcement mechanism.

Do Websites Still Need to Support Do Not Track?

No. No current privacy law requires websites to detect or respect Do Not Track signals. Supporting DNT doesn’t help comply with privacy laws, reduce non-compliance risk, or have any legally important action in 2026.

In fact, relying on DNT can even do more harm than good. It creates a false sense of compliance while offering no actual legal protection. Users may think they expressed their consent choices regarding the collection and management of personal information, but in reality, they will continue to be silently tracked by websites without their knowledge.

Some organizations still honor DNT, but it is just an old habit, not a compliance strategy.

GPC vs. Do Not Track: The 2026 Legal Difference

GPC and DNT may look similar. Both are browser-level signals that communicate user preferences regarding their privacy online. Both GPC and DNT aim to stop tracking.

Legally, though, GPC and DNT are very different:

  • Do Not Track is a voluntary request. No privacy law requires honor it; thus, websites generally do not detect or honor it. There are no consequences for websites that do not implement Do Not Track mechanisms. DNT signal doesn’t have enforceable obligations, as there are no authorities behind it.
  • Global Privacy Control is a recognized opt-out mechanism. Most privacy laws in 2026 explicitly mandate honoring universal opt-out mechanisms like GPC. It’s an enforceable obligation. Non-compliance with the GPC requirements is enforced by regulatory authorities with significant penalties.

In 2026, the difference between GPC and DNT is not the different technologies to implement them. The difference is legal validity. GPC has legal obligations and is enforced by regulatory authorities, whereas DNT is a voluntary signal with no legally enforceable obligations.

How GPC Fits Into GDPR, CPRA, and Other Privacy Laws

Global Privacy Control is not a legal privacy framework in the same way as regulations like the CCPA or GDPR. GPC is not a stand-alone privacy regulation; it plugs into existing privacy laws.

However, GPC aligns with the principles of user rights and privacy, as set out in most modern data protection regulations. Therefore, businesses that are already subject to privacy laws and regulations might choose to implement GPC compliance as part of their broader privacy initiatives.

GPC helps users to exercise their rights to opt out of selling or sharing their personal information automatically. Instead of clicking “Do Not Sell” on every site, a user activates the signal once, and the GPC signal informs about user preferences all websites the user visits. It fits well into the CCPA requirements.

The interaction between the GPC and the GDPR is a bit different. GPC doesn’t override consent requirements or lawful basis requirements. GPC indicates user choice over management of personal data, especially when businesses rely on legitimate interest.

In conclusion, GPC doesn’t replace existing privacy laws and doesn’t conflict with regulations. It reinforces them, providing an additional mechanism for users to express their preferences around the management of personal information.

What Is Global Privacy Control Compliance?

GPC is a mechanism that allows internet users to signal their privacy preferences to websites and online services. Users inform websites that they do not want websites to sell or share their personal information.

Compliance with GPC refers to honoring these user preferences.

The key aspects of GPC compliance include:

  1. Recognition of GPC signals
    Websites and online services must recognize the GPC signals sent by users’ web browsers or browser extensions.
  2. Respect user preferences
    Website users indicate that they want to opt out of the sale or share their personal information. Thus, websites and online services should respect this user preference and do not sell or share the user’s personal information with third parties.
  3. Opt-out mechanism implementation
    Websites and online services should provide clear and accessible GPC mechanisms. For example, the CCPA requires to include the “Do Not Sell My Personal Information” link, that should be prominent and functional.
  4. Transparency
    Websites and online services should include the information regarding GPC into their privacy policies and privacy notices to inform users about their support for the GPC mechanism. Users should know how to exercise their privacy rights via the GPC framework.
  5. Technical integration
    Websites and online services should implement technical measures capable of recognizing and honoring the GPC signals. The simplest way to implement GPC signals is by using Consent Management Platforms (CMPs) like CookieScript.

How Consent Management Platforms Handle GPC Signals

In 2026, Consent Management Platforms (CMPs) link a user’s browser-level privacy settings and your website’s data-gathering scripts.

All modern CMPs must be able to detect GPC signals automatically and communicate them to websites or online services not to sell or share users’ personal information.

When a CMP detects GPC, it should align site behavior instantly with user preference. There is no room for any other interpretation.

One of the most common mistakes in 2026 is partial GPC support— detecting the GPC signal but failing to honor it. If a CMP detects a signal, it must connect it to downstream systems like Google Ads, analytics, or data-sharing tools.

  1. CookieScript CMP supports the GPC signal, that is important for CCPA compliance.
  2. CookieScript CMP also supports IAB TCF 2.2.
    It is officially certified by the Interactive Advertising Bureau (IAB) Europe and includes full integration with the IAB Europe Transparency & Consent Framework (TCF) 2.2. IAB TCF 2.2 allows businesses to run targeted ads while remaining GDPR-compliant.
  3. Geo-targeting
    The geo-targeting feature of CookieScript determines your website user location and automatically presents the correct Cookie Banner. Depending on the user's jurisdiction, CookieScript CMP displays a fully customizable opt-out banner to support compliance with the relevant privacy law.

See the guides for more details:

In 2024, users ranked CookieScript CMP on G2, a peer-reviewed website, as the best CMP for small and medium-sized companies.

 

Register for free Show pricing plans

Frequently Asked Questions

Is Global Privacy Control (GPC) legally enforceable in 2026?

Yes. From 2026, GPC has moved from a voluntary option to a legal requirement in a growing number of jurisdictions. Under many privacy laws, businesses are required to treat a GPC signal from a user's browser as a legally binding request to opt out of the sale or sharing of their data. The simplest way to implement GPC signals is to use a Consent Management Platform like CookieScript.

Is Do Not Track legally enforceable in 2026?

No. The Do Not Track signal was voluntary; websites didn’t honor it, and there were no consequences for ignoring it. Thus, the DNT signal quietly faded out and was replaced by data privacy laws.

What is the difference between Global Privacy Control (GPC) and Do Not Track (DNT)?

The main difference is legal enforceability. Global Privacy Control is recognized in modern privacy frameworks as a valid opt-out signal, while Do Not Track was always voluntary and never legally binding. In 2026, GPC carries compliance obligations, while DNT does not. The simplest way to implement GPC signals is by using a CMP like CookieScript.

Do Websites Still Need to Support Do Not Track?

No. No current privacy law requires websites to detect or respect Do Not Track signals. Supporting DNT doesn’t help comply with privacy laws, reduce non-compliance risk, or have any legally important action in 2026.

Does Global Privacy Control replace Cookie Consent banners?

No, GPC does not replace consent banners. GPC typically applies to opt-out rights, such as the sale or sharing of personal data. Websites still need to request consent for cookies or processing activities that require user consent. Use a Consent Management Platform like CookieScript to implement GPC signals and consent banners.

What happens if a website ignores a GPC signal?

Ignoring GPC can be treated as ignoring users’ opt-out requests. This leads to non-compliance with effective data privacy laws and may expose the organization to regulatory scrutiny, enforcement actions, or complaints. Use a Consent Management Platform like CookieScript to implement GPC signals and avoid penalties for non-compliance.

ON THIS PAGE

New to CookieScript?

CookieScript helps to make the website ePrivacy and GDPR compliant.

We have all the necessary tools to comply with the latest privacy policy regulations: third-party script management, consent recording, monthly website scans, automatic cookie categorization, cookie declaration automatic update, translations to 34 languages, and much more.