CCPA / CPRA

Global Privacy Control

Honor browser opt-out signals automatically.

In short

ConsentX reads the Global Privacy Control (GPC) signal and browser opt-out preferences, then applies them automatically. California CPRA and a growing list of US states treat GPC as a valid Do Not Sell or Share request, so honoring it is now a legal requirement, not a nicety.

A growing list of US state laws now treat the browser Global Privacy Control signal as a binding opt-out of sale or sharing. Ignoring it makes you non-compliant by default, even with a polished banner. ConsentX detects GPC and applies the opt-out automatically, then logs it as evidence.

auto

GPC applied

US states

logged

as evidence

A GPC signal is detected on arrival and the opt-out is applied and logged before anything sells or shares.

The problem

US state laws now treat a browser GPC signal as a binding opt-out. Ignore it and you are non-compliant by default, even if your banner looks fine.

With ConsentX

ConsentX detects GPC and applies the opt-out before anything sells or shares data, and logs it as evidence. You meet the requirement without the visitor doing a thing.

How it works

Detect the signal

ConsentX checks the GPC header and JS signal on every visit.

Apply opt-out

Matching categories are set to opted-out without the visitor lifting a finger.

Record it

The opt-out is logged as evidence, the same as any other choice.

A closer look

Detect, apply, and prove

ConsentX checks both the GPC request header and the navigator.globalPrivacyControl signal on every visit. When present, it pre-applies the opt-out to the relevant categories before any tag that would sell or share data can run.

Honoring the signal silently is not enough; you have to be able to show you did. ConsentX records each GPC-driven opt-out as a tamper-evident event, so you can demonstrate compliance in an audit or a regulator inquiry.

Ready for the expanding map of state laws

California treats GPC as a valid Do Not Sell or Share request, and Colorado, Connecticut, Texas and others recognize universal opt-out mechanisms. Because GPC handling is built into the engine, you are covered as more states adopt the requirement without new work.

GPC works alongside the banner: you can still present choices, but a visitor who arrives with the signal set has their preference respected immediately, no clicks required.

Capabilities

Sources read

GPC request header + navigator signal

Action

Auto opt-out of sale/sharing categories

Timing

Applied before any sell/share tag runs

Evidence

Logged as a tamper-evident opt-out event

Scope

California CPRA + universal-opt-out states

Banner

Coexists with the consent banner

What you get

Reads GPC header and navigator signal
Automatic Do Not Sell or Share handling
Logged as tamper-evident evidence
Ready for new US state laws

Where teams use it

A US business that must honor Do Not Sell or Share
A site expanding into multiple US state law regimes
A privacy team that wants opt-outs logged for audits

Helps you meet

CCPA VCDPA CPA

Built for enterprise

Satisfies CPRA and universal opt-out signal requirements

No visitor action needed — reduces opt-out handling cost

Opt-outs exportable as audit evidence

Future-proof as more US states adopt GPC

Try Global Privacy Control free

Install in minutes. Free plan, no credit card.

Get started free Book a demo

Frequently asked questions

Is honoring GPC mandatory?+

Under California CPRA and several US state laws, a GPC signal must be treated as a valid opt-out of sale or sharing.

Does the visitor see anything?+

You can still show the banner, but ConsentX pre-applies the opt-out so their signal is respected immediately.

Which states require this?+

California treats GPC as a valid opt-out, and Colorado, Connecticut, Texas and others recognize universal opt-out signals.

More from the platform

Consent banner & CMP Prior-script blocking Google Consent Mode v2 Region Rule Engine DSAR & grievance intake Consent receipts & evidence xScan-AI privacy scanner