
CCPA Opt-Out Verification: Is Your Global Privacy Control Signal Actually Working?

Swapnil Jaykar | 18 Mar 2026 | 10 min read

What the Global Privacy Control Signal Is

Global Privacy Control (GPC) is a browser-level signal that communicates a user’s opt-out preference. When enabled, the browser sends an HTTP header (Sec-GPC: 1) and sets a JavaScript property (navigator.globalPrivacyControl === true) on every page load. Firefox, Brave, and DuckDuckGo enable GPC by default. Safari and Chrome support it through extensions.

Approximately 50 million US users broadcast GPC on every page load. That number has grown 40% year-over-year since 2023. These users are telling your site: “Do not sell or share my personal information.”

CCPA Requirements for GPC

The California Consumer Privacy Act (CCPA), as amended by the CPRA and interpreted by the California Attorney General’s regulations (effective 2023), requires businesses to treat GPC as a valid opt-out request. Specifically:

  • You must detect the GPC signal
  • You must treat it as a request to opt out of the “sale” or “sharing” of personal information
  • You must stop processing that qualifies as “sharing” (which includes most advertising-related data collection) for that user
  • You must not require the user to take any additional action beyond sending the signal

In practical terms: when a user visits your site with GPC enabled, your analytics and advertising tags must either not fire or fire in a mode that does not share data with third parties for advertising purposes.

The Sephora Enforcement Action

In August 2022, the California Attorney General fined Sephora $1.2 million for CCPA violations. One of the central findings: Sephora failed to honour the GPC signal. The AG’s investigation found that Sephora’s website continued to share personal information with third parties (via analytics and advertising tags) even when the user’s browser broadcast GPC.

The fine established a clear precedent: ignoring GPC is a CCPA violation. The AG’s office sent non-compliance notices to over 100 businesses before the Sephora enforcement action. Sephora was the first public example, but it will not be the last.

Why Most Sites Fail GPC Verification

GPC verification fails for four common reasons:

1. No GPC Detection Logic

Most websites do not check for GPC at all. The navigator.globalPrivacyControl property exists in the browser, but no code on the page reads it. Tags fire with full tracking capabilities regardless of the signal. This is the most common failure — not a bug, just an omission.

2. CMP Does Not Map GPC to Consent Denial

Some CMPs support GPC detection but require explicit configuration to map the GPC signal to a consent denial for advertising/sharing categories. If the mapping is not configured, the CMP detects GPC but does not act on it. Tags that depend on the CMP for consent gating fire normally.

The configuration looks different per CMP, but the logic is the same: if navigator.globalPrivacyControl === true, set the “Sale/Sharing” consent category to denied before any tags fire.

3. Tags Bypass the CMP

Even when the CMP correctly denies consent based on GPC, some tags fire outside CMP control. Hardcoded scripts in the page source, tags loaded before the CMP initialises, and GTM tags with no consent-based trigger exception all bypass the CMP and fire regardless of GPC state.

4. GPC Is Detected But Response Is Delayed

The GPC signal is available immediately on page load (navigator.globalPrivacyControl is synchronous). But some implementations check for GPC asynchronously, after tags have already fired. The check happens, consent is updated to denied, but the initial tags already executed with full tracking. The first page view is non-compliant.
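
The logic behind failure modes 2 and 4, as an added example that is not from the original article or from any CMP: the GPC property is read synchronously and mapped to a denied sale/sharing category before any tag can register, and undecided tags are held rather than fired. The function name, category names and tag objects are assumptions made for illustration.

```javascript
// Added illustration, not a CMP's API: createConsentGate, the category names
// and the tag object shape are hypothetical. `nav` is the browser's navigator
// (or a stub when run outside a browser).
function createConsentGate(nav) {
  // navigator.globalPrivacyControl is synchronous, so read it before any tag
  // is registered. Reading it in a later callback is failure mode 4.
  const gpc = nav.globalPrivacyControl === true;
  const consent = {
    essential: 'granted',
    // Skipping this mapping is failure mode 2: GPC detected but not acted on.
    sale_sharing: gpc ? 'denied' : 'unset',
  };
  const pending = []; // tags waiting for a decision
  const fired = [];   // names of tags that ran
  const blocked = []; // names of tags refused

  function decide(tag) {
    const state = consent[tag.category] || 'unset';
    if (state === 'granted') {
      tag.run();
      fired.push(tag.name);
    } else if (state === 'denied') {
      blocked.push(tag.name);
    } else {
      pending.push(tag); // undecided: hold the tag, never fire optimistically
    }
  }

  return {
    gpc, fired, blocked, pending,
    register: decide,
    // Called when the banner records a choice for a category that is still
    // unset. In this sketch a decided category is not re-opened, so a banner
    // default cannot overwrite the GPC-derived denial.
    resolve(category, value) {
      if ((consent[category] || 'unset') !== 'unset') return false;
      consent[category] = value;
      pending.splice(0).forEach(decide); // re-evaluate held tags
      return true;
    },
  };
}
```

In a page, the gate would be created inline in the document head with `createConsentGate(navigator)` so that it exists before any tag script is evaluated.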

How to Verify GPC Compliance

Manual verification:

  1. Install Firefox or Brave (both enable GPC by default)
  2. Open your website
  3. Open DevTools → Console and run: navigator.globalPrivacyControl (should return true)
  4. Open DevTools → Network tab
  5. Check for requests to advertising domains: facebook.com/tr, google.com/pagead, analytics.tiktok.com
  6. If these requests are present, your site is not honouring GPC

This manual check takes 5 minutes per page. For a 50-page site, that is 250 minutes (over 4 hours). And it needs to be repeated after every site change, CMP update, or GTM publish.

Continuous GPC Verification

Automated tag monitoring can verify GPC compliance on every session. The monitor detects the GPC signal, observes which tags fire, and flags any tag that fires in a mode incompatible with the opt-out request. This catches the four failure modes listed above — continuously, across all pages, without manual testing.

Key verification checks:

  • When GPC is present, are advertising/sharing tags blocked or operating in restricted mode?
  • When GPC is present, is the CMP correctly setting consent to denied for sale/sharing categories?
  • Are there any tags firing before GPC is checked?
  • Is the GPC response consistent across all pages and subdomains?
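
The manual Network-tab check and the verification checks above can be expressed as an audit over recorded sessions. This is an added example, not TagDrishti's code; the session record format, function names and sample data are constructed, and only the three advertising endpoints come from the article.

```javascript
// Added illustration. Only the three endpoints come from the article; the
// session record format, names and sample data are constructed.
const AD_ENDPOINTS = [
  { host: 'facebook.com', path: '/tr' },
  { host: 'google.com', path: '/pagead' },
  { host: 'analytics.tiktok.com', path: '/' },
];

function matchesAdEndpoint(rawUrl) {
  let u;
  try { u = new URL(rawUrl); } catch { return false; } // skip malformed entries
  return AD_ENDPOINTS.some(({ host, path }) => {
    // Match the host or a subdomain of it, never a lookalike such as notgoogle.com.
    const hostOk = u.hostname === host || u.hostname.endsWith('.' + host);
    const pathOk = path === '/' || u.pathname === path || u.pathname.startsWith(path + '/');
    return hostOk && pathOk;
  });
}

// session: { page, gpc, consentCheckedAt (ms, or null if never), requests: [{ t, url }] }
function auditSession(session) {
  if (!session.gpc) return []; // no opt-out signal in this session
  return session.requests.filter((r) => matchesAdEndpoint(r.url)).map((r) => {
    let reason = 'fired-despite-denial'; // tag ran after the check: it bypassed the decision
    if (session.consentCheckedAt === null) reason = 'no-gpc-check';
    else if (r.t < session.consentCheckedAt) reason = 'fired-before-check';
    return { page: session.page, url: r.url, reason };
  });
}

function auditAll(sessions) { return sessions.flatMap(auditSession); }

// Constructed sessions, both recorded with GPC enabled.
const SAMPLE_SESSIONS = [
  { page: '/', gpc: true, consentCheckedAt: 120, requests: [
    { t: 40, url: 'https://www.facebook.com/tr?id=000&ev=PageView' },
    { t: 300, url: 'https://cdn.example.test/app.js' },
    { t: 450, url: 'https://analytics.tiktok.com/api/v2/pixel' },
  ] },
  { page: '/pricing', gpc: true, consentCheckedAt: 15, requests: [
    { t: 200, url: 'https://notgoogle.com/pagead/x' },
  ] },
];

for (const f of auditAll(SAMPLE_SESSIONS)) console.log(f.page, f.reason, f.url);
```

A flagged request is a candidate for review: URL matching alone cannot tell whether a tag was operating in restricted mode.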

The cost of non-compliance is documented: $1.2 million for Sephora. The cost of continuous verification is a fraction of that. The question is not whether to verify — it is whether you prefer to verify proactively or wait for the Attorney General to verify for you.

TagDrishti monitors this automatically

Across every tag, every page, 24/7. Set it up in 5 minutes. No GTM dependency. No developer required.

Start 14-day free trial →
