Almost half of the States in the U.S. have enacted some version of an online personal or consumer data privacy statute. The statutes all use a similar framework that requires data collectors and processors to provide notices, obtain consent, and comply with mandates and prohibitions. For example, all of the online data privacy statutes require companies to provide privacy notices that tell consumers what data is collected, why the data is being collected, with whom the data is shared, sold, etc.
All of the statutes also require that data collectors allow consumers to opt out of various things, such as the collection, sharing, or processing of certain data for certain online users (like children) or for certain types of data (like personally sensitive data).
One current and ongoing political fight concerns whether companies should be required to allow and honor consumers’ data choices and preferences via global privacy controls (“GPC”). GPCs are often called “universal opt-out mechanisms” and “opt-out preference signals.” GPCs can be defined as signals sent automatically by browser, computer, or device settings that identify the consumer’s global privacy preferences for a website, app, or online service.
Consumer privacy advocates have recognized that identifying privacy preferences can be a cumbersome and inconvenient process for consumers, particularly if the preferences must be given for each website one at a time. Privacy advocates understand that the more difficult and inconvenient a process is, the less likely a consumer is to take the time to identify their privacy preferences.
Consumers may take the time to identify their privacy preferences for websites that they visit often. However, most consumers browse the internet by making one-time visits and staying for only a few minutes. For these kinds of “short hop” visits, for most consumers, it is too time-consuming to track down the link, go to the privacy page, and identify privacy preferences. However, even a short visit to a website might result in unwanted data collection, storage, sharing, and sale, resulting in, for example, a deluge of targeted advertising.
One solution to this problem is GPCs. Consumers can take the time to review and signal their preferences once for their browser, extensions, add-ons, device, or computer. Thereafter, even for “short hop” visits, their preferences will be sent to the website.
Currently, about twelve online personal data privacy statutes require that data collectors recognize and obey GPCs. California has now added its “voice” to the discussion by enacting what is called Assembly Bill 3048. The California Governor is expected to sign the legislation. AB 3048 amends earlier data privacy legislation and goes a bit further than simply requiring websites and online services to accept and honor such GPCs. That is already the law in California.
AB 3048 is not aimed at data collectors and processors but rather at browser developers and companies that make and operate mobile devices. Starting on January 1, 2026, such companies will be required to allow consumers to send privacy preference signals, in effect creating GPCs. AB 3048 does not require any sort of factory or default setting for those preference signals, and AB 3048 does not require that the GPCs be automatically “on.” It is a good guess that the next political “fights” will include those two questions.
Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal
For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.
The Technical Architecture of Global Privacy Controls
A global privacy control is a machine-readable signal — transmitted by a browser, operating system, browser extension, or mobile device — that communicates a user’s privacy preferences to every website or app the user visits, without requiring the user to manually configure settings on each site. The most developed current implementation is the Global Privacy Control (GPC) specification maintained by the GPC community group, which defines a standard HTTP header and JavaScript API that browsers and extensions can use to signal opt-out preferences.
The GPC specification is not a product of any government or standards body — it is an industry and advocacy group initiative. Firefox, Brave, and the DuckDuckGo browser have native GPC support. Privacy Badger (Electronic Frontier Foundation) and other browser extensions add GPC functionality to Chrome and other browsers. The specification is publicly available and any browser developer can implement it. California’s AB 3048, which requires browser developers to build in the technical capability for GPC signals, is essentially requiring that the major commercial browsers implement what Firefox and Brave have already done voluntarily.
Which State Statutes Currently Require GPC Compliance
As of 2024, approximately twelve state consumer data privacy statutes require businesses to honor opt-out preference signals sent through GPCs. California’s CPRA regulations — specifically the regulations adopted by the California Privacy Protection Agency (CPPA) — require businesses that sell or share personal data to honor GPC signals as valid opt-out requests. The CPPA has issued enforcement guidance making clear that a website which ignores a GPC signal from a user visiting from California is in violation of the CCPA/CPRA opt-out requirements, and that the Agency considers this a priority enforcement area.
Colorado’s privacy statute and its implementing regulations issued by the Colorado Attorney General similarly require businesses to recognize and honor universal opt-out mechanisms, including GPC signals. Connecticut, Montana, Oregon, and Texas have enacted statutes that include similar requirements. The variation between states is in the detail: some statutes require businesses to honor any technically recognizable GPC signal; others allow businesses to verify that the GPC signal comes from a human consumer rather than an automated crawl; and some allow a 15-day period to implement technical opt-out before full compliance is required after a consumer signals their preference.
AB 3048 and What It Requires of Browser Developers
California’s AB 3048 is notable because it is directed not at data collectors — as most consumer privacy legislation is — but at the developers of browsers and mobile operating systems. Starting January 1, 2026, browser developers and mobile OS developers that distribute products to California consumers must provide a mechanism through which consumers can send GPC signals. The requirement is capability, not default setting: AB 3048 does not require that GPC be turned on by default, only that the technical capability to send a GPC signal be built into the browser or device.
This matters because the default setting question is the next legislative battle. A GPC capability that is buried in an obscure settings menu will be used by a small fraction of consumers — those who are both privacy-aware and technically sophisticated enough to find and enable it. A GPC that is on by default sends opt-out signals for every user automatically, dramatically reducing the volume of personal data that businesses can lawfully collect, process, and sell. Business interests are strongly opposed to any default-on requirement; privacy advocates consider it the only approach that provides meaningful protection for ordinary consumers who will never search through privacy settings.
Enforcement: California Privacy Protection Agency’s Track Record
The California Privacy Protection Agency, created by CPRA, became the primary CCPA enforcement authority on July 1, 2023. Since then, the CPPA has issued enforcement advisories focused on dark patterns in consent flows, opt-out mechanism accessibility, and GPC compliance. The Agency has formal enforcement authority to assess administrative fines of up to $2,500 per violation and up to $7,500 per intentional violation of the CCPA/CPRA. Given that a single GPC non-compliance event may affect thousands or millions of California consumers simultaneously — each consumer’s ignored signal constituting a separate violation — aggregate fines can be very large.
The CPPA has also indicated in published guidance that it considers the opt-out signal requirements — including GPC — to be among its highest enforcement priorities. Businesses that operate advertising-supported websites, collect and sell data, or use behavioral advertising networks should treat GPC compliance as a near-term obligation, not a future concern. The CPPA has resources and statutory authority to pursue enforcement actions, and several major publishers and data brokers should expect to receive investigative inquiries.
What Businesses Must Do to Comply with GPC Requirements
- Implement technical systems capable of detecting GPC signals on every page of your website — a GPC signal that is not detected cannot be honored
- Once a GPC signal is detected, immediately suppress any sale, sharing, or use of that consumer’s personal data for purposes that require opt-out consent, including targeted advertising
- Do not require consumers who send a GPC signal to additionally complete a separate opt-out mechanism on your website — the CPPA’s regulations make clear that the GPC signal itself is sufficient and must be honored without requiring additional steps
- Document your GPC detection and response processes and test them regularly — the CPPA may request technical documentation as part of an enforcement inquiry
- If you operate in states other than California that require GPC compliance, evaluate whether your implementation honors the signal for users from each applicable state
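The detection and suppression steps in this checklist can be sketched server-side as follows. This is an added example, not code from the article, the CPPA, or the GPC project. The `Sec-GPC: 1` request header is the one defined by the GPC specification; the function names, the `session.optOut` field, the decision fields, and the sample requests are hypothetical, and the sketch assumes the signal is honored for every visitor regardless of state.

```javascript
// "Sec-GPC" is the request header defined by the GPC specification; "1" is
// the only value that expresses a preference. Anything else means no signal.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() !== 'sec-gpc') continue; // header names are case-insensitive
    // Repeated headers may arrive as an array or as one comma-joined string.
    const parts = [].concat(value).join(',').split(',');
    if (parts.some((p) => p.trim() === '1')) return true;
  }
  return false;
}

// Hypothetical per-request decision for templates, tag managers and data
// pipelines to consult before loading ad tags or forwarding personal data.
function privacyDecision(headers, storedOptOut) {
  const gpc = hasGpcSignal(headers);
  const optedOut = gpc || storedOptOut === true;
  return {
    optedOut,
    source: gpc ? 'gpc' : optedOut ? 'stored' : 'none',
    allowSaleOrShare: !optedOut,
    allowTargetedAds: !optedOut,
    requireExtraOptOutStep: false, // the signal alone is sufficient
  };
}

// Express-style middleware (assumed signature: req, res, next).
function gpcMiddleware(req, res, next) {
  req.privacy = privacyDecision(req.headers, req.session && req.session.optOut);
  // The response now depends on Sec-GPC, so shared caches must key on it;
  // otherwise a page rendered with ad tags could be served to a GPC user.
  const prior = res.getHeader('Vary');
  res.setHeader('Vary', prior ? `${prior}, Sec-GPC` : 'Sec-GPC');
  next();
}

// Constructed sample requests (not captured traffic) for regular self-tests.
const SAMPLE_REQUESTS = [
  { path: '/article', headers: { 'Sec-GPC': '1' } },
  { path: '/article', headers: { 'sec-gpc': '0' } },
  { path: '/article', headers: {} },
];

// One JSON line per request, suitable for keeping as compliance evidence.
function auditSamples(requests) {
  return requests.map((r) =>
    JSON.stringify({ path: r.path, ...privacyDecision(r.headers, false) }));
}
```

Running `auditSamples(SAMPLE_REQUESTS)` in a scheduled test gives a repeatable record that the signal is detected and acted on, which supports the documentation step above.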
GPC compliance is technically achievable and the legal obligation to honor opt-out signals is clear in California and a growing number of other states. Businesses that have not implemented GPC detection and response are taking on enforcement risk that increases as the CPPA matures its enforcement program.