For years, many website owners in the United States believed that cookie banners and consent tools were only necessary for visitors from Europe. This is no longer the case. Recent changes in state rules and legal risks have clarified the need for such tools, making them a must for any site that collects data (personal or otherwise) from U.S visitors.
GPC: An Existing Requirement but Now Enforced
Global Privacy Control (GPC) is a browser setting that lets people signal that they do not want their personal details shared or sold. It is an example of the more general terms – Opt-Out Preferences Signals (OOPS) and Universal Opt-Out Mechanisms (UOOM). California has made it clear in FAQ published by the Cal. Attorney General, in 2021, that GPC signals must be honored. Other privacy state laws such as Colorado, and Connecticut (currently 12 in total), require website owners to put in place UOOM and respect the opt out signals.
This requirement is not new – from statements made by the California AG to specific inclusion in the 2022 version of the CCPA Regulations, CA-regulated entities have been expected to comply.
In September 2025, privacy officials from California, Colorado, and Connecticut have jointly announced a GPC compliance campaign. This move came after a large settlement with a major health website that failed to respect GPC signals. The message is clear: ignoring these signals can lead to costly consequences.
Additionally, starting January 1, 2026, California will require websites to show users that their GPC request has been accepted. This could be a message or a toggle that is already set to “on” when a GPC signal is received. This step is meant to give users clear proof that their opt-out wishes are being followed.
CIPA: Legal Risks Still Remain
The California Invasion of Privacy Act (CIPA) has led to a wave of lawsuits against website owners that use third-party tracking tools, such as cookies, pixels, or session replay scripts. These lawsuits claim that such tools “intercept” user activity without permission. California lawmakers are working on bill (SB 690) to limit these lawsuits, but it will not take effect before 2026. Until then, sites continue to face the risk of expensive legal action and paying settlements.
What Should You Do?
- Add a cookie management tool that can detect and respond to GPC signals, and ensure proper implementation – that is, enable the GPC signals function within the cookie management tool.
- Set up your tool to show users when their GPC request is accepted.
- Check your website for any tracking scripts and make sure they are covered by your consent management tool.
- Include a statement in your privacy policy explaining how you respond to GPC signals and a proper disclosure on the website’s use of cookies and tracking technologies.
- Keep up with new rules and enforcement actions.
Popular tools that can help with these tasks include CookieYes, Cookiebot, and CookiePro. Each offers guides for setting up GPC support:
* We do not endorse or recommend any specific cookie management tool.
Take Action Now
The rules for online privacy in the U.S. are changing fast. Adding a cookie management tool becomes a fairly easy (but not necessarily the only) way for a website to avoid risks associated with U.S. privacy laws. Failing to address these risks may result in fines and lawsuits.
Act now to protect your site and your visitors.
Special thanks:
We would like to thank @Eran Gandman and @Shira Rivnai Bahir for their valuable input and insights, which greatly contributed to this article.
Disclaimer:
Our team at Or-Hof and ClearPath is here to support your compliance efforts, help you navigate the evolving requirements of UK Data Protection Law, and align your privacy compliance framework with these new changes.
👉 For guidance and support in aligning your organization with the new requirements, the teams at ClearPath and Or-Hof Law are here to help – feel free to contact us at [email protected].
The Or-Hof Law Team
