Browser Opt-Out Tool Shoots for Simplicity, Brings Uncertainty

A web-browser tool that offers surfers a one-click way to implement their privacy choices is creating challenges for website operators facing pressure from state regulators and aggrieved consumers over the selling and sharing of consumer data.

The Global Privacy Control allows surfers to signal their privacy preferences through a simple browser setting communicated to each website they visit. California, Colorado, and at least three other states now require websites to honor GPC signals, and many more are expected to adopt the requirement in coming years.

The GPC appears simple for consumers, but it arrives in an online environment dominated by a separate consent-management platform—the cookie banner. Its implementation promises new compliance headaches for online businesses, especially those that operate on more than one platform or channel, according to Alan Butler, chief executive officer of the Electronic Privacy Information Center.

“GPC is just going to be layered in on top of the existing consent-management platform,” Butler said. If a user sends a GPC opt-out request to a website through a browser but then engages with the provider on a different platform or on a system with a different configuration, “it can get legitimately confusing.”

Growth of GPC

The GPC protocol is the latest attempt by privacy advocates to create effective and easy-to-use tools to help consumers gain control over their data, according to Sebastian Zimmeck, a professor of computer science at Wesleyan University and co-founder of the GPC initiative.

An earlier iteration, the Do Not Track protocol, was created in response to 2013 amendments to the California Online Privacy Protection Act, but it failed in part because the bill relied on websites to voluntary comply, Zimmeck said.

The 2018 passage of California Consumer Privacy Act, which included a provision requiring businesses to honor consumers’ requests to opt out of data sharing, set the stage for the GPC, he said.

California regulators have now fully embraced GPC. The attorney general has initiated at least four seven-figure settlements of enforcement actions alleging failure to honor GPC signals, including a $2.75 million settlement with Disney in February.

California, along with Colorado and Connecticut, also announced a GPC compliance enforcement sweep in September 2025.

The number of users of the protocol remains hard to determine precisely, Zimmeck said. Taking advantage of GPC requires using a browser—such as Brave, Firefox, or Duck Duck Go—that allows the protocol to be enabled in the settings or, for users of Microsoft’s Edge or Google’s Chrome browsers, installing an add-on or extension.

“It’s a very technologically and privacy savvy consumer who’s using this right now, so GPC hasn’t been very accessible,” said Paul Rothermel, managing attorney at Gardner Law, who focuses on privacy and data security. “That’s one of the challenges with the technology so far.”

Around 40 million users in 2021 had browsers with GPC enabled by default or through an extension, and that number has grown beyond 100 million by now, said Zimmeck.

Uptake could also be spurred by a California law requiring all browsers available to residents beginning in 2027 to have a setting allowing opt-outs to be enabled by default, he said.

GPC and Cookie Banners

The goal of the GPC protocol is to give consumers a centralized way to assert their privacy rights, Butler said. “These mechanisms are really important, it’s not enough to make people go through the process over and over at each site they visit; it has to be easier,” he said.

But that site-by-site method already exists in the form of cookie banners, and it isn’t likely to disappear, Rothermel said. That raises the possibility of conflicting signals from the two protocols.

Businesses attempting to implement consumer preferences are asking which takes precedence, he said.

“If you go to a website and expressly consent to ad-tech tracking and the use of your data for marketing, that may override a passive signal from your browser,” he said. “But it’s not clear, and we don’t have cases that have dug into this.”

California regulators haven’t yet spoken directly on this issue, but Myriah Jaworski, a member at Clark Hill who focuses on data privacy and cybersecurity, said they might very well hold that GPC signals trump the choices from the cookie banner.

She said a state regulator recently told her that cookie banners shouldn’t appear at all when a consumer’s browser sends a GPC signal.

The banner constitutes a repeat request for opt-in permission, which could violate CalOPPA’s provision requiring websites to wait at least 12 months after receiving an opt-out request before asking for opt-in permission again, the regulator said.

“Our consent-management platform isn’t currently configured to deal with these issues,” she said.

Technical Capacity

Jaworski expressed frustration that by viewing GPCs and cookie banners as being in conflict, the regulators are running ahead of the technology. “I sometimes think there isn’t enough awareness and technical capacity in these regulatory offices to appreciate the nuances and difficulty of what they’re asking.”

Butler said in an ideal world the GPC tools and cookie banners would talk to each other, but “it’s hard to get there because of overlapping and interlocking rules and standards.”

The challenges faced by businesses in implementing GPC point to a deeper issue concerning online data privacy, he said.

“We need to get beyond the retail, site-by-site level to a more wholesale solution,” Butler said. “We need these systems to be designed with privacy in mind so people don’t need to be taking a bunch of additional steps to limit collection and tracking of data that’s not necessary for what they’re actually trying to do.”