Global Privacy Control (GPC)

As of April 2026, eleven US states — Connecticut, Oregon, California, Colorado, Delaware, Maryland, Minnesota, Montana, New Jersey, New Hampshire, and Texas — legally treat the Global Privacy Control (GPC) header as a binding opt-out. WordPress CMP plugins like Complianz, CookieYes, and Real Cookie Banner detect the signal and suppress browser pixels, but server-side feeds to Meta CAPI, Google Ads, TikTok Events API, and Klaviyo fire from the WordPress backend with no awareness of the GPC header. US state privacy fines hit an estimated $1.4 billion in 2025, and California’s CPPA settled a $2.75 million opt-out case in February 2026.

California’s revised CCPA regulations took effect January 1, 2026 with no delayed enforcement window. The headline change: a business must provide visible confirmation that an opt-out request — including a Global Privacy Control signal — has been processed. Silent honouring in the back-end is no longer compliance. Complianz, CookieYes, Real Cookie Banner, and WPConsent in … Read more

The EU Digital Omnibus proposes Article 88b, requiring websites to accept machine-readable consent signals from browsers by 2027. Combined with California’s Opt Me Out Act mandating browser-built GPC by January 2027, cookie banners will disappear for an estimated 60% of websites. Consent rates for tracking may drop to 10-30% when browsers deploy default-reject settings. WordPress consent plugins will need major rebuilding. Server-side tracking architecture processes events regardless of which consent model the browser uses.

The EU Digital Omnibus proposes shifting some cookie categories from opt-in to opt-out using legitimate interest, a change that would force every WordPress consent plugin to fundamentally redesign its blocking logic. Currently, 40-70% of EU visitors reject cookies when given a proper Reject All button (Ignite Video consent studies, 2026), destroying tracking data. The EU Commission estimates cookie simplification will save businesses €800 million annually. Three consent models are on the table: partial opt-out for analytics, browser-signal-based consent, or enhanced opt-in under unified GDPR enforcement. WordPress sites running Complianz (1M+ installs), CookieYes (1.5M+ sites), or WPConsent face configuration uncertainty. Server-side tracking architectures that process data on first-party infrastructure remain compliant regardless of which consent model wins.

By January 1, 2026, twelve US states will legally require your website to honor a browser signal most WordPress store owners have never heard of. It’s called Global Privacy Control (GPC), and California already fined Tractor Supply $1.35 million in September 2025 for ignoring it. GPC is a browser-level signal that automatically opts users out … Read more

California fined Tractor Supply $1.35 million in September 2025—the largest CPPA fine in history—for failing to honor GPC signals and other opt-out violations. That same year, Healthline paid $1.55 million, Honda paid $632,500, and Todd Snyder paid $345,178. All for the same basic failure: their opt-out mechanisms didn’t actually work. These aren’t theoretical risks. They’re … Read more

California just told Chrome, Safari, and Edge: build privacy controls into your browsers by January 2027, or face consequences. Governor Newsom signed AB 566—the California Opt Me Out Act—on October 8, 2025. For the first time in US history, a government is requiring browser vendors to include opt-out preference signals as a built-in feature. Currently, … Read more