As of April 2026, eleven US states legally treat the Global Privacy Control header as a binding opt-out of the sale or sharing of personal data — and your WooCommerce store’s server-side CAPI feed has no idea the header was ever sent. Connecticut, Oregon, California, Colorado, Delaware, Maryland, Minnesota, Montana, New Jersey, New Hampshire, and Texas are now on the list.
The CMP plugin you installed to handle browser pixels does its job. The server-side pipeline you stood up to escape ad blockers and ITP doesn’t. That’s the legal gap regulators are now hunting for.
What Just Changed
Twenty US states have enacted comprehensive consumer privacy laws as of April 2026, covering more than half of the American population. Eleven of those states have made one specific thing binding: when a visitor’s browser sends the Sec-GPC: 1 header, the business has to treat it as a legal opt-out request — same standing as the user clicking “Do Not Sell My Information” on your site.
Global Privacy Control (GPC) is a technical standard: privacy-focused browsers and extensions send it as the HTTP request header Sec-GPC: 1 and expose it to page scripts as the navigator.globalPrivacyControl property, indicating that the user opts out of the sale or sharing of personal information. It belongs to a category state laws call universal opt-out mechanisms (California's term is opt-out preference signals, OOPS). Twelve state laws include such a requirement, and eleven of those name GPC as the recognized signal.
Enforcement isn’t theoretical. Reported fines and penalties against US-based companies under state privacy laws reached an estimated $1.4 billion in 2025. In February 2026, California’s CPPA broke its own settlement record with a $2.75 million action against a streaming company for opt-out failures, surpassing the previous $1.35 million ceiling. Texas runs its own enforcement track — and the Texas Data Privacy and Security Act has effectively no minimum business-size threshold, so small WooCommerce stores aren’t exempt the way they are under some other state laws.
What Your CMP Plugin Actually Does When GPC Fires
Three WordPress CMP plugins dominate the GPC-aware market: Complianz, CookieYes, and Real Cookie Banner. All three detect the GPC signal in the visitor’s browser and suppress the browser-layer scripts that would have fired the Meta Pixel, the Google Ads tag, the TikTok Pixel, and so on.
That’s where their reach ends. The CMP plugin is a browser-layer enforcement mechanism: it can only stop scripts the browser executes. It cannot reach into a server-side pipeline, which runs from the WordPress backend (or a separate server) and never passes through the browser at all.
What Your Server-Side Feed Is Doing At the Same Moment
While the CMP is suppressing the browser pixel, the rest of your stack is firing normally. Your WordPress backend is hooking into WooCommerce action events — purchase, add-to-cart, checkout — and pushing them into:
- Meta Conversions API: server-side event with hashed email and phone, plus the client IP address and user agent (sent unhashed)
- Google Ads Enhanced Conversions: server-side conversion with hashed user data
- TikTok Events API: server-side e-commerce events
- Klaviyo Track API: server-side profile and event updates
None of those calls inspect the original Sec-GPC: 1 header. The header was a browser-to-WordPress signal, and the server-side feed runs WordPress-to-platform. Two different conversations. The opt-out signal travels through the first one and dies there.
Sourcepoint’s COO Brian Kane summarized the structural problem to Digiday: a consent signal has to travel cleanly through every partner in the advertiser’s tech stack, and that transmission is where ad tech has struggled for years. Each handoff is a potential compliance risk.
Translation: the WordPress-to-platform handoff is where the GPC signal currently doesn’t travel. That’s the failure mode the eleven state attorneys general are now positioned to find.
The State-by-State Exposure Picture
Not every state in the eleven has the same teeth. A WooCommerce store with US-wide reach is exposed in different ways across each one.
- California (CPPA): Active enforcement agency. $2.75M settlement record set February 2026. Highest probability of an audit if you advertise to California consumers.
- Texas: No minimum business-size threshold. Active AG enforcement track. Applies to small stores other state laws would exempt.
- Connecticut, Colorado, Oregon, Delaware, Maryland, Minnesota, Montana, New Jersey, New Hampshire: AG-led enforcement with cure periods that vary by state; AG action is available for opt-out failures.
The compliance argument that you “didn’t know” doesn’t survive contact with the eleven-state list. The signal is documented at globalprivacycontrol.org, it’s a public web standard, and your CMP plugin already proves your stack can read it.
Where the Opt-Out Has to Actually Be Enforced
The architectural answer is the same one ad-tech vendors have been writing about for two years: the consent signal has to follow the data. If the data leaves WordPress and lands on Meta, Google, TikTok, and Klaviyo via server-side calls, the consent state has to ride those same calls.
In practice, that means three things in sequence.
1. The CMP records GPC at the browser layer. Complianz, CookieYes, or Real Cookie Banner detects Sec-GPC: 1 and writes the state to a server-readable surface — usually a session cookie or a WordPress user meta field — alongside its existing pixel suppression.
2. The WordPress backend stamps every outbound event with the GPC flag. When the WooCommerce hook fires (purchase, add-to-cart, etc.), the event payload includes the GPC state and the visitor’s state-of-residence inference (IP-derived or shipping-address-derived).
3. The server-side pipeline enforces. Before any event is routed to Meta CAPI, Google Ads, TikTok, or Klaviyo, the pipeline checks: GPC flag set? Visitor resident of one of the eleven states? If yes, drop the event. If no, route normally. The decision is per-event, per-visitor.
How Seresa Does This
Transmute Engine™ is a first-party Node.js server that runs on your subdomain (e.g., data.yourstore.com). The inPIPE WordPress plugin forwards each WooCommerce event with the CMP-set GPC flag and a state-of-residence inference, and Transmute Engine inspects both before routing. The same event from the same store gets sent to Meta CAPI and Google Ads for a non-GPC visitor in Florida, and dropped at the pipeline for a GPC visitor in Texas — without changing any of your destination configs.
Key Takeaways
- Eleven US states — Connecticut, Oregon, California, Colorado, Delaware, Maryland, Minnesota, Montana, New Jersey, New Hampshire, and Texas — legally treat GPC as a binding opt-out as of April 2026.
- CMP plugins like Complianz, CookieYes, and Real Cookie Banner handle browser-layer suppression only. They cannot reach a server-side CAPI pipeline.
- US state privacy fines reached an estimated $1.4 billion in 2025, and California’s CPPA settled a $2.75 million opt-out case in February 2026.
- Texas has no SMB exemption. A small WooCommerce store selling into Texas is in scope.
- The fix is pipeline-layer enforcement: the GPC flag has to travel from the browser into the server-side event payload, and the pipeline has to drop the event before it reaches any destination for visitors in the affected states.
FAQ
Does a CMP plugin such as Complianz, CookieYes, or Real Cookie Banner already handle GPC for server-side feeds?
No. All three plugins detect the GPC signal and suppress browser-layer pixels, but server-side feeds running from the WordPress backend to Meta CAPI, Google Ads Enhanced Conversions, TikTok Events API, and Klaviyo are out of the CMP’s reach. The plugin can only stop what fires in the browser; the server fires independently.
Is a small WooCommerce store that sells into Texas in scope?
Yes. As of April 2026, Texas is one of eleven states that legally require businesses to honor the Global Privacy Control header as a binding opt-out. The Texas Data Privacy and Security Act has effectively no minimum business-size threshold, so small WooCommerce stores are not exempt the way they are under some other state privacy laws.
How does the GPC signal get from the CMP to the server-side pipeline?
The CMP must record the GPC state in a session-level flag the WordPress backend can read, typically a cookie, a user meta field, or a header forwarded with each event payload. The server-side pipeline then inspects that flag on every incoming event, checks the visitor’s state of residence, and drops the event before routing it to Meta, Google Ads, TikTok, or any other destination when the opt-out applies.
Which server-side destinations carry the most exposure?
Meta Conversions API, Google Ads Enhanced Conversions, TikTok Events API, and Klaviyo Track API are the four common WooCommerce server-side destinations that ingest personal data (hashed email and phone, IP address) at the event level. Each of those calls counts as a “sale or sharing” event under the broad definition the eleven state laws use, which makes them the highest-risk destinations to leave unenforced.
Run a GPC audit on your stack this week. If your CMP detects the signal but your server-side pipeline never sees it, seresa.io is where you close the gap.