California Privacy Protection Agency Announces Joint Investigative Privacy Sweep

In an effort to bolster digital privacy enforcement, three states are looking into businesses that may be ignoring browser-based signals meant to allow consumers to exercise their privacy rights—with potential implications for any U.S. company doing business online.

On Sept. 9, 2025, the attorneys general of California, Colorado and Connecticut, and the California Privacy Protection Agency (collectively, the “Coalition”) announced a coordinated “investigative sweep involving potential noncompliance with the Global Privacy Control, or GPC, an easy-to-use browser setting or extension that automatically signals to businesses a consumer’s request to stop selling or sharing their personal information to third parties.” The Coalition will contact businesses that fail to process consumer requests to opt out of the sale and sharing of their personal information submitted through the GPC as required by law.

What is the GPC?

The GPC is a browser-based signal designed to help users automatically communicate their privacy preferences to all websites such user visits, particularly regarding the sale or sharing of personal information. The GCP is a “universal opt out mechanism,” which is another way the GPC is described under applicable privacy laws.

How does the GPC work?  

The GPC signal is found in hypertext transport protocol (“HTTP”) messaging that is used to communicate between an individual’s browser and the company’s server. The HTTP messaging sent and received by a browser can be monitored. Under the GPC specification, the company’s server is obligated to return a response to the GPC signal sent from the individual’s browser. If no such response is received at the browser, it is obvious that the company does not support GPC. Furthermore, even if a response is received, the company operating the website must stop the sharing or selling of the individual’s personal information. Under certain state laws, the mere placement of a targeting cookie on an individual’s browser constitutes selling or sharing personal information.

Which companies must comply?

Compliance with the GPC is required under the privacy laws of the Coalition states and either is required or will soon be required in Delaware, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon and Texas. If a company has a website, it may be sharing data with a third party and thus would be required to comply with the GPC.

Unlike other privacy law violations that are difficult to detect, compliance with the GPC is easily determined through use of the developer tools within a browser. If a website stores targeted advertising cookies on visitors’ browsers and the business meets the threshold for compliance with a privacy law that requires compliance with the GPC, the Coalition (and any individual) can easily find evidence of non-compliance. Also, the process for detecting how a website handles a GPC signal, including determining whether targeting cookies have been removed after reception of the GPC signal, can be automated through the application of software that “crawls” the internet looking for noncompliant websites.

What happens next?

The Coalition has begun identifying businesses “refusing to honor consumers’ requests to stop selling their personal data and have asked them to immediately come into compliance with the law.”

Furthermore, once the applicable state attorney general has identified non-compliance with GPC, there are additional areas of risk that could be easily identified: the use of dark patterns, lack of opt-out manual options and a non-compliant (or non-existent) privacy policy.

If your business meets the threshold for compliance under any applicable state privacy law, GPC capability should be added to your website and privacy program.

This document is intended to provide you with general information regarding state efforts in data privacy enforcement. The contents of this document are not intended to provide specific legal advice. If you have any questions about the contents of this document or if you need legal advice as to an issue, please contact the attorneys listed or your regular Brownstein Hyatt Farber Schreck, LLP attorney. This communication may be considered advertising in some jurisdictions. The information in this article is accurate as of the publication date. Because the law in this area is changing rapidly, and insights are not automatically updated, continued accuracy cannot be guaranteed.