Analysis/Privacy

Twelve States Now Mandate GPC — And Enforcement Is Getting Real

With twelve US states requiring businesses to honor Global Privacy Control signals and seven-figure fines becoming routine, the privacy enforcement era has arrived. Here's what the 2026 enforcement wave means for ad measurement teams.

By Sarah Chen··8 min read

The US privacy landscape crossed a threshold on January 1, 2026. Three new comprehensive state privacy laws — in Indiana, Kentucky, and Rhode Island — took effect, bringing the total number of states with comprehensive privacy statutes to roughly 18. California simultaneously activated new requirements for automated decision-making technology audits and risk assessments. And the enforcement climate has shifted from warnings to penalties.

The GPC Mandate Expands

The most consequential development for advertising measurement is the expansion of Global Privacy Control requirements. As of January 2026, twelve US states now legally require businesses to honor GPC signals: California, Colorado, Connecticut, Delaware, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, and Texas.

GPC is a browser-level signal that automatically communicates a user's choice to opt out of the sale or sharing of personal data — including the data sharing that powers targeted advertising and cross-site measurement. When a user enables GPC in their browser, every website they visit receives that opt-out signal automatically. No consent banner interaction required. No cookie preference center. The signal fires on page load.

For measurement teams, this is significant because GPC adoption is growing and enforcement is real. Brave, DuckDuckGo, and Firefox already support GPC natively. And under California's Opt Me Out Act (AB 566), all major browsers — including Chrome, Safari, and Edge — will be required to offer built-in GPC functionality by January 2027.

Enforcement Has Teeth

The era of friendly reminders is over. As AudienceX's analysis noted, "We are no longer in the era of policy introduction; we are in the era of active enforcement." Recent penalties tell the story:

  • Healthline Media was fined $1.55 million in July 2025 — the largest CCPA settlement to date — for failing to honor GPC signals.
  • Tractor Supply Company paid $1.35 million in August 2025 for failing to process GPC signals.
  • Honda was fined $632,500 for implementing excessive verification requirements that effectively blocked opt-outs.
  • Sling TV paid $530,000 for confusing opt-out mechanisms and inadequate child privacy protections.

    • State Attorneys General are also coordinating enforcement sweeps. In late 2025, California, Colorado, and Connecticut conducted a joint investigation targeting businesses that claimed to honor GPC signals while continuing to fire retargeting pixels — a practice that regulators now treat as deceptive.

    What the New State Laws Require

    The three new January 2026 laws follow the Virginia model. Indiana and Kentucky apply to businesses controlling data on 100,000 or more consumers, or 25,000 consumers if more than 50% of revenue comes from data sales. Rhode Island sets a lower threshold at 35,000 consumers.

    All three states grant consumers the right to opt out of targeted advertising, data sales, and profiling. All three require data protection impact assessments. And all three include 30-day cure periods — though enforcement precedent from California suggests that regulators are increasingly skeptical of cure period claims from large organizations that should have known better.

    Meanwhile, existing laws in Connecticut, Colorado, and California are expanding throughout 2026. Connecticut is lowering compliance thresholds and tightening data sale controls. Oregon now bans the sale of precise geolocation data. California's new automated decision-making technology rules require businesses to provide opt-outs when algorithmic systems substantially replace human decision-making — a provision that could apply to programmatic ad buying and algorithmic audience targeting.

    The Measurement Impact

    For ad measurement professionals, the enforcement wave creates concrete operational challenges:

    Shrinking addressable audiences. As GPC adoption grows and more states mandate opt-out recognition, the pool of users available for cross-site tracking, retargeting, and deterministic attribution continues to shrink. This compounds the signal loss already caused by Safari's Intelligent Tracking Prevention and Apple's ATT framework.

    Pixel compliance risk. Client-side tracking pixels that fire before consent is established — or that continue to fire after a GPC signal is received — are now enforcement targets. The FTC has adopted what regulators describe as a zero-tolerance policy regarding the sharing of sensitive data via tracking technologies.

    Attribution model degradation. Multi-touch attribution models that depend on user-level cross-site tracking are losing coverage with every new privacy mandate. The deterministic link between ad exposure and conversion is becoming legally and technically impossible for a growing share of the population.

    What Measurement Teams Should Do

    The direction is clear, and the window for gradual adaptation is closing:

  • Audit your pixel and tag infrastructure for GPC compliance. If your tags fire before consent or ignore opt-out signals, you're exposed to seven-figure penalties.
  • Accelerate the shift to aggregated measurement. Media mix modeling and geo-based incrementality testing don't depend on user-level tracking and are regulation-proof by design.
  • Invest in first-party data strategies. Consented, logged-in user data collected directly by your brand remains the most defensible data asset in this environment.
  • Prepare for the 2027 browser mandate. When Chrome and Safari add built-in GPC support, opt-out rates will increase dramatically. Build your measurement infrastructure to function in a world where a substantial share of your audience is opted out.

    • The patchwork of state laws creates compliance complexity, but the underlying direction is uniform: persistent user-level tracking across the open web is becoming untenable. Measurement teams that still depend on it need to move.

    Sources & References

    1. [1]
    2. [2]
    3. [3]
    4. [4]
    TagsPrivacyGPCCCPAAttributionCookiesEnforcement

    We use cookies to analyze site traffic and improve your experience. By accepting, you consent to the use of analytics cookies by Google Analytics and Meta Pixel.