Introduction to GPC Compliance
The digital privacy landscape is shifting fast, and regulators are stepping up enforcement. In a coordinated move, the California Privacy Protection Agency (CPPA), along with regulators in Colorado and Connecticut, launched a multi-state investigation targeting businesses that fail to honor Global Privacy Control (GPC) signals and opt-out requests related to the sale or sharing of personal data. [1]
Why GPC Matters to Your Business

Global Privacy Control (GPC) is a browser-based signal that communicates a user’s preference to opt out of the sale or sharing of their personal information. Unlike traditional opt-out links, GPC is universal and automatic—making it a powerful tool for consumers and a critical compliance requirement for businesses. A peer-reviewed study of over 11,000 websites found that more than half failed to properly honor GPC signals. Many misconfigured their systems or ignored the signals entirely. This non-compliance is now drawing regulatory scrutiny, and enforcement actions are already underway. [2]
Recent Enforcement Case Studies: What Businesses Must Learn
1. Healthline Media – $1.55 Million Fine:
In July 2025, Healthline Media faced the largest fine to date from the California Privacy Protection Agency (CPPA) for multiple violations of the California Consumer Privacy Act (CCPA). Key issues included:
- Failure to honor GPC signals for opt-out requests.
- Sharing sensitive health-related content (e.g., article titles suggesting medical conditions) with third-party advertisers.
- Misleading cookie consent banners that did not actually disable tracking.
- Non-compliant contracts with third-party vendors.
This case highlights the importance of accurate technical implementation, contractual diligence, and transparent user interfaces. [3]
2. Todd Snyder – $345,178 Fine:
The clothing retailer was fined for failing to properly process GPC signals and violating opt-out rights under the CCPA. The CPPA emphasized that businesses must detect and respond to GPC signals reliably across all web pages. [4]
3. American Honda Motor Co. – $632,500 Fine:
Honda was penalized for ignoring GPC signals and failing to provide compliant opt-out mechanisms. This case demonstrates that even large, well-resourced companies are not immune to enforcement. [5]
4. Sephora – $1.2 Million Settlement:
Although earlier, this case remains a landmark example. Sephora failed to honor GPC signals and did not disclose its data-sharing practices adequately. The settlement included mandatory changes to its privacy practices and public disclosure obligations. [4]
Understanding the Regulatory Risk
Failure to honor GPC signals can expose your organization to:
- Regulatory investigations,
- Fines and penalties,
- Reputational damage, and
- Loss of consumer trust.
By the end of 2025, at least nine U.S. states will require businesses to honor GPC or similar universal opt-out mechanisms. The CPPA and other regulators are actively enforcing these requirements. [3]
What Your Organization Should Do Now
Audit Your Data Practices:
- Identify what personal data you collect, how it’s used, and where it’s shared.
- Map data flows across your systems and third-party vendors.
Honor GPC Signals:
- Implement and test mechanisms to detect and respond to GPC signals.
- Ensure your systems treat GPC as a valid opt-out request.
Review Cookie Banners and Opt-Out Mechanisms:
- Ensure they are clear, accessible, and legally compliant.
- Avoid dark patterns that could mislead users.
Monitor Regulatory Developments:
- Stay informed about evolving privacy laws across jurisdictions.
- Adapt your compliance programs accordingly.
Invest in Automation and Training:
- Automate compliance processes where possible.
- Train internal teams on privacy best practices and legal obligations.
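For the "Honor GPC Signals" item above, one way to detect the signal server-side and treat it as an opt-out on every page (an added example, not Myna Partners' code). The `Sec-GPC` request header comes from the GPC specification; the tag list, the `sale_or_share` purpose label and the stored consent record are hypothetical.

```javascript
// Added example. TAGS, the "sale_or_share" purpose label and the stored
// consent record are constructed for illustration.
const TAGS = [
  { id: "first-party-analytics", purpose: "operational" },
  { id: "ad-pixel", purpose: "sale_or_share" },
  { id: "retargeting", purpose: "sale_or_share" },
];

// Browsers with GPC enabled send "Sec-GPC: 1" on every request. "1" is the
// only defined value; anything else is treated as no signal.
function gpcOptOut(headers) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === "sec-gpc");
  if (key === undefined) return false;
  return [].concat(headers[key]).some((v) => String(v).trim() === "1");
}

// Combine the per-request signal with any opt-out already on file.
// Assumption in this example: a banner "accept" never overrides GPC.
function resolveOptOut(headers, stored) {
  const gpc = gpcOptOut(headers);
  const optedOut = gpc || stored.optedOut === true;
  return { optedOut, source: gpc ? "gpc" : optedOut ? "stored" : "none" };
}

// Decide server-side which tags reach the page, so an opted-out visitor
// never receives the third-party script at all.
function tagsToRender(headers, stored) {
  const { optedOut } = resolveOptOut(headers, stored);
  return TAGS.filter((t) => !(optedOut && t.purpose === "sale_or_share"))
    .map((t) => t.id);
}

// Pages that differ by GPC must tell caches so, or a copy rendered for a
// non-GPC visitor can be served to a GPC visitor.
function responseHeaders() {
  return { Vary: "Sec-GPC" };
}

// Constructed requests for a quick run.
const accepted = { optedOut: false, bannerAccepted: true };
console.log(tagsToRender({ "Sec-GPC": "1" }, accepted));
console.log(tagsToRender({}, accepted));
```

Client-side scripts can read the same preference from `navigator.globalPrivacyControl`, which is useful for checking that tag managers loaded in the browser agree with the server's decision.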
The Business Case for Compliance
Compliance isn’t just about avoiding fines—it’s about maintaining trust. Studies show [6]:
- 94% of organizations report that customers would not buy from them if they failed to protect data.
- 71% of consumers would stop doing business with a company that mishandled their data.
- Companies with comprehensive compliance programs report 89% fewer violations.
How Myna Partners Can Help
At Myna Partners, we support organizations at every stage of their privacy compliance journey:
- Privacy Audits – Identify compliance gaps and risks.
- GPC Implementation Support – Configure systems to detect and respond to GPC signals.
- Policy & UX Reviews – Evaluate cookie banners, privacy notices, and opt-out flows.
- Regulatory Monitoring – Stay ahead of regulatory changes.
- Training & Enablement – Equip your teams with the knowledge to stay compliant.
Conclusion
The era of ‘set it and forget it’ privacy is over. Regulators are watching, and consumers are paying close attention. Organizations that fail to adapt risk more than fines—they risk their reputation and customer loyalty.
Now is the time to act. Contact Myna Partners to schedule a privacy readiness consultation.
References
[1] https://cppa.ca.gov/announcements/2025/20250909.html
[2] https://www.cisco.com/c/dam/en_us/about/doing_business/trust-center/docs/cisco-consumer-privacy-survey-2022.pdf
[4] https://cppa.ca.gov/announcements/2025/20250506.html
[5] https://cppa.ca.gov/announcements/2025/20250312.html
[6] https://www.usenix.org/system/files/usenixsecurity25-hausladen.pdf