Privacy Sweep Alert: Global Privacy Control Enforcement Goes Multi-State

Three states just sent a clear message to businesses: honor consumer privacy rights or expect an investigation. On September 9, California, Colorado, and Connecticut announced a coordinated privacy sweep targeting companies that are ignoring requests to stop selling or sharing personal data. Their focus is on Global Privacy Control, known as GPC, a simple browser setting or extension that automatically tells every website a consumer visits that they do not want their information sold or shared.

This is a big deal because it shows that privacy enforcement is no longer a single-state issue. Regulators are working together to check whether businesses are complying, and ignoring GPC could now draw attention from multiple states at once.

GPC works like a universal “Do Not Sell My Data” switch. When enabled on a browser or through a privacy plug-in, the GPC automatically sends a signal to websites not to sell or share user data, relieving consumers of the burden of having to click on the ''do not sell'' button on every individual website they visit.

If your business is covered by California Consumer Privacy Act (CCPA), or the similar laws in Colorado and Connecticut, you must detect this signal and process it as an opt-out request. Failure to do so can be considered a violation.

Consumers still have another option. They can go to a business website and look for the “Do Not Sell or Share My Personal Information” link, which the law requires to be clear and easy to find. They do not need to create an account, and businesses can only request enough information to confirm that they are processing the request for the correct person.

Several other states already require businesses to honor similar opt-out rights, including New Hampshire, Montana, Nebraska, New Jersey, Minnesota, and Texas. More states are joining soon, with Maryland’s law taking effect October 1 and Delaware and Oregon going live January 1, 2026.

For businesses, this joint announcement is a warning and an opportunity. Now is the time to make sure your privacy policy accurately explains how consumers can opt out, confirm that your website is set up to honor GPC signals, and test your opt-out process to make sure it works. Doing this now helps reduce the risk of an enforcement letter later.