CPRA regulations (11 CCR § 7026) require businesses that honor opt-out preference signals to disclose in their privacy policy which signals they recognize. If your middleware.ts silently honors the GPC header (Sec-GPC: 1) but the privacy policy never mentions it, the disclosure requirement is violated even though the technical implementation is correct. California consumers have a right to know which browser-based signals they can use; they cannot benefit from GPC protection they do not know your site respects. This is a documentation gap, not a technical one, but it is independently enforceable.
Rated info because the violation is a disclosure omission in the privacy policy rather than a functional failure: consumers' opt-out preferences may still be honored in code even when this check fails.
Add an Opt-Out Preference Signals section to your privacy policy listing every universal opt-out mechanism you honor. This section is required by CPRA regulations even if GPC is the only signal you support.
## Opt-Out Preference Signals (add to privacy policy)

We recognize and honor the following universal opt-out preference signals:

**Global Privacy Control (GPC):** If your browser sends a Sec-GPC: 1 header, we automatically treat this as an opt-out of the sale or sharing of your personal information. No additional action is required.

GPC is available in Brave (built-in), Firefox (via privacy settings), and the Privacy Badger browser extension.

To opt out manually: /do-not-sell
Update the privacy policy's effective date after adding this section. If you later add support for IAB's Global Privacy Platform or other signals, add them here promptly — the disclosure obligation tracks the signals you honor.
ID: ccpa-readiness.opt-out.universal-opt-out-documentation
Severity: info
What to look for: CPRA's regulations require businesses to disclose in their privacy policy which universal opt-out preference signals they recognize (e.g., GPC). Check the privacy policy for a section that names the specific browser-based or device-based opt-out signals the business honors. This is a disclosure requirement separate from actually honoring the signals — even if GPC is being honored in code, the privacy policy must explicitly state that it is. Also check whether any other universal opt-out mechanisms are referenced (e.g., opt-out preference signals from Brave browser, Firefox with privacy.resistFingerprinting, or the IAB's Global Privacy Platform). Count all instances found and enumerate each.
Pass criteria: The privacy policy explicitly states which universal opt-out mechanisms (browser signals) the application recognizes, with GPC listed if it is honored. At least 1 implementation must be confirmed.
Fail criteria: GPC is honored in code but not disclosed in the privacy policy. Privacy policy makes no mention of browser-based opt-out signals.
Skip (N/A) when: Application does not honor any universal opt-out signals and does not sell or share PI.
Detail on fail: Example: "GPC signal handled in middleware.ts but privacy policy does not mention Global Privacy Control or any browser-based opt-out signals."
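The pass, fail and skip criteria above, expressed as a check over a privacy policy text. This is an added example, not the ccpa-readiness tool's own code; the input shape, the signal name list and the disclosure phrases it matches are assumptions made for illustration.

```typescript
// Added example (not the ccpa-readiness tool's own code): evaluates the
// pass / fail / skip criteria of this rule against a privacy policy text.
// All names, signatures and match phrases here are assumptions.
type Verdict = "pass" | "fail" | "skip";

interface CheckInput {
  honoredSignals: string[]; // signal names the code acts on, e.g. ["Global Privacy Control"]
  sellsOrSharesPI: boolean; // whether the business sells or shares personal information
  privacyPolicy: string; // plain text or markdown of the published policy
}

interface CheckResult {
  id: string;
  severity: "info";
  verdict: Verdict;
  disclosedSignals: string[];
  detail: string;
}

// Phrases a policy would plausibly use to name each universal opt-out signal.
const SIGNAL_PATTERNS: ReadonlyArray<{ name: string; pattern: RegExp }> = [
  { name: "Global Privacy Control", pattern: /global privacy control|\bGPC\b|sec-gpc/i },
  { name: "Global Privacy Platform", pattern: /global privacy platform|\bGPP\b/i },
];

function detectDisclosedSignals(policy: string): string[] {
  return SIGNAL_PATTERNS.filter((s) => s.pattern.test(policy)).map((s) => s.name);
}

function evaluateUniversalOptOutDisclosure(input: CheckInput): CheckResult {
  const id = "ccpa-readiness.opt-out.universal-opt-out-documentation";
  const disclosedSignals = detectDisclosedSignals(input.privacyPolicy);
  const base = { id, severity: "info" as const, disclosedSignals };
  // Skip (N/A): nothing is honored and no PI is sold or shared.
  if (input.honoredSignals.length === 0 && !input.sellsOrSharesPI) {
    return { ...base, verdict: "skip", detail: "No universal opt-out signals honored; no sale or sharing of PI." };
  }
  // Fail: a signal honored in code is not named in the policy.
  const undisclosed = input.honoredSignals.filter((s) => !disclosedSignals.includes(s));
  if (undisclosed.length > 0) {
    return { ...base, verdict: "fail", detail: `${undisclosed.join(", ")} honored in code but not disclosed in the privacy policy.` };
  }
  // Fail: the policy names no browser-based opt-out signal at all.
  if (disclosedSignals.length === 0) {
    return { ...base, verdict: "fail", detail: "Privacy policy makes no mention of browser-based opt-out signals." };
  }
  return { ...base, verdict: "pass", detail: `Policy discloses: ${disclosedSignals.join(", ")}.` };
}

// Constructed sample policy text for a stand-alone run (not a real policy).
const SAMPLE_POLICY = "## Opt-Out Preference Signals\nWe honor Global Privacy Control (Sec-GPC: 1).";
console.log(evaluateUniversalOptOutDisclosure({ honoredSignals: ["Global Privacy Control"], sellsOrSharesPI: true, privacyPolicy: SAMPLE_POLICY }));
```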
Remediation: Add a Universal Opt-Out Signals section to your privacy policy:

## Opt-Out Preference Signals (add to privacy policy)

We recognize and honor the following universal opt-out preference signals:

- **Global Privacy Control (GPC):** If your browser or browser extension sends a GPC signal (Sec-GPC: 1), we automatically treat this as a request to opt out of the sale or sharing of your personal information. No additional action is required on your part.

To enable GPC in your browser, you may use extensions such as Privacy Badger (EFF) or browsers with built-in GPC support such as Brave or Firefox with the appropriate privacy settings enabled.

If you prefer to submit an opt-out request manually, visit our [Do Not Sell or Share My Personal Information](/do-not-sell) page.