Identify which state privacy laws apply to your user base; note that the Connecticut Data Privacy Act (CTDPA) became effective July 1, 2023 — do not treat October 1, 2023 as the base effective date (that date applies only to the consumer-health data amendments).
Detect the Global Privacy Control (GPC) signal by reading the Sec-GPC: 1 HTTP request header or navigator.globalPrivacyControl in the browser.
Map the GPC signal to the applicable opt-out right under each state law (opt-out of sale/sharing in California CPRA; opt-out of sale in CTDPA, Virginia VCDPA, Colorado CPA, etc.).
Suppress data sale, targeted advertising, and profiling processing for users whose signal is detected, and record the opt-out preference for downstream enforcement.
Maintain state-specific compliance records and revisit effective dates and scope whenever state legislatures pass amendments.
Known gotchas
The CTDPA's general effective date is July 1, 2023; the October 1, 2023 date is specific to consumer-health data amendments — conflating them causes compliance gaps.
GPC is a legally recognized opt-out signal under California CPRA and Colorado CPA; other states are evolving — verify current guidance for each jurisdiction.
Opt-out obligations differ in scope by state (sale only vs. sale + sharing + profiling); a single suppression flag is unlikely to satisfy all states without mapping.
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp