Google activates privacy controls in Delaware and Oregon via GPC signals

Google announced on November 17, 2025, that it will begin processing Global Privacy Control signals for users in Delaware and Oregon, according to documentation in the Google AdSense Help Center. The implementation triggers Restricted Data Processing mode for ad requests originating from these states, expanding automated privacy controls to two additional jurisdictions.

The technical architecture processes GPC signals directly at the ad request level. When users in Delaware or Oregon activate Global Privacy Control through compatible browsers or extensions, Google's advertising systems automatically implement data handling restrictions without requiring publisher intervention. This automated approach marks the continuation of a pattern established across nine other states that implemented similar mechanisms in June 2025.

Delaware and Oregon join Colorado, Connecticut, Montana, Nebraska, New Hampshire, Texas, Minnesota, New Jersey, and Maryland in requiring platform recognition of universal opt-out mechanisms. These state privacy laws mandate that businesses honor browser-based signals indicating user preferences to opt out of data sales, sharing, or targeted advertising. The Global Privacy Control specification provides the technical standard enabling this communication between users and websites.

Both states enacted comprehensive privacy legislation with provisions requiring recognition of universal opt-out mechanisms. Delaware's Personal Data Privacy Act took effect January 1, 2025, while Oregon's consumer privacy law contains similar requirements for automated signal processing. The November 17 implementation date aligns with enforcement timelines established in state regulations.

The GPC specification enables web users to communicate tracking preferences through browser settings or dedicated extensions. When activated, browsers send standardized signals to websites indicating user preferences regarding data collection and sharing. Major browsers including Brave and DuckDuckGo support GPC natively, while Firefox offers the capability through settings configuration. Browser extensions from Privacy Badger, Disconnect, and other developers provide GPC functionality across additional platforms.

Google's Restricted Data Processing mode implements several technical limitations affecting how the advertising platform handles user information. The system restricts use of persistent identifiers for audience targeting and limits data sharing with demand-side platforms and third-party advertising partners. Cookie-based tracking becomes significantly constrained under RDP mode, with the platform relying instead on contextual signals and first-party data for ad serving decisions.

Publishers using Google AdSense will experience automatic compliance with user privacy preferences without requiring code modifications or manual intervention. The platform processes GPC signals transparently, activating RDP mode for affected ad requests while maintaining basic functionality including fraud detection and measurement capabilities. However, the shift to non-personalized advertising may affect publisher revenue, as contextual ads typically command lower prices in programmatic auctions compared to personalized advertisements.

Revenue implications extend beyond simple rate differences. When RDP mode activates, audience segmentation capabilities become substantially reduced. Advanced targeting features relying on demographic profiling, interest categorization, and behavioral analysis become unavailable for affected ad requests. This limitation directly impacts campaign effectiveness for advertisers while potentially decreasing monetization for content creators and publishers.

The advertising technology ecosystem has adapted to these privacy requirements through standardized frameworks. Adform announced Global Privacy Control support in July 2024, demonstrating industry-wide movement toward GPC compliance. The Interactive Advertising Bureau developed the Global Privacy Platform to address compliance requirements across multiple state privacy laws, providing technical infrastructure for managing jurisdictional requirements simultaneously.

Google AdSense also supports the IAB Tech Lab's Global Privacy Protocol National v2 strings, maintaining compatibility with both v1 and v2 formats. The protocol enables publishers using consent management platforms to transmit user privacy preferences through standardized string specifications. This dual-framework approach accommodates different technical implementations while ensuring consistent privacy protection.

The technical implementation distinguishes between GPC signals and GPP strings. GPC operates as a browser-level signal transmitted with each page request, while GPP strings encode detailed consent information managed through consent management platforms. Both mechanisms can trigger RDP mode, but operate through different technical pathways within Google's advertising systems.

Publishers maintaining account-level RDP settings saw those configurations automatically applied to traffic from Iowa, Delaware, New Jersey, Nebraska, and New Hampshire starting November 15, 2024. The November 17, 2025, update specifically addresses GPC signal processing for Delaware and Oregon, complementing existing account-level settings with browser-based signal recognition.

The expansion reflects accelerating privacy regulation across the United States. Fourteen state privacy laws were enforceable at the start of 2025, with additional legislation expected throughout the year. Each state law contains distinct requirements for consent collection, data sale opt-outs, and targeted advertising restrictions, creating complexity for publishers and advertising technology vendors operating across state boundaries.

Publishers should verify that privacy policies accurately disclose data processing practices under the expanded GPC framework. The automatic implementation eliminates technical burden but requires transparent communication regarding how user preferences affect advertising experiences. Publishers relying heavily on display advertising revenue may need to monitor performance metrics to understand how GPC adoption rates within their audiences affect overall monetization.

Content creators should consider revenue diversification strategies to reduce dependence on personalized advertising that may be affected by privacy control implementations. Alternative monetization approaches become increasingly important as privacy regulations expand across additional states and user adoption of privacy-protective technologies continues growing.

The Global Privacy Control specification was developed through collaboration between technologists, publishers, technology companies, browser vendors, academics, and civil rights organizations. The specification was initially spearheaded by Ashkan Soltani and Sebastian Zimmeck in partnership with major publishers including The New York Times, The Washington Post, and Financial Times, alongside technology companies like DuckDuckGo, Brave, Mozilla, and consumer advocacy organizations.

The specification moved through the World Wide Web Consortium's standardization process, with the Privacy Community Group initially introducing GPC in April 2020. The W3C Privacy Working Group adopted GPC as an official work item in November 2024, placing the specification in active standardization. This progression toward formal standard status increases pressure on websites and advertising platforms to honor GPC signals.

California's attorney general publicly endorsed the GPC specification, stating that the California Department of Justice was "encouraged to see the technology community developing a global privacy control in furtherance of the CCPA and consumer privacy rights." This regulatory support strengthens the specification's legitimacy as states implement universal opt-out mechanism requirements within privacy legislation.

The GPC signal communicates a "Do Not Sell or Share" request under California's Consumer Privacy Act and similar state privacy laws allowing users to opt out of data sales or cross-context targeted advertising. Under Europe's General Data Protection Regulation, the GPC signal conveys a request that data controllers limit sale or sharing of user personal data to other data controllers. This international scope extends GPC applicability beyond United States state laws.

Publishers must ensure their consent management platforms accurately interpret and process GPC signals according to jurisdictional requirements. Different legal frameworks impose distinct obligations regarding how platforms should respond to opt-out signals. California law treats GPC as a legally binding opt-out request, while GDPR implementations may interpret the signal differently based on specific processing activities and legal bases.

The November 17 implementation affects publishers with audiences in Delaware and Oregon immediately. Publishers should review their analytics to assess what percentage of their user base originates from these states and monitor how GPC signal prevalence affects advertising performance. Early data from states with existing GPC requirements can inform revenue forecasting and strategic planning.

Google's implementation approach prioritizes automation over manual publisher configuration. This design reduces compliance burden but limits publisher control over how privacy preferences affect advertising delivery. Publishers cannot selectively apply RDP mode or create exceptions for specific users, ensuring consistent privacy protection but potentially constraining revenue optimization strategies.

The advertising industry faces continued adaptation as privacy regulations proliferate. Beyond state-level legislation, federal privacy discussions continue in Congress, potentially creating nationwide standards that would supersede or complement state laws. Industry participants must balance compliance obligations with business viability, requiring ongoing investment in privacy-protective technologies and operational processes.

Timeline

• April 2020: Global Privacy Control specification introduced at W3C Privacy Community Group
• January 1, 2025: Delaware Personal Data Privacy Act takes effect
• June 30, 2025: Google expands privacy controls to eight US states including Connecticut, Montana, Nebraska, New Hampshire, Texas, Minnesota, New Jersey, and Maryland
• July 2024: Adform announces Global Privacy Control support
• August 2024: IAB Tech Lab adds six states to Global Privacy Platform including Delaware, Iowa, Nebraska, New Hampshire, New Jersey, and Tennessee
• October 2024: Google announces updates for five states with privacy laws effective January 2025
• October 6, 2025: Google AdSense adds support for Global Privacy Protocol National v2
• November 17, 2025: Google implements GPC signal processing for Delaware and Oregon
• November 2024: W3C Privacy Working Group adopts GPC as official work item

Summary

Who: Google AdSense platform implementing automated privacy controls affecting publishers with audiences in Delaware and Oregon, along with users in these states who activate Global Privacy Control through compatible browsers or extensions.

What: Implementation of Global Privacy Control signal processing that automatically triggers Restricted Data Processing mode for ad requests from Delaware and Oregon users, limiting personalized advertising, audience targeting capabilities, and data sharing with third-party partners.

When: November 17, 2025, marking the effective date when Google began processing GPC signals from these two states.

Where: Delaware and Oregon, expanding Google's GPC compliance beyond the nine states where universal opt-out mechanism provisions were implemented in June 2025.

Why: State privacy laws in Delaware and Oregon contain universal opt-out mechanism provisions requiring advertising platforms to honor browser-based signals indicating user preferences to opt out of data sales, sharing, or targeted advertising, with both states' comprehensive privacy legislation mandating automated signal recognition.