API-Layer GPC Decisions

If a regulator asked what happened to a GPC signal last Tuesday, could your team show it?

GPCGuard validates requests sent to your API endpoint, records structured decision evidence for processed GPC requests, and fails closed when validation cannot complete.

CategoryNot a CMP replacement. The evidence layer for GPC signal handling.

See a decision recordStart freeDecision model →

Source-tracked

Jurisdiction status table

Per-signal

Structured decision records

Fail-closed

Default endpoint posture

Decision Records

Structured evidence for each GPC request GPCGuard processes.

Each request processed by the GPCGuard endpoint can create a tenant-scoped decision record for the endpoint decision path. Drill into these synthetic rows to inspect the signal source, decision outcome, policy flags, and configured compliance label in a dashboard-like format.

GPCGuard provides the decision record. To complete enforcement, customers must wire HONORED decisions to tag managers, CMPs, CDPs, server-side events, and ad partners.

HONOREDSignal validated — policy applied, decision recorded for the processed request. Wire to your data stack to suppress downstream flows.
DENIEDValidation failed — fail-closed. Decision still recorded. Investigate configuration.
NO SIGNALRequest processed, but no GPC opt-out was observed. This is not an opt-out-honored event.
signal_idsignal_sourcedecision_outcomegpc_enabledpolicycompliance_standard
See synthetic sample evidence →

↓ Click any row to inspect the full decision record — field-by-field. Sample data, clearly labeled.

Signal IDSignal
Example records

↑ Synthetic examples · representative decision-record structure

Live demo records · verify-contract.com · 2026-04-11

LIVE
Signal IDDecisionReasonSourceTimestamp
ce7a0a67
ACKNOWLEDGEDgpc_opt_out_honoredSec-GPC header2026-04-11T08:14:22Z
8c98f1df
ACKNOWLEDGEDno_gpc_signal_detectedheader absent2026-04-11T08:14:23Z
7356c7f4
DENIEDrejectedSec-GPC header2026-04-11T08:14:24Z
d6ab6b53
DENIEDmissing_api_keyno origin2026-04-11T08:14:25Z
89333831
DENIEDinvalid_api_keyno origin2026-04-11T08:14:26Z

Real decision records from GPCGuard's own demo tenant. Not synthetic.

Same structure as your live dashboard.

Architecture

Four steps. One clear decision path.

Requests processed by your GPCGuard endpoint pass through a deterministic guard chain, producing structured decision outcomes with explicit HONORED / DENIED states.

01 / 04

Detect

The generated embed or SDK sends a request to your GPCGuard endpoint, where the incoming signal is evaluated for that site.

02 / 04

Validate

Fail-closed guards verify site configuration, origin, active status, DPA acceptance, and circuit state before the request can continue.

03 / 04

Decide

The endpoint returns a structured policy decision — HONORED when the signal is valid and policy is applied, DENIED when a compliance-critical guard fails. Wire the HONORED outcome to your tag manager, CDP, and ad partners to suppress downstream data flows.

04 / 04

Record

Processed signal requests create structured decision records that operators can review in logs and dashboard evidence views.

Comparison

The enforcement layer below your CMP.

Many CMPs can detect or honor GPC, and some publish audit or reporting features. GPCGuard is designed for teams that need request-level API guard-chain records and downstream handoff evidence below or alongside their CMP.

How this fits with your CMP

CMP

Handles banners, preference collection, and opt-in flows at the UI layer.

GPCGuard

Validates GPC signals and records structured evidence at the API layer.

Together

Use both when you need proof of what happened to each GPC request.

Typical CMP implementation

Banner-layer · preference collection · GPC banner suppression

  • May detect or honor GPC and may suppress banners or update preference state for GPC users.
  • May not expose request-level guard-chain evidence.
  • May require separate engineering work for server-side, CDP, and ad-partner suppression.
  • Often stores preference records at the banner/preference layer rather than the API decision path.

GPCGuard

API-layer · request-level guard chain · decision records

  • Validates requests sent to the GPCGuard endpoint against domain, origin, DPA acceptance, and circuit posture before recording policy decisions.
  • Issues HONORED or DENIED outcomes with structured request-level records designed to support audit and investigation workflows.
  • Sits below your CMP — not a replacement. Wire HONORED decisions to your tag manager, CDP, and ad partners to suppress downstream data flows.
  • Fails closed for compliance-critical validation failures such as unknown origins, inactive sites, missing DPA acceptance, or circuit-open states.
gpcguard · embed
<!-- GPCGuard embed — generated per site after DPA acceptance -->
<script
  src="https://<project-ref>.supabase.co/storage/v1/object/public/public/gpc-sdk.js"
  data-endpoint="https://<project-ref>.supabase.co/functions/v1/gpc-signal"
  data-domain="<your-domain>"
  data-show-notification="true"
  async>
</script>
Paste after the opening <body> tag on your target domain

Integration

Generated snippet first. Full enforcement depends on your stack.

GPCGuard onboarding mirrors the actual product surface: create a site, accept the DPA, retrieve the generated snippet, then verify endpoint decisions in the analytics and evidence views. Many teams can install the snippet quickly. Complete rollout includes verifying how HONORED decisions flow into your CMP, tag manager, CDP, server-side events, and ad partners.

01

Create a site, accept the DPA

The embed snippet is generated by the dashboard only after the Data Processing Agreement is accepted for the site.

02

Install the generated snippet

Copy the snippet from the site detail page and place it on your domain so supported browsers can call your configured GPCGuard endpoint. Your endpoint is tenant-isolated — signal data from your sites is never readable across tenants.

03

Verify signals inside the product

After installation, inspect decision records and analytics from the same operator flow that generated the snippet.

Compliance Coverage

Jurisdiction coverage, stated plainly.

GPCGuard tracks public universal opt-out and GPC sources separately from product-support status. Supported and beta entries describe the API-layer evidence workflow; they do not mean every customer, data flow, or downstream partner is automatically covered.

This table describes GPCGuard product-support status and public source tracking. It is not legal advice. Applicability depends on the customer's role, processing activities, consumer location, data flows, and legal counsel's interpretation.

CA

California

CCPA / CPRA

Supported
Signal terminology
Global Privacy Control / user-enabled global privacy control
Effective date tracked
Current CCPA/CPRA regulations; 2026 CCPA updates reviewed separately
Public-source summary
California DOJ states that covered businesses that sell or share personal information must honor GPC as a valid opt-out request.
Product note
Supported means GPCGuard can produce API-layer sale/share decision records for configured sites. Customers still confirm applicability, notices, and downstream suppression with counsel.
California DOJ GPC pageReviewed 2026-05-04

CO

Colorado

Colorado Privacy Act

Beta
Signal terminology
Universal Opt-Out Mechanism (UOOM); GPC recognized
Effective date tracked
2024-07-01 for UOOM acceptance by covered controllers
Public-source summary
Colorado recognizes GPC as a UOOM for sale and targeted-advertising opt-outs under the CPA framework.
Product note
Beta because GPCGuard records API-layer sale and targeted-advertising policy outcomes, but state-specific notice, residency, and downstream enforcement validation remain customer work.
Colorado Attorney General UOOM listReviewed 2026-05-04

CT

Connecticut

Connecticut Data Privacy Act

Beta
Signal terminology
Opt-Out Preference Signal (OOPS)
Effective date tracked
2025-01-01 for OOPS recognition
Public-source summary
Connecticut AG guidance states covered controllers must honor qualifying opt-out preference signals for sale and targeted advertising.
Product note
Beta because GPCGuard can record the endpoint decision and targeted-advertising flag, while Connecticut-specific consumer-location and downstream handoff review remains customer/legal work.
Connecticut AG CTDPA guidanceReviewed 2026-05-04

NJ

New Jersey

New Jersey Data Privacy Act

Beta
Signal terminology
User-selected universal opt-out mechanism
Effective date tracked
2025-07-15 for universal opt-out mechanism support
Public-source summary
New Jersey law requires covered controllers that process for sale or targeted advertising to allow opt-out through a qualifying universal opt-out mechanism.
Product note
Beta because product evidence fields align with sale and targeted-advertising outcomes, but New Jersey residency and any Division of Consumer Affairs technical-rule updates need customer/legal review.
New Jersey P.L. 2023, c.266Reviewed 2026-05-04

OR

Oregon

Oregon Consumer Privacy Act

Planned
Signal terminology
Universal Opt-Out / opt-out preference signal
Effective date tracked
2026-01-01 for universal opt-out signals
Public-source summary
Oregon DOJ states covered businesses and nonprofits must honor opt-out signals that meet technical requirements.
Product note
Planned because Oregon adds nonprofit and precise-location considerations outside the current self-serve evidence workflow.
Oregon DOJ Consumer Privacy pageReviewed 2026-05-04

DE

Delaware

Delaware Personal Data Privacy Act

Planned
Signal terminology
Universal opt-out mechanism
Effective date tracked
2026-01-01 for universal opt-out mechanism recognition
Public-source summary
Delaware DOJ FAQ says universal opt-out mechanisms must be recognized by covered controllers as valid consumer requests.
Product note
Planned because GPCGuard has not published Delaware-specific validation, notice, or workflow guidance for self-serve customers.
Delaware DOJ DPDPA FAQReviewed 2026-05-04

MN

Minnesota

Minnesota Consumer Data Privacy Act

Legal review pending
Signal terminology
Opt-out preference signal / universal opt-out mechanism
Effective date tracked
2025-07-31 for most covered controllers
Public-source summary
Minnesota statute requires controllers to allow opt-out through an opt-out preference signal for targeted advertising or sale.
Product note
Legal review pending because the statute includes consumer-residence determination language and recognition of other state-approved signals; GPCGuard does not yet publish Minnesota-specific product guidance.
Minnesota Revisor Stat. 325M.14Reviewed 2026-05-04

TX

Texas

Texas Data Privacy and Security Act

Legal review pending
Signal terminology
Authorized-agent opt-out technology / browser setting
Effective date tracked
2025-01-01 for authorized-agent technology provisions
Public-source summary
Texas law allows consumers to designate an authorized agent using technology such as a browser setting or extension for sale and targeted-advertising opt-outs.
Product note
Legal review pending because Texas includes authorized-agent, residency verification, and ability-to-process conditions that GPCGuard does not currently evaluate on behalf of customers.
Texas Business & Commerce Code Chapter 541Reviewed 2026-05-04

Sample evidence pack

Synthetic JSON, CSV, and packet examples show the kind of records GPCGuard is designed to produce.

View samples

Decision model

Public docs explain the ordered guard chain, API-layer boundary diagram, and common response contracts.

Read docs

Security overview

The product publishes its current security posture without claiming certifications the infrastructure does not hold.

Review posture

Architecture commitments

Non-negotiable boundaries — guard-order preservation and JWT + RLS tenant isolation — are documented publicly.

See commitments
Product status: supported / beta / planned / legal review pending — see decision model for API-layer boundaries

Get Started

Your team should be able to show what happened to processed GPC requests.

Connect a site, install the embed, and see your first structured decision record — HONORED or DENIED, with guard-chain context. Free to start.

See a decision recordStart free →Talk to us →

No credit card required · Free tier includes 3 sites and 10,000 processed requests/month · Enterprise terms available