Global Privacy Control (GPC) is a browser-level setting that automatically tells websites not to sell or share a user’s personal data. It acts as a single, universal signal to exercise privacy rights across the web without clicking individual "Do Not Sell" links on every site. For marketers and SEOs, GPC represents a legally enforceable preference that directly impacts data collection and targeted advertising.
What is Global Privacy Control?
GPC is a technical specification that allows users to notify businesses of their privacy preferences via their browser or a browser extension. Unlike previous attempts at privacy signaling, GPC is designed to have legal force under specific regional privacy regulations.
The protocol conveys a user's intent to opt out of data sales or the use of their data for cross-context targeted advertising. While initially developed by privacy researchers and organizations like the Electronic Frontier Foundation (EFF) and DuckDuckGo, it is now an official work item of the W3C Privacy Working Group for global standardization.
Why Global Privacy Control matters
- Legal Compliance: In jurisdictions like California, Connecticut, and Colorado, ignoring GPC signals can lead to significant legal penalties.
- Enforcement Risk: State authorities have already issued fines to companies that fail to process GPC-based opt-out requests.
- User Reach: Over 150 million users currently use browsers or extensions that support the GPC signal (source: Global Privacy Control).
- Publisher Adoption: Major publishers, including the New York Times and Washington Post, already recognize and respect the signal on their platforms.
- Widespread Integration: The signal is active on over 66,000 websites where users exercise their privacy rights (source: Global Privacy Control).
How Global Privacy Control works
GPC functions through two primary technical mechanisms: one read by a website's server and one read by its client-side scripts. A third item, the support resource, lets a site state whether it complies.
1. The HTTP Header
When a user visits a site, their browser sends an HTTP header named Sec-GPC. This header carries a value of 1, which indicates the user is exercising their opt-out rights. This value is fixed and cannot be extended.
2. The JavaScript Property
Websites can also detect the signal using JavaScript by checking the navigator.globalPrivacyControl property. If this property is set to true, the site must treat the session as an opt-out request.
3. Server-Side Verification
Websites can indicate their compliance by hosting a JSON file at the well-known URI /.well-known/gpc.json. This file contains a boolean gpc member (true or false) that signals whether the server complies with GPC requests, and a lastUpdate field.
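The three mechanisms above can be tied together on the server as in the following sketch. It is an added example, not code from the GPC specification or from any vendor; the tag inventory, function names and date value are hypothetical, and header names are assumed to arrive lowercased.

```javascript
// Added example; every name here is hypothetical, not a real CMP or framework API.

// Constructed tag inventory: which scripts sell or share data with third parties.
const TAGS = [
  { id: "first-party-analytics", sellsOrShares: false },
  { id: "ad-network-pixel", sellsOrShares: true },
  { id: "social-retargeting", sellsOrShares: true },
];

// Server side: only the exact value "1" counts. Header names are assumed to be
// lowercased already, as Node's http module delivers them.
function gpcOptOut(headers) {
  const raw = headers["sec-gpc"];
  return typeof raw === "string" && raw.trim() === "1";
}

// Client side: same decision from the JavaScript property. The navigator
// object is passed in so the function also runs outside a browser.
function gpcOptOutClient(nav) {
  return nav != null && nav.globalPrivacyControl === true;
}

// Decide what to render for one request.
function planResponse(headers) {
  const optedOut = gpcOptOut(headers);
  return {
    optedOut,
    // Drop every sell/share tag for opted-out visitors; keep the rest.
    tags: TAGS.filter((t) => !(optedOut && t.sellsOrShares)).map((t) => t.id),
    // Output depends on the header, so shared caches must key on it.
    responseHeaders: { Vary: "Sec-GPC" },
  };
}

// Body to serve at /.well-known/gpc.json. The date format is an assumption.
function gpcSupportResource(lastUpdate) {
  return JSON.stringify({ gpc: true, lastUpdate });
}

console.log(planResponse({ "sec-gpc": "1" }));
console.log(planResponse({}));
console.log(gpcSupportResource("2025-01-01")); // constructed date
```

The Vary response header matters when a CDN or reverse proxy sits in front of the site: without it, a cached page rendered for a visitor without the signal could be served to one who sent it.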
Global Privacy Control vs. Do Not Track
| Feature | Do Not Track (DNT) | Global Privacy Control (GPC) |
|---|---|---|
| Status | Deprecated / Discontinued | Active / Proposed W3C Standard |
| Legal Force | Lacked regulatory backing | Legally required in multiple US states |
| Adoption | Widely ignored by third parties | Backed by CA Attorney General and state laws |
| Enforcement | No recorded legal penalties | Basis for million-dollar settlements |
Best practices
Check your browser support. Many browsers like Brave and DuckDuckGo have GPC on by default. Firefox users can enable it through the "Website Privacy Preferences" section in settings.
Implement the GPC Support Resource. Host a gpc.json file in your .well-known directory. This tells automated systems and regulators that your site recognizes and intends to comply with the signal.
Sync GPC with your Consent Management Platform (CMP). Ensure your CMP or tag manager is configured to stop data-sharing scripts (like tracking pixels) as soon as the GPC signal is detected.
Monitor state-level updates. States such as New Jersey began requiring businesses to respect universal opt-out mechanisms like GPC as of July 15, 2025 (source: Wikipedia).
Common mistakes
Mistake: Treating GPC as "just another" Do Not Track signal. Fix: Recognize that GPC carries legal weight under the CCPA and CPA, unlike the older DNT header.
Mistake: Requiring users to click a "Do Not Sell" link after they have already enabled GPC. Fix: Configure your site to automatically process the opt-out for any user with the signal active.
Mistake: Assuming only California businesses need to care. Fix: Multiple states, including Colorado, Connecticut, and New Jersey, now mandate GPC support.
Mistake: Using Chrome and thinking the signal is broken. Fix: Google Chrome does not natively support GPC yet; use an extension like Privacy Badger or a supported browser like Firefox or Brave to test implementation.
Examples
Example scenario: Retail Compliance. A major retailer receives a GPC signal from a visitor's browser. Instead of showing the user a cookie banner or asking them to find an opt-out link, the retailer’s site automatically disables all third-party marketing pixels for that session.
Example scenario: Legal Enforcement. Failure to respect these signals has led to high-profile actions. For instance, Sephora paid a $1.2 million settlement for allegedly failing to process opt-out requests via GPC (source: Wikipedia). More recently, the California Attorney General secured a $1.55 million settlement from Healthline.com for failing to allow consumers to opt out of targeted advertising and sharing data without CCPA-mandated protections (source: Wikipedia).
FAQ
Is GPC legally required in the EU under GDPR?
The GPC signal is intended to convey a general request to limit data sharing under GDPR Articles 7 and 21. It acts as a way for users to notify data controllers that they wish to limit the sale or sharing of their personal information to other controllers.
Which browsers support GPC natively?
Brave and DuckDuckGo support GPC by default. Mozilla Firefox added the feature starting in version 120, though users must enable it in their privacy settings. Chrome and Microsoft Edge do not support it natively at this time.
How do I test if my website sees the GPC signal?
You can use a supported browser and check the developer console for the navigator.globalPrivacyControl property or inspect the network request headers for Sec-GPC: 1.
Can I use GPC through an extension?
Yes. Extensions like Privacy Badger (by EFF), Disconnect, and DuckDuckGo Privacy Essentials can enable the GPC signal for browsers that do not support it natively, such as Google Chrome.
Is the GPC signal the same as a cookie consent banner?
No. While a cookie banner usually asks for permission to set cookies, GPC is a proactive signal from the user saying "do not sell or share my data." Regulations increasingly require sites to respect this signal as a valid opt-out without further user interaction.