Global Privacy Control (GPC) is a browser-level signal that tells websites a user does not want their personal information sold or shared. Multiple US state laws now legally require honoring it, and the EU is watching closely. If you're not detecting and respecting GPC, you may already be violating the law.
What Is Global Privacy Control?
GPC is a technical specification (developed by the GPC consortium) that adds a single signal to web requests. When enabled, the browser sends Sec-GPC: 1 in HTTP headers and sets navigator.globalPrivacyControl = true in JavaScript.
It's the successor to the failed "Do Not Track" (DNT) header. Unlike DNT, GPC has legal backing — multiple US state laws explicitly require businesses to treat it as a valid opt-out request.
Which Laws Require Honoring GPC?
| Jurisdiction | Law | GPC Requirement | Effective |
|---|---|---|---|
| California | CCPA/CPRA | Must honor as opt-out of sale/sharing | Jan 2023 |
| Colorado | CPA | Must honor as universal opt-out | Jul 2024 |
| Connecticut | CTDPA | Must honor as opt-out signal | Jan 2025 |
| Texas | TDPSA | Must honor universal opt-out mechanisms | Jul 2024 |
| Montana | MCDPA | Must honor opt-out preference signals | Oct 2024 |
| Oregon | OCPA | Must honor opt-out preference signals | Jul 2024 |
| Delaware | DPDPA | Must honor universal opt-out | Jan 2025 |
| New Jersey | NJDPA | Must honor opt-out signals | Jan 2025 |
| EU/EEA | GDPR/ePrivacy | Not required yet, but being evaluated | TBD |
Who Needs to Implement GPC?
Any business that falls under the above state laws and engages in:
- Selling personal information (including ad-supported business models)
- Sharing personal information for cross-context behavioral advertising
- Targeted advertising based on user behavior across sites
- Profiling consumers for decisions with legal or significant effects
If you run Google Analytics, Meta Pixel, LinkedIn Insight Tag, or any advertising tracker, you likely need to honor GPC.
How to Detect the GPC Signal
GPC is transmitted via two channels:
JavaScript Detection
Check the GPC signal in the browser:
navigator.globalPrivacyControl — returns true if GPC is enabled, false or undefined otherwise
Example implementation pattern:
- Check navigator.globalPrivacyControl === true before loading any tracking scripts
- If GPC is enabled, suppress advertising and cross-site tracking cookies
- Still allow essential cookies and first-party analytics if not sharing data
HTTP Header Detection
The browser sends the header Sec-GPC: 1 with every request. Your server can check this header to suppress tracking before any JavaScript executes.
- Check for the Sec-GPC header in your middleware or server-side code
- If present and set to 1, treat as an opt-out of sale/sharing
- This is the most reliable method — works even if JavaScript is blocked
What to Do When GPC Is Detected
- Do not load advertising trackers (Meta Pixel, Google Ads, LinkedIn Insight Tag)
- Do not share data with third parties for behavioral advertising
- Do not set cross-site tracking cookies
- Do allow essential cookies (session, cart, security)
- Do allow first-party analytics (if not sharing data with third parties)
- Do suppress the "sale/sharing" category in your CMP
- Do log the GPC signal for compliance records
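The detection and response rules above, as an added example that is not part of the original article: it reads the signal from either channel, applies the rule listed under Common Mistakes that GPC overrides a banner "accept" for sale/sharing only, and builds a compliance record. All function names, category keys and the tag inventory are hypothetical, and the sample request is constructed.

```javascript
'use strict';
// Added example. Function names and category keys are hypothetical.

// Sec-GPC is honored only when its value is exactly "1".
// Node lower-cases incoming header names, so look up "sec-gpc".
function gpcFromHeaders(headers) {
  const raw = headers['sec-gpc'];
  const value = Array.isArray(raw) ? raw[0] : raw;
  return typeof value === 'string' && value.trim() === '1';
}

// Browser-side check; pass `navigator`. false or undefined mean no signal.
function gpcFromNavigator(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// GPC overrides a banner "accept" for sale/sharing only;
// essential cookies and first-party analytics are unaffected.
function resolveConsent(banner, gpc) {
  return {
    essential: true,
    firstPartyAnalytics: banner.firstPartyAnalytics === true,
    saleSharing: !gpc && banner.saleSharing === true,
  };
}

// Names of the tags that may load under the resolved consent.
function allowedTags(tags, consent) {
  return tags.filter((t) => consent[t.category] === true).map((t) => t.name);
}

// Record of the signal and the response, for compliance logs.
function complianceRecord(gpc, consent, now = new Date()) {
  return { at: now.toISOString(), gpcDetected: gpc, saleSharingAllowed: consent.saleSharing };
}

// Constructed sample data: a tag inventory and a request from a GPC browser
// whose user clicked "accept all" on the cookie banner.
const TAGS = [
  { name: 'session-cookie', category: 'essential' },
  { name: 'first-party-analytics', category: 'firstPartyAnalytics' },
  { name: 'meta-pixel', category: 'saleSharing' },
  { name: 'google-ads', category: 'saleSharing' },
];
const sampleHeaders = { 'sec-gpc': '1', 'user-agent': 'constructed-sample' };
const banner = { firstPartyAnalytics: true, saleSharing: true };

const gpc = gpcFromHeaders(sampleHeaders);
const consent = resolveConsent(banner, gpc);
console.log(allowedTags(TAGS, consent), complianceRecord(gpc, consent));
```

Running the same decision on the server, before any markup is rendered, keeps advertising tags out of the page entirely instead of relying on client-side script to block them.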
Which Browsers Support GPC?
| Browser | GPC Support | Default Setting |
|---|---|---|
| Firefox | Yes (built-in) | Off (user enables in settings) |
| Brave | Yes (built-in) | On by default |
| DuckDuckGo | Yes (built-in) | On by default |
| Chrome | Via extensions | Not built-in |
| Safari | No native support | N/A |
| Edge | Via extensions | Not built-in |
Brave sends GPC with every request by default, meaning a significant portion of privacy-conscious users are already transmitting the signal. As more states mandate GPC, browser adoption will increase.
GPC vs. "Do Not Track" (DNT)
| Feature | Do Not Track (DNT) | Global Privacy Control (GPC) |
|---|---|---|
| Legal backing | None (voluntary) | Required by 8+ US state laws |
| Industry adoption | Widely ignored | Growing rapidly |
| Specificity | Vague ("do not track me") | Specific ("do not sell/share") |
| Enforcement | None | FTC + state AGs actively enforcing |
| Status | Deprecated by W3C | Active specification |
Common Mistakes
- Ignoring it: Some businesses assume GPC isn't enforced. Sephora was fined $1.2 million by the California AG partly for not honoring GPC.
- Overriding with cookie banner: If a user accepts cookies via your banner but has GPC enabled, GPC takes precedence for sale/sharing in California.
- Treating it as "opt-out of everything": GPC specifically relates to sale/sharing, not all processing. First-party analytics may continue.
- Not logging it: Record when GPC is detected and how you responded for compliance documentation.
Next Steps
Check whether your website detects and respects GPC. PrivacyChecker tests your site's response to the GPC signal and identifies third-party scripts that may be sharing data in violation of user preferences. Run a free scan to see your current status.