What Is Global Privacy Control?

Global Privacy Control (GPC) is an open web standard that allows users to communicate their privacy preferences — specifically, the desire to opt out of the sale or sharing of their personal data — to websites through a browser-level signal. It was developed as a practical, machine-readable alternative to the largely ignored Do Not Track (DNT) header.

Unlike DNT, GPC has legal weight. Under the California Consumer Privacy Act (CCPA) as amended by the CPRA, businesses are required to treat a GPC signal as a valid opt-out of sale and sharing of personal information. Several other U.S. state privacy laws and some interpretations of GDPR are moving in a similar direction.

How GPC Works Technically

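GPC sends a signal through two mechanisms, the HTTP request header and the JavaScript API. A third item, the support disclosure file, is how a site declares that it honors the signal: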

1. The HTTP Request Header

When a user has GPC enabled (via a browser setting or extension), every HTTP request includes:

Sec-GPC: 1

This header is sent to every site the user visits. A value of 1 means the user has asserted a GPC preference. The absence of the header means no preference has been expressed — not that the user consents to data sale.

2. The JavaScript API

Websites can also check for a GPC signal client-side using:

navigator.globalPrivacyControl

This returns true if GPC is active, false if it is explicitly not set, or undefined in browsers that don't support the API. Note: the absence of the property does not mean the user consents — it means the browser hasn't implemented the API yet.

3. The GPC Support Disclosure (/.well-known/gpc.json)

Websites that honor GPC should publish a disclosure file at /.well-known/gpc.json. This is a machine-readable declaration of support. A minimal example:

{
  "gpc": true,
  "lastUpdate": "2024-06-01"
}

The gpc field set to true indicates the site respects the GPC signal. This file allows automated tools, regulators, and researchers to verify compliance programmatically.

Legal Context: CCPA/CPRA and Beyond

The California Privacy Rights Act (CPRA) explicitly recognized GPC as a valid opt-out mechanism. This means:

  • Businesses subject to CCPA/CPRA must process a GPC signal as equivalent to a user clicking "Do Not Sell or Share My Personal Information."
  • The signal must be honored without requiring additional steps from the user (e.g., you cannot require them to also click a button on your cookie banner).
  • Violations can result in enforcement action from the California Privacy Protection Agency (CPPA).

Colorado, Connecticut, and other states with privacy laws are increasingly referencing universal opt-out mechanisms in ways that encompass GPC. Global scope is expanding.

What Developers Need to Implement

  1. Detect the signal server-side: Check for the Sec-GPC: 1 header on incoming requests. This is the most reliable detection method.
  2. Detect client-side where needed: Use navigator.globalPrivacyControl for client-rendered applications or tag management scenarios.
  3. Suppress data sharing: When GPC is detected, do not pass user identifiers or behavioral data to third-party ad networks, data brokers, or analytics platforms that constitute "sale or sharing" under applicable law.
  4. Adjust consent management: Integrate GPC detection into your Consent Management Platform (CMP) logic. GPC should pre-populate opt-out status.
  5. Publish /.well-known/gpc.json: Declare your support publicly and keep the lastUpdate date current.
  6. Document your handling: Update your privacy policy to describe how you honor GPC.
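
Steps 1, 3, 4 and 5 above, sketched as an added example for a Node.js backend (not code from the GPC specification or any library). The function names, the vendor list and the storedOptOut flag are hypothetical.

```javascript
// Added example: gpcAsserted, resolveOptOut, vendorsToLoad, gpcDisclosure and
// the vendor list are hypothetical names, not from any spec or library.

// Node lowercases incoming header names. Only the exact value "1" asserts a
// preference; a missing or malformed header means "no preference expressed".
function gpcAsserted(headers) {
  const raw = headers['sec-gpc'];
  const value = Array.isArray(raw) ? raw[0] : raw;
  return typeof value === 'string' && value.trim() === '1';
}

// Combine the signal with an opt-out already stored by the CMP. GPC can only
// add an opt-out; its absence never clears a stored one.
function resolveOptOut(headers, storedOptOut) {
  const gpc = gpcAsserted(headers);
  return {
    optedOut: gpc || storedOptOut === true,
    source: gpc ? 'gpc' : storedOptOut === true ? 'stored' : 'none',
    // Responses that differ by the signal must not be served from a shared
    // cache to a user who sent a different value.
    responseHeaders: { Vary: 'Sec-GPC' },
  };
}

// Drop vendors flagged as "sale or sharing" when opted out. With no opt-out
// this filter removes nothing; other consent rules still apply upstream.
function vendorsToLoad(vendors, decision) {
  return vendors
    .filter((v) => !(decision.optedOut && v.saleOrSharing))
    .map((v) => v.name);
}

// Body for /.well-known/gpc.json, with lastUpdate as YYYY-MM-DD.
function gpcDisclosure(date) {
  return JSON.stringify({ gpc: true, lastUpdate: date.toISOString().slice(0, 10) });
}

// Constructed sample data.
const VENDORS = [
  { name: 'first-party-metrics', saleOrSharing: false },
  { name: 'ad-network', saleOrSharing: true },
  { name: 'data-broker-sync', saleOrSharing: true },
];
const withGpc = resolveOptOut({ 'sec-gpc': '1' }, false);
const noSignal = resolveOptOut({}, false);
console.log(withGpc.source, vendorsToLoad(VENDORS, withGpc));
console.log(noSignal.source, vendorsToLoad(VENDORS, noSignal));
console.log(gpcDisclosure(new Date(Date.UTC(2024, 5, 1))));
```

The saleOrSharing flag per vendor is a classification the site has to make itself under applicable law; the code only enforces it.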

GPC vs. Do Not Track: Why GPC Is Different

| Aspect | Do Not Track (DNT) | Global Privacy Control (GPC) |
|---|---|---|
| Legal basis | None — voluntary only | Legally recognized under CCPA/CPRA |
| Adoption | Largely ignored by industry | Growing compliance requirement |
| Mechanism | HTTP header only | HTTP header + JS API + well-known file |
| Specificity | Vague "do not track" request | Specific: opt-out of sale/sharing |

GPC represents a maturation of the privacy signal concept — binding it to legal frameworks, giving it technical specificity, and providing verifiable disclosure mechanisms. For any site processing personal data of California residents, honoring GPC is not optional.