What Is Global Privacy Control?
Global Privacy Control (GPC) is a technical specification that allows users to communicate a universal opt-out from the sale or sharing of their personal data to every website they visit — automatically, without clicking through cookie banners on each site individually.
GPC works as an HTTP header (Sec-GPC: 1) sent by the browser, and as a JavaScript property (navigator.globalPrivacyControl === true) readable by web pages. When a user enables GPC in their browser or privacy extension, this signal is broadcast to every site they visit.
The Legal Foundation
GPC isn't just a courtesy signal — in several jurisdictions, it carries legal weight:
- California (CCPA/CPRA): The California Privacy Protection Agency (CPPA) has confirmed that GPC constitutes a valid "opt-out of sale" signal under the CCPA. Businesses subject to CCPA must honor it.
- Colorado Privacy Act (CPA): Colorado's law explicitly requires businesses to honor universal opt-out mechanisms, and GPC qualifies.
- Connecticut, Montana, Texas: Several other U.S. state privacy laws also require honoring opt-out preference signals.
- GDPR (EU): While GDPR doesn't explicitly mandate GPC, regulators have encouraged treating it as a valid withdrawal of consent signal. Enforcement guidance varies by member state.
How GPC Works Technically
The HTTP Header
When GPC is enabled, browsers include the following header in every HTTP request:
Sec-GPC: 1
Your server can read this header and adjust data processing accordingly — skipping third-party analytics, disabling ad tracking pixels, or flagging the session as opted-out in your data systems.
The JavaScript API
Client-side code can check the signal like this:
if (navigator.globalPrivacyControl) {
  // User has opted out — don't load tracking scripts
}
The .well-known/gpc.json File
Websites can publish their GPC support status at /.well-known/gpc.json. This JSON file signals to browsers and compliance tools whether the site respects the GPC signal:
{
  "gpc": true,
  "lastUpdate": "2024-01-01"
}
Publishing this file is considered a best practice and demonstrates good-faith compliance.
Which Browsers and Tools Support GPC?
| Browser / Tool | GPC Support | How to Enable |
|---|---|---|
| Brave Browser | Built-in | Enabled by default |
| Firefox | Via extension | Privacy Badger, DuckDuckGo extension |
| Chrome / Edge | Via extension | DuckDuckGo Privacy Essentials |
| DuckDuckGo Browser | Built-in | Enabled by default |
What Website Operators Must Do
If your website sells or shares personal data and you serve users in CCPA/CPA jurisdictions, here's a practical compliance checklist:
- Detect the signal — Check for the Sec-GPC: 1 header server-side or navigator.globalPrivacyControl client-side.
- Suppress data sharing — Don't fire third-party ad pixels, analytics trackers, or data broker scripts for GPC users.
- Update your privacy policy — Document that you honor GPC and describe what it affects.
- Publish gpc.json — Add /.well-known/gpc.json to declare your compliance.
- Test your implementation — Use browser dev tools or privacy-focused browsers to verify the signal is being honored.
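The checklist above, sketched server-side as an added example (not code from this page or from the GPC specification): a handler in the `(req, res)` shape of Node's `http.createServer` that detects `Sec-GPC: 1`, drops data-sharing tags, sets `Vary: Sec-GPC` so shared caches do not serve one visitor's variant to another, and serves `/.well-known/gpc.json`. The tag list, its `sharesData` flag and the example hostnames are assumptions.

```javascript
// Added example: framework-free GPC handling for a Node-style (req, res) handler.
// THIRD_PARTY_TAGS, sharesData and the hostnames are constructed placeholders.
const THIRD_PARTY_TAGS = [
  { src: 'https://ads.example/pixel.js', sharesData: true },
  { src: 'https://analytics.example/t.js', sharesData: true },
  { src: '/static/app.js', sharesData: false },
];

// Node lower-cases incoming header names. Only the exact value "1" counts as
// an opt-out here; an absent header or any other value is treated as no signal.
function gpcOptedOut(headers) {
  const raw = headers['sec-gpc'];
  return typeof raw === 'string' && raw.trim() === '1';
}

// Decide which scripts and response headers this request gets.
function planResponse(headers) {
  const optedOut = gpcOptedOut(headers);
  return {
    optedOut,
    scripts: THIRD_PARTY_TAGS.filter(t => !(optedOut && t.sharesData)).map(t => t.src),
    // The body differs by Sec-GPC, so shared caches must key on that header.
    responseHeaders: { 'Vary': 'Sec-GPC', 'Content-Type': 'text/html; charset=utf-8' },
  };
}

// Body for /.well-known/gpc.json, same shape as the file shown earlier on the page.
function gpcSupportDocument(lastUpdate) {
  return JSON.stringify({ gpc: true, lastUpdate });
}

// Request handler: serves the support file, otherwise a page with filtered tags.
function handle(req, res) {
  if (req.url === '/.well-known/gpc.json') {
    res.setHeader('Content-Type', 'application/json');
    return res.end(gpcSupportDocument('2024-01-01'));
  }
  const plan = planResponse(req.headers);
  for (const [k, v] of Object.entries(plan.responseHeaders)) res.setHeader(k, v);
  const tags = plan.scripts.map(s => `<script src="${s}"></script>`).join('\n');
  res.end(`<!doctype html><title>demo</title>\n${tags}\n`);
}
```

Passing `handle` to `http.createServer` serves it; requesting the page with and without the `Sec-GPC: 1` header shows the two variants.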
GPC vs. Do Not Track (DNT)
Many developers remember the older Do Not Track (DNT) initiative, which also sent a browser signal asking sites not to track users. DNT failed largely because it was purely voluntary with no legal backing, and most advertisers simply ignored it. GPC was designed differently from the start — with active collaboration from regulators and direct legal enforceability in multiple U.S. states.
DNT is effectively defunct. GPC is the successor with real teeth.