What Global Privacy Control Actually Does

Global Privacy Control (GPC) is a browser-level signal that tells websites a visitor does not want their personal data sold or shared. The browser sends a Sec-GPC: 1 HTTP header with every request, and websites that detect it are expected to treat the visitor as having opted out of data sale or sharing.

GPC grew out of the failed Do Not Track (DNT) standard, but with one critical difference: GPC now has legal backing. Under the California Consumer Privacy Act (CCPA/CPRA), businesses must treat a GPC signal as a valid opt-out request. California, Colorado, Connecticut, Montana, Texas, Oregon, and several other US states have written GPC recognition into their privacy laws.

The signal is simple. It communicates one thing: "do not sell or share my data."

That narrow scope is exactly why GPC cannot replace a cookie consent banner. A cookie banner does far more than handle opt-outs from data sales. It manages consent for analytics tracking, advertising cookies, personalisation, and every other category of non-essential cookie your site sets. These are distinct legal obligations under different regulatory frameworks.

Why GDPR Consent Banners Remain Mandatory

The GDPR and the ePrivacy Directive require prior, informed, specific consent before placing non-essential cookies on a visitor's device. Article 5(3) of the ePrivacy Directive is explicit: storing or accessing information on a user's terminal equipment requires the user's consent, unless the cookie is strictly necessary for the service requested.

GPC does not satisfy this requirement. The GDPR operates on an opt-in model, not an opt-out model. A visitor must actively agree to each category of non-essential cookie before it fires. GPC, by contrast, is a blanket opt-out signal - it says "no" but never says "yes" to specific processing activities.

The European Data Protection Board (EDPB) has made clear that consent must be freely given, specific, informed, and unambiguous. A browser-level signal that applies identically to every website visited cannot meet the "specific" requirement for GDPR consent. Each website processes data differently, sets different cookies, and uses different third-party services.

GPC Under US State Privacy Laws

The legal picture is different in the United States. US state privacy laws predominantly follow an opt-out model for data sales and targeted advertising. GPC fits neatly into this framework.

As of early 2026, the following states legally require businesses to honour GPC signals:

| State | Law | GPC Mandatory Since |
|---|---|---|
| California | CCPA/CPRA | January 2023 |
| Colorado | CPA | July 2024 |
| Connecticut | CTDPA | January 2025 |
| Montana | MCDPA | October 2024 |
| Texas | TDPSA | July 2024 |
| Oregon | OCPA | January 2026 |
| Maryland | MODPA | October 2025 |

In these states, if your website sells personal data or uses it for targeted advertising, you must detect the Sec-GPC: 1 header and suppress those activities. Failing to do so is a violation. In July 2025, Healthline Media agreed to a $1.55 million settlement - the largest CCPA settlement to date - partly for failing to honour opt-out requests including GPC signals.

California's Opt Me Out Act (AB 566), signed in October 2025, goes further. By January 2027, all browsers operating in California must include built-in GPC functionality. This will dramatically increase the percentage of visitors sending the signal.

How GPC and Cookie Banners Work Together

GPC and cookie consent banners are not rivals. They address different legal requirements and operate at different layers of your compliance stack.

A cookie banner handles opt-in consent under the GDPR and ePrivacy Directive. It presents cookie categories, collects granular choices, stores consent records, and controls which scripts fire. GPC handles opt-out signals under US state privacy laws. It tells your site that a visitor does not want data sold or shared for cross-context behavioural advertising.

Your consent management platform should detect the GPC signal and automatically suppress data sale and sharing activities for that visitor, without requiring them to interact with the banner's opt-out controls. The banner still appears, still collects consent for analytics and functional cookies, and still provides the granular choices required by European law.

Practical Scenario: A European Visitor

A visitor from Germany arrives with GPC enabled in Firefox. Your site must still show the GDPR-compliant cookie banner and wait for opt-in consent before setting any non-essential cookies. The GPC signal is irrelevant to this interaction because German law follows the GDPR opt-in model.

Practical Scenario: A California Visitor

A visitor from Los Angeles arrives with GPC enabled. Your site detects the Sec-GPC: 1 header and automatically suppresses data sale and sharing. If your site also serves European visitors and uses a consent banner with a "Do Not Sell or Share" toggle, the banner should reflect that GPC has already handled this preference. The visitor may still need to see the banner if you operate under a consent model for all visitors, but the data-sale opt-out is already processed.

The EU's Future Plans for Browser-Level Signals

The European Commission's proposed Omnibus Directive includes a provision (Article 88b) that would require websites to accept machine-readable consent signals from browsers. If adopted, this could allow browsers to communicate opt-in preferences - not just opt-outs - reducing the need for cookie banners on sites where the browser has already transmitted the visitor's choices.

This proposal is still under negotiation and would not take effect before 2027 at the earliest. Until then, GDPR cookie banners remain the only compliant method for collecting opt-in consent from European visitors.

Technical Detection of the GPC Signal

Detecting GPC is straightforward. The browser exposes the preference in two ways:

An HTTP header: Sec-GPC: 1

A JavaScript property: navigator.globalPrivacyControl === true

Your server-side code or CMP should check for either signal. If detected, suppress any processing that qualifies as selling or sharing personal data under the applicable state law. This includes firing marketing pixels such as the Meta Pixel (which sets the _fbp cookie), passing data to advertising partners, and setting cookies used for cross-context behavioural advertising.
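
One way to combine both checks with the jurisdiction rules described in this article, as an added example that is not code from Kukie.io or any CMP. The region codes, the consent object and the decide() function are assumptions for illustration, and the sample requests are constructed.

```javascript
// Added example: region codes and the consent object are assumptions, not a real CMP API.
const GPC_MANDATED = new Set(["US-CA", "US-CO", "US-CT", "US-MT", "US-TX", "US-OR", "US-MD"]); // states in the table above
const OPT_IN = new Set(["DE", "FR", "IE", "NL", "GB"]); // illustrative subset of GDPR / UK GDPR jurisdictions

// Header names are case-insensitive; only the exact value "1" expresses the preference.
function hasGpcHeader(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") return String(value).trim() === "1";
  }
  return false;
}

// Client-side equivalent; pass `navigator` when running in the browser.
function hasGpcProperty(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// Decide what may run for one page view. `consent` holds stored banner choices, if any.
function decide({ headers, nav, region, consent = {} }) {
  const gpc = hasGpcHeader(headers) || hasGpcProperty(nav);
  const optIn = OPT_IN.has(region);
  // Assumption: honour GPC for every visitor, including regions where it is not mandated.
  const suppressSaleSharing = gpc;
  const marketing = !suppressSaleSharing && (optIn ? consent.marketing === true : consent.marketing !== false);
  const analytics = optIn ? consent.analytics === true : consent.analytics !== false; // GPC does not touch analytics
  return {
    gpc,
    gpcMandated: gpc && GPC_MANDATED.has(region),
    showBanner: optIn && consent.decided !== true, // opt-in regions still need the banner
    allow: { marketing, analytics },
    // The response body differs by Sec-GPC, so shared caches must key on it.
    responseHeaders: { Vary: "Sec-GPC" },
  };
}

// Constructed sample requests covering the scenarios in this article.
const SAMPLES = {
  california: decide({ headers: { "Sec-GPC": "1" }, region: "US-CA" }),
  germany: decide({ headers: { "sec-gpc": "1" }, region: "DE" }),
  germanyConsented: decide({ headers: {}, region: "DE", consent: { decided: true, analytics: true, marketing: true } }),
  malformed: decide({ headers: { "Sec-GPC": "true" }, region: "US-CO" }),
};
```

The Vary header matters when pages are cached: without it, a CDN can serve a variant with marketing tags to a visitor who sent Sec-GPC: 1.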

Kukie.io detects GPC signals automatically and adjusts consent defaults based on the visitor's jurisdiction, so the appropriate opt-out is honoured without manual configuration.

Common Misconceptions About GPC

Several misunderstandings circulate about what GPC does and does not do.

"GPC replaces cookie banners." It does not. GPC handles one specific right - the right to opt out of data sale and sharing. Cookie banners manage consent across multiple categories and multiple legal frameworks. Removing your banner because you support GPC leaves you non-compliant with the GDPR, the ePrivacy Directive, and the UK GDPR.

"GPC only matters in California." At least seven US states now mandate GPC recognition, with more expected. A coordinated enforcement sweep announced in September 2025 by California, Colorado, and Connecticut signals that regulators are actively pursuing non-compliant businesses.

"Most visitors use GPC, so analytics data will disappear." GPC adoption remains modest. Firefox and Brave support it natively, but Chrome and Safari do not yet include built-in toggles. Extensions exist, but mainstream adoption will not spike until the 2027 browser mandate takes effect. Even then, GPC only restricts data sale and sharing - it does not block analytics cookies where a visitor has given separate consent.

Frequently Asked Questions

Does GPC replace a GDPR cookie consent banner?

No. GPC is an opt-out signal for data sale and sharing under US state laws. The GDPR requires opt-in consent before setting non-essential cookies, which GPC cannot provide. Your cookie banner remains mandatory for European visitors.

Is my website legally required to honour the GPC signal?

If your website is subject to the CCPA/CPRA, Colorado CPA, Connecticut CTDPA, or other US state laws that mandate universal opt-out mechanisms, then yes. European law does not currently require GPC recognition, though regulators view it favourably.

What happens if I ignore GPC signals from California visitors?

You risk enforcement action. The California Attorney General and the California Privacy Protection Agency actively investigate GPC non-compliance. Healthline Media paid $1.55 million in 2025 for failing to honour opt-out requests including GPC.

Which browsers send the GPC signal by default?

Brave and DuckDuckGo's mobile browsers enable GPC by default. Firefox includes a GPC toggle in its privacy settings. Chrome and Safari do not yet support GPC natively but will be required to by January 2027 under California's Opt Me Out Act.

Can I use GPC to auto-reject all cookies for a visitor?

GPC specifically signals an opt-out from data sale and sharing. It does not communicate preferences about analytics, functional, or strictly necessary cookies. Using it to reject all cookies goes beyond its defined scope.

Will cookie banners disappear once browsers support consent signals?

Possibly for some sites, but not soon. The EU Omnibus Directive proposes browser-level consent signals that could reduce banner reliance, but this legislation is still under negotiation and would not apply before 2027 at the earliest.

Take Control of Your Cookie Compliance

If you are not sure whether your site correctly handles GPC signals alongside cookie consent, start with a free scan. Kukie.io detects cookies, categorises them, and supports GPC signal detection and geo-based consent rules - so your visitors get the right experience regardless of where they browse from.
