What the GPC Signal Is and Why It Matters in 2026
Global Privacy Control (GPC) is a browser-level signal that tells websites a visitor does not want their personal data sold or shared for cross-context behavioural advertising. The signal travels in two forms: an HTTP header (Sec-GPC: 1) and a JavaScript property (navigator.globalPrivacyControl).
Unlike the older Do Not Track header, GPC carries legal weight. California's CCPA/CPRA, the Colorado Privacy Act, and the Connecticut Data Privacy Act all require businesses to treat it as a valid opt-out request. In September 2025, regulators from all three states launched a joint investigative sweep targeting websites that fail to honour the signal. Ignoring GPC is no longer a theoretical risk.
Enforcement has already produced real fines. The California Attorney General secured a $1.2 million settlement with Sephora in 2022 for failing to process GPC opt-out requests. In October 2025, the California Privacy Protection Agency fined Tractor Supply Co. $1.3 million, partly for not honouring GPC signals on its website.
Browser Support: Who Sends the Signal Today
Brave and DuckDuckGo enable GPC by default. Firefox supports GPC through a setting in its privacy preferences. Chrome and Safari do not yet include a native GPC toggle, but extensions such as Privacy Badger and DuckDuckGo Privacy Essentials add the header to outgoing requests.
That gap will close. California's Opt Me Out Act (AB 566), signed in October 2025, requires every major browser to offer built-in GPC functionality by 1 January 2027. Once Chrome and Safari ship native support, the proportion of visitors sending Sec-GPC: 1 will rise sharply. Building detection now means your site is ready before that wave hits.
| Browser | Native GPC | Default State | Extension Option |
|---|---|---|---|
| Brave | Yes | On by default | N/A |
| DuckDuckGo | Yes | On by default | N/A |
| Firefox | Yes | Off (user must enable) | N/A |
| Chrome | No (until 2027) | N/A | Privacy Badger, DuckDuckGo |
| Safari | No (until 2027) | N/A | Limited extension support |
| Edge | No | N/A | Privacy Badger, DuckDuckGo |
Detecting GPC Server-Side: The Sec-GPC Header
The most reliable detection method checks the Sec-GPC HTTP request header on the server before any page content is rendered. When a browser has GPC enabled, it sends Sec-GPC: 1 with every request.
In Node.js with Express:
const gpcEnabled = req.headers['sec-gpc'] === '1';
In PHP:
$gpcEnabled = ($_SERVER['HTTP_SEC_GPC'] ?? '') === '1';
In Python (Django):
gpc_enabled = request.META.get('HTTP_SEC_GPC') == '1'
Server-side detection is valuable because it lets you suppress non-essential cookies and third-party scripts before they ever reach the browser. If Sec-GPC is present and set to 1, your server can skip injecting marketing tags into the HTML response entirely.
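An added example (not code from the original page) of the server-side gate described above, written without a framework. It accepts only the exact value 1, leaves the marketing tags out for GPC visitors, and appends Vary: Sec-GPC so a shared cache cannot serve the tagged variant to a visitor who sent the signal. MARKETING_TAGS, the script path and the function names are hypothetical.

```javascript
// Added example: Sec-GPC gate for a server-rendered page.
// MARKETING_TAGS, /js/ads.js and all function names are hypothetical.
const MARKETING_TAGS = '<script src="/js/ads.js"></script>'; // constructed placeholder

// Node lowercases incoming header names. Only the exact value "1" counts.
function hasGpc(reqHeaders) {
  const raw = reqHeaders['sec-gpc'];
  return typeof raw === 'string' && raw.trim() === '1';
}

// Add a field name to an existing Vary value without duplicating it.
function appendVary(existing, name) {
  const parts = (existing || '').split(',').map((s) => s.trim()).filter(Boolean);
  if (parts.includes('*')) return '*';
  if (!parts.some((p) => p.toLowerCase() === name.toLowerCase())) parts.push(name);
  return parts.join(', ');
}

// Build the response. The body differs by Sec-GPC, so both variants
// must carry Vary: Sec-GPC or a cache may mix them up.
function renderPage(reqHeaders, resHeaders = {}) {
  const gpc = hasGpc(reqHeaders);
  const head = gpc ? '' : MARKETING_TAGS;
  return {
    gpc,
    headers: {
      ...resHeaders,
      'Content-Type': 'text/html; charset=utf-8',
      Vary: appendVary(resHeaders.Vary, 'Sec-GPC'),
    },
    body: `<!doctype html><html><head>${head}</head><body>Hello</body></html>`,
  };
}
```
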
Detecting GPC Client-Side: The JavaScript API
For client-side detection, check the navigator.globalPrivacyControl property. This boolean mirrors the header value: true when the user has enabled GPC, false otherwise.
if (navigator.globalPrivacyControl === true) { /* suppress tracking */ }
This property is available in both window and worker contexts. Use it to gate the firing of analytics and advertising tags loaded via JavaScript. If your site uses Google Tag Manager, you can push the GPC state into the dataLayer and build a GTM trigger that blocks marketing tags when gpcEnabled is true.
A practical pattern:
window.dataLayer = window.dataLayer || [];
window.dataLayer.push({ 'gpcSignal': navigator.globalPrivacyControl === true });
Then, in GTM, create a custom variable reading gpcSignal from the dataLayer and use it as a blocking trigger on your marketing cookie tags.
Publishing a GPC Support Resource
The GPC specification allows websites to declare their support by hosting a JSON file at /.well-known/gpc.json. This file tells browsers and privacy tools that your site intends to respect the signal.
The file contents are minimal:
{"gpc": true, "lastUpdate": "2026-03-17"}
Set gpc to true to indicate compliance. The lastUpdate field records when you last reviewed your GPC handling. Serve the file with a Content-Type: application/json header from your domain root.
Integrating GPC With Your Consent Management Platform
GPC does not replace a cookie banner. Under the GDPR and ePrivacy Directive, you still need prior opt-in consent for non-essential cookies from visitors in the EU and UK. GPC is relevant primarily for US state laws that follow an opt-out model.
Your CMP should detect the GPC signal and treat it as an opt-out of sale and sharing for visitors from applicable US states. If GPC is present and the visitor is located in California, Colorado, Connecticut, Texas, Montana, Oregon, or another state with a universal opt-out mechanism requirement, the CMP should automatically set the consent state to "opted out" for sale and targeted advertising categories.
What this means in practice:
- Marketing and advertising cookies should not fire
- The "Do Not Sell or Share" link in your footer should reflect the opted-out state
- Analytics cookies may still require separate handling depending on the specific state law
- Strictly necessary cookies (session identifiers, shopping cart tokens) are unaffected
Starting 1 January 2026, California requires businesses to display a visible confirmation when they detect and process a GPC signal. A simple on-page message such as "Opt-Out Preference Signal Honoured" satisfies this requirement.
Testing Your GPC Implementation
Testing requires sending the Sec-GPC: 1 header from your browser. Several approaches work.
Using Brave or Firefox
Enable GPC in Brave (it is on by default) or Firefox (Settings > Privacy & Security > Tell websites not to sell or share my data). Visit your site, open DevTools, and confirm that no marketing cookies are set.
Using Browser Extensions
Install Privacy Badger or DuckDuckGo Privacy Essentials in Chrome. Both inject the Sec-GPC: 1 header. Then use the Network tab in DevTools to verify the header is present in outgoing requests.
Using cURL
For server-side testing, send a request with the header manually:
curl -H "Sec-GPC: 1" https://yoursite.com
Inspect the response to confirm that tracking scripts are absent from the HTML.
Checking the JavaScript Property
Open the browser console on a GPC-enabled browser and run:
console.log(navigator.globalPrivacyControl);
The output should be true. Then verify that your cookie banner reflects the correct consent state and that blocked tags are not firing.
GPC and Consent Mode
If your site uses Google Consent Mode v2, GPC detection should feed into the consent state. When GPC is active for a US visitor, set ad_storage and ad_user_data to 'denied' in the Consent Mode default configuration. This ensures Google tags respect the opt-out signal and fall back to cookieless pings.
The relationship between GPC and Consent Mode is straightforward: GPC expresses the visitor's preference, and Consent Mode translates that preference into a format Google's tags understand.
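An added example (not code from the original page, a CMP vendor or Google) that ties together the CMP rules from the integration section and the Consent Mode mapping above: it resolves a consent state from the GPC signal, the visitor's region and any banner choice, then translates it into Consent Mode values. The region codes, category names and function names are hypothetical, the state list is the one given on this page, and ad_personalization is an assumption beyond the two keys the page names.

```javascript
// Added example: GPC + region -> consent state -> Consent Mode v2 values.
// Region codes, category names and function names are hypothetical.
const GPC_STATES = new Set(['US-CA', 'US-CO', 'US-CT', 'US-TX', 'US-MT', 'US-OR']);
const OPT_IN_REGIONS = new Set(['EU', 'UK']);

// gpc: boolean from Sec-GPC or navigator.globalPrivacyControl
// banner: explicit cookie-banner choices, e.g. { marketing: true }
function resolveConsent({ gpc, region, banner = {} }) {
  const optIn = OPT_IN_REGIONS.has(region);
  // Opt-in regions start from "denied"; opt-out regions start from "granted".
  const pick = (choice) => (optIn ? choice === true : choice !== false);
  const state = {
    necessary: true, // strictly necessary cookies are unaffected
    analytics: pick(banner.analytics),
    marketing: pick(banner.marketing),
    saleOrShare: pick(banner.marketing),
    gpcApplied: false,
    showGpcNotice: false,
  };
  if (gpc === true && GPC_STATES.has(region)) {
    // GPC opts the visitor out of sale/sharing and targeted advertising.
    // Analytics is left alone: it depends on the specific state law.
    state.marketing = false;
    state.saleOrShare = false;
    state.gpcApplied = true;
    state.showGpcNotice = region === 'US-CA'; // visible confirmation (California)
  }
  return state;
}

// Translate the resolved state into Google Consent Mode v2 values.
function toConsentMode(state) {
  const v = (allowed) => (allowed ? 'granted' : 'denied');
  return {
    ad_storage: v(state.marketing),
    ad_user_data: v(state.saleOrShare),
    ad_personalization: v(state.marketing), // assumption: not named on the page
  };
}
```
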
Frequently Asked Questions
Is honouring GPC legally required?
Yes, in several US states. California (CCPA/CPRA), Colorado (CPA), Connecticut (CTDPA), Montana, Oregon, and Texas all require businesses to treat GPC as a valid opt-out of the sale or sharing of personal data. More states are adding similar requirements each year.
Does GPC replace the need for a cookie banner?
No. GPC handles the US opt-out model for sale and sharing of data. If your site has visitors from the EU or UK, you still need prior opt-in consent for non-essential cookies under the GDPR and ePrivacy Directive.
How do I test if my site detects the GPC signal?
Enable GPC in Brave or Firefox, visit your site, and check that marketing cookies are not set. You can also use cURL with the header Sec-GPC: 1 to test server-side detection, or check navigator.globalPrivacyControl in the browser console.
What is the .well-known/gpc.json file?
It is a JSON file hosted at your domain root that declares your site honours GPC signals. The GPC specification defines this as an optional way to communicate your compliance stance to browsers and privacy tools.
Do I need to show a confirmation when I honour a GPC signal?
California regulations effective 1 January 2026 require businesses to display a visible acknowledgement, such as "Opt-Out Preference Signal Honoured", when they detect and process a GPC signal from a California resident.
Will Chrome support GPC natively?
California's Opt Me Out Act (AB 566), signed in October 2025, requires all major browsers to include built-in GPC functionality by 1 January 2027. Chrome will need to comply with this mandate.