Global Privacy Control: A Machine-Readable Opt-Out
Global Privacy Control (GPC) is a technical specification that defines an HTTP request header and a JavaScript property through which a visitor's browser signals a preference to every website they visit. The signal carries a single instruction: do not sell or share this person's personal data.
Unlike its predecessor Do Not Track (DNT), GPC has legal teeth. The California Attorney General confirmed in July 2021 that businesses subject to the CCPA must treat a GPC signal as a valid consumer opt-out request. A $1.2 million fine against Sephora in 2022 for ignoring GPC signals cemented the standard as an enforceable mechanism, not a polite suggestion.
The specification itself is straightforward. When enabled, the browser attaches a Sec-GPC: 1 header to every HTTP request and sets navigator.globalPrivacyControl to true in JavaScript. Websites can detect either signal and adjust their data processing behaviour accordingly.
How GPC Differs from Do Not Track
Do Not Track launched in 2009 with a similar ambition but no regulatory backing. Websites were free to ignore it, and most did. The W3C eventually abandoned the DNT specification in 2019.
GPC takes a different approach. Rather than relying on voluntary compliance, it ties the signal to existing privacy legislation. Under the CPRA, a GPC signal constitutes a legally binding request to opt out of the sale and sharing of personal information. Colorado, Connecticut, and a growing number of states have followed suit.
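The technical implementation also differs. DNT used the header DNT: 1, which remains available in some browsers but carries no legal weight. GPC uses Sec-GPC: 1. The Sec- prefix makes it a forbidden request header, one that page scripts cannot set or change through fetch() or XMLHttpRequest, which adds a layer of integrity to the signal when it arrives from a browser. A non-browser HTTP client can still send any header it likes, so treat the signal as a preference to honour, not as proof of who sent it.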
Which Browsers Support GPC Natively
Browser support for GPC varies significantly. Some browsers ship with it enabled by default, while others require extensions or have no support at all.
| Browser | GPC Support | Default State |
|---|---|---|
| Brave | Built-in | On by default |
| DuckDuckGo | Built-in | On by default |
| Firefox | Built-in (v120+) | Off by default, user-enabled in settings |
| Google Chrome | Extension only | Not built-in |
| Microsoft Edge | Extension only | Not built-in |
| Safari | Extension only | Not built-in |
Privacy-focused browsers lead adoption. Brave and DuckDuckGo send GPC signals to every site by default, meaning visitors using these browsers are automatically opting out of data sales. Firefox introduced native GPC support in version 120, though users must enable it manually through privacy settings.
Chrome, Edge, and Safari still lack built-in GPC toggles. Users on these browsers can install extensions from the Global Privacy Control project or the Network Advertising Initiative (NAI) to send the signal.
California's 2027 Browser Mandate
This gap in browser support may soon close. In October 2025, California Governor Gavin Newsom signed AB 566, the Opt Me Out Act, making California the first state to require all browsers to include built-in GPC functionality. The deadline is 1 January 2027.
If enforced as written, Chrome and Safari will need to ship native GPC settings to users in California. Given the impracticality of geo-restricting browser features, most observers expect these browsers to roll out GPC support globally rather than limit it to a single state.
The practical impact could be enormous. Chrome alone holds roughly 65% of the global browser market. Once GPC becomes a default or easily accessible setting in Chrome, the volume of opt-out signals hitting websites will increase dramatically.
US States That Require GPC Compliance
GPC's legal standing has expanded rapidly. As of January 2026, twelve US states require businesses to honour universal opt-out mechanisms, and most explicitly recognise GPC as a qualifying signal.
| State | Law | GPC Required Since |
|---|---|---|
| California | CCPA/CPRA | January 2020 |
| Colorado | CPA | July 2024 |
| Connecticut | CTDPA | January 2025 |
| Texas | TDPSA | January 2025 |
| Montana | MCDPA | January 2025 |
| Oregon | OCPA | January 2025 |
| Delaware | DPDPA | January 2026 |
| Nebraska | NDPA | January 2026 |
| New Hampshire | NHPA | January 2026 |
| New Jersey | NJDPL | July 2025 |
| Minnesota | MCDPA | July 2025 |
| Maryland | MODPA | October 2025 |
California, Colorado, and Connecticut have been the most active enforcers. In September 2025, the attorneys general of all three states announced a coordinated investigative sweep targeting businesses that fail to honour GPC signals. The growing patchwork of US state privacy laws makes GPC compliance a practical necessity for any business with US visitors.
GPC and Cookie Consent Banners
A common misconception is that supporting GPC eliminates the need for a cookie consent banner. It does not.
GPC is an opt-out mechanism designed for US state privacy laws. It signals that a visitor does not want their data sold or shared. The GDPR and ePrivacy Directive, by contrast, require opt-in consent before setting non-essential cookies. A European visitor who sends a GPC signal still needs to be presented with a consent banner that requests affirmative permission before any analytics or marketing cookies fire.
The two mechanisms are complementary. A well-configured consent management platform can detect the Sec-GPC header and automatically apply the opt-out for US jurisdictions while still presenting the full opt-in flow for visitors covered by the GDPR or ePrivacy Directive.
Detecting and Responding to GPC on Your Website
There are two ways to detect a GPC signal. On the server side, check for the Sec-GPC: 1 HTTP request header. On the client side, read navigator.globalPrivacyControl in JavaScript.
When a GPC signal is detected, your site should suppress any processing that constitutes a sale or sharing of personal data under the applicable law. This typically means blocking third-party tracking pixels and the cookies they set, such as _fbp from Meta and _gcl_au from Google Ads, as well as any real-time bidding scripts.
Strictly necessary cookies like PHPSESSID or cart session identifiers remain unaffected. GPC targets data sale and sharing, not all cookie use. For a deeper technical walkthrough, see the guide to honouring GPC signals.
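The detection and response rules above, together with the opt-out versus opt-in split described under "GPC and Cookie Consent Banners", can be sketched as follows. This is an added example, not code from the GPC project or any consent platform; the function names, the category labels and the tag inventory are assumptions made for illustration.

```javascript
// Added example; function names, categories and the tag inventory are constructed.

// Server side: true only when the request carries Sec-GPC with the exact value "1".
// Header names are case-insensitive; any other value is treated as no signal.
function hasGpcHeader(headers) {
  return Object.entries(headers).some(
    ([name, value]) => name.toLowerCase() === 'sec-gpc' && String(value).trim() === '1'
  );
}

// Client side: pass window.navigator. Browsers without GPC leave the property undefined.
function hasGpcProperty(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// Constructed inventory: each cookie or script is labelled with its purpose.
const TAGS = [
  { name: 'PHPSESSID', category: 'necessary' },
  { name: 'first-party-analytics', category: 'analytics' },
  { name: '_fbp', category: 'sale_or_share' },
  { name: '_gcl_au', category: 'sale_or_share' },
  { name: 'rtb-script', category: 'sale_or_share' },
];

// regime: 'opt-out' (US state laws) or 'opt-in' (GDPR / ePrivacy).
// consent: categories the visitor accepted in the banner (opt-in regime only).
// Assumption: an unknown regime falls back to the stricter opt-in handling.
function allowedTags({ regime, gpc, consent = [] }, tags = TAGS) {
  return tags
    .filter((tag) => {
      if (tag.category === 'necessary') return true; // never affected by GPC
      if (regime !== 'opt-out') return consent.includes(tag.category); // banner decides
      return !(gpc && tag.category === 'sale_or_share'); // GPC acts as the opt-out
    })
    .map((tag) => tag.name);
}
```

On a real site the inventory would come from a cookie and script audit, and the regime from whatever geo-targeting the consent platform already performs.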
What Happens If You Ignore GPC Signals
Ignoring GPC signals carries real financial risk. The Sephora enforcement action in 2022 resulted in a $1.2 million settlement with the California Attorney General. The company had failed to honour opt-out requests, including those sent via GPC, and had not disclosed that it was selling consumer data.
With twelve states now mandating GPC compliance and three state attorneys general conducting joint enforcement sweeps, the risk of investigation has increased significantly. CCPA penalties can reach $7,500 per intentional violation, and each individual whose GPC signal was ignored could represent a separate violation.
Beyond fines, failing to honour GPC undermines brand trust. Privacy-conscious visitors who deliberately enable GPC will notice if their preferences are disregarded, particularly if they later see targeted advertising that should have been suppressed.
Frequently Asked Questions
Does GPC replace cookie consent banners?
No. GPC is a US opt-out mechanism for data sales and sharing. GDPR and ePrivacy still require opt-in consent before setting non-essential cookies. You need both a cookie banner for European visitors and GPC support for US visitors.
Is GPC legally binding in all US states?
Not yet. As of early 2026, twelve US states require businesses to honour GPC or similar universal opt-out signals. Other states may adopt similar requirements as new privacy laws take effect.
How do I test whether my website detects GPC signals?
Install the GPC browser extension or use Firefox with GPC enabled, then check your server logs for the Sec-GPC: 1 header. You can also evaluate navigator.globalPrivacyControl in your browser console; it returns true when the signal is being sent.
Does GPC apply to first-party analytics cookies?
GPC targets the sale and sharing of personal data, not all cookie use. First-party analytics that do not involve sharing data with third parties are generally unaffected, though you should review whether your analytics setup shares data with vendors.
Will Chrome add built-in GPC support?
California's Opt Me Out Act (AB 566) requires all browsers to include GPC functionality by 1 January 2027. Chrome will likely need to comply, and most industry observers expect a global rollout rather than a California-only feature.
Can I ask users to override their GPC setting on my website?
Under the CCPA/CPRA, you must honour the GPC signal as an opt-out request. You cannot require visitors to disable GPC or override it through a site-specific prompt. You may offer the option to opt back in, but the default must respect the signal.
Take Control of Your Cookie Compliance
If you are not sure whether your site correctly responds to GPC signals, start with a free scan. Kukie.io detects cookies and tracking scripts on your site, helps you categorise them, and supports geo-targeted consent flows that respect both GPC opt-outs and GDPR opt-in requirements.