What is Global Privacy Control (GPC)? A Guide for Website Owners

If you’ve been keeping up with privacy laws (or trying to, at least), you’ve probably heard of things like GDPR and CPRA. Maybe you’ve added a cookie banner to your website. You might even have a privacy policy that mentions user rights.

But here’s something that a lot of website owners don’t know about: Global Privacy Control, or GPC for short.

GPC is a browser setting that lets people automatically opt out of having their data sold or shared—across every website they visit. And if your site is covered by California’s privacy law (CPRA) or similar state laws, you’re legally required to honor it.

The catch? Most website owners have never heard of it, and even fewer know how to implement it.

Let’s fix that.

What is Global Privacy Control (GPC)?

Global Privacy Control is a signal that browsers can send to websites to communicate that the user doesn’t want their personal information sold or shared.

Think of it like “Do Not Track” on steroids—except this one actually has legal teeth behind it.

When someone enables GPC in their browser, it automatically tells every website they visit: “Hey, I’m opting out of data sharing. Don’t sell or share my personal information.”

The website is then supposed to respect that signal and stop collecting or sharing data with third parties—even if the person never sees or clicks on your cookie banner.

Where Did GPC Come From?

GPC was created by a group of privacy advocates, tech companies, and policy experts who wanted to give people a simpler way to protect their privacy online.

Instead of having to click through cookie banners on every single website, users can just flip one switch in their browser settings, and that choice applies everywhere.

The idea is pretty straightforward: if someone has clearly indicated they don’t want their data sold or shared, websites should respect that preference automatically.

How Does GPC Work?

Here’s the technical bit (but don’t worry, we’ll keep it simple):

When someone has GPC enabled in their browser, the browser sends a special signal in the HTTP header of every web request. That signal is called Sec-GPC: 1.

Your website receives that signal and is supposed to recognize it as a valid opt-out request.

In practical terms, that means:

• You shouldn’t place marketing or tracking cookies for that visitor
• You shouldn’t share their data with third parties
• You need to treat them the same way you’d treat someone who clicked “Do Not Sell My Personal Information” on your site

The key thing to understand: GPC happens automatically in the background. The user doesn’t have to do anything on your site. Your site just needs to be set up to recognize and honor the signal.

Which Browsers Support GPC?

GPC isn’t available in every browser yet, but support is growing. Here are some browsers that currently support it:

• Brave (enabled by default)
• Firefox (can be enabled in privacy settings)
• DuckDuckGo (enabled by default in their mobile browser and extensions)
• Chrome (via extensions like OptMeowt, Privacy Badger, or DuckDuckGo Privacy Essentials)
• Edge (via extensions)
• Safari (not natively supported yet, but possible via extensions)

The number of people using GPC is growing. As of 2025, over 150 million users worldwide use browsers or extensions that support GPC.

Looking ahead: California’s AB 566 “Opt Me Out” Act will require major browsers (Chrome, Safari, Edge) to offer built-in GPC capabilities starting January 1, 2027. This will make GPC much more accessible and is expected to significantly increase adoption.

Why Should Website Owners Care About GPC?

Here’s the big reason: if your website is covered by CPRA (California’s privacy law) or similar state laws, you’re legally required to honor GPC signals.

California’s law explicitly says that websites must treat GPC as a valid consumer request to opt out of the sale or sharing of personal information.

Other states with similar privacy laws—like Colorado, Connecticut, and Virginia—have similar requirements.

Important update for 2026: Starting January 1, 2026, new California regulations require that businesses must visibly confirm when they’ve honored a GPC signal. This means displaying something like “Opt-Out Request Honored” or using a toggle to show the user’s opt-out status. Silent processing is no longer enough—users need to see evidence their opt-out was honored.

So if you have visitors from California (and let’s be honest, you probably do), and your site doesn’t honor GPC, you’re not compliant with CPRA. That’s a legal risk.

Beyond the legal requirement, there’s also a practical reason to care: respecting GPC is just good practice. If someone has taken the time to set a privacy preference in their browser, honoring that shows you respect their choices.

What is Global Privacy Control Required For?

Not every website needs to worry about GPC. Here’s who it applies to:

You need to honor GPC if:

• Your website is covered by CPRA (California’s privacy law)
• You collect personal information from California residents
• You sell or share that personal information with third parties

CPRA applies to businesses that meet certain thresholds—like having over $25 million in annual revenue, or buying/selling personal information of 100,000+ California residents.

But honestly? Even if you’re not technically required to honor GPC, it’s still a good idea to do it. Privacy laws are spreading, and more states are adopting similar requirements. Getting ahead of it now saves you headaches later.

How Do You Know If Someone Has GPC Enabled?

This is where it gets a little technical, but stick with me.

When someone visits your website with GPC enabled, their browser sends a signal in the HTTP header. It looks like this:

Sec-GPC: 1

Your website (or more specifically, your web server or consent management tool) needs to check for that header and respond accordingly.

If you’re not a developer, don’t panic—most modern cookie consent tools can detect GPC signals for you. But you do need to make sure your tool is configured to actually do something when it detects GPC.

What Should Your Website Do When It Detects GPC?

When your site detects the GPC signal, here’s what should happen:

1. Treat it as an opt-out
The user has opted out of having their data sold or shared. Don’t place marketing cookies or tracking pixels for that visitor.

2. Don’t show a cookie banner asking for consent
Since they’ve already communicated their preference via GPC, you shouldn’t ask them again. Their browser signal is their answer.

3. Provide visible confirmation (required as of January 1, 2026)
Under new California regulations, you must display visible confirmation that the opt-out was honored. This could be:

• A message like “Opt-Out Request Honored”
• A toggle or indicator in privacy settings showing opt-out status
• A badge or icon indicating the signal was received and processed

4. Document that you received and honored the signal
For compliance purposes, you should keep records that you detected and respected GPC signals.

5. Apply it site-wide
The GPC signal applies to all data collection on your site, not just certain pages or sections.

How to Implement GPC on Your Website

Here’s the practical part: how do you actually make your website honor GPC?

Option 1: Use a cookie consent tool that supports GPC

Many modern cookie consent platforms now offer GPC detection capabilities. When evaluating cookie consent tools, check their documentation to see if they support GPC and whether it’s included in your plan level or pricing tier.

Look for features like:

• Automatic GPC signal detection
• Automatic opt-out when GPC is detected
• Configuration options to enable/disable GPC support
• Testing tools to verify GPC is working

Popular consent management platforms (CMPs) often include GPC support, but availability and implementation details vary by provider and plan. Always verify current support directly with your provider before assuming GPC functionality is included.

Option 2: Custom implementation

If you’re building something custom (or your developer is), they need to:

1. Check for the Sec-GPC: 1 header in incoming requests
2. Set a flag or cookie indicating the user has opted out
3. Block all non-essential tracking scripts and cookies for that visitor
4. Make sure your tag manager or analytics setup respects that flag

This isn’t something most website owners will do themselves—you’ll want a developer for this.

Option 3: Check with your hosting/CMS provider

Some website platforms and hosting providers are starting to build GPC support directly into their systems. It’s worth asking if your platform has built-in GPC handling.

Common Mistakes with GPC Implementation

Here are some issues we see a lot:

1. GPC detection is turned on, but nothing actually happens
Your cookie tool might detect the GPC signal, but if you haven’t properly configured which scripts to block, they might still fire. Always test your implementation.

2. Showing a cookie banner to GPC users
If someone has GPC enabled, you shouldn’t show them a banner asking for consent. They’ve already told you their answer.

3. Only blocking some tracking, not all
GPC should block all non-essential tracking and data sharing. Don’t just turn off Google Analytics but leave Facebook Pixel running.

4. Not documenting it
For compliance purposes, you should be able to demonstrate that your site detects and honors GPC. Keep records.

How to Test If Your Site Honors GPC

Want to know if your website is actually respecting GPC? Here’s a simple test:

1. Enable GPC in a browser

• In Brave: It’s on by default
• In Firefox: Go to Settings → Privacy & Security → Turn on “Tell websites not to sell or share my data”
• In Chrome: Install the OptMeowt or Privacy Badger extension

2. Visit your website
Open your site in that browser with GPC enabled.

3. Check what’s loading
Open your browser’s developer tools (usually F12), go to the Network or Application tab, and see what cookies and scripts are loading.

4. Look for tracking cookies
If you see Google Analytics, Facebook Pixel, or other marketing/analytics cookies loading even with GPC enabled, your implementation isn’t working.

What If You’re Not Honoring GPC Yet?

If you just realized your site isn’t set up to honor GPC, don’t panic.

This is a relatively new requirement, and a lot of websites aren’t compliant yet. But it’s something you should fix sooner rather than later—especially if you have California visitors.

Here’s what to do:

1. Check if your cookie consent tool supports GPC
2. Turn on GPC detection in your tool’s settings
3. Test it to make sure it actually works
4. Update your privacy policy to mention that you honor GPC signals

If your current tool doesn’t support GPC, it might be time to switch to one that does.

Do You Need to Mention GPC in Your Privacy Policy?

Yes, it’s a good idea to mention GPC in your privacy policy.

California law requires that you explain how consumers can opt out of data sales. Since GPC is one of those methods, your privacy policy should say something like:

“We honor Global Privacy Control (GPC) signals. If you have GPC enabled in your browser, we will treat that as a valid request to opt out of the sale or sharing of your personal information.”

This lets visitors know you’re respecting their browser-level privacy choices.

The Bottom Line on Global Privacy Control

Here’s what you need to remember about what is Global Privacy Control:

• GPC is a browser signal that lets users opt out of data sales automatically
• It’s legally required under CPRA and similar state privacy laws
• Most websites aren’t honoring it yet—but they should be
• Modern cookie consent tools can handle it if you turn on the right settings
• You need to test your implementation to make sure it’s actually working
• Starting January 2026, you must provide visible confirmation when you honor GPC signals

Privacy laws are only getting stricter, and GPC is becoming more widely adopted. Getting this right now protects you from legal risk and shows your visitors that you respect their privacy choices.

Need Help with GPC Implementation?

We get it—this stuff is complicated. Between cookie consent, GPC signals, opt-in vs opt-out requirements, and everything else, it’s a lot to keep track of.

If you’re not sure whether your site is honoring GPC, or if you need help getting everything set up correctly, we can help.

We offer Privacy & Cookie Compliance Reviews where we audit your entire setup, check for issues like missing GPC support, and help you fix everything. We handle the technical details so you can focus on running your business.

Want to learn more? Request a quote and we’ll walk you through what we check, how long it takes, and what it costs.

Questions about Global Privacy Control or website privacy compliance? Reach out—we’re here to help you figure this out.

Mary Marnell

Managing Partner · LinkedIn

Mary Marnell is Managing Partner at Hey Reliable, a front-end and WordPress development agency known for delivering clean, reliable code for agencies, marketing teams, and growing businesses. She joined the company in 2017, became partner in ... read more