What Is Global Privacy Control (GPC)? A Guide for Website Owners

Global Privacy Control (GPC) is a browser setting that sends a signal to every website you visit, telling them: "Do not sell or share my personal information." It's the digital equivalent of a "Do Not Call" list — but for your browsing data.

For website owners, GPC is no longer optional. Multiple US states now legally require you to honor it.

How GPC Works

When a visitor has GPC enabled in their browser:

1. Their browser sends a Sec-GPC: 1 header with every HTTP request

2. The navigator.globalPrivacyControl JavaScript property returns true

3. Your website is legally required to treat this as a valid opt-out of:

• Sale of personal data
• Sharing data for targeted advertising
• In some states, certain types of profiling

GPC is currently supported in:

• Firefox (built-in setting)
• Brave (enabled by default)
• DuckDuckGo Browser (enabled by default)
• Safari (via extensions)
• Chrome (via extensions like Privacy Badger or OptMeowt)

Estimates suggest 10-15% of web traffic now carries a GPC signal, and that number is growing.

Which States Require GPC?

As of 2026, these states legally require businesses to honor GPC signals:

• California (CCPA/CPRA) — explicitly recognizes GPC as a valid opt-out mechanism
• Colorado (CPA) — requires honoring universal opt-out mechanisms including GPC
• Connecticut (CTDPA) — requires honoring universal opt-out signals
• Texas (TDPSA) — requires honoring GPC signals
• Montana (MCDPA) — requires honoring universal opt-out mechanisms
• Oregon (OCPA) — requires honoring universal opt-out signals
• New Jersey (NJDPA) — requires honoring universal opt-out mechanisms

Several more states are expected to add GPC requirements as their laws are amended or new laws take effect.

What You Need to Do

1. Detect the GPC Signal

Your website needs to check for GPC on page load. There are two ways to detect it:

• HTTP header: Check for Sec-GPC: 1 on the server side
• JavaScript: Check navigator.globalPrivacyControl === true on the client side

2. Stop Non-Essential Tracking

When GPC is detected, you must prevent tracking scripts from loading that would sell or share data. This typically means blocking:

• Facebook/Meta Pixel
• Google Ads conversion tracking
• TikTok Pixel
• Pinterest Tag
• Any other advertising or cross-site tracking scripts

You can still load essential cookies (session, cart, authentication) and first-party analytics that don't share data with third parties.

3. Use a Cookie Consent Banner That Handles GPC

The easiest way to comply is to use a cookie consent banner that:

• Automatically detects GPC signals
• Pre-sets the visitor's consent preferences to "reject" advertising cookies when GPC is detected
• Blocks advertising scripts from loading for GPC visitors
• Still allows the visitor to manually change their preferences

ClearConsent's cookie banner does this automatically — it detects GPC, honors it, and documents the interaction.

4. Don't Require Additional Steps

The law is clear: a GPC signal alone is sufficient. You cannot:

• Ask the visitor to confirm their GPC preference via a pop-up
• Require them to click through a consent banner
• Ignore GPC and rely on your own opt-out page instead
• Treat GPC as a "preference" that you can override

What Happens If You Ignore GPC?

In California, ignoring a valid GPC signal is a violation of the CCPA — $2,500 to $7,500 per violation. The California AG has already taken enforcement actions against companies that failed to honor GPC.

In other states with GPC requirements, similar penalties apply under each state's enforcement framework.

How to Check If Your Site Honors GPC

ClearConsent scans your website and detects whether it supports Global Privacy Control. If your site loads advertising trackers without checking for GPC signals, it'll show up in your scan results as a compliance gap.

Scan your site free — see if your site honors GPC in under 60 seconds.