Global Privacy Control

Implementation

GPC has three implementations, two of which allow browsers to communicate preferences to web servers and web content, and the third allowing website operators to signal information about GPC compliance to the rest of the Internet.

The first is an HTTP header with the form

Sec-GPC: 1

The character '1' is the only allowed value for the header.^[5] There is deliberately no mechanism for extensibility; the creators of the standard have stated that they will create new headers if extension becomes necessary.^[6]

The GPC preference may also be signalled by the browser setting the gpcAtNavigation property of the top-level browsing context of loaded pages to the value true.^[7]

Websites can optionally host a JSON-formatted file known as the GPC support resource at the well-known URI .well-known/gpc.json to indicate how they respond to the GPC signal. This file it has up to two relevant members (all other members should be ignored): a gpc boolean member where true means that the server intends on complying with GPC requests, and false means it does not, and a lastUpdate member.^[8] By default, a websites support is unknown.

Remove ads

Adoption

Summarize

Perspective

GPC has been implemented by Mozilla Firefox,^[9] Brave,^[10] and DuckDuckGo Private Browser.^[11]^[10] GPC is not yet supported by Google Chrome^[12] or Microsoft Edge,^[10] despite Chrome still allowing users to enable the Do Not Track header.^[13] However, there are third-party extensions available for Chrome that enable sending the GPC header during HTTP requests, including the EFF's Privacy Badger extension^[14] and the DuckDuckGo Privacy Essentials add-on^[15] amongst others. Many websites including the New York Times and Washington Post have started to recognize and respect GPC signals^[11].

Currently California, Colorado, Connecticut, and New Jersey are the only states that officially legally recognize and require businesses to honor GPC. In Colorado, the Colorado Privacy Act (CPA) mentions that GPC was the first Universal Opt Out Mechanism (UOOM) to be recognized as meeting the standards of the CPA^[16]. Similarly Connecticut started recognizing GPC signals on January 1st 2025 after the Connecticut Data Privacy Act (CDPA) took effect^[17]. New Jersey started requiring businesses to respect universal opt-out mechanisms such as Global Privacy Control (GPC), under the New Jersey Data Privacy Law (NJDPL) which went into effect on July 15, 2025.^[18].GPC has additionally been endorsed by the California Attorney General.^[19] under the California Consumer Privacy Act (CCPA).

Remove ads

Legal status

Unlike the Do Not Track header, GPC is a valid do-not-sell-my-personal-information signal according to the California Consumer Privacy Act (CCPA), which stipulates that websites are legally required to respect a signal sent by users who want to opt-out of having their personal data sold.^[19] In July 2021, the California Attorney General clarified through an FAQ that under law, the Global Privacy Control signal must be honored.^[19] Similarly, Connecticut, Colorado, and New Jersey have required GPC signals to be honored through their own state laws such as the Connecticut Data Privacy Act (CDPA)^[17] Colorado Privacy Act (CPA)^[16], and New Jersey Data Privacy Law ^[18].

On August 24, 2022, the California Attorney General announced Sephora paid a $1.2 million settlement for allegedly failing to process opt-out requests via a user-enabled global privacy control signal.^[20] Later on July 1st, 2025 the California Attorney General announced the largest CCPA settlement to date of $1.55 million against Healthline.com for failing to allow consumers to opt out of targeted advertising and for sharing data with third parties without CCPA-mandated privacy protections.^[21]

Global Privacy Control

Implementation

Adoption

Legal status

References

External links

Wikiwand - on