The Opt-Out That Travels With the User
For years, the burden of privacy choices fell entirely on the individual. To stop a business from selling your data, you had to visit each website, hunt for a "Do Not Sell My Personal Information" link, and submit a request — over and over, site by site. Global Privacy Control (GPC) flips that model. It is a single signal, set once in the browser or a browser extension, that automatically tells every website the user visits: do not sell or share my personal data.
What makes GPC more than a polite request is that, in a growing number of US jurisdictions, honoring it is legally mandatory. A business that ignores a valid GPC signal where the law requires it to be respected is in violation — regardless of whether the user ever clicked a banner. This guide explains what GPC actually transmits, where it carries legal weight, and what your website has to do to comply. For the wider landscape of privacy laws GPC plugs into, see GDPR vs CCPA vs PECR.
How the GPC Signal Actually Works
GPC is deliberately simple. It is a specification, developed by a coalition of privacy organizations, browsers, and publishers, that transmits the user's opt-out preference through two technical channels:
- An HTTP header — `Sec-GPC: 1` — sent with requests when the user has enabled the control. Your server can read this header on any incoming request.
- A JavaScript property — `navigator.globalPrivacyControl` — which returns `true` when GPC is enabled, so client-side code can react without a round trip.
That is the entire wire format. There is no profile, no identity, no payload beyond "this user has opted out." The value 1 (or true) means the user is exercising their opt-out right; the absence of the signal is not consent — it simply means no preference was expressed through this channel. Users enable GPC by installing a supporting browser or extension, or by toggling a setting in browsers that ship it natively. Because the signal rides along with every request automatically, your site receives it before the user interacts with anything on the page.
Absence of GPC Is Not Permission
A common misreading is to treat "no GPC signal" as an affirmative opt-in. It is neither an opt-in nor an opt-out. GPC only ever communicates an opt-out. When the header is absent, you fall back to your normal legal basis for processing — which, for EU visitors, still means obtaining consent through a banner. GPC supplements your consent flow; it does not replace it.
Where GPC Is Legally Enforceable
GPC began as a voluntary standard, but US state privacy laws gave it teeth. California was first: regulators confirmed that GPC qualifies as a valid opt-out preference signal under the California Consumer Privacy Act, and the state's enforcement actions have explicitly cited failure to honor GPC as a violation. The mechanism is now woven into the regulations as a required "opt-out preference signal."
California is not alone. A wave of comprehensive state privacy laws — including those in Colorado, Connecticut, Texas, Oregon, Montana, and others — require businesses to recognize a universal opt-out mechanism, and GPC is the de facto implementation of that requirement. The practical upshot is that if you have visitors from these states and you sell or share personal data (which, under these laws, includes a lot of routine ad-tech and analytics activity), you must detect and honor the GPC signal. The definitions of "sale" and "share" are broad, so do not assume you are exempt simply because you do not exchange data for cash.
GPC vs a Cookie Banner Click
| Dimension | What it means |
|---|---|
| Where the choice lives | GPC: set once in the browser, travels to every site. Banner: per-site, per-device, expires. |
| Direction of the signal | GPC: opt-out only. Banner: can capture opt-in or opt-out per purpose. |
| Legal weight (US states) | GPC: a mandatory opt-out preference signal. Banner: the surface for disclosures and choices. |
| Relationship | Complementary — honor GPC automatically and still present a banner for granular and EU consent. |
How to Honor GPC on Your Website
Respecting GPC is a detection-then-suppression problem. The detection is trivial; the discipline is in making sure the signal actually changes what loads. A correct implementation does the following:
- Detect the signal early — read `navigator.globalPrivacyControl` in your consent layer (and, where relevant, the `Sec-GPC` header server-side) before any non-essential tags fire.
- Treat it as an opt-out — for applicable visitors, suppress data sale and sharing: do not load advertising or third-party marketing tags that would constitute a sale under the relevant state law.
- Reflect the choice in the UI — your banner and preference center should show that the visitor is already opted out, so they are not asked to re-make a choice they have already expressed.
- Log it — record that the opt-out came from a GPC signal, just as you would log any other consent decision. This feeds the audit trail described in Consent Logging & Audit Requirements.
The actual mechanics of stopping tags from firing are the same as any consent gating; if you have not built that layer yet, start with How to Block Scripts Until Cookie Consent. The key difference with GPC is that the decision arrives automatically, before interaction, so your gating logic must read it on initial load rather than waiting for a click.
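The detect, suppress and log steps above, together with the two channels of the wire format, as an added example (not code from the original page or from any consent platform). The function names, the category names, the caller-supplied `regime` value and the rule that GPC overrides a stored banner choice are all assumptions made for illustration.

```javascript
// Added example. Category names, function names and the "regime" input are assumptions.
const SALE_SHARE_CATEGORIES = ['advertising', 'marketing'];

// Server side: only the exact header value "1" expresses the opt-out.
function gpcFromHeaders(headers = {}) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === 'sec-gpc');
  return key !== undefined && String(headers[key]).trim() === '1';
}

// Client side: pass `navigator` in the browser; true only when the property is true.
function gpcFromNavigator(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// Decide, on initial load, which tag categories may fire.
// regime: 'opt-in' (consent required first) or 'opt-out' (allowed until objection).
function resolveConsent({ gpc, regime, banner = {} }) {
  const decision = { essential: { allowed: true, source: 'essential' } };
  for (const cat of SALE_SHARE_CATEGORIES) {
    if (gpc) {
      // Assumption: GPC wins over any stored banner choice for these categories.
      decision[cat] = { allowed: false, source: 'gpc' };
    } else if (typeof banner[cat] === 'boolean') {
      decision[cat] = { allowed: banner[cat], source: 'banner' };
    } else {
      // No signal is not consent: fall back to the regime default.
      decision[cat] = { allowed: regime === 'opt-out', source: 'default' };
    }
  }
  return decision;
}

// Audit-log entry recording where each decision came from.
function consentLogEntry(decision, now = new Date()) {
  return {
    timestamp: now.toISOString(),
    gpcOptOut: Object.values(decision).some((d) => d.source === 'gpc'),
    categories: Object.fromEntries(
      Object.entries(decision).map(([c, d]) => [c, `${d.allowed ? 'allow' : 'deny'}:${d.source}`])
    ),
  };
}

// Gate used by the tag loader: unknown categories fail closed.
function mayLoad(decision, category) {
  return Boolean(decision[category] && decision[category].allowed);
}
```

In a browser, call `resolveConsent({ gpc: gpcFromNavigator(navigator), ... })` before any tag loader runs, and have the loader check `mayLoad` for each tag's category.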
GPC and GDPR: Two Different Models
It is worth being precise about how GPC interacts with European law, because the two operate on opposite defaults. GDPR is an opt-in regime: you may not process non-essential data until the user affirmatively consents. The major US state laws are opt-out regimes: processing is permitted until the user objects. GPC is an opt-out instrument, which is why it slots cleanly into the US model and only partially into the European one.
For an EU visitor, a GPC signal is a strong indication that the user objects to sale and sharing, and you should respect it — but its absence does not grant you consent, because under GDPR you needed opt-in consent in the first place. In practice this means GPC does not let you retire your consent banner for European audiences; it layers on top of it. Where GPC genuinely simplifies your life is in the US states that mandate a universal opt-out mechanism, where honoring the signal can satisfy the legal requirement directly.
The Compliance Bottom Line
If you have US visitors and you run advertising or marketing tags, assume GPC is legally relevant to you. Detect the signal before non-essential tags load, suppress data sale and sharing for opted-out users, reflect the choice in your UI, and log it. Doing this automatically is far cheaper than defending an enforcement action for ignoring it.
A Small Signal With Large Consequences
Global Privacy Control is one of the rare privacy mechanisms that is both technically trivial and legally serious. The entire specification fits in a single header, yet ignoring it has already triggered enforcement. The smart approach is to treat GPC as a first-class input to your consent management, sitting alongside banner choices and feeding the same suppression and logging logic. A modern consent management platform reads the signal, honors it automatically, and records it for your audit trail — so compliance is a configuration, not a code project.
To go deeper, read the official specification at globalprivacycontrol.org and the California Privacy Protection Agency's guidance at cppa.ca.gov. For the foundational rights GPC enforces, revisit What Is GDPR? and the US comparison in GDPR vs CCPA vs PECR.