Global Privacy Control (GPC) isn't a nice-to-have. In a growing list of US states it's a legally binding opt-out signal, and ignoring it has already cost money: California's very first CCPA enforcement action, a 1.2 million dollar settlement with Sephora in 2022, turned specifically on the company's failure to treat GPC as a valid opt-out of sale (California OAG). This guide is the technical how-to for honoring it in your own banner. For the legal background, start with GPC explained.
How the signal arrives
GPC reaches your site two ways, defined in the W3C Global Privacy Control specification:
- An HTTP request header, Sec-GPC: 1, sent with navigations and requests. Useful for server-side and edge logic.
- A DOM property, navigator.globalPrivacyControl, a boolean readable in the browser (and in workers).
When a user has GPC enabled, the property is true and the header is 1. When they don't, the property is typically undefined (not false) and the header is absent. That distinction is worth handling explicitly.
Detecting GPC in the browser
Read the property as early as possible, before any tag that could sell or share data loads, and pre-apply the opt-out:
```javascript
function detectGpc() {
  // undefined means "no signal", so compare strictly to true
  return navigator.globalPrivacyControl === true
}

if (detectGpc()) {
  // Treat this as a valid opt-out of sale/sharing and targeted ads
  // (applyOptOut stands for your banner's own consent-state function)
  applyOptOut({ sale: false, share: false, targetedAds: false })
  // See the display-requirement section below
  markSignalHonored()
}
```

The key is timing: the check has to run and take effect before advertising and analytics tags fire, the same way a normal consent gate works. If GPC is present, those categories start denied.
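To make "those categories start denied" concrete, here is an added example (not part of the original guide and not any CMP's code) of a fail-closed tag gate: every tag is injected through one function, and the GPC check sets the starting state before the first tag is considered. The tag ids, category names and the createTagGate/runDemo helpers are assumptions constructed for illustration.

```javascript
// Added example: a fail-closed tag gate. Tag ids and categories are constructed.
const GPC_DENIED = ['sale', 'share', 'targetedAds'];

function readGpc(nav) {
  // Only boolean true is a signal; undefined (no signal) and false are not.
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

function createTagGate(nav, defaults) {
  const state = { ...defaults };
  const gpc = readGpc(nav);
  if (gpc) for (const c of GPC_DENIED) state[c] = false; // start denied
  const loaded = [];
  const blocked = [];
  return {
    gpc, state, loaded, blocked,
    // Every tag goes through load(); a category missing from state blocks the tag.
    load(tag, inject) {
      const ok = tag.categories.every((c) => state[c] === true);
      if (ok) { inject(tag); loaded.push(tag.id); } else { blocked.push(tag.id); }
      return ok;
    },
  };
}

// Constructed sample tags for an opt-out jurisdiction (everything on by default).
const SAMPLE_TAGS = [
  { id: 'error-reporting', categories: ['necessary'] },
  { id: 'ads-pixel', categories: ['sale', 'targetedAds'] },
  { id: 'shared-analytics', categories: ['analytics', 'share'] },
  { id: 'unclassified', categories: ['somethingNew'] },
];

function runDemo(nav) {
  const defaults = { necessary: true, analytics: true, sale: true, share: true, targetedAds: true };
  const gate = createTagGate(nav, defaults);
  const injected = [];
  // In a browser, inject would append the <script> element; here it records the id.
  for (const tag of SAMPLE_TAGS) gate.load(tag, (t) => injected.push(t.id));
  return { gpc: gate.gpc, loaded: gate.loaded, blocked: gate.blocked, injected };
}

console.log(runDemo({ globalPrivacyControl: true }));
console.log(runDemo({}));
```

A tag whose category has not been classified is blocked in both runs, so a newly added vendor cannot slip past the gate before someone decides whether it counts as a sale or share.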
Detecting GPC server-side
For SSR frameworks, edge middleware, or CDN workers, read the request header so the opt-out is applied before the first byte of HTML is generated. That way you can avoid injecting the relevant tags at all:
```javascript
// Edge middleware / server handler
const gpc = request.headers.get('Sec-GPC') === '1'
if (gpc) {
  // Don't inject sale/share tags; render the opt-out state
  response.headers.set('X-Consent-Optout', '1')
}
```

Server-side detection is the most reliable option because it doesn't depend on client JavaScript running first. Combine both: honor the header on the server and re-affirm with the DOM property on the client.
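Once the HTML differs depending on Sec-GPC, a shared cache can serve the tag-bearing variant to an opted-out visitor unless the response varies on that header. The added example below (not from the original guide) renders both variants for a Node-style lower-cased headers object and sets Vary accordingly; the tag path, the renderPage helper and the HTML are assumptions, and the gpc-status id is the one this page uses in its display-requirement section.

```javascript
// Added example. The tag path and page markup are constructed for illustration.
const SALE_SHARE_TAGS = ['<script src="/tags/ads.js"></script>']; // hypothetical path

function hasGpcHeader(headers) {
  // Node's http module lower-cases header names; the signal's value is "1".
  const v = headers['sec-gpc'];
  return typeof v === 'string' && v.trim() === '1';
}

function renderPage(headers) {
  const gpc = hasGpcHeader(headers);
  const responseHeaders = {
    'Content-Type': 'text/html; charset=utf-8',
    // The body depends on Sec-GPC, so shared caches must key on it.
    'Vary': 'Sec-GPC',
  };
  if (gpc) responseHeaders['X-Consent-Optout'] = '1';

  const body = [
    '<!doctype html><html><body>',
    // Static status text, no pop-up: filled in only when the signal was honored.
    `<p id="gpc-status">${gpc ? 'Opt-Out Preference Signal Honored' : ''}</p>`,
    // With GPC present the sale/share tags are never emitted at all.
    ...(gpc ? [] : SALE_SHARE_TAGS),
    '</body></html>',
  ].join('\n');

  return { gpc, headers: responseHeaders, body };
}

// Constructed requests: one with the signal, one without.
console.log(renderPage({ 'sec-gpc': '1' }).body);
console.log(renderPage({ 'user-agent': 'example' }).body);
```

Some CDNs build their cache key from configuration rather than from Vary, so confirm in your CDN settings that Sec-GPC is part of the key for these pages.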
What "honoring" actually means
GPC is a US-style opt-out signal. Under the CCPA/CPRA and equivalent state laws, honoring it means treating the visitor as having opted out of the sale and sharing of their personal information and of cross-context behavioral advertising. Practically, you disable the tags and data flows that constitute a "sale" or "share" (most ad and some analytics vendors) while strictly necessary processing continues.
Scope matters: GPC is an opt-out mechanism, so it's decisive in opt-out jurisdictions. It doesn't, by itself, satisfy the GDPR's opt-in requirement in the EU/UK, where you still need affirmative consent before non-essential cookies. A correct global banner reads GPC in US opt-out states and still shows an opt-in banner in the EEA. See one banner, global compliance. Twelve states already require honoring universal opt-out signals, including California, Colorado, Connecticut, Texas, Oregon, and Montana; the count keeps growing, so treat GPC support as a baseline (US state privacy laws).
California's 2026 display requirement
This is the change most banners haven't caught up with. Under the revised CCPA regulations, Cal. Code Regs. tit. 11, § 7025(c)(6), the earlier permissive "may display" became a requirement: a business must display whether it has processed the consumer's opt-out preference signal as a valid request. The regulator's own example is showing "Opt-Out Preference Signal Honored" when a GPC-enabled browser visits (11 CCR § 7025; California OAG on GPC). The revised requirement took effect on 1 January 2026.
So silently suppressing cookies is no longer sufficient in California. You must visibly acknowledge the signal. A minimal implementation:
```javascript
function markSignalHonored() {
  const el = document.getElementById('gpc-status')
  if (el) el.textContent = 'Opt-Out Preference Signal Honored'
  // Also reflect the opt-out in any toggle/radio in your preferences UI
}
```

Note the regulation's nuance: you must not fire a disruptive pop-up or interstitial in response to the signal itself, but a static status indicator (or a pre-set toggle in your preference center) is exactly what's expected.
Testing your implementation
GPC is enabled by default in some browsers and available as a setting in others. To test, use Firefox (Settings › Privacy & Security › "Tell websites not to sell or share my data"), Brave, or the DuckDuckGo browser, all of which send GPC natively; Chrome, Safari, and Edge need an extension such as OptMeowt. Then verify:
- navigator.globalPrivacyControl reads true in the console.
- The Sec-GPC: 1 header is present on the document request (Network tab).
- No sale/share tags fire and no advertising cookies are set.
- Your page visibly shows the signal was honored (California).
GPC is not the old Do Not Track
If you remember Do Not Track (DNT), don't treat GPC the same way. DNT was a voluntary header that almost no site honored and that carried no legal force. GPC is different: it's explicitly recognized as a valid opt-out mechanism under the CCPA and a growing set of state laws, which is why enforcement has followed. You can keep ignoring navigator.doNotTrack if you like, but navigator.globalPrivacyControl is now a legal obligation in the states that require it. The two aren't interchangeable.
Letting a CMP handle it
Doing this by hand across every tag, every state, and the display rule is fiddly and easy to regress. A consent platform like CookieBeam detects navigator.globalPrivacyControl and the Sec-GPC header automatically, applies the opt-out to the right vendor categories per region, renders the "signal honored" acknowledgment where required, and logs it for your proof-of-consent record. Pair it with the compliance checklist to cover the rest.