Global Privacy Control (GPC): What It Is and Why Your Site Must Honor It
What Is Global Privacy Control?
Global Privacy Control (GPC) is a browser-level signal that lets people automatically tell every website they visit not to sell or share their personal data. Instead of clicking "reject" on a cookie banner site by site, a user enables GPC once — in their browser or an extension — and that preference travels with them across the entire web.
Think of it as a universal opt-out switch. When GPC is on, the browser attaches a signal to each request and exposes it to JavaScript. Your website is expected to read that signal and treat it as a valid, legally binding privacy choice, with no banner interaction required.
Why GPC Matters Legally
GPC is not merely a courtesy. In a growing number of jurisdictions, honoring it is a legal obligation, and regulators have already taken enforcement action against companies that ignored it.
California (CCPA/CPRA)
Under the CCPA as amended by the CPRA, businesses must treat an opt-out preference signal as a request to opt out of the sale or sharing of personal information. The California Attorney General and the California Privacy Protection Agency have confirmed that GPC is a valid opt-out signal that must be respected, and failing to honor it has already led to public enforcement.
Other US States
Colorado, Connecticut, Texas, Oregon, Montana and several other states now require recognition of universal opt-out mechanisms. The list grows every year, and GPC is the de facto standard these laws point to — building support once aligns you with all of them.
Europe and GDPR
The GDPR does not name GPC explicitly, but it does require that consent be freely given and that withdrawing it be as easy as giving it. A clear, automated opt-out signal fits squarely within that principle, and EU regulators are showing growing interest in machine-readable preference signals.
How GPC Works Technically
GPC is intentionally simple. When a user enables it, the preference is surfaced in three complementary ways (the first two sent by the browser, the third published by the site):
- An HTTP header — every request includes Sec-GPC: 1, so your server can detect the signal before a single line of page JavaScript runs.
- A JavaScript property — navigator.globalPrivacyControl returns true, letting client-side scripts and consent tools react in the browser.
- A discoverable policy — sites may publish a /.well-known/gpc.json file describing how they interpret the signal.
Because the signal is available both server-side and client-side, you can enforce it at whichever layer fits your stack best.
How to Detect and Honor GPC on Your Site
Honoring GPC means automatically applying the user's opt-out without making them touch your banner. A robust implementation looks like this:
- Detect early. Read the Sec-GPC header on the server, or check navigator.globalPrivacyControl as soon as your consent script loads.
- Apply the opt-out. Suppress non-essential cookies, advertising and analytics tags, and any data sale or sharing for that visitor by default.
- Reflect the state. Show the banner in an opted-out state so the user can see their choice was understood, and can still grant consent if they genuinely want to.
- Log it. Record that the decision was driven by a GPC signal, with a timestamp, so you have auditable proof of compliance.
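The four steps above as plain JavaScript functions, added here as an example (not FlexyConsent's or the page's own code): header and navigator detection, the opt-out decision, a tag gate, the audit record, and the /.well-known/gpc.json body. The Express-style lowercase headers object, the navigator-like object and the purpose names are assumptions constructed for this example.

```javascript
// Added example (not FlexyConsent's code): the detect / apply / reflect / log
// steps above as plain functions. The headers object (lowercase keys, Express
// style), the navigator-like object and the purpose names are constructed here.

const PURPOSES = ['analytics', 'advertising', 'saleOrShare'];

// Server-side detection: the signal is set only when Sec-GPC is exactly "1".
// A missing header or any other value is treated as no signal.
function gpcFromHeaders(headers) {
  return String(headers['sec-gpc'] ?? '').trim() === '1';
}

// Client-side detection: navigator.globalPrivacyControl is true when enabled.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Decide the consent state for one visitor. With GPC set, every non-essential
// purpose is off by default; a later explicit banner grant may turn individual
// purposes back on, but the GPC origin of the decision is kept in the record.
function resolveConsent({ headers = {}, nav = null, explicitGrant = null,
                          now = new Date() } = {}) {
  const gpc = gpcFromHeaders(headers) || gpcFromNavigator(nav);
  const purposes = { essential: true };
  for (const p of PURPOSES) {
    // Without GPC nothing is decided yet (null): the banner still has to ask.
    let allowed = gpc ? false : null;
    if (explicitGrant && explicitGrant.purposes && p in explicitGrant.purposes) {
      allowed = explicitGrant.purposes[p] === true;
    }
    purposes[p] = allowed;
  }
  const source = gpc ? (explicitGrant ? 'gpc+explicit' : 'gpc')
                     : (explicitGrant ? 'explicit' : 'none');
  const bannerState = explicitGrant ? 'decided' : gpc ? 'opted-out' : 'undecided';
  // Step 4, "Log it": what was decided, why, and when, for the audit trail.
  const audit = { event: 'consent-decision', gpcDetected: gpc, source,
                  purposes: { ...purposes }, decidedAt: now.toISOString() };
  return { gpcDetected: gpc, bannerState, purposes, audit };
}

// Tag gate: a non-essential tag fires only when its purpose is affirmatively true.
function mayLoadTag(decision, purpose) {
  return decision.purposes[purpose] === true;
}

// Body of /.well-known/gpc.json announcing that the site honors the signal.
function wellKnownGpc(lastUpdate) {
  return { gpc: true, lastUpdate };
}
```

Because resolveConsent reads the header first, the opt-out is applied before any client script runs, which is the mistake the "header entirely ignored" case below describes.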
GPC vs. Cookie Banners: Do You Still Need Both?
Yes. GPC and consent banners solve overlapping but different problems. GPC is an opt-out signal that mainly addresses US-style "do not sell or share" rules, while the EU operates on an opt-in model where you must collect affirmative consent before setting non-essential cookies. A compliant site uses GPC to pre-apply the user's global preference and a banner to capture explicit consent where the law requires it. The two should reinforce each other, never contradict.
Common Mistakes to Avoid
- Ignoring the header entirely and only checking on the client, so data leaves before GPC is ever evaluated.
- Detecting GPC but doing nothing with it — recognition without enforcement is not compliance.
- Overriding the user by re-prompting GPC visitors with a banner that nudges them back into tracking.
- Forgetting documentation — without logs you cannot prove to a regulator that the signal was honored.
How FlexyConsent Handles GPC
FlexyConsent detects the GPC signal automatically on both the server and the client, applies the matching opt-out before any non-essential script fires, and records an auditable consent log for every visitor. You get universal opt-out support, multi-jurisdiction coverage, and proof of compliance out of the box — without writing the detection logic yourself. Honoring Global Privacy Control is quickly becoming table stakes, and the sites that get it right build durable trust with their users.