Global Privacy Control

Global Privacy Control (GPC) is a set of web technologies that can be used to inform websites of the user's wish to have their information not be sold or used by ad trackers. Unlike the now-deprecated Do Not <span lang="español" dir="ltr">Track</span> header, which was unsuccessful as it was ignored by third parties, GPC is intended to have legal force under privacy laws.

GPC was developed in 2020 by privacy technology researchers including Sebastian Zimmeck, professor at Wesleyan University, and Ashkan Soltani, former Chief Technologist of the Federal Trade Commission, as well as a group of privacy-focused companies including the Electronic Frontier Foundation and Automattic (owner of Tumblr and WordPress).

Implementation

The GPC specification defines two parts for implementing GPC in clients, and one part when implementing for servers.

The first part of a client implementation is a HTTP header with the form:

<code>Sec-GPC: 1</code>

The character '1' is the only allowed value for the header. There is deliberately no mechanism for extensibility; the creators of the standard have stated that they will create new headers if extension becomes necessary.

The second part of a client implementation is setting the <code>navigator.globalPrivacyControl</code> property to the value <code>true</code>.

Websites can optionally host a JSON-formatted file known as the GPC support resource at the well-known URI <code>.well-known/gpc.json</code> to indicate how they respond to the GPC signal. This file has up to two relevant members (all other members should be ignored): a <code>gpc</code> boolean member where <code>true</code> means that the server intends on complying with GPC requests, and <code>false</code> means it does not, and a <code>lastUpdate</code> member. By default, a website's support is unknown.

Adoption

GPC has been implemented by Mozilla Firefox, Brave, and DuckDuckGo Private Browser. GPC is not yet supported by Google Chrome or Microsoft Edge, despite Chrome still allowing users to enable the Do Not Track header. However, there are third-party extensions available for Chrome that enable sending the GPC header during HTTP requests, including the EFF's Privacy Badger extension and the DuckDuckGo Privacy Essentials add-on amongst others. Many websites including the New York Times and Washington Post have started to recognize and respect GPC signals.

Legal status

, GPC has legal authority in four states:

• In Colorado, GPC was the first Universal Opt-Out Mechanism (UOOM) to be recognized as meeting the standards of the Colorado Privacy Act (CPA).
• GPC signals achieved legal status in Connecticut on January 1, 2025, when the Connecticut Data Privacy Act (CDPA) took effect.
• New Jersey started requiring businesses to respect universal opt-out mechanisms such as GPC under the New Jersey Data Privacy Law (NJDPL) which went into effect on July 15, 2025.
• In California, unlike the Do Not Track header, GPC is a valid do-not-sell-my-personal-information signal according to the California Consumer Privacy Act (CCPA), which stipulates that websites are legally required to respect a signal sent by users who want to opt-out of having their personal data sold. In July 2021, the California Attorney General clarified that under law, the Global Privacy Control signal must be honored.

Enforcement actions

On August 24, 2022, the California Attorney General announced Sephora paid a $1.2 million settlement for allegedly failing to process opt-out requests via a user-enabled global privacy control signal. Later on July 1, 2025, the California Attorney General announced the largest CCPA settlement to date of $1.55 million against Healthline.com for failing to allow consumers to opt out of targeted advertising and for sharing data with third parties without CCPA-mandated privacy protections.

References

External links

• Full technical specification