What Is Global Privacy Control (GPC)? How the Universal Opt-Out Signal Works

What is Global Privacy Control (GPC)? See how the Sec-GPC signal works, which browsers send it, which states require honoring it, and how to turn it on.


by Riad Us Salehin • 5 July 2026


Global Privacy Control (GPC) is a browser or device setting that automatically tells websites not to sell or share your personal data. When enabled, it acts as a universal "Do Not Sell or Share" request that several US state privacy laws legally require businesses to honor.

This guide covers how the GPC signal works under the hood, which browsers send it, and how to turn it on. It also covers which states enforce GPC and how it differs from the older Do Not Track setting.

What Is Global Privacy Control (GPC)?

Global Privacy Control is a technical specification, not a product. It lets a browser or extension automatically communicate a visitor's opt-out preference to every website it visits. This replaces the need to submit a separate opt-out request on each site.

Manually opting out of data sale on every website does not scale. A person might visit dozens of sites a week, and each one can bury its opt-out link in a different footer or settings page.

GPC solves this by turning on the signal once, in one browser or extension, so it applies everywhere automatically. It serves any web user who wants a standing, browser-level privacy preference instead of a per-site chore.

GPC was developed in 2020 by Sebastian Zimmeck, a Wesleyan University computer science professor, and Ashkan Soltani, former FTC Chief Technologist. The Electronic Frontier Foundation and Automattic backed the effort, alongside browser makers Brave, DuckDuckGo, and Mozilla.

Note: "GPC" also refers to Alpha-GPC, an unrelated nootropic supplement. This article covers only the privacy signal.

Site-side adoption is measurable and growing. As of May 2, 2026, close to 400,000 websites publicly declared that they honor GPC through a site-side /.well-known/gpc.json file. That figure comes from Wikipedia's count of the published resource. Major publishers including the New York Times and the Washington Post recognize the signal. Consumer awareness still lags that adoption. Community discussion on Reddit's r/privacy notes that most everyday users have never heard of GPC, even as participating sites grow.

How Does the Global Privacy Control Signal Work?

GPC works by sending an automatic, machine-readable opt-out signal with every page request, so a website never has to guess a visitor's privacy preference.

The signal moves through four steps:

  1. A user turns GPC on once, in a supporting browser or a browser extension.
  2. On every subsequent page request, the browser transmits the signal two ways at once. It sends an HTTP request header Sec-GPC: 1 (the only valid value is the character "1") and a JavaScript property navigator.globalPrivacyControl set to true.
  3. The website reads the incoming signal. A covered business must treat a valid GPC signal as an opt-out of the sale or sharing of that visitor's personal data.
  4. A site can publish its own honoring status at the well-known address /.well-known/gpc.json. That resource is a small JSON file such as { "gpc": true, "lastUpdate": "2025-04-15" } that server operators and auditors can check directly.

That /.well-known/gpc.json resource is a detail most GPC explainers skip. The W3C specification defines it precisely: it is optional and must be served as application/json. Any site can use it to machine-verify its own compliance status without inspecting live traffic.

Which Browsers and Extensions Support GPC?

Brave, DuckDuckGo, and Firefox support GPC directly; Chrome, Edge, and Safari need a browser extension to send the signal.

Browser or extensionNative GPC?How to enable
BraveYes, on by defaultNo action needed
DuckDuckGo (browser and Privacy Essentials extension)Yes, on by defaultNo action needed
Mozilla FirefoxYes, via a settings toggleSettings, then Privacy & Security
Google ChromeNoInstall an extension (see below)
Microsoft EdgeNoInstall an extension (see below)
SafariNoInstall an extension (see below)

Browsers That Send GPC Automatically

Brave and DuckDuckGo both enable GPC by default, so a user on either takes no action to start sending the signal. Firefox ships GPC as a toggle. Since version 120, a user checks one box in Settings to turn it on, and it stays on until switched off.

Why Chrome and Safari Need an Extension

Google Chrome and Microsoft Edge do not send GPC natively as of writing, and Safari has no built-in GPC setting either. A user on any of these three browsers adds an extension to start sending the signal instead. Options include Privacy Badger from the EFF, DuckDuckGo Privacy Essentials, or a dedicated extension like GPC Inspector.

Chrome's own platform-status tracker lists a GPC feature entry under consideration, so native support could change. No browser has shipped it as of this writing.

How to Turn On Global Privacy Control

Turning on GPC takes one setting change in a supporting browser, or one extension install in a browser that lacks native support.

  1. Confirm which browser you use. Brave and DuckDuckGo already send GPC; skip to step 4.
  2. In Firefox, open Settings, then Privacy & Security. Check the box under Website Privacy Preferences labeled "Tell websites not to sell or share my data."
  3. In Chrome, Edge, or Safari, install a GPC-supporting extension such as Privacy Badger instead.
  4. Visit the official Global Privacy Control test page at globalprivacycontrol.org and confirm it reports the signal as detected.

Turning GPC off reverses the same toggle in Firefox, or disables or removes the extension in Chrome, Edge, or Safari. Mozilla is direct about GPC's limits: the signal "only sends a request", so turning it on does not block scripts or delete data already collected. It will not break a site's normal functionality.

Is Global Privacy Control Legally Binding?

Yes, with scope. Because GPC is a single standardized signal, state privacy laws can point to it directly, which is what gives it legal weight. Covered businesses in states that recognize it must honor a GPC signal as a valid opt-out of data sale or sharing. GPC does not create a legal obligation everywhere on its own.

California established this first. The California Attorney General issued guidance in January 2021 that a GPC signal is a legally binding opt-out request. That guidance is reinforced by CCPA Regulations Section 7025 (formerly Section 999.315) and Civil Code Section 1798.135(c). A business that sells or shares personal data must offer at least two opt-out methods, and GPC can serve as one.

Enforcement is not theoretical. On August 24, 2022, the California Attorney General announced that Sephora paid a $1.2 million settlement. The company allegedly failed to process opt-out requests submitted through a user-enabled GPC signal. Community reporting on Reddit and elsewhere has since tracked sites ignoring GPC despite the CCPA's requirement, part of why enforcement keeps escalating across more states.

GPC's reach may extend beyond US state law. The GPC project's own FAQ notes that a GPC signal could create a legally binding obligation for data controllers under the GDPR. This reading is less settled than the CCPA framework, and this article covers only the CCPA-style state framework in depth.

The CCPA is the underlying statute that gives GPC its legal force in California. GPC automates the same "Do Not Sell or Share My Personal Information" request a consumer would otherwise submit by hand.

Which US States Require Businesses to Honor GPC

Six US states currently require covered businesses to honor GPC or an equivalent universal opt-out signal, and the list is growing.

  • California: legally binding since January 2021 Attorney General guidance, reinforced by CCPA regulations issued March 2023
  • Colorado: the Attorney General's registry named GPC the only recognized mechanism in February 2024; the honoring requirement took effect July 1, 2024
  • Connecticut: state guidance treats GPC as a valid universal opt-out under the CTDPA
  • New Jersey: state guidance treats GPC as a valid universal opt-out
  • Oregon: the honoring requirement took effect January 1, 2026, under the Oregon Consumer Privacy Act
  • Texas: the Texas Data Privacy and Security Act recognizes an opt-out signal once another state already recognizes it (cross-reference, not a direct GPC naming)

More states recognize a broader category of universal opt-out mechanisms that GPC satisfies. For the full state-by-state requirement matrix, see opt-out preference signals.

Global Privacy Control vs Do Not Track

GPC is the enforceable successor to Do Not Track. Do Not Track was a voluntary request websites could ignore, while GPC carries legal weight under laws like the CCPA.

AttributeDo Not Track (DNT)Global Privacy Control (GPC)
Introduced20092020
Legal enforceabilityNone; a polite, ignorable requestLegally binding in states that recognize it
Industry adoptionFizzled; Firefox retired its DNT toggleBacked by Brave, Firefox, DuckDuckGo, and integrated into consent platforms
What it signalsAn ambiguous, non-standardized "do not track me" preferenceA specific opt-out of the sale or sharing of personal data

Firefox has replaced its Do Not Track toggle with Global Privacy Control, reflecting the industry's shift toward the signal that regulators actually enforce.

How Websites Detect and Honor a GPC Signal

A covered business detects GPC by reading the incoming Sec-GPC header or the navigator.globalPrivacyControl property. It then treats a valid signal as an opt-out of sale or sharing for that visitor.

Honoring the signal means three things: suppressing the data-sharing the opt-out covers, applying it before any sale occurs, and recording the event as proof. One way a covered site suppresses that sharing at the tag level is to set up Google Consent Mode. Ad and analytics tags then respect the signal automatically.

A genuine, community-sourced caution is worth stating plainly: a vendor's documentation mentioning GPC support is not proof the signal is actually honored in production. Site owners and buyers should confirm real behavior instead, for example by checking a site's /.well-known/gpc.json file or testing with a GPC inspector extension.

How Consently Supports Your US Opt-Out Requirements

Consently gives you the consumer-facing side of US opt-out compliance: an opt-out banner, a Do-Not-Sell control, region-based display, and consent records. Honoring the GPC browser signal itself is a separate technical step, one a covered business handles at the server or tag level.

Consently's CCPA / US State Laws Opt-Out Template shows US visitors a compliant opt-out banner instead of the opt-in model GDPR requires. Automatic Geotargeting pairs with that template to display the correct banner by visitor location, without you building region logic yourself.

Consent Logs record every visitor's choice with export support, giving you an audit trail for how and when opt-out choices were captured. Consently's cookie and privacy policy generators help you disclose your sale and sharing practices in plain language alongside the banner.

One honest limit: Consently does not currently detect or honor the GPC browser signal itself. Pair Consently's opt-out banner and consent records with your own GPC-handling at the server or tag level if your traffic includes states that require it. The opt-out preference signals guide above covers what that obligation involves.

Start a free trial to set up your US opt-out banner and consent records in minutes.

FAQs

What is Global Privacy Control in simple terms?

Global Privacy Control is a browser or extension setting that automatically asks every website you visit not to sell or share your personal data. In states that recognize it, businesses must treat it as a valid opt-out request.

What does GPC stand for?

GPC stands for Global Privacy Control. It is the name of both the technical signal a browser sends and the nonprofit specification project that maintains it.

Is Global Privacy Control legit?

Yes. GPC is a real specification backed by the Electronic Frontier Foundation, Automattic, and major browser makers. State privacy regulators, including California's Attorney General, recognize it. Note that "GPC" separately refers to Alpha-GPC, an unrelated dietary supplement; this signal has nothing to do with that product.

How do I turn off Global Privacy Control?

Reverse the same setting you used to turn it on. Uncheck the toggle in Firefox's Privacy & Security settings, or disable or remove the GPC-sending extension in Chrome, Edge, or Safari. Turning it off does not affect any site's normal functionality.

Does GPC block all cookies or stop all tracking?

No. GPC signals a request to opt out of the sale or sharing of personal data. It is not an ad blocker, and it does not delete data already collected; essential cookies and other tracking outside that scope are unaffected.

How do I check if my GPC signal is working?

Visit the official Global Privacy Control test page at globalprivacycontrol.org, which confirms whether your browser is transmitting the signal. Alternatively, install a GPC inspector extension that reports the signal on any site you visit.

Does Google Chrome support Global Privacy Control?

Not natively, as of writing. Chrome users add an extension, such as Privacy Badger or a dedicated GPC extension, to send the signal. Chrome's own platform-status tracker lists native support as a tracked feature, but it has not shipped.

Is GPC the same as an opt-out preference signal?

GPC is the leading, most widely recognized opt-out preference signal. "Opt-out preference signal" is the broader legal term some state laws use for any qualifying mechanism. The opt-out preference signals guide linked above covers the full picture.

AUTHOR

Riad Us Salehin is the content lead at Dorik. He is a passionate content creator who lets the work speak for itself. Focused on taking brands and causes to the next level.

Read More

Subscribe to Consently
Newsletter

Subscribe to our newsletter to stay updated with latest articles from our blog.

Built with ❤️ by the team @ Dorik.com 

GET IN TOUCH

Any questions? Feel free to chat with us or reach out to us at

For any queries:
support@consently.net

Follow us:


©2026 Dorik, Inc. All rights reserved.