Global Privacy Control (GPC) explained
What Global Privacy Control is, how the GPC browser signal works, where it is legally binding such as under California's CPRA, and how your site should detect and honor it.
What Global Privacy Control is
Global Privacy Control, usually shortened to GPC, is a signal that a browser or extension sends on the visitor's behalf to say they do not want their personal information sold or shared. Rather than clicking an opt-out on every site they visit, the person sets the preference once in their browser and it travels with them automatically.
It exists because opt-out laws put the burden on consumers to say no everywhere, which is impractical. GPC turns a per-site chore into a one-time choice that sites are expected to respect.
How the signal works technically
GPC is expressed in two ways: as an HTTP header, Sec-GPC, sent with requests, and as a JavaScript property, navigator.globalPrivacyControl, that your code can read in the browser. When either is present and set, it means the visitor has enabled the control.
Detecting it is straightforward: your consent platform checks for the signal early in the page lifecycle and, if found, applies the opt-out before trackers that would sell or share data have a chance to run. The point is that no banner interaction is required: the signal itself is the opt-out.
Where GPC is legally binding
California's CPRA is the clearest case. Regulators there have stated that a GPC signal must be treated as a valid request to opt out of the sale or sharing of personal information, and enforcement has followed against businesses that ignored it. Other US state laws, including Colorado, Connecticut, Texas and Oregon, also require honoring a universal opt-out mechanism, and GPC is the recognized one.
So if you serve consumers in these states, ignoring GPC is not a gray area. The signal carries the force of a submitted opt-out request.
How your site should honor it
Honoring GPC means three things. First, detect the signal as early as possible so you can act before any selling or sharing happens. Second, automatically apply the opt-out, suppressing the trackers and data flows that count as sale or sharing under the applicable law. Third, reflect the state back to the visitor where appropriate, so an informed user sees that their preference was recognized.
With ConsentX, GPC detection is built in. When the signal is present, the platform applies the opt-out automatically and records that it did, which is the evidence you would point to if a regulator asks whether you honored universal opt-out signals.
GPC and consent banners together
GPC does not replace your consent banner; it complements it. In opt-out regions the banner offers a manual Do Not Sell or Share control, and GPC offers the automatic one. A visitor with GPC enabled should be opted out without ever touching the banner, while a visitor without it can still use the on-page control.
In opt-in regions like the EU, GPC is less central because consent is already required up front, but honoring it still signals respect for the visitor's stated preference. The cleanest design treats GPC as one more input into the same consent state your banner manages.
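The three steps under "How your site should honor it" and the single consent state described above can be sketched as follows. This is an added example, not ConsentX code: it models an opt-out region, and resolveConsent, trackersToLoad, the sellsOrShares flag and the sample tracker list are hypothetical names. It also assumes that a GPC opt-out takes precedence over a stored banner choice.

```javascript
// Constructed sample data: which tags count as sale or sharing is your own classification.
const SAMPLE_TRACKERS = [
  { name: 'first-party-analytics', sellsOrShares: false },
  { name: 'ad-network-pixel', sellsOrShares: true },
];

// Server side: the Sec-GPC request header carries the value "1" when the control is on.
// Header names are case-insensitive, so compare them lowercased.
function gpcFromHeaders(headers = {}) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === 'sec-gpc') return String(value).trim() === '1';
  }
  return false;
}

// Browser side: navigator.globalPrivacyControl is true when the control is on.
// Pass the navigator object in so the function also runs outside a browser.
function gpcFromNavigator(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// Steps 1 and 2: detect the signal, then fold it into the same state the banner manages.
// Assumption (not from the page): GPC wins over a stored banner choice.
function resolveConsent({ headers, nav, bannerOptOut = false, now = new Date() } = {}) {
  const gpc = gpcFromHeaders(headers) || gpcFromNavigator(nav);
  const optedOut = gpc || bannerOptOut;
  return {
    saleOrSharingAllowed: !optedOut,
    source: gpc ? 'gpc' : bannerOptOut ? 'banner' : 'default',
    // Step 3: text to reflect back to the visitor when the signal was recognized.
    notice: gpc ? 'Opt-out preference signal honored' : null,
    // Record of what was detected and applied, kept as evidence.
    record: { gpc, optedOut, at: now.toISOString() },
  };
}

// Call this before injecting any tag: sale/sharing trackers are dropped when opted out.
function trackersToLoad(consent, trackers) {
  return trackers.filter((t) => consent.saleOrSharingAllowed || !t.sellsOrShares);
}
```

In the browser, call resolveConsent({ nav: navigator }) before any tag is injected; on the server, pass the incoming request headers.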
This guide is a plain-English summary for general information and is not legal advice. Confirm your obligations with qualified counsel.
Frequently asked questions
Do I legally have to honor Global Privacy Control?
In California under the CPRA, yes, a GPC signal must be treated as a valid opt-out of sale or sharing. Several other US states also require honoring a universal opt-out mechanism, which GPC fulfills.
What is the difference between GPC and Do Not Track?
Do Not Track was an earlier signal that sites were never legally required to honor and largely ignored. GPC is tied to enforceable opt-out laws, so it carries legal weight that Do Not Track never had.
Does GPC work in the EU under GDPR?
The GDPR uses an opt-in model, so consent is required up front regardless. Honoring GPC still respects the visitor's preference, but it is most legally significant in opt-out regimes like California.