Global Privacy Control Header How It Works And Who Supports

The Global Privacy Control (GPC) header represents a significant advancement in user privacy signaling on the web. Unlike its predecessor Do Not Track (DNT), GPC carries legal weight under several privacy regulations, making it a more practical tool for privacy-conscious users and developers alike.

What Is Global Privacy Control?

Global Privacy Control is an HTTP header that browsers send to indicate a user’s preference to opt out of data selling and targeted advertising. Unlike DNT, which was purely advisory, GPC has regulatory backing:

California Consumer Privacy Act (CCPA): California’s attorney general stated that GPC signals satisfy the “opt-out of sale” requirement
Virginia Consumer Data Protection Act (VCDPA): Recognizes GPC as a valid opt-out signal
Colorado Privacy Act: Also acknowledges GPC as a legitimate privacy preference

This legal recognition distinguishes GNC from earlier privacy headers and makes compliance more straightforward for businesses.

How the GPC Header Works

When a user enables privacy protections in their browser, every HTTP request includes the GPC header. The header value is straightforward:

Sec-GPC: 1

The Sec- prefix indicates this is a fetch metadata header, providing additional security context about the request.

Detecting GPC in JavaScript

You can check for GPC support using the navigator.globalPrivacyControl property:

if (navigator.globalPrivacyControl === true) {
  console.log('User has enabled Global Privacy Control');
  // Adjust tracking/personalization accordingly
}

This property returns true when the user has opted out, false when they haven’t, and undefined when the browser doesn’t support GPC.

Server-Side Detection

On the server, you can detect the GPC header in your request processing:

Node.js/Express:

app.get('/api/content', (req, res) => {
  const gpcValue = req.headers['sec-gpc'];

  if (gpcValue === '1') {
    // User has opted out of data sale
    // Disable analytics, personalization, and third-party sharing
    disableTracking(req.userId);
    disablePersonalization(req.sessionId);
  }

  res.json({ /* content */ });
});

Python/Flask:

@app.route('/api/content')
def get_content():
    gpc_header = request.headers.get('Sec-GPC')

    if gpc_header == '1':
        # Respect user's privacy preference
        disable_tracking()
        disable_personalization()

    return jsonify({ /* content */ })

PHP:

<?php
$gpc_value = $_SERVER['HTTP_SEC_GPC'] ?? null;

if ($gpc_value === '1') {
    // Respect privacy preference
    disable_analytics();
    disable_ad_tracking();
}
?>

If you manage cookies through a consent platform, GPC should override consent preferences:

function shouldBlockTracking() {
  // GPC takes precedence over cookie consent
  if (navigator.globalPrivacyControl === true) {
    return true;
  }

  // Fall back to cookie consent check
  return !hasCookieConsent();
}

Browser Support for Global Privacy Control

GPC support varies across browsers. Here’s the current landscape:

Desktop Browsers

Brave: Full support, enabled by default in all privacy settings
Firefox: Native support, user must enable in settings
Edge: Supports GPC but not enabled by default
Chrome: No native GPC support as of early 2026
Safari: Partial support through Intelligent Tracking Prevention

Mobile Browsers

Brave (iOS/Android): Full support
Firefox (iOS/Android): Supported
Safari (iOS): Integrates with iOS privacy features
Chrome (Android): Limited support

Browser Implementation Details

Users typically find GPC settings in:

Brave: Settings → Privacy and security → “Send Global Privacy Control signal”
Firefox: Settings → Privacy & Security → “Tell websites not to sell or share my data”

Who Supports GPC? Companies and Platforms

The list of companies honoring GPC signals has grown significantly:

Major Platforms

Google: Honors GPC for California users through AdSettings
Meta: Respects GPC for covered jurisdictions
Amazon: Implements GPC for advertising personalization
Microsoft: Applies GPC across its advertising ecosystem

Ad Networks and Trackers

Google Ads: Processes GPC signals in covered states
Meta Ads: Recognizes GPC for targeted advertising
Trade Desk: Supports GPC as a universal opt-out signal
LiveRamp: Honored GPC before retiring third-party data

Tools and Frameworks

Most modern consent management platforms (CMPs) respect GPC:

OneTrust: Automatically detects and honors GPC
Cookiebot: Processes GPC alongside consent signals
TrustArc: Recognizes GPC as a valid opt-out mechanism

Implementing GPC on Your Website

If you run a website, here’s how to properly handle GPC:

Step 1: Detect the Signal

Add server-side logic to check for the Sec-GPC header on incoming requests.

Step 2: Disable Tracking

When GPC is detected, ensure you:

Don’t set advertising cookies
Disable analytics personalization
Don’t share data with third parties
Don’t sell user data

Step 3: Communicate Compliance

Add a notice in your privacy policy acknowledging GPC support:

“We respect the Global Privacy Control (GPC) signal. When detected, we automatically disable all tracking, personalization, and data sharing that would constitute a sale under applicable privacy laws.”

Limitations of GPC

GPC isn’t a complete privacy solution. Be aware of these constraints:

Geographic limitations: Legal requirements apply only in specific jurisdictions
First-party tracking: GPC doesn’t block all tracking—just cross-site sharing
Implementation gaps: Some companies still ignore GPC despite legal requirements
No fingerprinting protection: GPC doesn’t prevent browser fingerprinting

Testing GPC Implementation

Verify your GPC handling works correctly:

# Test with curl
curl -H "Sec-GPC: 1" https://yourwebsite.com

# Check response headers for proper processing
# Verify no tracking cookies are set

Browser developer tools also show the GPC header in the Network tab when making requests.

Built by theluckystrike — More at zovo.one