Global Privacy Control

Global Privacy Control (GPC) is a set of web technologies that can be used to inform websites of the user's wish to have their information not be sold or used by ad trackers.^[1] Unlike the now-deprecated Do Not Track header, which was unsuccessful as it was ignored by third parties, GPC is intended to have legal force under privacy laws.^[2][3]

GPC was developed in 2020 by privacy technology researchers including Sebastian Zimmeck, professor at Wesleyan University, and Ashkan Soltani, former Chief Technologist of the Federal Trade Commission, as well as a group of privacy-focused companies including the Electronic Frontier Foundation and Automattic (owner of Tumblr and WordPress).^[4]

The GPC specification defines two parts for implementing GPC in clients, and one part when implementing for servers.

The first part of a client implementation is a HTTP header with the form:

Sec-GPC: 1

The character '1' is the only allowed value for the header.^[5] There is deliberately no mechanism for extensibility; the creators of the standard have stated that they will create new headers if extension becomes necessary.^[6]

The second part of a client implementation is setting the navigator.globalPrivacyControl property to the value true.^[7]

Websites can optionally host a JSON-formatted file known as the GPC support resource at the well-known URI .well-known/gpc.json to indicate how they respond to the GPC signal. This file has up to two relevant members (all other members should be ignored): a gpc boolean member where true means that the server intends on complying with GPC requests, and false means it does not, and a lastUpdate member.^[8] By default, a website's support is unknown.

GPC has been implemented by Mozilla Firefox,^[9] Brave,^[10] and DuckDuckGo Private Browser.^[11][10] GPC is not yet supported by Google Chrome^[12] or Microsoft Edge,^[10] despite Chrome still allowing users to enable the Do Not Track header.^[13] However, there are third-party extensions available for Chrome that enable sending the GPC header during HTTP requests, including the EFF's Privacy Badger extension^[14] and the DuckDuckGo Privacy Essentials add-on^[15] amongst others. Many websites including the New York Times and Washington Post have started to recognize and respect GPC signals.^[11]

As of March 2026^[update], GPC has legal authority in four states:

• In Colorado, GPC was the first Universal Opt-Out Mechanism (UOOM) to be recognized as meeting the standards of the Colorado Privacy Act (CPA).^[16]
• GPC signals achieved legal status in Connecticut on January 1, 2025, when the Connecticut Data Privacy Act (CDPA) took effect.^[17]
• New Jersey started requiring businesses to respect universal opt-out mechanisms such as GPC under the New Jersey Data Privacy Law (NJDPL) which went into effect on July 15, 2025.^[18]
• In California, unlike the Do Not Track header, GPC is a valid do-not-sell-my-personal-information signal according to the California Consumer Privacy Act (CCPA), which stipulates that websites are legally required to respect a signal sent by users who want to opt-out of having their personal data sold.^[19] In July 2021, the California Attorney General clarified that under law, the Global Privacy Control signal must be honored.

On August 24, 2022, the California Attorney General announced Sephora paid a $1.2 million settlement for allegedly failing to process opt-out requests via a user-enabled global privacy control signal.^[20] Later on July 1, 2025, the California Attorney General announced the largest CCPA settlement to date of $1.55 million against Healthline.com for failing to allow consumers to opt out of targeted advertising and for sharing data with third parties without CCPA-mandated privacy protections.^[21]

• Official website
• Full technical specification