Global Privacy Control (GPC) is a technical specification that enables a browser or device to transmit a persistent Sec-GPC HTTP header, signaling a user's universal opt-out preference from the sale or sharing of their personal data to all visited sites without requiring per-site interaction. It functions as a legally binding mechanism under regulations like the California Consumer Privacy Act (CCPA) and Colorado Privacy Act (CPA), transforming a browser setting into an automated exercise of rights.
Glossary
Global Privacy Control (GPC)

What is Global Privacy Control (GPC)?
A browser-level mechanism that automates the exercise of privacy rights by broadcasting a user's intent to opt out of data sales and sharing to every website they visit.
GPC eliminates the need for repetitive cookie consent banners by communicating a binary 1 (do not sell/share) or 0 signal at the transport layer. For privacy engineers and data architects, implementing GPC compliance requires modifying consent management platforms (CMPs) to respect the header as a valid opt-out, integrating it into identity resolution pipelines to suppress data flows, and ensuring downstream customer data platforms (CDPs) honor the signal to maintain a compliant data posture.
Core Characteristics of GPC
Global Privacy Control (GPC) is a technical specification that enables users to automatically broadcast a legally binding 'Do Not Sell or Share My Personal Information' signal to every website they visit, eliminating the need for repetitive cookie banners.
Browser-Level Opt-Out Signal
GPC operates as a persistent HTTP header or JavaScript property (navigator.globalPrivacyControl) sent with every request. Once a user enables the setting in a supported browser or extension, the signal is always on, communicating a universal opt-out preference without requiring per-site interaction. This shifts the burden from the user to the data controller, who must detect and respect the signal.
Interaction with Consent Management Platforms
A Consent Management Platform (CMP) must detect the GPC signal and propagate the opt-out status to downstream vendors. The standard interaction model dictates:
- If GPC is active, the CMP should suppress the sale of data by default.
- The CMP should not display a full consent wall if the user has already signaled a universal opt-out.
- The signal overrides conflicting legacy cookie preferences.
Technical Detection Mechanism
Websites detect GPC through two primary methods:
- Server-Side: Checking for the
Sec-GPC: 1HTTP header on incoming requests. - Client-Side: Reading the
navigator.globalPrivacyControlboolean property via JavaScript. The specification requires that the signal be sent at the top-level page load and to all embedded third-party iframes, ensuring ad-tech scripts also receive the opt-out.
Distinction from Do Not Track (DNT)
Unlike the failed Do Not Track (DNT) header, which was a voluntary advisory signal with no legal weight, GPC is backed by regulatory enforcement. DNT was a binary DNT: 1 header that advertisers ignored. GPC is a legally defined mechanism within modern privacy legislation, making it a mandatory compliance vector rather than a polite request.
Impact on Identity Resolution
When a GPC signal is active, deterministic and probabilistic cross-device identity resolution must be suspended for the purpose of selling or sharing data. The signal does not necessarily break essential first-party operations (like fraud prevention), but it strictly prohibits the transfer of the user's behavioral profile to external ad-tech networks, directly limiting the scope of a Customer Data Platform (CDP) activation.
Frequently Asked Questions
Clear, technical answers to the most common questions about the Global Privacy Control (GPC) signal, its legal standing, and its technical implementation for engineers and privacy professionals.
Global Privacy Control (GPC) is a browser-level signal that communicates a user's universal opt-out preference to every website they visit, automating the exercise of privacy rights under laws like the California Consumer Privacy Act (CCPA) and the Colorado Privacy Act (CPA). Technically, GPC is implemented as an HTTP header—Sec-GPC: 1—or a JavaScript property—navigator.globalPrivacyControl—that the browser sends with every request. When a user enables GPC in their browser settings or via a privacy-focused extension, the signal acts as a persistent, machine-readable declaration that the user objects to the sale or sharing of their personal data. Websites and ad-tech platforms must detect this signal and suppress data sales, third-party cookie sharing, and targeted advertising for that session. Unlike per-site cookie consent banners, GPC provides a one-to-many enforcement mechanism, eliminating the need for users to manually opt out on every individual website they visit. The signal is binary: it is either present (true) or absent, leaving no ambiguity about the user's intent. The specification is maintained by a coalition of privacy advocates, technologists, and publishers, and is designed to be compatible with existing browser security models without introducing new fingerprinting vectors.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Global Privacy Control (GPC) operates within a broader ecosystem of privacy-enhancing technologies and regulatory frameworks. These related concepts define the technical and legal landscape for automated consent signaling.
Do Not Track (DNT)
The deprecated predecessor to GPC. DNT was an HTTP header (DNT: 1) that expressed a user's tracking preference but lacked legal enforcement. GPC improves upon DNT by being legally recognized under CCPA and transmitted as a browser-level setting that cannot be overridden by individual sites, solving the voluntary compliance problem that doomed DNT.
Universal Opt-Out Mechanism (UOOM)
The legal term of art used in regulations like the CCPA to describe a technical standard that allows a consumer to exercise opt-out rights with all businesses automatically, rather than on a site-by-site basis. GPC is the leading technical implementation of a UOOM, satisfying the requirement for a signal that is persistent, unambiguous, and consumer-controlled.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us