Global Privacy Control (GPC) is a proposed web standard that functions as a persistent, binary signal—either Sec-GPC: 1—sent via the HTTP header or the JavaScript navigator.globalPrivacyControl property. Unlike cookie-based consent banners that operate on a per-site basis, GPC is configured once at the browser or device level and automatically communicates the user's objection to the sale or sharing of personal data and targeted advertising to every online service they encounter, eliminating the need for repetitive manual opt-out interactions.
Glossary
Global Privacy Control (GPC)

What is Global Privacy Control (GPC)?
Global Privacy Control (GPC) is a browser-level technical specification that transmits a user's universal opt-out preference to every website and service they visit, legally recognized as a valid mechanism for exercising the right to opt out of the sale or sharing of personal information under the California Consumer Privacy Act (CCPA) as amended by the CPRA.
The signal is legally enforceable under the California Consumer Privacy Act (CCPA/CPRA) , where the California Attorney General has affirmed that businesses must honor GPC as a valid opt-out request. It is also recognized under Colorado's CPA and Connecticut's CTDPA. For privacy engineers, implementing GPC compliance requires detecting the signal at the application edge, suppressing third-party tracking scripts, and treating the preference as a verified consumer request that must be recorded in the consent audit trail alongside the timestamp and identity scope.
Key Features of Global Privacy Control
Global Privacy Control (GPC) is a technical specification that enables users to automatically signal their privacy preferences to every website they visit. Legally recognized under the California Consumer Privacy Act (CCPA/CPRA), it functions as a browser-level 'Do Not Sell or Share My Personal Information' toggle.
Browser-Level Signal Transmission
GPC operates as an HTTP header (Sec-GPC: 1) or a JavaScript DOM property (navigator.globalPrivacyControl). When enabled, the browser sends this signal with every outgoing request, eliminating the need for users to manually opt out on each individual website. This represents a shift from site-by-site consent management to a universal, set-and-forget privacy posture.
Interaction with Consent Management Platforms
GPC introduces a precedence conflict with traditional Consent Management Platforms (CMPs). When a user has both a GPC signal enabled and a prior CMP consent record, the GPC signal should override any conflicting consent. Technical implementations must:
- Detect the GPC signal before firing consent-gated tags
- Suppress data sharing even if a CMP previously recorded 'consent granted'
- Log the GPC signal as a consent audit trail event for compliance documentation
Technical Implementation for Websites
Websites detect GPC through two primary methods:
Server-Side Detection:
- Inspect the
Sec-GPCHTTP header on incoming requests - Apply opt-out logic before any data processing occurs
Client-Side Detection:
- Query
navigator.globalPrivacyControlvia JavaScript - If the value is
true, disable all third-party tracking scripts and data sale APIs
Both methods should be implemented redundantly to ensure robust detection across all browser implementations.
GPC vs. Do Not Track (DNT)
GPC is the legally enforceable successor to the failed Do Not Track (DNT) header. Critical differences:
- DNT: Voluntary compliance; largely ignored by industry
- GPC: Mandatory compliance under CCPA/CPRA; backed by regulatory enforcement
- DNT: Used the
DNT: 1header with no legal weight - GPC: Uses
Sec-GPC: 1and is recognized as a valid consumer request
This legal distinction transforms GPC from an advisory signal into a binding data subject right.
Frequently Asked Questions
Clear answers to the most common technical and legal questions about implementing and respecting the Global Privacy Control signal.
Global Privacy Control (GPC) is a browser-level signal that communicates a user's universal opt-out preference to every website they visit, legally recognized under the CCPA/CPRA. It functions as a 'Do Not Sell or Share My Personal Information' request transmitted automatically via the HTTP Sec-GPC header or the JavaScript navigator.globalPrivacyControl property. When enabled, the browser sends Sec-GPC: 1 with every request, eliminating the need for users to manually opt out on each individual site. This technical specification was developed by a coalition of privacy advocates, technologists, and publishers to create a standardized, machine-readable mechanism that respects user autonomy at scale. Unlike cookie-based consent banners that require per-site interaction, GPC operates as a persistent, set-and-forget preference that downstream servers must detect and honor. The signal is binary: a value of 1 indicates the user is exercising their right to opt out, while the absence of the header implies no preference has been declared. Under the amended CPRA regulations, businesses must treat the GPC signal as a valid consumer request to opt out of the sale and sharing of personal information, including cross-context behavioral advertising.
GPC vs. Other Opt-Out Mechanisms
A technical comparison of Global Privacy Control against traditional cookie-based opt-outs and the DNT header across key dimensions of automation, legal standing, and enforcement scope.
| Feature | Global Privacy Control (GPC) | Do Not Track (DNT) | Cookie Consent Banner |
|---|---|---|---|
Mechanism | Browser-level HTTP header or JavaScript API | Browser-level HTTP header | Per-site JavaScript modal |
Legal Recognition | CCPA/CPRA, Colorado CPA, Connecticut CTDPA | None (voluntary standard) | GDPR, ePrivacy Directive |
Scope | Universal (all sites visited) | Universal (all sites visited) | Single domain only |
User Action Required | One-time toggle in browser settings | One-time toggle in browser settings | Per-site interaction required |
Enforcement Mechanism | Attorney General enforcement | None (honor system) | Data Protection Authority fines |
Adoption Rate (Top 10K Sites) | 0.3% | 0.1% | 62% |
Server-Side Detection | |||
Prevents Data Sale |
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Understanding Global Privacy Control requires familiarity with the technical and legal mechanisms that enable automated opt-out signaling and consent enforcement.
Do Not Track (DNT)
The deprecated predecessor to GPC. DNT was an HTTP header (DNT: 1) that expressed a user's tracking preference but lacked legal enforcement. GPC solves DNT's fatal flaw by being explicitly recognized in CCPA/CPRA regulations as a valid opt-out mechanism.
- DNT: Voluntary compliance, widely ignored by advertisers
- GPC: Legally binding signal under California law
- Both use browser-level signaling, but GPC adds a DOM property for script-based detection
Opt-Out Preference Signal
The legal term used in CCPA § 1798.135 for a signal sent by a platform, technology, or mechanism that communicates a consumer's choice to opt out of the sale and sharing of personal data. GPC is the technical implementation of this legal concept.
- Must be in a format commonly used and recognized by businesses
- Must be persistent across sessions and websites
- Businesses must honor it as a valid consumer request without additional verification
Data Subject Access Request (DSAR)
A formal request by an individual to access, rectify, or delete their personal data. While GPC handles real-time opt-out signaling, DSARs address retrospective data rights. Both are pillars of data subject rights automation.
- GPC: Prevents future data sale/sharing automatically
- DSAR: Requires manual or automated fulfillment of access/deletion requests
- Privacy platforms often unify both workflows under a single identity graph
Consent Audit Trail
An immutable, time-stamped log recording the full history of a user's consent actions. When GPC is enabled, the audit trail must capture the exact timestamp the signal was received and the specific notice presented at that moment.
- Logs the
Sec-GPC: 1header receipt event - Records the CMP's interpretation and downstream propagation
- Provides proof of compliance for regulators during enforcement actions

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us