Inferensys

Glossary

Global Privacy Control (GPC)

A browser-level signal that communicates a user's universal opt-out preference to every website they visit, legally recognized under the CCPA/CPRA.
Control room desk with laptops and a large orchestration network display.
UNIVERSAL OPT-OUT SIGNAL

What is Global Privacy Control (GPC)?

Global Privacy Control (GPC) is a browser-level technical specification that transmits a user's universal opt-out preference to every website and service they visit, legally recognized as a valid mechanism for exercising the right to opt out of the sale or sharing of personal information under the California Consumer Privacy Act (CCPA) as amended by the CPRA.

Global Privacy Control (GPC) is a proposed web standard that functions as a persistent, binary signal—either Sec-GPC: 1—sent via the HTTP header or the JavaScript navigator.globalPrivacyControl property. Unlike cookie-based consent banners that operate on a per-site basis, GPC is configured once at the browser or device level and automatically communicates the user's objection to the sale or sharing of personal data and targeted advertising to every online service they encounter, eliminating the need for repetitive manual opt-out interactions.

The signal is legally enforceable under the California Consumer Privacy Act (CCPA/CPRA) , where the California Attorney General has affirmed that businesses must honor GPC as a valid opt-out request. It is also recognized under Colorado's CPA and Connecticut's CTDPA. For privacy engineers, implementing GPC compliance requires detecting the signal at the application edge, suppressing third-party tracking scripts, and treating the preference as a verified consumer request that must be recorded in the consent audit trail alongside the timestamp and identity scope.

UNIVERSAL OPT-OUT MECHANISM

Key Features of Global Privacy Control

Global Privacy Control (GPC) is a technical specification that enables users to automatically signal their privacy preferences to every website they visit. Legally recognized under the California Consumer Privacy Act (CCPA/CPRA), it functions as a browser-level 'Do Not Sell or Share My Personal Information' toggle.

01

Browser-Level Signal Transmission

GPC operates as an HTTP header (Sec-GPC: 1) or a JavaScript DOM property (navigator.globalPrivacyControl). When enabled, the browser sends this signal with every outgoing request, eliminating the need for users to manually opt out on each individual website. This represents a shift from site-by-site consent management to a universal, set-and-forget privacy posture.

Sec-GPC: 1
HTTP Header Format
03

Interaction with Consent Management Platforms

GPC introduces a precedence conflict with traditional Consent Management Platforms (CMPs). When a user has both a GPC signal enabled and a prior CMP consent record, the GPC signal should override any conflicting consent. Technical implementations must:

  • Detect the GPC signal before firing consent-gated tags
  • Suppress data sharing even if a CMP previously recorded 'consent granted'
  • Log the GPC signal as a consent audit trail event for compliance documentation
04

Technical Implementation for Websites

Websites detect GPC through two primary methods:

Server-Side Detection:

  • Inspect the Sec-GPC HTTP header on incoming requests
  • Apply opt-out logic before any data processing occurs

Client-Side Detection:

  • Query navigator.globalPrivacyControl via JavaScript
  • If the value is true, disable all third-party tracking scripts and data sale APIs

Both methods should be implemented redundantly to ensure robust detection across all browser implementations.

05

GPC vs. Do Not Track (DNT)

GPC is the legally enforceable successor to the failed Do Not Track (DNT) header. Critical differences:

  • DNT: Voluntary compliance; largely ignored by industry
  • GPC: Mandatory compliance under CCPA/CPRA; backed by regulatory enforcement
  • DNT: Used the DNT: 1 header with no legal weight
  • GPC: Uses Sec-GPC: 1 and is recognized as a valid consumer request

This legal distinction transforms GPC from an advisory signal into a binding data subject right.

GLOBAL PRIVACY CONTROL

Frequently Asked Questions

Clear answers to the most common technical and legal questions about implementing and respecting the Global Privacy Control signal.

Global Privacy Control (GPC) is a browser-level signal that communicates a user's universal opt-out preference to every website they visit, legally recognized under the CCPA/CPRA. It functions as a 'Do Not Sell or Share My Personal Information' request transmitted automatically via the HTTP Sec-GPC header or the JavaScript navigator.globalPrivacyControl property. When enabled, the browser sends Sec-GPC: 1 with every request, eliminating the need for users to manually opt out on each individual site. This technical specification was developed by a coalition of privacy advocates, technologists, and publishers to create a standardized, machine-readable mechanism that respects user autonomy at scale. Unlike cookie-based consent banners that require per-site interaction, GPC operates as a persistent, set-and-forget preference that downstream servers must detect and honor. The signal is binary: a value of 1 indicates the user is exercising their right to opt out, while the absence of the header implies no preference has been declared. Under the amended CPRA regulations, businesses must treat the GPC signal as a valid consumer request to opt out of the sale and sharing of personal information, including cross-context behavioral advertising.

PRIVACY SIGNAL COMPARISON

GPC vs. Other Opt-Out Mechanisms

A technical comparison of Global Privacy Control against traditional cookie-based opt-outs and the DNT header across key dimensions of automation, legal standing, and enforcement scope.

FeatureGlobal Privacy Control (GPC)Do Not Track (DNT)Cookie Consent Banner

Mechanism

Browser-level HTTP header or JavaScript API

Browser-level HTTP header

Per-site JavaScript modal

Legal Recognition

CCPA/CPRA, Colorado CPA, Connecticut CTDPA

None (voluntary standard)

GDPR, ePrivacy Directive

Scope

Universal (all sites visited)

Universal (all sites visited)

Single domain only

User Action Required

One-time toggle in browser settings

One-time toggle in browser settings

Per-site interaction required

Enforcement Mechanism

Attorney General enforcement

None (honor system)

Data Protection Authority fines

Adoption Rate (Top 10K Sites)

0.3%

0.1%

62%

Server-Side Detection

Prevents Data Sale

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.