Global Privacy Control (GPC) is a browser-level signal that automatically tells websites about a user's opt-out preference. For example, instead of clicking "Do Not Sell" on each site, users set the preference once and GPC broadcasts it. Under California's CCPA/CPRA and several other US state laws, businesses must honor the GPC signal as a valid opt-out.
GPC lets users tell the sites they visit that they wish to opt out of the sale or sharing of their personal data.
It's a single, persistent privacy choice, and in California, ignoring it is a violation.
How does the Global Privacy Control work?
GPC is transmitted as an HTTP header (Sec-GPC: 1) that a user's browser or privacy extension sends with each request, and it is also exposed to page scripts as a JavaScript property. A website detecting the signal should treat it as a request to opt out of data "sale" and "sharing", as those terms are defined under applicable law, without requiring any further action from the user.
Is Global Privacy Control legally binding?
| Jurisdiction | Is GPC binding? |
| --- | --- |
| California (CCPA/CPRA) | Yes, businesses must honor GPC as a valid opt-out of sale/sharing |
| Colorado, Connecticut, and other states with universal opt-out provisions | Yes, recognized as a required opt-out mechanism |
| GDPR (EU/UK) | Not specifically, the EU uses an opt-in model, so GPC is not a defined mechanism |
California regulators have already enforced against businesses that failed to process GPC signals, making technical support for GPC a compliance requirement, not an option.
How do you honor the GPC signal?
Your site must detect the signal and automatically apply the user's opt-out. A consent management platform handles this detection and enforcement.
Enzuzo's consent management platform (CMP) detects the Global Privacy Control signal and applies the corresponding opt-out automatically for US state privacy laws, so honoring GPC doesn't require manual engineering on every page.
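The detection and enforcement steps described above, as an added JavaScript example (not Enzuzo's code or any CMP's API). The function names, the saleOptOut/sharingOptOut fields and the sample requests are assumptions made for illustration; only the Sec-GPC: 1 header and the navigator.globalPrivacyControl property belong to GPC itself.

```javascript
// Added example. Function and field names are hypothetical; only the
// Sec-GPC: 1 header and the JavaScript property belong to GPC itself.

// Server side: true only when the request carries Sec-GPC with value "1".
// Header names are case-insensitive; any other value is not an opt-out signal.
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() !== "sec-gpc") continue;
    const values = Array.isArray(value) ? value : [value];
    return values.some((v) => String(v).trim() === "1");
  }
  return false;
}

// Client side: navigator.globalPrivacyControl is true when the signal is on.
// Takes a navigator-like object so it can be exercised outside a browser.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// GPC can only add an opt-out. It never clears one the user stored earlier;
// without GPC, the stored choice stands unchanged.
function effectiveOptOut(stored, gpc) {
  const s = stored || {};
  return {
    saleOptOut: gpc || s.saleOptOut === true,
    sharingOptOut: gpc || s.sharingOptOut === true,
    source: gpc ? "gpc" : "stored",
  };
}

// Decide per request, before any tag that sells or shares data is emitted.
function decide(request) {
  return effectiveOptOut(request.storedPrefs, gpcFromHeaders(request.headers));
}

// Constructed sample requests (not captured traffic).
const samples = [
  { headers: { "Sec-GPC": "1" }, storedPrefs: { saleOptOut: false } },
  { headers: { "sec-gpc": "0" }, storedPrefs: { sharingOptOut: true } },
  { headers: { "User-Agent": "example" }, storedPrefs: null },
];
for (const s of samples) console.log(JSON.stringify(s.headers), decide(s));
```

Evaluating the header on the server matters because page scripts can be blocked or load late, while the header arrives with the request that triggers any data sale or sharing.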
Frequently asked questions
What does GPC stand for? GPC stands for Global Privacy Control — a browser-level signal that communicates a user's choice to opt out of the sale or sharing of their personal data.
Is GPC the same as "Do Not Track"? No. Do Not Track was an earlier signal that websites were never legally required to honor. GPC is legally enforceable under CCPA/CPRA and several US state laws.
Do I have to honor GPC? If you serve users in California or other states with universal opt-out requirements and you sell or share personal data, then yes, honoring GPC is mandatory.