Guide to Global Privacy Control (GPC) & Real-World Examples
It’s no secret: online privacy is a major concern for consumers today. People are more aware than ever of how their data is used, and they’re demanding more control. This shift has led to new regulations like the California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA). Furthermore, similar privacy laws emerging in other states like Colorado, Connecticut, and beyond are also beginning to require recognition of user opt-out signals.
Amidst these changes, a technology called Global Privacy Control (GPC) has emerged. If you’re a merchant doing business online, especially if you interact with consumers in states with modern privacy laws, GPC is something you absolutely need to understand.
This article will break down what GPC is, why it matters for your business (particularly regarding compliance with laws like CCPA/CPRA and others), and how you can effectively implement it.
What is Global Privacy Control (GPC)?
Think of GPC as a simple signal sent from a user’s web browser. It functions as a Universal Opt-Out Mechanism (UOOM), essentially broadcasting a user’s global privacy control opt-out preference automatically to every website the user visits. It indicates they do not want their personal information to be sold or shared (or used for targeted advertising, depending on the specific regulation).
Users enable GPC through settings in certain browsers (like Brave, Firefox) or by installing browser extensions (available for Chrome, Edge, etc.). When enabled, the browser automatically sends the GPC signal with each visit.
It’s important to know that Global Privacy Control is different from the older “Do Not Track” (DNT) signal. While DNT was mostly ignored because it wasn’t legally binding, GPC has real teeth under laws like the CCPA/CPRA and increasingly, other state regulations.
How Does GPC Work?
When a user with GPC enabled visits your website, their browser adds a special piece of information to the request it sends to your server. This is called the GPC header, and it looks like this: Sec-GPC: 1.
Your store needs to be set up to detect this incoming header.
Receiving the Sec-GPC: 1 signal is technically equivalent to the user actively clicking a “Do Not Sell or Share My Personal Information” link on your site. It means the user is exercising their legal right to opt out under applicable privacy laws.
Why GPC is Important for Merchants
Ignoring GPC isn’t just a bad practice; it can have serious consequences.
The Legal Mandate (CCPA/CPRA & Other States): This is the big one. California’s CCPA/CPRA led the way, explicitly stating that businesses must treat the Global Privacy Control signal as a valid request to opt out of the sale or sharing of personal information. Importantly, this isn’t just a California issue anymore. Other states like Colorado, Connecticut, Montana, and Oregon are enacting laws that also require businesses to honor universal opt-out signals like GPC, making compliance increasingly important across the US.
Consequences: Non-compliance can lead to significant fines, potential lawsuits, and serious damage to your brand’s reputation.
Building Customer Trust: In today’s privacy-conscious world, respecting user preferences isn’t just about avoiding fines; it’s about building loyalty. Proactively honoring GPC shows customers you respect their choices, which can significantly enhance their trust in your brand.
Streamlining Opt-Outs: While you still need other opt-out methods (like a “Do Not Sell or Share My Personal Information” link), GPC provides a more automated and user-friendly way for consumers to express their preferences universally, simplifying the process for both them and potentially for you.

How to Implement Global Privacy Control
So, how do you actually handle Global Privacy Control signals? Here’s a step-by-step breakdown:
1. Verify Your Compliance Tool Handles GPC Appropriately
Most businesses use a Consent Management Platform (CMP) or similar privacy software to manage user preferences and opt-outs. While essential, simply having such a tool doesn’t guarantee compliance with the Global Privacy Control (GPC).
GPC is a technical signal (the Sec-GPC: 1 HTTP header) sent by browsers or extensions when a user has proactively chosen to opt out of data selling or sharing. Think of it as a pre-declared opt-out request that requires no further clicks on banners or links from the user.
Critically, your CMP or privacy tool is the primary mechanism responsible for automatically detecting this signal and acting upon it according to applicable laws (like CCPA/CPRA, CPA, CTDPA, etc.). It must function seamlessly without requiring manual intervention for each GPC signal received.
Essential GPC Functions Your Tool MUST Perform:
To ensure compliance, your chosen tool must perform these core functions:
- Signal Detection: Reliably identifies the Sec-GPC: 1 HTTP header.
- Correct Interpretation: Understands this signal means opt-out of sale/sharing/targeted advertising per applicable laws (CCPA/CPRA, CPA, CTDPA, etc.).
- Automated Action: Automatically prevents the execution of scripts or data transfers classified under the opt-out (e.g., blocking specific ad trackers) based solely on the GPC signal.
- Contextual Application: Applies the opt-out according to the nuances of different state laws you fall under.
- Technical Integration: Works seamlessly with your site structure and tag management systems to enforce the preference.
- Auditable Logging: Records the receipt and handling of GPC signals for compliance proof.
How to Verify Your Tool Meets These Requirements:
- Review vendor documentation for explicit GPC support statements.
- Query vendor support/account manager about GPC handling specifics for relevant state laws.
- Inspect tool settings for GPC configuration options.
- Conduct tests using a GPC-enabled browser to observe script blocking/behavior changes.
2. Understand the Technical Mechanics
Step 1: Detection: The first step in honoring GPC is being able to detect it. When a user enables GPC in their browser or extension, their HTTP requests will include a special Sec-GPC: 1 header.
Step 2: Interpretation: The value 1 in the Sec-GPC header is a standardized way of saying: “This user opts out of the sale or sharing of their personal information.” Under laws like the CCPA/CPRA, this is equivalent to a user invoking their right to opt out. No further explanation from the user is required.
Step 3: Action: This is the critical compliance step. Once the signal is received and interpreted, your site must take action. This typically includes:
- Cease selling or sharing personal information linked to that browser or user session.
- Suppress targeted advertising technologies that rely on personal data. This may involve:
  - Blocking third-party scripts (e.g., Facebook Pixel, Google Ads)
  - Disabling behavioral tracking cookies
- Associate the GPC signal with user accounts, if a logged-in user is detected or if identification is otherwise possible and required. This ensures the opt-out applies beyond the current session.
Step 4: Confirmation/Record Keeping (Recommended): Although not always required, it’s a best practice to:
- Acknowledge the GPC signal visually—for instance, by updating the state of a cookie banner to show data-sharing is disabled.
- Log the receipt and handling of GPC signals in your compliance records. This can help demonstrate good-faith efforts if you’re ever audited or face complaints.
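The four steps above, as an added example (not part of the original article and not any CMP vendor's code): framework-free JavaScript that detects the Sec-GPC: 1 header, treats it as an opt-out, filters the tags a page may load, ties the opt-out to a logged-in account, and writes an audit record. The tag inventory, purpose labels, the Set used as an opt-out store and the log record shape are all assumptions made for illustration.

```javascript
// Added example. Tag ids, purpose labels and the log shape are assumptions.
// Purposes the opt-out covers; which tags fall under them is the site's own classification.
const OPT_OUT_PURPOSES = new Set(["sale_or_sharing", "targeted_advertising"]);

// Constructed tag inventory for a storefront.
const TAGS = [
  { id: "cart-session", purpose: "strictly_necessary" },
  { id: "first-party-analytics", purpose: "analytics" },
  { id: "ad-pixel", purpose: "targeted_advertising" },
  { id: "audience-sync", purpose: "sale_or_sharing" },
];

// Step 1, detection: header names are case-insensitive; only the exact value "1" is a signal.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "sec-gpc") return String(value).trim() === "1";
  }
  return false;
}

// Steps 2-4: interpret the signal as an opt-out, enforce it, and record it.
function handleRequest(req, optOutStore, auditLog) {
  const signal = hasGpcSignal(req.headers);
  const userId = req.userId ?? null;
  // Persist the opt-out for a logged-in user so it outlives this session.
  if (signal && userId !== null) optOutStore.add(userId);
  const optedOut = signal || (userId !== null && optOutStore.has(userId));
  const blocked = [];
  const allowedTags = [];
  for (const tag of TAGS) {
    const covered = optedOut && OPT_OUT_PURPOSES.has(tag.purpose);
    (covered ? blocked : allowedTags).push(tag.id);
  }
  // Log only when the signal itself was received, as compliance evidence.
  if (signal) {
    auditLog.push({ at: new Date().toISOString(), event: "gpc_received", userId, blocked });
  }
  return { optedOut, allowedTags, showOptOutHonored: optedOut };
}

// Constructed requests: a logged-in visitor with GPC on, then the same account without it.
const store = new Set();
const log = [];
console.log(handleRequest({ headers: { "Sec-GPC": "1" }, userId: "u1" }, store, log));
console.log(handleRequest({ headers: {}, userId: "u1" }, store, log));
```

If the page HTML itself differs by opt-out state, send Vary: Sec-GPC so shared caches do not serve one visitor's variant to another.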
What Merchants Don’t Need to Worry About
It’s helpful to understand what GPC doesn’t do:
- It doesn’t block all cookies: GPC is focused on opting out of specific activities like “sale/sharing” or “targeted advertising.” It generally doesn’t stop strictly necessary cookies required for your website to function (e.g., keeping items in a shopping cart).
- It doesn’t cover all data processing: The GPC opt-out applies specifically to activities defined in the relevant state laws (e.g., “sale,” “sharing,” “targeted advertising”). Other types of data processing might still be permitted, depending on the specific regulations and your privacy notices.
- GPC is an Opt-Out, Not Consent: GPC is a mechanism for users to withdraw permission (opt-out) for specific data uses. It is not a mechanism for obtaining consent for other data processing activities. You still need appropriate methods (like cookie banners for non-essential cookies not covered by the Global Privacy Control opt-out, explicit consent for newsletters, etc.) to get user permission where required by law.
7 Examples of Global Privacy Control in Practice
Understanding the concepts is one thing, but seeing how companies actually address Global Privacy Control can be very insightful. This section provides examples of how different organizations acknowledge or implement GPC practices, often seen in their privacy statements or signaled through their consent tools.
#1 The New York Times
The American newspaper The New York Times is one of the early adopters and proponents of the GPC standard. They demonstrate their respect for readers’ choices by adhering to Global Privacy Control practices. This is clearly stated in their Privacy Policy.

#2 Sephora
Sephora, a multinational retailer of personal care and beauty products, takes a different approach to demonstrating respect for data privacy.
In the footer, you can find the “Your Privacy Choices” button. After clicking it, you’ll see a pop-up with related information. Notably, there is a message stating: “Your Opt-Out Preference Signal has been honored”.

#3 Target
Target is a major American retail chain that offers a wide variety of products, including clothing, electronics, groceries, and home goods, at affordable prices in a department store-style setting.
In the screenshot below, you can see Target’s specific policy regarding the older DNT signal. They are stating that they currently ignore this specific signal. If your browser sends the DNT signal, Target’s website won’t change its behavior based on it. “However, Target treats Global Privacy Control signal…”, which means Target does pay attention to and act upon the GPC signal if your browser or extension sends it.

#4 Best Buy
Best Buy, a large American retail chain, does detect the Global Privacy Control signal if your browser or extension is sending it. When they detect it, they will stop sharing the personal information collected on their website with their advertising partners if those partners intend to use that data for their own separate purposes (like building advertising profiles about you unrelated to just showing Best Buy ads). This directly relates to the “Do Not Sell or Share” rights under laws like the CCPA/CPRA.

#5 The Washington Post
The Washington Post is a major American newspaper based in Washington, D.C., known for its political reporting, investigative journalism, and coverage of national and international news.
The website recognizes and honors the Global Privacy Control (GPC) signal as a valid way for users (specifically mentioning California residents, as required by law) to exercise their right to opt out of the “sale” or “sharing” of their personal information for targeted advertising. They correctly note that Global Privacy Control works at the browser level, so you need it enabled on the browser you’re using to visit their site.

#6 GAP INC.
Gap Inc. is a global apparel retailer behind brands like Gap, Old Navy, Banana Republic, and Athleta. Its website systems are configured to detect the HTTP header signal sent by browsers/extensions with GPC enabled. Global Privacy Control is treated as a direct user instruction requiring no further verification, unlike manual requests submitted via webforms or agents.

#7 Macy’s
Macy’s, a well-known American department store chain offering clothing, beauty products, home goods, and more, confirms they do respect the Global Privacy Control signal. They use a special tool to detect it.
When they see the signal, they stop giving your data to outside advertising companies that would use it to show you personalized ads across the internet or follow you with Macy’s ads on other sites. However, Macy’s will still track how you use their own website for basic functions and their own analysis.

To Wrap Up
Global Privacy Control is more than just a technical signal; it’s a clear indicator of user preference and a legal requirement under key regulations like CCPA/CPRA, with more states rapidly following suit.
For merchants, honoring GPC is essential for:
- Compliance: Avoiding potentially costly fines and legal trouble in California, Colorado, Connecticut, and an increasing number of other states.
- Trust: Building stronger relationships with customers by respecting their privacy choices.
Don’t wait to address GPC. We strongly urge you to:
- Review your current privacy practices and data flows, considering all relevant state laws.
- Consult with legal counsel experienced in privacy law (CCPA/CPRA, CPA, CTDPA, etc.).
- Investigate whether your current Consent Management Platform (CMP) handles GPC correctly for all applicable regulations.
- Implement a reliable solution to detect and honor GPC signals if you don’t already have one.
By embracing GPC, you position your business as forward-thinking, compliant, and trustworthy in an increasingly privacy-focused world.
If you have any questions or need clarification on GPC implementation, feel free to reach out to us—we’re here to help.
Frequently Asked Questions (FAQ)
Q: Is honoring GPC mandatory for my business?
A: Yes, if your business is subject to regulations like California’s CCPA/CPRA, Colorado’s CPA, Connecticut’s CTDPA (and others as they come into effect), you are legally required to treat the Global Privacy Control signal as a valid opt-out request according to the specifics of each law (e.g., for sale/sharing or targeted advertising).
Q: Does GPC replace my “Do Not Sell/Share My Personal Information” link?
A: No. Regulations typically require businesses to offer multiple ways for consumers to opt out. You generally need both a clear website link (like “Your Privacy Choices” or “Do Not Sell/Share My Info”) and the ability to honor GPC signals.
Q: How is GPC different from Do Not Track (DNT)?
A: The key difference is legal backing. DNT was largely voluntary and never gained widespread legal enforcement. GPC, however, is explicitly recognized as a valid opt-out method under laws like CCPA/CPRA and similar state regulations, making it legally binding for covered businesses.
Q: Can my current cookie banner tool handle Global Privacy Control?
A: It depends on the tool. Many modern Consent Management Platforms (CMPs) are specifically designed to detect and honor GPC signals in line with requirements from California, Colorado, Connecticut, etc. Check with your provider or look for documentation confirming GPC support for the specific regulations you need to comply with.
Q: What specific actions must I take when I detect a GPC signal?
A: You must stop the activities the user is opting out of under the relevant state law(s). This typically involves stopping the “sale” or “sharing” of personal information and/or suppressing targeted advertising for that user/browser, including preventing related tracking technologies from collecting data for those purposes.