Global Privacy Control: legal status
Global Privacy Control (GPC) is a specification that lets a browser or extension send a machine-readable opt-out signal to every site. Unlike the older Do Not Track, GPC has been given legal teeth in some US states: California's Attorney General and the CPPA have stated that GPC must be honoured as a valid do-not-sell-or-share request. This page summarises its status.
What GPC is and how it differs from DNT
GPC is a signal — an HTTP header (Sec-GPC) and a JavaScript property — that communicates a user's intent to opt out of the sale or sharing of their personal information. It was designed after Do Not Track failed to gain legal force, specifically to map onto opt-out rights created by laws like the CCPA/CPRA.
The key difference is legal grounding: DNT had no statute behind it, whereas GPC is tied to concrete opt-out rights in several US state privacy laws.
Where it is binding
California regulators have stated that businesses subject to the CCPA/CPRA must treat GPC as a valid request to opt out of sale/sharing. Several other US state privacy laws also require honouring universal opt-out mechanisms, sometimes on a defined timeline. The exact obligations, deadlines, and recognised mechanisms differ by state, so the binding effect is jurisdiction-specific.
- California: regulators treat GPC as a valid opt-out of sale/share
- Other states: several mandate universal opt-out signals
- Scope, timing, and recognition vary by jurisdiction
How it appears in analytics and logs
A GPC signal in a request is a user opt-out. In states that recognise it, ignoring it for sale/share of personal information can be an enforcement risk; elsewhere it is a strong signal of preference.
Diagnostic use case
Decide whether to treat an incoming GPC signal as a binding opt-out, recognising that enforceability depends on jurisdiction.
What WebmasterID can help detect
WebmasterID does not sell or share personal information, so its first-party model is structurally aligned with honouring opt-out signals like GPC.
Common mistakes
- Treating GPC like the unenforceable Do Not Track header.
- Assuming GPC obligations are identical across US states.
- Ignoring GPC because it is not relevant under GDPR's framing.
Privacy and accuracy notes
This page is educational and not legal advice. GPC's binding effect varies by jurisdiction and evolves with regulation and enforcement; confirm current requirements with counsel.
Related pages
- Do Not Track (DNT) and GPC
Do Not Track (DNT) was a browser-sent header asking sites not to track the user. It was never widely honoured and lacked legal force, so it largely faded. Global Privacy Control (GPC) is the spiritual successor: a signal that, under laws like the CCPA/CPRA, regulators have said must be treated as a valid opt-out. This is an educational overview, not legal advice.
- Do Not Sell or Share my personal information
Under California's CCPA as amended by the CPRA, consumers can direct a business not to sell or share their personal information, where 'sharing' specifically covers disclosure for cross-context behavioural advertising. Businesses must offer a clear opt-out and honour opt-out signals. This page explains the right and how analytics and ad tags can fall within 'sharing'.
- CCPA / CPRA and analytics
The CCPA (as amended by the CPRA) gives California residents rights over their personal information, including a right to opt out of its sale or sharing. For analytics, that turns on whether your tooling discloses identifiers to third parties for cross-context advertising. First-party, minimised measurement narrows the exposure. This is an educational overview, not legal advice.
- Privacy-first analytics
A model that does not sell or share personal data.
Sources and verification notes
- Global Privacy Control — official specification siteDefinition of the GPC signal.
- California Privacy Protection Agency / Attorney General — CCPA resourcesCalifornia position that GPC must be honoured (confirm current guidance).
Last reviewed 2026-06-24. Facts are checked against primary/official sources where available; uncertain specifics are marked “Data not yet verified” rather than guessed.