Clym Logo

Global Privacy Control (GPC)

What Is Global Privacy Control (GPC)?

Global Privacy Control (GPC) is a browser-level privacy signal that allows users to automatically communicate their preference to opt out of the sale or sharing of their personal data.

Once enabled in a supported browser or extension, GPC sends a standardized signal to websites indicating that the user does not want their information sold or shared for targeted advertising. It is designed to work automatically across websites without requiring users to manually click “Do Not Sell or Share My Personal Information” on every site.

GPC is recognized under certain U.S. state privacy laws, including the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), and the Colorado Privacy Act (CPA).

How Global Privacy Control works

When a user activates GPC in their browser:

  1. The browser sends a signal (typically the Sec-GPC: 1 HTTP header).
  2. A JavaScript property (navigator.globalPrivacyControl) may also be exposed.
  3. The website detects the signal.
  4. The site interprets it as a request to opt out of sale or sharing of personal data.

GPC operates automatically in the background and does not require repeated interaction on each website.

What is the purpose of GPC?

The primary purpose of Global Privacy Control is to provide a universal opt-out mechanism.

Instead of navigating individual website privacy settings, users can set their privacy preference once at the browser level. The signal then communicates that preference wherever GPC is recognized.

GPC focuses specifically on opt-outs related to the sale or sharing of personal information, particularly in the context of targeted advertising.

Is GPC the same as “Do Not Sell”?

GPC functions as a universal “Do Not Sell or Share” signal, but it is not identical to a traditional website opt-out link.

Traditional opt-out mechanisms:

  • Require manual interaction on each website
  • Appear in footers or privacy settings
  • Depend on user clicks

GPC:

  • Is activated at the browser level
  • Sends an automated technical signal
  • Applies across websites that detect it

It is designed as a broader, cross-site privacy preference mechanism.

Legal status of Global Privacy Control

Global Privacy Control is recognized under:

  • California Consumer Privacy Act (CCPA)
  • California Privacy Rights Act (CPRA)
  • Colorado Privacy Act (CPA)

Under California regulations, businesses subject to the law must treat valid universal opt-out preference signals as consumer requests to opt out of the sale or sharing of personal information.

Privacy regulations continue evolving, and applicability depends on factors such as business thresholds, geographic targeting, and data processing activities. Organizations typically assess their obligations based on the laws that apply to their operations.

Which browsers support GPC?

Global Privacy Control can be enabled in:

  • Mozilla Firefox
  • Brave
  • DuckDuckGo Browser
  • Certain browser extensions

Users can verify whether their GPC signal is active by visiting the official Global Privacy Control website.

Is GPC required for websites?

In jurisdictions like California and Colorado, businesses subject to applicable privacy laws may be required to recognize valid universal opt-out signals, including GPC.

Whether GPC recognition applies depends on:

  • Revenue thresholds
  • Volume of personal data processed
  • Whether data is sold or shared
  • Geographic scope of operations

Not all organizations are subject to the same regulatory requirements.

How GPC relates to a Consent Management Platform (CMP)

Global Privacy Control does not replace a Consent Management Platform (CMP).

A CMP:

  • Collects and manages user consent preferences
  • Controls cookie categories and tracking technologies
  • Stores consent records
  • Supports multiple regulatory frameworks

GPC:

  • Is a browser-generated opt-out signal
  • Focuses specifically on sale or sharing opt-outs
  • Does not manage broader cookie consent categories

Modern Consent Management Platforms, including Clym Consent Management, can detect GPC signals and align website behavior with user opt-out preferences while also managing cookie consent and privacy interactions across jurisdictions.

GPC vs cookie consent

GPC and cookie consent mechanisms serve different purposes.

GPC:

  • Operates primarily under U.S. state privacy frameworks
  • Functions as an opt-out signal
  • Targets sale or sharing of personal data

Cookie consent frameworks (such as those under GDPR and the ePrivacy Directive):

  • Often operate under opt-in models
  • Manage analytics, marketing, and functionality cookies
  • Address broader tracking technologies

GPC does not replace cookie banners or consent tools in jurisdictions that require prior consent for certain tracking technologies.

Related terms

Frequently asked questions about Global Privacy Control

o. GPC communicates an opt-out preference related to sale or sharing of personal information. It does not automatically block all cookies or tracking technologies. How the signal affects data processing depends on how a website implements it.

In certain U.S. states, businesses subject to applicable privacy laws must treat valid universal opt-out signals as consumer opt-out requests. The exact legal obligations depend on regulatory scope and applicability.

No. GPC is a browser-level opt-out signal. Cookie banners manage broader consent categories such as analytics, marketing, and functional cookies.

Websites detect GPC through:

  • The Sec-GPC HTTP request header
  • The navigator.globalPrivacyControl JavaScript property

Backend systems or a Consent Management Platform can then adjust data handling logic accordingly.

Related terms