The Problem with Cookie Banners
Cookie consent banners are everywhere — and nearly everyone dismisses them without reading. They place the burden of privacy on individual users, requiring them to make complex decisions on every site they visit. Global Privacy Control (GPC) is a technical specification designed to fix this by allowing users to express their privacy preferences once, at the browser level, and have those preferences automatically respected by websites.
GPC is recognized under California's CCPA/CPRA as a valid opt-out of the sale or sharing of personal data, and it's gaining traction under other privacy frameworks globally.
How GPC Works Technically
GPC operates through two mechanisms working together:
1. The HTTP Request Header
When a user has GPC enabled in their browser, every HTTP request includes the following header:
Sec-GPC: 1
Your server can read this header on any incoming request and adjust your data processing behavior accordingly — before any JavaScript runs, before any cookie is set.
2. The navigator.globalPrivacyControl Property
In the browser, JavaScript can check the user's GPC preference via:
if (navigator.globalPrivacyControl === true) {
  // User has opted out of data sale/sharing
  disableThirdPartyTracking();
}
This allows client-side code — including tag managers and analytics libraries — to respect the signal without server-side changes.
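The two signals described above (the Sec-GPC request header on the server and navigator.globalPrivacyControl in the browser) can both be checked with small pure functions. The following is an added example, not code from the original article; the function names gpcFromHeaders and gpcFromNavigator and the sample inputs are constructed for illustration.

```javascript
// Added example: reading the GPC opt-out signal on both sides.
// Function names and sample data are assumptions, not from the article.

// Server side. Node-style frameworks lower-case header names, but others may
// not, so compare names case-insensitively. Only the exact value "1" is the
// opt-out signal; any other value (or no header) means no signal was sent.
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') {
      const v = Array.isArray(value) ? value[0] : value;
      return String(v).trim() === '1';
    }
  }
  return false;
}

// Client side. navigator.globalPrivacyControl is true only when the user has
// enabled GPC and is undefined in browsers without support, so a strict
// comparison is used. The navigator object is passed in so the check can be
// exercised outside a browser.
function gpcFromNavigator(nav) {
  return !!nav && nav.globalPrivacyControl === true;
}

// The user is treated as opted out if either channel carried the signal.
function gpcOptOut(headers, nav) {
  return gpcFromHeaders(headers) || gpcFromNavigator(nav);
}

// Constructed sample inputs (not real traffic).
const sampleHeaders = { host: 'example.com', 'sec-gpc': '1', accept: '*/*' };
const sampleNavigator = { globalPrivacyControl: true };

console.log('header signal:', gpcFromHeaders(sampleHeaders));
console.log('navigator signal:', gpcFromNavigator(sampleNavigator));
```

The server-side check runs before any script executes, so it is the place to suppress server-initiated data sharing; the navigator check is what a tag manager should consult before injecting third-party scripts.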
The .well-known/gpc.json File
Sites that support GPC publish a machine-readable declaration at /.well-known/gpc.json. This file confirms that your site recognizes and respects the GPC signal. The format is minimal:
{
  "gpc": true,
  "lastUpdate": "2025-01-01"
}
Publishing this file is how you signal compliance to browsers, privacy tools, and regulators. The lastUpdate field helps downstream systems know when you last reviewed your GPC implementation.
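Because downstream privacy tools consume this file automatically, it is worth checking the declaration you serve the same way a consumer would. The following is an added example, not the article's code and not part of the GPC specification: parseGpcDeclaration is an assumed name for a strict validator, and gpcDeclarationResponse builds the response a server would return for the well-known path.

```javascript
// Added example: validating a /.well-known/gpc.json document as a privacy
// tool or an internal compliance check might. Names are assumptions.

// Returns { gpc: true, lastUpdate } for a valid declaration of GPC support;
// throws with a reason otherwise.
function parseGpcDeclaration(text) {
  let doc;
  try {
    doc = JSON.parse(text);
  } catch (e) {
    throw new Error('gpc.json is not valid JSON');
  }
  if (doc === null || typeof doc !== 'object' || Array.isArray(doc)) {
    throw new Error('gpc.json must be a JSON object');
  }
  // The field must be the boolean true, not the string "true" or the number 1.
  if (doc.gpc !== true) {
    throw new Error('gpc.json does not declare "gpc": true');
  }
  // lastUpdate is a calendar date in YYYY-MM-DD form; reject impossible dates
  // such as 2025-02-30 rather than letting Date roll them over silently.
  const m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(String(doc.lastUpdate || ''));
  if (!m) throw new Error('lastUpdate must be a YYYY-MM-DD date');
  const d = new Date(Date.UTC(+m[1], +m[2] - 1, +m[3]));
  if (d.getUTCMonth() !== +m[2] - 1 || d.getUTCDate() !== +m[3]) {
    throw new Error('lastUpdate is not a real calendar date');
  }
  return { gpc: true, lastUpdate: doc.lastUpdate };
}

// The exact body and content type to serve at /.well-known/gpc.json.
// It is validated with the same function so a server never publishes a
// declaration that its own consumer-side check would reject.
function gpcDeclarationResponse(lastUpdate) {
  const body = JSON.stringify({ gpc: true, lastUpdate });
  parseGpcDeclaration(body);
  return { status: 200, headers: { 'content-type': 'application/json' }, body };
}

console.log(gpcDeclarationResponse('2025-01-01').body);
```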
What "Honoring GPC" Actually Requires
Under CCPA/CPRA, when a California resident sends a GPC signal, your site must treat it as a valid opt-out of the sale or sharing of their personal information. In practice, this means:
- No data sale to third parties: Don't pass personal identifiers to advertising platforms or data brokers.
- No cross-context behavioral advertising: Don't build ad targeting profiles using data from users who sent GPC.
- First-party analytics can continue: Using aggregated analytics for your own operational purposes is generally permissible.
- Functional cookies are fine: GPC is not a blanket opt-out of all cookies — it specifically targets data sale and sharing.
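The four points above amount to a per-purpose decision: GPC blocks data sale and cross-context advertising but leaves first-party analytics and functional processing untouched. The following added example (not from the article) encodes that as a policy table and uses it to gate a constructed inventory of third-party tags; the purpose labels, helper names and sample tags are assumptions, and the example honours the signal regardless of the user's region, which is a deliberate simplification.

```javascript
// Added example: mapping a GPC opt-out to per-purpose processing decisions
// and gating tags on the result. Purpose names and helpers are assumptions.

// The purposes the article distinguishes, with how the GPC signal affects each.
const PURPOSES = {
  'data-sale': { blockedByGpc: true },
  'cross-context-ads': { blockedByGpc: true },
  'first-party-analytics': { blockedByGpc: false },
  'functional': { blockedByGpc: false },
};

// Given whether the GPC signal was received, return which purposes may run.
function processingDecisions(gpcSignal) {
  const decisions = {};
  for (const [purpose, rule] of Object.entries(PURPOSES)) {
    decisions[purpose] = !(gpcSignal && rule.blockedByGpc);
  }
  return decisions;
}

// Reduce a tag inventory (each tag declaring its purpose) to the tags that may
// load. A tag with an unknown or missing purpose is treated as blocked, so a
// mislabelled script fails closed instead of slipping past the opt-out.
function permittedTags(tags, gpcSignal) {
  const decisions = processingDecisions(gpcSignal);
  return tags.filter((tag) => decisions[tag.purpose] === true);
}

// Constructed sample tag inventory (not a real site's configuration).
const sampleTags = [
  { id: 'ad-pixel', purpose: 'cross-context-ads' },
  { id: 'data-broker-sync', purpose: 'data-sale' },
  { id: 'site-analytics', purpose: 'first-party-analytics' },
  { id: 'session-store', purpose: 'functional' },
  { id: 'untagged-script', purpose: undefined },
];

console.log('with GPC:', permittedTags(sampleTags, true).map((t) => t.id));
console.log('without GPC:', permittedTags(sampleTags, false).map((t) => t.id));
```

Keeping the policy in one table rather than scattered across individual scripts is what makes the later checklist item, reviewing the implementation whenever a new integration is added, a matter of adding one labelled entry.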
GPC vs. Do Not Track (DNT): Key Differences
| Aspect | GPC | Do Not Track (DNT) |
|---|---|---|
| Legal backing | Recognized under CCPA/CPRA | No legal mandate; voluntary |
| Header sent | Sec-GPC: 1 | DNT: 1 |
| Scope | Opt-out of data sale/sharing | Opt-out of cross-site tracking |
| Browser support | Firefox, Brave, growing list | Broadly supported, rarely honored |
| Industry adoption | Growing, legally meaningful | Largely abandoned |
Implementing GPC: A Practical Checklist
- Publish /.well-known/gpc.json with "gpc": true.
- Read the Sec-GPC header server-side on all requests from your application's regions of legal exposure.
- Check navigator.globalPrivacyControl before firing any third-party tracking scripts.
- Configure your CMP (Consent Management Platform) to treat GPC as an opt-out signal.
- Document your GPC implementation in your privacy policy.
- Review your implementation whenever you add new third-party data integrations.
The Bigger Picture
GPC represents a shift from UI-based consent (click a banner) to protocol-based consent (send a signal). As privacy regulations mature globally, browser-level privacy signals are likely to gain more legal weight. Implementing GPC correctly today is both a compliance step and a signal to your users that you respect their preferences by default — not just when they catch you failing to.