Global Privacy Control (GPC).

A browser-level signal — an HTTP header and a JavaScript property — by which a user expresses a 'do not sell or share' opt-out, given binding legal force in California (CCPA/CPRA) and Colorado (CPA) regulations. It belongs to the Privacy & Data Protection category of cybersecurity.

A browser-level signal — an HTTP header and a JavaScript property — by which a user expresses a 'do not sell or share' opt-out, given binding legal force in California (CCPA/CPRA) and Colorado (CPA) regulations.

Global Privacy Control (GPC) is a browser-level privacy signal developed by a coalition of privacy advocates, publishers, and browser vendors (DuckDuckGo, Mozilla, Brave, EFF, NYT, WaPo, Disconnect) and first deployed in 2021. It is both an HTTP request header (`Sec-GPC: 1`) and a JavaScript property (`navigator.globalPrivacyControl`) which, when present, communicates that the user does not want their personal data sold or shared for cross-context behavioural advertising. Unlike the failed earlier Do-Not-Track signal, GPC has explicit regulatory force: the California AG and CPPA require businesses subject to CCPA/CPRA to treat GPC as a valid opt-out of sale and sharing; Colorado's CPA requires similar handling; other U.S. state laws (Connecticut, Delaware, New Jersey, Oregon) have followed. Major browsers (Firefox, Brave, DuckDuckGo, Safari via add-ons) send GPC by default or by toggle; Chrome and Edge currently do not. From a compliance perspective, sites serving U.S. users must implement server-side handling of GPC, link consent records to the signal, and update opt-out states accordingly.

Defences for Global Privacy Control (GPC) typically combine technical controls and operational practices, as detailed in the full definition above.

Common alternative names include: GPC, Sec-GPC header.