What is Global Privacy Control?
Global Privacy Control (GPC) is an open web standard that lets users signal their privacy preferences — specifically, their desire to opt out of the sale or sharing of their personal data — at the browser level. Instead of clicking through cookie banners on every site, users can set GPC once in a supporting browser or extension, and participating websites are expected to honor that preference automatically.
GPC is legally significant. Under the California Consumer Privacy Act (CCPA) and similar regulations, websites operating in relevant jurisdictions are required to treat a valid GPC signal as an opt-out request.
How GPC Works Technically
GPC is communicated in two ways:
- HTTP Header: The browser sends a Sec-GPC: 1 header with every request when the user has GPC enabled.
- JavaScript Property: navigator.globalPrivacyControl returns true when GPC is active in the user's browser.
Both signals should be checked — the HTTP header for server-side processing and the JS property for client-side consent management platforms (CMPs).
Detecting GPC on the Server Side
In a Node.js/Express application, detecting the GPC header is straightforward:
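const express = require('express');
const app = express();

app.use((req, res, next) => {
  // Node lower-cases incoming header names, so Sec-GPC arrives as 'sec-gpc'.
  const gpcEnabled = req.headers['sec-gpc'] === '1';
  if (gpcEnabled) {
    // Apply opt-out logic: don't load tracking scripts,
    // flag the session as opted out, etc.
    res.locals.gpcOptOut = true;
  }
  next();
});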
Detecting GPC on the Client Side
Use the navigator.globalPrivacyControl property before loading any analytics or advertising scripts:
if (navigator.globalPrivacyControl === true) {
  console.log('GPC signal detected — skipping third-party trackers');
  // Do not load Google Analytics, ad pixels, etc.
} else {
  // Load analytics as normal (subject to cookie consent)
  loadAnalytics();
}
What You Must Do When GPC is Detected
- Do not sell or share the user's personal data with third parties for advertising purposes.
- Do not load third-party tracking scripts that would share data with advertising networks.
- Persist the opt-out so it applies to all future sessions from that user, not just the current one.
- Do not override the signal with your own cookie consent UI (the GPC signal takes precedence under CCPA).
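The requirements above can be combined into one server-side decision, shown here as an added example that is not code from the original page. The names gpcSignal, decideTracking, SCRIPTS and optOutStore are hypothetical, the script URLs are constructed, and the Vary response header is an addition beyond what the page describes, included so shared caches keep GPC and non-GPC responses apart.

```javascript
// Constructed catalogue of scripts a page might emit. "sharesData" marks
// third-party tags that pass personal data to advertising networks.
const SCRIPTS = [
  { src: '/js/app.js', sharesData: false },
  { src: 'https://ads.example/pixel.js', sharesData: true },
  { src: 'https://analytics.example/tag.js', sharesData: true },
];

// Stand-in for a database table keyed by account or first-party ID.
const optOutStore = new Map();

// Returns true when the Sec-GPC field carries the value "1".
// Node joins repeated custom headers with ", ", so each part is checked;
// treating any "1" as a signal is a design choice that fails toward opt-out.
function gpcSignal(headers) {
  const raw = headers['sec-gpc'];
  if (typeof raw !== 'string') return false;
  return raw.split(',').some((v) => v.trim() === '1');
}

// Decides which scripts may be emitted for this request.
function decideTracking(headers, userId) {
  const signal = gpcSignal(headers);

  // Persist the opt-out: a later request from the same user without the
  // header (other browser, extension disabled) stays opted out.
  if (signal && userId && !optOutStore.has(userId)) {
    optOutStore.set(userId, { source: 'gpc', at: new Date().toISOString() });
  }
  const optedOut = signal || (userId ? optOutStore.has(userId) : false);

  return {
    optedOut,
    // Drop every data-sharing tag for opted-out users; keep first-party code.
    scripts: SCRIPTS.filter((s) => !(optedOut && s.sharesData)).map((s) => s.src),
    // Assumption: responses differ by signal, so caches must key on it.
    responseHeaders: { Vary: 'Sec-GPC' },
  };
}
```

In an Express handler, pass req.headers and the authenticated user's ID, then render only the returned scripts and copy responseHeaders onto the response.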
Publishing a GPC Support File
To formally declare GPC support, publish a JSON file at /.well-known/gpc.json on your domain:
{
  "gpc": true,
  "lastUpdate": "2024-09-01"
}
This file signals to browsers, auditors, and regulators that your site officially honors the GPC standard.
Which Browsers Support GPC?
GPC is supported natively in Brave Browser and via extensions in Chrome and Firefox (notably the DuckDuckGo Privacy Essentials extension). As privacy regulations tighten globally, native browser support is expanding.
Summary
Implementing GPC is both a legal obligation in some jurisdictions and a meaningful signal of respect for your users' privacy preferences. The implementation is lightweight — a few lines of server and client-side code — and the /.well-known/gpc.json declaration takes minutes to publish. For any developer building privacy-first applications, GPC support should be on your checklist.