
Global Privacy Control (GPC) in 2026: The Complete Compliance and Implementation Guide

GPC is now mandatory in twelve US states and the subject of a coordinated CA-CO-CT enforcement sweep. A practitioner's guide to the spec, the statutes, the January 2026 § 7025(c)(6) display rule, and the middleware code that actually implements it.


Global Privacy Control is the closest thing the web has to a functioning universal opt-out. It is a browser-level signal (an HTTP header and a JavaScript property) that tells a site the user wants to opt out of sale and sharing of their personal information. It is now mandatory to recognize in twelve US states, has been the subject of a coordinated California, Colorado, and Connecticut enforcement sweep, and, as of January 1, 2026, carries a new specific display requirement under California's updated regulations. Sites that ignored it a year ago are now enforcement targets.

This post is the working guide to GPC for privacy engineers and the product teams building consent management. It covers the technical spec, the statutory obligations state by state, the new 2026 California display rule, and code for detecting GPC in the common server frameworks. If you are looking for the broader CCPA banner picture, see the CCPA Cookie Banner Requirements pillar. This post is specifically about the GPC signal.

TL;DR. GPC is sent two ways: the HTTP header Sec-GPC: 1 and the DOM property navigator.globalPrivacyControl. Twelve US states now require businesses that sell or share personal information to treat the signal as a valid opt-out: California, Colorado, Connecticut, Delaware, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, and Texas. California's § 7025(c)(6), effective January 1, 2026, requires sites to visibly display that the GPC signal was honored. Sephora, Healthline, Disney, and Ford all had GPC-handling deficiencies in their enforcement actions. The fix is three layers: detect (middleware + client), honor (opt-out state written to the identity or session layer), and display (visible confirmation). Implementation is small. Ignoring it is now a direct regulatory liability.

What GPC actually is

Global Privacy Control is a specification maintained by a working group including the EFF, Mozilla, DuckDuckGo, and several privacy-focused publishers. The specification itself is a W3C Working Draft, and the two artifacts it defines are:

  1. The HTTP request header Sec-GPC: 1. The spec is strict: "A user agent MUST generate a Sec-GPC header field with a field-value that is exactly the numeric character '1' if top-level browsing context's gpcAtNavigation is true." The only valid value is the literal character "1". Anything else should be treated as absent.

  2. The JavaScript DOM property navigator.globalPrivacyControl. Returns a boolean. True if the browser is sending the header on requests, false otherwise. Documentation at MDN.

The specification defines GPC as signaling "the user's decision to exercise their legal rights to opt out of targeted advertising, the sale of their personal information or other data sharing." It is jurisdiction-agnostic as a signal; the legal force comes from state laws that adopt it as a recognized Universal Opt-Out Mechanism (UOOM).

A companion server rule in the spec: "A server processing an HTTP request that contains a Sec-GPC header MUST ignore it and process the request as if that header had not been specified unless the field value is exactly the character '1'." This means you can't send Sec-GPC: 0 to un-opt-out; the absence of the header is the default, and any value other than the exact string "1" is treated as absent.

Browser support as of April 2026

Browser | GPC support | Default state
Brave | Native | On by default
DuckDuckGo browser | Native | On by default
Firefox | Native | User-controlled in settings
Safari | Not native | Via extensions only
Chrome, Edge | Not native | Via extensions (Privacy Badger, DuckDuckGo, OptMeowt)

The globalprivacycontrol.org homepage reports 150M+ users and 66,000+ compliant sites. The absence of native Chrome support is the reason the total numbers are not larger, but Firefox, Brave, and DuckDuckGo combined make GPC a signal that shows up on a non-trivial slice of traffic for most US consumer sites.

California (the leading framework)

The core rule is in 11 CCR § 7025. The key subsections:

  • § 7025(b): A business that sells or shares personal information must process opt-out preference signals in the format "commonly used and recognized by businesses." The regulation cites the HTTP header and DOM property explicitly.
  • § 7025(c)(1): The signal must be treated as a valid request to opt out of sale and sharing under Civ. Code § 1798.120.
  • § 7025(c)(2): For logged-in consumers, the opt-out must propagate to all accounts the business has associated with that consumer.
  • § 7025(c)(3): The signal must be applied within 15 business days.
  • § 7025(c)(6), new as of January 1, 2026: A business must display that the consumer's opt-out request has been recognized and processed. The word changed from "may" to "must" in the September 2025 rulemaking package.
  • § 7025(f): The processing must be "frictionless." No fees, no consideration, no altered experience, no conditioning pop-up. Businesses that satisfy this are relieved of the separate "Do Not Sell or Share" link requirement.

The 2026 display rule is the single most underappreciated regulatory change. Before, a site could legally honor GPC silently in the background. Now, the consumer has to see it. In practice, that means a small confirmation in the banner region or preferences UI: "We detected your Global Privacy Control signal and have opted you out of sale and sharing of your personal information." Non-disruptive, but present.

The broader UOOM landscape

GPC is recognized as a required opt-out signal in twelve states as of April 2026:

State | Effective | Authority citing GPC specifically
California | January 1, 2023 (formalized) | CCPA Regs § 7025
Colorado | July 1, 2024 | CO AG UOOM approval (first UOOM state)
Connecticut | January 1, 2025 | CT AG guidance under CTDPA
Delaware | January 1, 2025 | DPDPA
Maryland | October 1, 2025 | MODPA
Minnesota | July 31, 2025 | MCDPA
Montana | October 1, 2024 | MCDPA
Nebraska | January 1, 2025 | NDPA
New Hampshire | January 1, 2025 | NH SB 255
New Jersey | January 15, 2025 | NJ SB 332
Oregon | January 1, 2026 | OCPA amendments
Texas | January 1, 2025 | TDPSA § 541.055(e)

The list grows most years. Full state-by-state treatment is in the US State Privacy Law Tracker.

The coordinated sweep: CA, CO, CT

On September 9, 2025, the California Privacy Protection Agency, Colorado Attorney General, and Connecticut Attorney General jointly announced a coordinated investigative sweep of companies for non-compliance with opt-out preference signals. The CPPA's September 9 announcement was explicit: the three offices are sharing intelligence on non-compliant implementations. This is the first such coordinated action across state lines on a specific privacy-technical issue. For businesses that rely on "we'll deal with California first and think about other states later," the assumption is no longer safe.

The enforcement record for GPC specifically

GPC handling has been cited in the findings of at least four major CCPA cases:

  • Sephora (August 2022, $1.2M). The CA AG's first-ever CCPA enforcement, announcement here. Failure to honor GPC signals was a named violation. This established the baseline that GPC is an enforceable requirement, not a voluntary courtesy.
  • Healthline (July 2025, $1.55M). AG announcement. The opt-out mechanism, including GPC handling, was deficient: after processing an opt-out, data continued to flow to certain downstream partners.
  • Disney (February 2026, $2.75M). AG announcement. GPC was honored only on the specific device that sent the signal and did not propagate to the user's account across the Disney ecosystem. This is a § 7025(c)(2) violation specifically.
  • Ford (March 2026, $375,703). CPPA announcement. The settlement imposes an audit of every tracking technology on Ford's properties for GPC handling. This is now the baseline remedial obligation in similar cases.

The pattern is consistent. GPC-related findings tend to cluster with other opt-out-scope findings (Disney-style cross-device propagation, Healthline-style downstream flow continuation), because the same root cause (treating the opt-out as a device-scoped transient state rather than an identity-scoped durable preference) produces both failure modes.

The implementation: three layers

A compliant GPC implementation runs in three layers. Each corresponds to a distinct regulatory obligation.

Layer 1: Detection

Server-side (Next.js middleware):

// middleware.ts
import { NextResponse, type NextRequest } from 'next/server';

export function middleware(request: NextRequest) {
  const gpc = request.headers.get('sec-gpc');
  const response = NextResponse.next();

  if (gpc === '1') {
    response.cookies.set('user_opt_out', '1', {
      httpOnly: true,
      sameSite: 'lax',
      secure: true,
      path: '/',
      maxAge: 60 * 60 * 24 * 365, // 1 year
    });
    response.headers.set('x-user-opted-out', '1');
  }

  return response;
}

Server-side (Express):

const express = require('express');
const app = express();

app.use((req, res, next) => {
  // Exact match only: the spec treats any other value as an absent header.
  if (req.get('sec-gpc') === '1') {
    req.userOptedOut = true;
    // persist to session or DB keyed to user/session
  }
  next();
});

Server-side (Rails):

# ApplicationController
before_action :detect_gpc

private

def detect_gpc
  if request.headers['Sec-GPC'] == '1'
    session[:user_opted_out] = true
    @user_opted_out = true
  end
end

Client-side:

// Run before CMP init
if (typeof navigator !== 'undefined' && navigator.globalPrivacyControl === true) {
  // Flag the opt-out for the CMP
  window.__userOptedOutViaGPC = true;
}

The header and the property are redundant by design. Implement both, because extensions on Chrome set the header but may not set the property (or vice versa for older versions), and code that relies on only one will miss traffic.
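The spec rule above (treat Sec-GPC as absent unless the value is exactly "1") and the two-channel advice are easy to get subtly wrong at a real edge, where proxies duplicate headers and extensions send odd values. The following is an added example, not the page's middleware or any framework's code; the request and navigator objects are plain constructed stand-ins rather than Express or Next.js types, and the `headersFrom` helper is a hypothetical shim that mimics a framework's case-insensitive header lookup.

```javascript
// Added example: strict Sec-GPC parsing plus two-channel detection.

// The spec says a server MUST treat Sec-GPC as absent unless the field
// value is exactly the single character "1". That rules out values a real
// edge will see: Node joins repeated headers into "1, 1", some shims send
// "true" or " 1", and "0" is not an un-opt-out. All of those return false.
function parseSecGpc(fieldValue) {
  if (typeof fieldValue !== 'string') return false; // missing, or an array
  return fieldValue === '1';
}

// navigator.globalPrivacyControl is a boolean. Only a literal `true` counts;
// `undefined` (no support) or a string "1" from a shim is no signal.
function parseNavigatorGpc(nav) {
  return nav != null && nav.globalPrivacyControl === true;
}

// Combine both channels. The header and the property are redundant by
// design and some extensions set only one, so either asserting the signal
// is enough. `getHeader` is a case-insensitive lookup like Express's req.get.
// Nothing is cached: a missing header on this request says nothing about the
// next one, so call this on every request.
function detectGpc({ getHeader, nav }) {
  const viaHeader = parseSecGpc(getHeader ? getHeader('Sec-GPC') : undefined);
  const viaProperty = parseNavigatorGpc(nav);
  return {
    optOut: viaHeader || viaProperty,
    sources: [viaHeader && 'header', viaProperty && 'property'].filter(Boolean),
  };
}

// Constructed helper (hypothetical): turn a plain header object into a
// case-insensitive lookup, mimicking how frameworks expose request headers.
function headersFrom(obj) {
  const lower = {};
  for (const [k, v] of Object.entries(obj)) lower[k.toLowerCase()] = v;
  return (name) => lower[name.toLowerCase()];
}

// Constructed sample requests: a Brave user, a Chrome user with an extension
// that only sets the header, a proxy that duplicated the header, and a
// browser sending an explicit "0".
function runSamples() {
  return {
    brave: detectGpc({ getHeader: headersFrom({ 'Sec-GPC': '1' }), nav: { globalPrivacyControl: true } }),
    headerOnly: detectGpc({ getHeader: headersFrom({ 'sec-gpc': '1' }), nav: {} }),
    duplicated: detectGpc({ getHeader: headersFrom({ 'Sec-GPC': '1, 1' }), nav: { globalPrivacyControl: false } }),
    zero: detectGpc({ getHeader: headersFrom({ 'Sec-GPC': '0' }), nav: {} }),
  };
}
```

The duplicated-header case is the one worth remembering: a CDN or proxy that repeats Sec-GPC produces "1, 1" after header joining, which the spec says to ignore. Whether you then choose to log that case and treat it as a signal anyway is a policy decision; the parser above follows the spec literally.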

Layer 2: Honoring the signal

Detection is not the opt-out. The opt-out is the state write: the user's preference is recorded somewhere durable and every downstream system that decides whether to fire a tag or share data reads that state.

Where to write the state:

  • For authenticated users: write the opt-out flag to the user's account record in your identity service. On every subsequent session and device, read the flag from the account record. This is how you satisfy § 7025(c)(2) (cross-account propagation, the Disney rule).
  • For anonymous users: write to a first-party cookie on the root domain, with a reasonable TTL (a year is standard). On subsequent pageviews, read the cookie. Also write to any first-party analytics session store your CMP uses.

What downstream systems must read the state:

  • Your CMP. The CMP gates all the client-side tags.
  • Your tag manager (GTM, Tealium). If you use Consent Mode v2, this maps to ad_user_data and ad_personalization denied signals.
  • Server-side GTM. The opt-out state must be passed from the browser container to the server-side container in the event payload.
  • Customer Data Platform. If your CDP forwards events to advertising destinations, those destinations should be suppressed for opted-out users.
  • Every first-party analytics endpoint you run. Direct API calls that bypass the CMP are the common leak.
  • Mobile and CTV app SDKs. If the user is authenticated, the opt-out flows to the app via the account record. If unauthenticated, the app needs its own in-app opt-out that writes to device-local state.

A deeper look at the CMP and Consent Mode wiring lives in the Google Consent Mode v2 + GPC + GPP unified implementation guide.

Layer 3: Display (the 2026 rule)

California's § 7025(c)(6) requires a visible confirmation that the signal was honored. Possible implementations:

  • A persistent small banner in the header: "We detected your Global Privacy Control signal. You are opted out of sale and sharing of your personal information."
  • A status indicator in the preferences UI that reflects the opt-out state on load.
  • A subtle toast notification on first page load when GPC is detected for the first time in the session.

The regulation doesn't prescribe the UI. The prescribed effect is that the consumer sees the confirmation. It should not be modal (that would be "conditioning" the opt-out under § 7025(f)). It should not require a click to dismiss a pop-up. Think of it as how a "logged in" indicator works: present, visible, non-disruptive.

The propagation audit

For any business with meaningful scale in a US opt-out state, the audit that reveals the real state of GPC handling is a manual walkthrough:

  1. Enable GPC. Use Firefox with the signal enabled, or install a GPC extension in Chrome.
  2. Visit your site, not logged in. Check that the Sec-GPC: 1 header is present on the request (DevTools → Network). Check that navigator.globalPrivacyControl returns true in the console.
  3. Check for the display (new 2026 rule). Is there a visible indication that the signal was honored?
  4. Navigate the site for a few minutes. In the Network tab, inspect the outbound requests to Meta Pixel, Google Ads, TikTok, LinkedIn Insight, and any retargeting vendors. Are they firing? If yes, are they firing with identifiable data? The opt-out state should gate these.
  5. Log in. Check that the opt-out persists after login, not just until the first session change.
  6. Open the mobile app signed in to the same account. Does the opt-out state propagate?
  7. On the mobile app, check server-side telemetry. Does the server-side GTM or CDP know about the opt-out?

Any "fires anyway" answer at any step is a § 7025 violation waiting to be cited. The CPPA's Ford order requires exactly this kind of audit; doing it proactively is cheaper than doing it under a settlement.
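Step 4 of the walkthrough (are the ad pixels still firing, and with identifiable data?) is the one that can be scripted against a saved Network export. The following is an added example, not the page's own tooling or any vendor's; the log entries, the pixel id, the parameter names and the tracker host table are constructed for illustration, and that table is a starting point to extend with your own vendors, not a complete list.

```javascript
// Added example: the propagation audit run as code over a captured request log.

// Sale/share-style endpoints, matched on host plus a path prefix. Constructed
// starting list; add every retargeting vendor you actually load.
const TRACKER_ENDPOINTS = [
  { host: 'www.facebook.com', pathPrefix: '/tr', vendor: 'Meta Pixel' },
  { host: 'googleads.g.doubleclick.net', pathPrefix: '/pagead/', vendor: 'Google Ads' },
  { host: 'analytics.tiktok.com', pathPrefix: '/', vendor: 'TikTok' },
  { host: 'px.ads.linkedin.com', pathPrefix: '/', vendor: 'LinkedIn Insight' },
];

// Query parameters that carry a user identifier. Constructed names modelled
// on common pixel payloads; adapt to what your vendors actually send.
const IDENTIFYING_PARAMS = new Set(['em', 'ph', 'external_id', 'uid', 'email', 'fbp']);

function matchTracker(url) {
  return TRACKER_ENDPOINTS.find(
    (t) => url.hostname === t.host && url.pathname.startsWith(t.pathPrefix),
  ) || null;
}

function identifyingParams(url) {
  return [...url.searchParams.keys()].filter((k) => IDENTIFYING_PARAMS.has(k));
}

// Walk the log. When the user is opted out, every tracker request is a
// finding; one that carries an identifier is the worst case (the Healthline
// pattern: opt-out processed, data still flowing). First-party endpoints that
// forward to ad partners are checked too, because they bypass the CMP; pass
// them as "host/path" strings.
function auditRequests(log, { optedOut, firstPartyForwarders = [] }) {
  const findings = [];
  for (const entry of log) {
    const url = new URL(entry.url);
    const tracker = matchTracker(url);
    const forwarder = firstPartyForwarders.includes(url.hostname + url.pathname);
    if (!tracker && !forwarder) continue;
    if (!optedOut) continue; // nothing to gate if the user has not opted out
    const ids = identifyingParams(url);
    findings.push({
      vendor: tracker ? tracker.vendor : 'first-party forwarder',
      url: entry.url,
      severity: ids.length ? 'high' : 'medium',
      identifiers: ids,
    });
  }
  return { pass: findings.length === 0, findings };
}

// Constructed capture: what a DevTools Network export might contain after a
// few minutes on a site with GPC on and the opt-out state already set.
const SAMPLE_LOG = [
  { url: 'https://example.com/assets/app.js' },
  { url: 'https://www.facebook.com/tr?id=000000&ev=PageView&fbp=fb.1.1700000000.12345' },
  { url: 'https://googleads.g.doubleclick.net/pagead/viewthroughconversion/000000/?random=1' },
  { url: 'https://example.com/api/events?uid=user-123&ev=view' },
  { url: 'https://cdn.example.com/session/heartbeat' },
];

function runAudit() {
  return auditRequests(SAMPLE_LOG, {
    optedOut: true,
    firstPartyForwarders: ['example.com/api/events'],
  });
}
```

On the constructed log the audit fails three times: the Meta Pixel call carries an identifier (high), the Google Ads call fires without one (medium, still a violation), and the first-party events endpoint forwards a user id. The heartbeat and the static asset are ignored, which is the same distinction the FAQ draws between sale/share flows and strictly necessary traffic.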

Common implementation mistakes

Patterns I've seen across client implementations, in rough order of frequency:

  1. Detection only on first page load. The signal should be re-checked on every request. Single-page apps that only check on initial hydration can miss GPC on subsequent navigations if the user's browser state changes.
  2. Client-side detection without server-side. The Sec-GPC header is reliable; the JavaScript property can be blocked or overridden by some content-security-policy configurations. Implement both.
  3. Opt-out state written to session storage, not cookies. Session storage is lost on browser restart. A user who opts out today and comes back tomorrow without GPC enabled would appear to have re-opted in. Use a first-party cookie with a year TTL for durability.
  4. CMP sees GPC but downstream analytics does not. The CMP gates client-side tags, but if you have a first-party analytics endpoint that bypasses the CMP, you have to gate it separately.
  5. Server-side GTM not propagating consent. The browser container knows about the opt-out; the server-side container does not. Pass consent state in the event payload, usually as a consent object or gcs parameter.
  6. Disney pattern: device-scoped state for authenticated users. Write to the account record, not just the browser cookie. The cost is small; the regulatory obligation is explicit.
  7. No 2026 display. Most CMPs do not ship with this out of the box yet. Configure it or add a custom element.

The Delete Act angle: data brokers and GPC

One ancillary requirement worth naming. California's Delete Act (SB 362, effective January 1, 2026) requires data brokers to register with the CPPA and, starting August 1, 2026, to honor a centralized deletion mechanism. The mechanism operates in parallel to GPC: GPC is an opt-out of sale/sharing, while the Delete Act mechanism is a global deletion request. A business that acts as a data broker must register and handle both.

If you are not a data broker, the Delete Act does not directly create GPC obligations for you, but the regulatory trajectory is the same: signal-based rights are getting stronger and more automated.

FAQ

Does GPC apply to GDPR?

GPC is a jurisdiction-agnostic signal. GDPR does not use the UOOM framework explicitly, but several DPAs have indicated that ignoring a consumer's clearly-expressed opt-out intent is inconsistent with GDPR's consent-as-freely-given standard. In practice, most businesses treat GPC as an opt-out for non-essential cookie categories in EEA traffic, which is both defensible under GDPR and operationally simpler than maintaining region-specific handling.

What if the user is behind a VPN in another state?

GPC does not carry geolocation. Your compliance obligation is to the user's residency, which you determine through IP geolocation, account-level billing address, or explicit attestation. A California resident behind a VPN is still a California resident for CCPA purposes. Honor the signal for any traffic you believe originates from a UOOM-recognizing state.

Should I honor GPC for users outside UOOM states?

The regulatory obligation is limited to UOOM states. But the signal is clean, the consumer intent is clear, and the operational cost of honoring it universally is typically lower than the cost of maintaining state-specific handling. Most mature implementations honor GPC globally for sale/share-style data flows.

Does GPC affect "strictly necessary" cookies?

No. GPC is an opt-out of sale and sharing. Cookies that are strictly necessary for the service (session cookies, authentication, load balancing, shopping-cart state) continue to function. The opt-out does not break the site.

How often do I need to re-check the signal?

Every request. Do not cache an absent header as "this user hasn't opted out." A user can enable GPC between pageviews and that should take effect immediately.

What's the difference between GPC and the IAB USP string or GPP?

GPC is an inbound signal from the user. USP (now deprecated) and GPP are outbound signals from your site to advertising partners. The two systems work together: the user sends GPC → your CMP reads it → your CMP updates the GPP string to reflect the opt-out → downstream ad-tech reads GPP and suppresses the user. The GPP section of the unified implementation guide walks through the full flow.

What happens if I just silently honor GPC without the display?

Pre-2026, that was fine. As of January 1, 2026, California requires a visible display under § 7025(c)(6). A silent implementation is the pattern the CPPA will cite in the next wave of enforcement. The fix is small; don't skip it.

Does the CPPA really audit GPC handling?

Yes. The Ford settlement (March 2026) requires Ford to audit every tracking technology on its properties for GPC handling. The CA-CO-CT coordinated sweep announced September 9, 2025 is explicitly investigating GPC non-compliance. This is an active enforcement area, not a theoretical one.

Where to go from here

If you have not implemented GPC detection and propagation, it is the highest-leverage privacy engineering change you can make this quarter. The implementation is small (a day of engineering for a straightforward stack), the regulatory obligation is clear, and the enforcement pattern is established in four named cases so far.

For the complete CCPA banner spec, see our CCPA Cookie Banner Requirements pillar. For the full enforcement record, see The Honda, Ford, and Disney Cases. For the technical orchestration of GPC with Google Consent Mode v2 and the IAB Global Privacy Platform, see the unified implementation guide. For the multi-state UOOM requirements, see the US State Privacy Law Tracker.

If you want a read on your current GPC implementation before the next sweep letter lands, Consenteo's engineering team has built this specific layer on 200+ corporate sites. Get in touch and we'll do a propagation audit against the patterns in this post.
