It's a common practice among online businesses to sell or “share” website users' Personal Information. Asking websites or apps not to sell or share your Personal Information needs searching through each company website for a “Do not sell my data” button and then submitting this request to the company.

California consumers have strong protections under the California Consumer Privacy Act (CCPA/CPRA). And today, a growing number of U.S. states also give people the right to opt out of the sale/sharing of personal data and targeted advertising (although coverage and rules vary).

Global Privacy Control (GPC) is a browser-based opt-out preference signal that makes it much easier for users to exercise these rights across websites—without filling out forms one by one.

CookieScript supports the GPC signal through its Consent Management Platform (CMP). If a user has GPC enabled, your website can automatically honor the opt-out preference signal (where required) and adjust data sharing and ad/analytics behavior accordingly.

In 2026, GPC is no longer a ‘nice to have.’ Regulators in California, Colorado, and Connecticut have already launched coordinated enforcement efforts focused on businesses that appear not to honor opt-out signals like GPC, and California’s rules effective January 1, 2026 set clearer expectations for processing opt-out preference signals in a frictionless way.

What is the Global Privacy Control?

Global privacy control (GPC) is a browser setting that notifies website owners of users' privacy preferences regarding selling or sharing their personal information. GPC is an initiative to create a global technical specification that permits website users to control their privacy.

These privacy preferences are then transmitted as a signal to every website the user visits—primarily communicating an opt-out of the sale/sharing of personal information and (in many state laws) the use of personal information for targeted advertising.

GPC enables website users to inform about their privacy preferences for all websites at once without manually setting their preferences for each website.

The main purpose of GPC is to signal: ‘Do not sell or share my personal data’—and in many cases, to opt out of using personal information for targeted advertising. GPC matters because it gives users a single, scalable way to express their opt-out preference—while state privacy laws define when and how businesses must honor it.

This initiative is backed by a coalition of stakeholders including browser and extension vendors, publishers, and privacy organizations. GPC is supported by a growing ecosystem of organizations, including major publishers.

Visit the official website of the Global Privacy Control.

How does GPC Work?

First, users have to set up the Global Privacy Control signal on their browsers. When users have set it up, GPC sends a signal from users’ browsers or devices to websites, communicating that users do not allow their data to be sold or shared. 

In jurisdictions where opt-out preference signals are legally recognized (including several U.S. states), covered businesses must treat GPC as a valid request to opt out of sale/sharing and, where applicable, targeted advertising.

When a user enables the GPC signal and visits websites that recognize it, the user is automatically opted out of the sale or sharing of their personal data and targeted advertising.

Here’s how GPC works:

1. GPC activation by a user: Website users have to turn on GPC in their browsers or install browser extensions.
2. Signal transmission: When the user visits a website, the GPC signal is sent automatically to the website.
3. Website response: The website detects the GPC signal and automatically disables the sale or sharing of user data.
4. Legal compliance: Where required by law, the business must honor the signal and ensure the opt-out flows through its advertising/analytics and data-sharing setup.

Browser Support for GPC and GPC Extensions

Some privacy-focused browsers and extensions support GPC, but it is not enabled across all major browsers by default. However, different browsers offer different levels of support for GPC. Thus, both users and companies should understand how it works and choose the right browser.

As of 2026, GPC is available in some browsers (and through extensions in others). Common options include Firefox, Brave, and DuckDuckGo, as well as privacy-focused Firefox-based browsers like LibreWolf.

Other popular browsers have varying levels of GPC support:

• Microsoft Edge: GPC is not enabled natively. Users can enable GPC through extensions.
• Safari: Apple has not yet implemented GPC natively. Users can enable GPC through extensions.

Chrome and most Chromium-based browsers typically don’t offer a built-in GPC toggle. Users usually rely on extensions, or developers may add the header for testing purposes.

Browser extensions for GPC include the following ones:

• Abine
• Disconnect
• DuckDuckGo Privacy Essentials
• OptMeowt (developed by Privacy Tech Lab)
• Privacy Badger (developed by Electronic Frontier Foundation).

How to Enable GPC?

The simplest way to enable the GPC standard is to use web browsers that already have built-in the GPC signal. These browsers include Firefox Nightly, Brave, and DuckDuckGo.

There are also browser plugins for GPC, including Abine, Disconnect, OptMeowt, and Privacy Badger. These plugins could be used for Chrome, and other web browsers to enable GPC.

The third option to enable GPC is by using custom headers.

How to Enable GPC with Custom Headers?

This approach is mainly useful for testing. Most users enable GPC via a browser setting or extension.

To enable Global Privacy Control in a browser that doesn't support it natively (Chrome and Chromium-based browsers), you can simulate it by adding a custom HTTP header to your requests.

GPC uses the following HTTP request header:

http
Sec-GPC: 1

This signals that the user does not want their personal data to be sold or shared.

How to add GPC with custom headers in Chrome?

Since Chrome and Chromium-based browsers doesn’t allow setting custom headers globally through the browser UI, you should use a browser extension to do the task.

Method 1: use "ModHeader" extension

1. Install ModHeader from the Chrome Web Store.
2. Open the ModHeader panel.
3. Add a new header:

   Name: Sec-GPC
   Value: 1

4. Add conditions to apply only to specific domains or pages (optional).

Method 2: use a proxy or developer tool (advanced)

If you're developing or debugging:

Use Postman, curl, or browser dev tools to manually add Sec-GPC: 1 to your test requests.

Example with curl:

bash
curl -H "Sec-GPC: 1" https://your-website.com

How to Check if GPC Is Working?

After downloading a web browser or a plugin with the GPC signal, do not forget to check if the GPC signal really works on your website.

To check if GPC is really working  on the browser you are using, open a new browser tab and visit the official GPC test site:

• https://globalprivacycontrol.org
• https://globalprivacycontrol.org/tests

You should see a green light at the top of the page that says GPC signal detected. If you see it, that means GPC is sending out its “Do not sell my data” instructions on your behalf.

Privacy Compliance and GPC

Several U.S. state privacy laws require covered businesses to recognize a universal opt-out mechanism (often satisfied by GPC) for sale/sharing and/or targeted advertising.

Enforcement in 2026

Enforcement is catching up fast. California, Colorado, and Connecticut announced a joint investigative sweep focused on businesses that appear not to honor opt-out requests submitted through GPC.

California’s updated rules effective January 1, 2026 also spell out what it means to process opt-out preference signals in a frictionless way and allow businesses to show users that the signal was honored.

CCPA and Global Privacy Control

The CCPA was the first data privacy law in the USA to implement implement GPC. GPC allows easily respecting California consumer opt-out of sale requests. GPC is an acceptable method of opt-out request under the CCPA for not selling or sharing website users' private data. California Attorney General Rob Bonta informed that under the CCPA, companies are expected to deal with the GPC signal in the same way as with any other do-not-sell request from consumers.

The California Attorney General's office writes: “Under the law, it must be honored by covered businesses as a valid consumer request to stop the sale of personal information”. This explanation is important since previously many companies have ignored the GPC signal, making it a not-so-effective tool.

Beyond California, other US states also have enacted privacy laws that emphasize consumer rights and respect GPC. See the list of all US states that require recognizing the GPC or a comparable universal opt-out mechanism.

• California
• Colorado
• Connecticut
• Delaware
• Maryland
• Minnesota
• Montana
• Nebraska
• New Hampshire
• New Jersey
• Oregon
• Texas

GDPR and Global Privacy Control

While the GDPR doesn’t specifically mention GPC, it shares the broader goal of giving people control over how their personal data is used. That said, GPC is not a GDPR consent mechanism, and it doesn’t replace EU Cookie Consent requirements under the eprivacy framework.

If you operate in the EU/UK, you should treat GPC as a strong privacy preference signal—useful for reducing tracking—but you still need a valid lawful basis for any processing (and consent where required for cookies/trackers).

How CookieScript Can Help with GPC?

CookieScript supports the GPC signal through the Consent Management Platform. As a result, websites, using CookieScript CMP, can automatically accept the user’s GPC signal choices.

See the guide on how to enable the GPC signal.

CookieScript is also officially certified by the Interactive Advertising Bureau (IAB) Europe and comes with a full IAB Europe Transparency & Consent Framework (TCF) 2.2 framework integration. IAB TCF 2.2 allows businesses to conduct targeted advertisements and be GDPR compliant at the same time.

Geo-targeting and custom opt-out banner: The geo-targeting feature of CookieScript determines your website user location and automatically presents the correct compliance solution. Depending on the user's jurisdiction, CookieScript CMP displays a fully customizable opt-out banner to support compliance with the relevant privacy law.

By enabling GPC support and configuring consent flows correctly (including IAB TCF 2.2 where relevant), your website can better support compliance across regions—especially U.S. opt-out requirements and EU consent requirements. Like any compliance setup, the outcome depends on correct configuration, vendor behavior, and ongoing testing.

Frequently Asked Questions

What is the GPC signal?

Global Privacy Control (GPC) is a browser setting that notifies website owners of users' privacy preferences regarding selling or sharing their personal information. The main purpose of the GPC is to inform websites not to sell or share user personal data. Users enable GPC in their browser or via an extension. A CMP like CookieScript helps websites recognize and honor that signal where required.

How to enable GPC?

First, to enable Global Privacy Control (GPC), use web browsers that already have built-in GPC, like Firefox Nightly, Brave, DuckDuckGo, and Librewolf; or download browser plugins for GPC, including Abine, Disconnect, OptMeowt, and Privacy Badger. Second, use a CMP like CookieScript that supports GPC. See the CookieScript guide on how to enable the GPC signal. To make sure GPC is turned on, check that it works at https://globalprivacycontrol.org/.

What is a GPC browser?

Global Privacy Control (GPC) is a proposed standard to create a global technical specification that allows users to control their privacy. Firefox Nightly, Brave, DuckDuckGo, and Librewolf browsers have natively built-in the GPC signal, so the users do not need to search through each company website for a “Do not sell my data” button and then submit this request to the company.

What are GPC cookies?

Global Privacy Control (GPC) allows users to notify website owners of their privacy preferences regarding selling or sharing their personal information through their browsers. Once activated, the GPC is sending out its “Do not sell my data” instructions on your behalf every time you visit a new web page, so you do not need to use cookies for each website. Use a CMP like CookieScript that supports GPC.