Do Not Track is dead. Global Privacy Control is the replacement.
Do Not Track (DNT) was a great idea with no teeth. Browsers sent a DNT: 1 header, and websites ignored it. There was no legal requirement to honor it, and most did not.
Global Privacy Control (GPC) is different. It is legally binding under CCPA, and its scope is expanding.
What GPC actually does
GPC is a browser-level signal that says “do not sell or share my personal data.” Unlike DNT, it is legally enforceable under the California Consumer Privacy Act and recognized by the California Attorney General. Firefox, Brave, and DuckDuckGo support it natively. Chrome and Safari users can add it via extensions. The signal is binary: on or off, no ambiguity.
The legal difference
DNT was a voluntary standard. The W3C Tracking Protection Working Group shut down in 2019 without producing a binding specification.
GPC is different. The California AG explicitly stated that businesses must honor GPC as a valid opt-out request under CCPA. Ignoring it is a legal liability.
What this means for your consent banner
Your CMP should detect GPC on page load before any tracking scripts fire. Treat GPC as an opt-out, equivalent to the user clicking “Reject All.” Respect DNT as a fallback. Some users still have it enabled. And do not override GPC with a default consent. That defeats the whole point.
How Zest handles it
Zest checks for GPC and DNT before any scripts load. If either signal is present, the default is “denied.” No cookies, no trackers, no network requests. The user can still opt in manually, but the default is privacy-first.
This is not a config option. It is the default behavior. Privacy signals should not be opt-in.
—
May the source be with you.
Alex @ FreshJuice