Global Privacy Control — what it is and how to enable it
GPC is a browser-level signal that automatically tells websites 'do not sell or share my data.' Here's how it works and how to turn it on in every major browser.
Global Privacy Control (GPC) is a browser setting that sends a signal to every website you visit: “Do not sell or share my personal data.” It’s like a Do Not Track that actually has legal teeth. If you’ve read our CCPA guide, you’ll recognize this as the opt-out mechanism California codified, and it’s increasingly echoed across US state privacy laws.
How it works
When GPC is enabled, your browser sends a Sec-GPC: 1 HTTP header with every request. Websites that honor GPC read this header and treat it as a legally binding opt-out under CCPA.
Unlike Do Not Track (DNT), which was voluntary and widely ignored, GPC is recognized by the California Attorney General as a valid mechanism for exercising CCPA opt-out rights.
Which browsers support it
| Browser | Native support | How to enable |
|---|---|---|
| Firefox | Yes (desktop + Android) | Settings → Privacy & Security → “Tell websites not to sell or share my data” |
| Brave | Yes (desktop + Android) | Settings → Shields → “Block cookie consent notices” (includes GPC) |
| DuckDuckGo | Yes (desktop + mobile) | Built in, no toggle needed |
| Chrome | Via extension | Install “Global Privacy Control” extension from Chrome Web Store |
| Safari | Via extension | Install a GPC-compatible content blocker |
| Edge | Via extension | Same as Chrome |
What GPC does NOT do
- It does not block cookies or trackers (that’s a separate feature)
- It does not prevent websites from collecting data. It tells them not to sell it
- It is not a replacement for a consent banner. It’s an additional layer
- It only applies to data selling and sharing, not to all data processing
How website owners should handle GPC
If your site serves California visitors and meets CCPA thresholds, you must honor GPC. The obligation sits alongside the broader consent duties in GDPR, and the mechanics are similar. That means:
- Detect the Sec-GPC header on the server side, or check navigator.globalPrivacyControl on the client side
- Treat GPC as equivalent to the user clicking “Do Not Sell My Personal Information”
- Do not override GPC with a default opt-in
- Log the signal for compliance records
Zest checks for GPC on page load and defaults to “denied” when it’s present. No configuration needed.
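The four steps above, sketched as a server-side check. This is an added example, not Zest's code or part of the original page. The category names, the siteDefaults shape and the log-record fields are assumptions, and it takes the conservative route of denying every non-essential category when the signal is present.

```javascript
// Added example, not Zest's code. Category names, the siteDefaults shape and
// the log-record fields are assumptions made for illustration.
const NON_ESSENTIAL = ["analytics", "advertising", "personalization"];

// True only when the request carries Sec-GPC with the exact value "1".
function hasGpcSignal(headers) {
  // Node lowercases header names; match case-insensitively for other callers.
  const entry = Object.entries(headers || {})
    .find(([name]) => name.toLowerCase() === "sec-gpc");
  if (!entry) return false;
  const value = Array.isArray(entry[1]) ? entry[1][0] : entry[1];
  return String(value).trim() === "1";
}

// Work out the consent state for one request and build the compliance record.
function resolveConsent(headers, siteDefaults = {}, now = new Date()) {
  const gpc = hasGpcSignal(headers);
  const consent = { essential: "granted" };
  const overriddenDefaults = [];
  for (const category of NON_ESSENTIAL) {
    const fallback = siteDefaults[category] === "granted" ? "granted" : "denied";
    if (gpc && fallback === "granted") overriddenDefaults.push(category);
    // The signal beats a default opt-in: it is handled as a Do Not Sell click.
    consent[category] = gpc ? "denied" : fallback;
  }
  const logRecord = {
    timestamp: now.toISOString(),
    signal: "Sec-GPC",
    present: gpc,
    treatedAs: gpc ? "do-not-sell-or-share" : "no-signal",
    overriddenDefaults,
  };
  return { consent, logRecord };
}

// Constructed sample request: default opt-in for analytics, GPC enabled.
const sample = resolveConsent({ "Sec-GPC": "1" }, { analytics: "granted" });
console.log(JSON.stringify(sample, null, 2));
```

In a Node HTTP handler, pass req.headers as the first argument and append logRecord to whatever store holds your compliance records.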
How Zest handles it
Zest reads navigator.globalPrivacyControl on load and treats a positive signal as a sale-of-data opt-out, flipping every non-essential category to denied before any script runs. You don’t need a separate GPC handler wired into your app. The same Zest install that handles your banner and GDPR consent flow already honors it.