Jump to content

Global Privacy Control

Add links
From Wikipedia, the free encyclopedia
(Redirected from Sec-GPC)
Global Privacy Control project logo

Global Privacy Control (GPC) is a set of web technologies that can be used to inform websites of the user's wish to have their information not be sold or used by ad trackers.[1] Unlike the now-deprecated Do Not Track header, which was unsuccessful as it was ignored by third parties, GPC is intended to have legal force under privacy laws.[2][3]

GPC was developed in 2020 by privacy technology researchers including Sebastian Zimmeck, professor at Wesleyan University, and Ashkan Soltani, former Chief Technologist of the Federal Trade Commission, as well as a group of privacy-focused companies including the Electronic Frontier Foundation and Automattic (owner of Tumblr and WordPress).[4] The development of GPC was initiated by a National Science Foundation grant.[5]

Implementation

[edit]

The GPC specification defines two parts for implementing GPC in clients, and one part when implementing for servers.

The first part of a client implementation is a HTTP header with the form:

Sec-GPC: 1

The character '1' is the only allowed value for the header.[6] There is deliberately no mechanism for extensibility; the creators of the standard have stated that they will create new headers if extension becomes necessary.[7]

The second part of a client implementation is setting the navigator.globalPrivacyControl property to the value true.[8]

Websites can optionally host a JSON-formatted file known as the GPC support resource at the well-known URI .well-known/gpc.json to indicate how they respond to the GPC signal. This file has up to two relevant members (all other members should be ignored): a gpc boolean member where true means that the server intends on complying with GPC requests, and false means it does not, and a lastUpdate member.[9] By default, a website's support is unknown.

Adoption

[edit]

GPC has been implemented by Mozilla Firefox,[10] Brave,[11] and DuckDuckGo Private Browser.[12][11] GPC is not yet supported by Google Chrome[13] or Microsoft Edge,[11] despite Chrome still allowing users to enable the Do Not Track header.[14] However, there are third-party extensions available for Chrome that enable sending the GPC header during HTTP requests, including the EFF's Privacy Badger extension[15] and the DuckDuckGo Privacy Essentials add-on[16] amongst others. Starting January 1, 2027 the CCPA requires businesses that develop or maintain a browser to include functionality configurable by a consumer that enables the browser to send an opt-out preference signal.[17] effectively requiring GPC in all browsers available to California residents. Many websites including the New York Times and Washington Post have started to recognize and respect GPC signals.[12] As of May 2, 2026 close to 400,000 websites declare via their .well-known/gpc.json that they respect GPC.[18]

[edit]

As of March 2026, GPC has legal authority in five states:

  • In Colorado, GPC was the first Universal Opt-Out Mechanism (UOOM) to be recognized as meeting the standards of the Colorado Privacy Act (CPA).[19]
  • GPC signals achieved legal status in Connecticut on January 1, 2025, when the Connecticut Data Privacy Act (CDPA) took effect.[20]
  • New Jersey started requiring businesses to respect universal opt-out mechanisms such as GPC under the New Jersey Data Privacy Law (NJDPL) which went into effect on July 15, 2025.[21]
  • In California, unlike the Do Not Track header, GPC is a valid do-not-sell-my-personal-information signal according to the California Consumer Privacy Act (CCPA), which stipulates that websites are legally required to respect a signal sent by users who want to opt-out of having their personal data sold.[22] In July 2021, the California Attorney General clarified that under law, the Global Privacy Control signal must be honored.
  • As of January 1, 2026, under the Oregon Consumer Privacy Act (CPA) businesses have to honor opt-out signals that meet certain technical requirements, such as GPC.[23]

Enforcement actions

[edit]

On August 24, 2022, the California Attorney General announced Sephora paid a $1.2 million settlement for allegedly failing to process opt-out requests via a user-enabled global privacy control signal.[24] Later on July 1, 2025, the California Attorney General announced the largest CCPA settlement to date of $1.55 million against Healthline.com for failing to allow consumers to opt out of targeted advertising and for sharing data with third parties without CCPA-mandated privacy protections.[25] On September 9, 2025, the Connecticut, California, and Colorado Attorneys General announced a joint investigative privacy sweep that involved sending letters to businesses that do not appear to be processing consumer requests to opt out of the sale of their personal information submitted via GPC as required by law and requested that those businesses come into immediate compliance.[26] On February 11, 2026, the California Attorney General announced a $2.75 Million settlement with Disney resolving allegations that the company violated the CCPA by failing to fully effectuate consumers' opt-out requests across all devices and streaming services associated with consumers' Disney accounts clarifying that GPC applies to all devices of a consumer's account.[27] On March 5, 2026, the California Privacy Protection Agency Board issued a decision requiring Ford Motor Company to pay a $375,703 fine for creating unnecessary friction in the opt-out process under the CCPA and required Ford to conduct an audit of the tracking technologies on its website and ensure compliance with opt-out preference signals, including GPC.[28]

References

[edit]
  1. ^ "Global Privacy Control (GPC)". privacycg.github.io. Retrieved August 17, 2024.
  2. ^ "Global Privacy Control (GPC)". State of California - Department of Justice - Office of the Attorney General. 2025-01-28. Retrieved 2025-03-17.
  3. ^ Desai, Anokhy (25 October 2022). "Is GPC the new 'do not track'?". iapp.org. Retrieved 2025-03-17.
  4. ^ "Frequently Asked Questions | Global Privacy Control". globalprivacycontrol.org. Retrieved August 17, 2024. Who is supporting the development of GPC?
  5. ^ "Award Abstract # 2055196 SaTC: CORE: Small: Improving Internet Privacy with Global Privacy Control". nsf.gov. Retrieved 2026-05-02.
  6. ^ "Global Privacy Control (GPC) - The Sec-GPC header for HTTP requests". w3c.github.io. Retrieved 2025-03-17.
  7. ^ "Global Privacy Control (GPC) - Extensibility of the Sec-GPC field value". w3c.github.io. Retrieved 2025-03-17.
  8. ^ "Global Privacy Control (GPC) - Preference caching". w3c.github.io. Retrieved 2025-03-17.
  9. ^ "Global Privacy Control (GPC) - GPC Support Resource". w3c.github.io. Retrieved 2025-07-26.
  10. ^ "Global Privacy Control". Mozilla Support. Retrieved December 20, 2024.
  11. ^ a b c Vigliarolo, Brandon (2024-12-12). "Mozilla removing Do Not Track option from Firefox 135". The Register. Retrieved 2024-12-20.
  12. ^ a b "What is Global Privacy Control, the Do Not Track replacement?". Circuit Bulletin. 2024-12-20. Retrieved 2024-12-20.
  13. ^ "Chrome Privacy Now!". Chrome Privacy Now!. Retrieved August 17, 2024.
  14. ^ "Turn "Do Not Track" on or off". Google Chrome Help. Google Inc.
  15. ^ "Privacy Badger". Electronic Frontier Foundation. Retrieved August 17, 2024. What is Global Privacy Control (GPC)?
  16. ^ "Global Privacy Control (GPC) Enabled by Default in DuckDuckGo Apps & Extensions". Spread Privacy. January 28, 2021. Retrieved August 17, 2024.
  17. ^ "AB-566 California Consumer Privacy Act of 2018: opt-out preference signal,". gpcsup.com. Retrieved May 2, 2026.
  18. ^ "Check a site - GPC Support". gpcsup.com. Retrieved May 2, 2026.
  19. ^ "Universal Opt-Out and the Colorado Privacy Act". coag.gov. Retrieved July 26, 2025.
  20. ^ "Attorney General Tong advises Connecticut consumers and businesses of opt out rights and requirements". ct.gov. December 30, 2024. Retrieved July 26, 2025.
  21. ^ "New Jersey Data Privacy Law FAQs". njconsumeraffairs.gov. Retrieved July 28, 2025.
  22. ^ "California Consumer Privacy Act (CCPA)". State of California - Department of Justice - Office of the Attorney General. October 15, 2018. Retrieved August 17, 2024.
  23. ^ "Consumer Privacy - Oregon Department of Justice: Consumer Protection". doj.state.or.us. Retrieved May 2, 2026.
  24. ^ Merken, Sara (August 24, 2022). "Sephora to pay $1.2 mln in privacy settlement with Calif. AG over data sales". Reuters. Archived from the original on May 10, 2023. Retrieved June 13, 2024.
  25. ^ "Attorney General Bonta Announces Largest CCPA Settlement to Date, Secures $1.55 Million from Healthline.com". oag.ca.gov. Retrieved 2025-07-27.
  26. ^ "Connecticut, California and Colorado Announce Joint Investigative Privacy Sweep". portal.ct.gov. Retrieved 2026-05-02.
  27. ^ "California Won't Let It Go: Attorney General Bonta Announces $2.75 Million Settlement with Disney, Largest CCPA Settlement in California History". oag.ca.gov. Retrieved 2026-05-02.
  28. ^ "Ford to Change Practices, Pay Fine for Adding Unnecessary Friction to Opt-Out Process". privacy.ca.gov. Retrieved 2026-05-02.
[edit]
Retrieved from "https://en.wikipedia.org/w/index.php?title=Global_Privacy_Control&oldid=1352180610"