Explainer · April 2026

What Is Global Privacy Control (GPC)?

Global Privacy Control is an open-standard browser signal that tells every website you visit to stop selling, sharing, and using your personal information for targeted advertising. Six US states now legally require businesses to honor it. Enable it once, and the signal travels with you across every site — no per-site opt-out clicking.

At a glance

Standard: HTTP header Sec-GPC: 1 + navigator.globalPrivacyControl
Legally enforced in: CA, CO, CT, OR, NH, NJ
On by default in: Brave, DuckDuckGo browser
Opt-in in: Firefox (about:config)
Extension required for: Chrome, Safari, Edge
Covers: Sale, sharing, targeted advertising (not deletion)

How to enable GPC in 2 minutes

Brave

Already enabled by default. Confirm at globalprivacycontrol.org.

DuckDuckGo browser

Enabled by default.

Firefox

Type about:config in address bar → search "privacy.globalprivacycontrol.enabled" → set to true. Restart browser.

Chrome / Edge

Install Privacy Badger (privacybadger.org) or DuckDuckGo Privacy Essentials extension. Both enable GPC automatically.

Safari

Install DuckDuckGo Privacy Essentials or Privacy Badger from App Store / Safari Extensions.

Mobile (iOS/Android)

Use Brave Mobile, Firefox Mobile (enable in about:config), or DuckDuckGo mobile browser.

States that legally recognise GPC

In these states, businesses receiving a GPC signal from a resident must treat it as a legally binding opt-out of sale, sharing, or targeted advertising — same effect as clicking "Do Not Sell" on every site.

California

CCPA/CPRA (Sephora settlement $1.2M set precedent, 2022)

Colorado

Colorado Privacy Act (CPA)

Connecticut

Connecticut Data Privacy Act (CTDPA)

Oregon

Oregon Consumer Privacy Act (OCPA)

New Hampshire

New Hampshire Data Privacy Act (NHDPA)

New Jersey

NJ Data Privacy Act (NJDPA)

GPC is necessary but not sufficient

GPC covers: prospective sale, sharing, and targeted-advertising use of your data. It’s always-on, passive, and works the moment you enable it.

GPC does NOT cover: data already collected about you, data held by brokers you’ve never visited, or government/public-records sources that feed brokers. To remove existing data, you need active deletion requests.

The right combo: Enable GPC for passive future protection + use OfflistMe (or direct CCPA requests) for active cleanup of existing broker records.

Complete your privacy stack

GPC for future + OfflistMe for past

GPC prevents future sale and sharing. OfflistMe cleans up the 200+ brokers that already have your data. $2 one-time.


FAQ

What is Global Privacy Control?

Global Privacy Control (GPC) is an open-standard browser signal that tells every website you visit that you opt out of the sale or sharing of your personal information and out of targeted advertising. It is transmitted as an HTTP header (Sec-GPC: 1) and a corresponding JavaScript property (navigator.globalPrivacyControl). Instead of clicking "Do Not Sell" on every site, you enable GPC once in your browser and every compliant site receives the signal automatically.
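How a site receiving the header might evaluate it, as an added example that is not from the original page or from the GPC project. The function names, the `residentState` argument (assumed to be resolved elsewhere) and the policy of honoring the signal for every sender are assumptions; the state list is the one given on this page.

```javascript
// Added example: server-side evaluation of the Sec-GPC request header.
// All function and field names here are hypothetical.

// States this page lists as legally recognising GPC.
const GPC_STATES = new Set(["CA", "CO", "CT", "OR", "NH", "NJ"]);

// Header names are case-insensitive, and Node-style header maps can hold an
// array when a header is repeated. Return every value for `name`, trimmed.
function headerValues(headers, name) {
  const wanted = name.toLowerCase();
  const out = [];
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() !== wanted) continue;
    for (const v of Array.isArray(value) ? value : [value]) {
      out.push(String(v).trim());
    }
  }
  return out;
}

// Only the value "1" counts as the signal ("Sec-GPC: 1"); anything else is ignored.
function hasGpcSignal(headers) {
  return headerValues(headers, "Sec-GPC").some((v) => v === "1");
}

// Decide what processing is allowed for one request.
function gpcDecision(headers, residentState) {
  const signal = hasGpcSignal(headers);
  const state = String(residentState || "").toUpperCase();
  return {
    signal,
    // Binding only for residents of the listed states; kept for audit logs.
    legallyBinding: signal && GPC_STATES.has(state),
    // Assumed conservative policy: honor the opt-out for anyone who sends it.
    allowSale: !signal,
    allowSharing: !signal,
    allowTargetedAds: !signal,
    // GPC is an opt-out, not a deletion request: stored data is untouched.
    triggersDeletion: false,
  };
}

// Constructed sample requests (headers, resident state).
const samples = [
  [{ "sec-gpc": "1" }, "CA"],
  [{ "Sec-GPC": "0" }, "CO"],
  [{ "user-agent": "example" }, "NJ"],
  [{ "SEC-GPC": " 1 " }, "TX"],
];
for (const [h, st] of samples) console.log(st, JSON.stringify(gpcDecision(h, st)));
```
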

Which browsers support GPC?

Firefox (enable in about:config — privacy.globalprivacycontrol.enabled), Brave (on by default), DuckDuckGo browser (on by default). For Chrome and Safari, install the Privacy Badger extension from EFF or the DuckDuckGo Privacy Essentials extension. GPC cannot be enabled on most default Chrome or Edge installations without an extension.

Which states legally require businesses to honor GPC?

As of 2026, six states legally recognise GPC as a binding opt-out signal: California (CCPA/CPRA), Colorado (CPA), Connecticut (CTDPA), Oregon (OCPA), New Hampshire (NHDPA), and New Jersey (NJDPA). A growing number of other states are adopting similar recognition through amendments or regulatory guidance.

Has anyone been fined for ignoring GPC?

Yes. The California AG’s first public CCPA enforcement action, against Sephora in 2022 ($1.2M settlement), specifically cited Sephora’s failure to honor GPC signals. This set the precedent that ignoring GPC is a CCPA violation. More recently, Disney’s $2.75M settlement in 2026 also included GPC-enforcement failures.

Does GPC replace the need to submit deletion requests?

No. GPC is an opt-out-of-sale / opt-out-of-sharing / opt-out-of-targeted-advertising signal. It does not trigger deletion of data already collected. To actually delete your data from a broker, you need a separate verifiable deletion request (CCPA § 1798.105). GPC is a passive always-on layer; deletion is an active one-time request. Use both.

Does GPC work on mobile?

Yes, on the Firefox Mobile, Brave Mobile, and DuckDuckGo mobile browsers. For native iOS/Android apps that are not browsers, GPC does not apply — app-level tracking uses advertising identifiers instead. Limit those in iOS Settings > Privacy > Tracking or Android Settings > Privacy > Ads.

How do I check if GPC is enabled?

Visit globalprivacycontrol.org — the page detects and displays your current GPC status ("GPC signal detected" or "not detected"). Alternatively, open the browser's dev tools console and type navigator.globalPrivacyControl. A return value of true means GPC is active.

Does GPC work across countries?

GPC is most strongly enforced in the US states that have adopted it. The EU has a functionally similar mechanism under GDPR (ePrivacy Directive cookie consent) but does not use the GPC standard. The UK ICO has referenced GPC as a valid mechanism under UK GDPR. For EU/EEA residents, direct opt-out requests under GDPR Article 21 remain the primary path.


Source: Global Privacy Control specification · California AG GPC enforcement cases. Verified April 2026.