Global Privacy Control (GPC) Signal

Overview

Global Privacy Control (GPC) is a browser-level privacy signal that lets a visitor express a single, persistent opt-out preference to every website they visit — without having to click a "Do Not Sell" link on each one.

When enabled, the browser:

• Sends an HTTP request header: Sec-GPC: 1
• Exposes a JavaScript property: navigator.globalPrivacyControl === true

A growing number of U.S. state privacy laws require businesses to recognize GPC as a legally valid opt-out request. Rather than gating GPC handling by region, Consent Pro honors the signal for every visitor whose browser sends it, anywhere in the world. This goes beyond the legal minimum and treats GPC as what it was designed to be: a universal expression of a visitor's privacy preference.

Consent Pro V2 handles GPC detection, the opt-out logic, and the user-facing confirmation display automatically.

---

Scope: Every GPC-Enabled Visitor

GPC is honored globally, with no region check. If navigator.globalPrivacyControl === true, Consent Pro applies the opt-out — whether the visitor is in California, Berlin, São Paulo, or anywhere else.

This decision is deliberate:

• Legal compliance is a floor, not a ceiling. Twelve U.S. states currently mandate GPC recognition (with more on the way). Honoring GPC universally satisfies every existing mandate and any future one without requiring a code change.
• It matches user intent. A visitor who has explicitly enabled GPC has made a clear privacy choice. Ignoring it because they happen to be visiting from a jurisdiction without an enforcement statute is bad faith.
• It simplifies the runtime. No geo-IP lookup, no region allowlist to maintain, no edge cases when geolocation fails or returns ambiguous results.

The signal still has no practical effect on Opt-In or Informational banners (see Supported Banner Types below) — those don't pre-enable categories, so there's nothing for GPC to override.

---

How Visitors Enable GPC

A visitor can turn on GPC in one of two ways:

• Native browser support — Brave, Firefox, and DuckDuckGo's browser ship with GPC built in (Brave and DuckDuckGo enable it by default; Firefox exposes it as a setting).
• Browser extension — Privacy Badger, OptMeowt, and DuckDuckGo Privacy Essentials add GPC support to browsers that don't include it natively (such as Chrome and Edge).

Once enabled, the signal is sent automatically with every request — there is nothing the website operator needs to do to receive it.

---

How Consent Pro Handles the Signal

When Consent Pro loads, it checks navigator.globalPrivacyControl. The behavior depends on what's already stored:

Situation	Behavior
No prior consent stored (first visit)	The GPC signal is honored. Non-essential categories (analytics, marketing, personalization) are automatically opted out. The gpc-honored element is shown.
Consent was previously saved	The stored consent choice takes precedence; the GPC signal is not re-applied.
Visitor manually updates preferences	Any manual interaction through the Preferences panel overrides the GPC signal going forward.

---

Supported Banner Types

GPC has a meaningful effect only on banners where categories are pre-enabled by default. Consent Pro therefore applies GPC behavior on:

• Opt-Out banners
• Do Not Sell banners

For both types, all categories are enabled on first visit. When a visitor has GPC active, that default is overridden and non-essential categories (analytics, marketing, personalization) are automatically opted out.

GPC has no effect on Opt-In or Informational banners, since those don't pre-enable categories in the first place.

---

California Display Requirement (§ 7025(c)(6))

Effective January 1, 2026, the updated CCPA regulations changed § 7025(c)(6) from "may" to "must": businesses are now required to visibly display that a consumer's opt-out preference signal has been processed. A silent backend implementation is no longer compliant for visitors in California.

Consent Pro satisfies this requirement automatically. Because the gpc-honored element is shown for every GPC-active visitor — not just those in California — the California display obligation is met as a side effect of the universal scope. The default copy ("The GPC signal has been honored.") meets the regulation's example wording (e.g., "Opt-Out Request Preference Signal Honored").

Regulators have actively scrutinized businesses' handling of opt-out preference signals, so organizations should ensure GPC requests are both honored and clearly communicated to visitors.

If your banner was generated before the gpc-honored element was added, see Updating an Existing Banner below.

---

No Configuration Required

GPC support is built into Opt-Out and Do Not Sell banners and works automatically. There is no toggle, setting, or region list to enable. When a visitor has GPC active in their browser, Consent Pro will honor it and display the confirmation.

---

Banner Behavior and Styling

When GPC is honored, Consent Pro sets a fs-consent-gpc attribute on the banner, preferences, and fixed-preferences elements:

• fs-consent-gpc="true" — GPC is active and has been honored
• fs-consent-gpc="false" — GPC is not active

An element with the attribute fs-consent-element="gpc-honored" is automatically shown when GPC is honored and hidden when it is not. Use this to display a message confirming that the visitor's GPC preference has been respected.

Updating an Existing Banner

The gpc-honored element is included by default in newly generated Opt-Out and Do Not Sell banners. If your banner was generated before GPC support was added, you can either:

1. Regenerate the banner from the Consent Pro app (recommended), or
2. Manually add the element using the markup below.

Place the following HTML inside both your banner element and your Preferences panel:

<div fs-consent-element="gpc-honored" class="consent_gpc-honored">
  <div class="consent_gpc-honored-icon w-embed">
    <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="currentColor" class="size-6">
      <path
        fill-rule="evenodd"
        d="M2.25 12c0-5.385 4.365-9.75 9.75-9.75s9.75 4.365
        9.75 9.75-4.365 9.75-9.75 9.75S2.25 17.385 2.25
        12Zm13.36-1.814a.75.75 0 1 0-1.22-.872l-3.236
        4.53L9.53 12.22a.75.75 0 0 0-1.06 1.06l2.25
        2.25a.75.75 0 0 0 1.14-.094l3.75-5.25Z"
        clip-rule="evenodd"
      />
    </svg>
  </div>
  <div class="consent_gpc-honored_text">The GPC signal has been honored.</div>
</div>

Style the consent_gpc-honored element and its children using the Webflow Style panel or custom CSS.

---

Optional: Publishing /.well-known/gpc.json

The GPC specification defines an optional, machine-readable support file that websites may host at:

/.well-known/gpc.json

This file is a public declaration that your site recognizes and honors GPC. Privacy tools, browser extensions, scanners, and compliance reviewers may check for it.

Do I need it?

No — it is optional. Your site can fully honor GPC without it, because the signal is transmitted directly by the browser with every request. Consent Pro does not require this file to function.

That said, publishing it is a low-effort transparency win and is recommended for audit readiness.

File contents

{
  "gpc": true,
  "lastUpdate": "2026-04-28"
}

Field	Description
gpc	true declares that your site intends to honor GPC requests.
lastUpdate	The date this declaration was last reviewed, in ISO format (YYYY-MM-DD).

Where to host it

The file must be publicly accessible on your website's domain:

https://yourdomain.com/.well-known/gpc.json

Do not host it on the Consent Pro CDN or script domain — this declaration belongs to the website operator, not the CMP vendor.

---

Best Practice Recommendation

For strongest transparency and audit readiness:

1. Use an Opt-Out or Do Not Sell banner (Consent Pro handles GPC automatically).
2. Confirm the gpc-honored element is present in your banner and Preferences panel.
3. Publish /.well-known/gpc.json on your domain.
4. Keep the lastUpdate value current when your privacy policies change.

---

Looking Ahead: California's "Opt Me Out" Act (AB 566)

California enacted AB 566 ("Opt Me Out" Act) in October 2025. Effective January 1, 2027, all major web browsers distributed in California will be required to include built-in functionality for sending opt-out preference signals.

The practical implication: GPC adoption — currently around 1% of U.S. users — is expected to rise sharply once Chrome and Edge are required to expose it. Sites that already honor GPC today will see no behavioral change; sites that don't will see a sharp increase in opt-out traffic they're failing to handle. Because Consent Pro honors GPC for every visitor, no migration is needed when adoption grows.

---

Summary

• GPC is a browser-level signal that communicates a user's opt-out preference automatically.
• Consent Pro honors GPC for every visitor whose browser sends it, regardless of region.
• This satisfies all U.S. state mandates (currently twelve states) and the California § 7025(c)(6) display requirement as a side effect.
• The gpc-honored element is shown to every GPC-active visitor and is included by default in new banners.
• Publishing /.well-known/gpc.json is optional but recommended.
• No configuration is required — GPC support is built in.