Global Privacy Control

GPC has three implementations, two of which allow browsers to communicate preferences to web servers and web content, and the third allowing website operators to signal information about GPC compliance to the rest of the Internet.

The first is an HTTP header with the form

Sec-GPC: 1

The character '1' is the only allowed value for the header.{{Cite web |title=Global Privacy Control (GPC) - The Sec-GPC header for HTTP requests |url=https://w3c.github.io/gpc/#the-sec-gpc-header-field-for-http-requests |access-date=2025-03-17 |website=w3c.github.io}} There is deliberately no mechanism for extensibility; the creators of the standard have stated that they will create new headers if extension becomes necessary.{{Cite web |title=Global Privacy Control (GPC) - Extensibility of the Sec-GPC field value |url=https://w3c.github.io/gpc/#extensibility-of-the-sec-gpc-field-value |access-date=2025-03-17 |website=w3c.github.io}}

The GPC preference may also be signalled by the browser setting the gpcAtNavigation property of the top-level browsing context of loaded pages to the value true.{{Cite web |title=Global Privacy Control (GPC) - Preference caching |url=https://w3c.github.io/gpc/#preference-caching |access-date=2025-03-17 |website=w3c.github.io}}

Finally, websites can optionally host a JSON-formatted file at the well-known URI .well-known/gpc.json to indicate how they respond to the GPC signal.

GPC has been implemented by Mozilla Firefox,{{cite web | title=Global Privacy Control | website=Mozilla Support | url=https://support.mozilla.org/en-US/kb/global-privacy-control | access-date=December 20, 2024}} Brave,{{cite web | last=Vigliarolo | first=Brandon | title=Mozilla removing Do Not Track option from Firefox 135 | website=The Register | date=2024-12-12 | url=https://www.theregister.com/2024/12/12/firefox_do_not_track/ | access-date=2024-12-20}} and DuckDuckGo Private Browser.{{cite web | title=What is Global Privacy Control, the Do Not Track replacement? – Circuit Bulletin | website=Circuit Bulletin | date=2024-12-20 | url=https://circuitbulletin.com/what-is-global-privacy-control-the-do-not-track-replacement/ | access-date=2024-12-20}} GPC is not yet supported by Google Chrome{{Cite web |title=Chrome Privacy Now! |url=https://chromeprivacy.org/ |access-date=August 17, 2024 |website=Chrome Privacy Now! |language=en-US}} or Microsoft Edge, despite Chrome still allowing users to enable the Do Not Track header.{{Cite web |title=Turn "Do Not Track" on or off |url=https://support.google.com/chrome/answer/2790761 |website=Google Chrome Help |publisher=Google Inc.}} However, there are third-party extensions available for Chrome that enable sending the GPC header during HTTP requests, including the EFF's Privacy Badger extension{{Cite web |title=Privacy Badger |url=https://privacybadger.org/#What-is-Global-Privacy-Control |access-date=August 17, 2024 |website=Electronic Frontier Foundation |language=en |quote="What is Global Privacy Control (GPC)?"}} and the DuckDuckGo Privacy Essentials add-on{{Cite web |date=January 28, 2021 |title=Global Privacy Control (GPC) Enabled by Default in DuckDuckGo Apps & Extensions |url=https://spreadprivacy.com/global-privacy-control-enabled-by-default/ |access-date=August 17, 2024 |website=Spread Privacy |language=en}} amongst others.

The New York Times and Washington Post have both implemented the signal. The GPC is supported by Firefox creator Mozilla{{Cite web |title=Founding Organizations {{!}} Global Privacy Control |url=https://globalprivacycontrol.org/orgs |access-date=August 17, 2024 |website=globalprivacycontrol.org |language=en}} as well as the California Attorney General.{{Cite web |date=October 15, 2018 |title=California Consumer Privacy Act (CCPA) |url=https://oag.ca.gov/privacy/ccpa |access-date=August 17, 2024 |website=State of California - Department of Justice - Office of the Attorney General |language=en}}

Unlike the Do Not Track header, GPC is a valid do-not-sell-my-personal-information signal according to the California Consumer Privacy Act (CCPA), which stipulates that websites are legally required to respect a signal sent by users who want to opt-out of having their personal data sold. In July 2021, the California Attorney General clarified through an FAQ that under law, the Global Privacy Control signal must be honored.

On August 24, 2022, the California Attorney General announced Sephora paid a $1.2 million settlement for allegedly failing to process opt-out requests via a user-enabled global privacy control signal.{{Cite news |last=Merken |first=Sara |date=August 24, 2022 |title=Sephora to pay $1.2 mln in privacy settlement with Calif. AG over data sales |url=https://www.reuters.com/legal/litigation/sephora-pay-12-mln-privacy-settlement-with-calif-ag-over-data-sales-2022-08-24/ |url-status=live |archive-url=https://web.archive.org/web/20230510060201/https://www.reuters.com/legal/litigation/sephora-pay-12-mln-privacy-settlement-with-calif-ag-over-data-sales-2022-08-24/ |archive-date=May 10, 2023 |access-date=June 13, 2024 |work=Reuters}}

{{Reflist}}

• {{official website}}
• [https://w3c.github.io/gpc/ Full technical specification]

Category:Hypertext Transfer Protocol headers

Category:Internet privacy