What if your browser could automatically tell every website you visit not to sell or share your personal data? That's exactly what Global Privacy Control (GPC) does. This universal opt-out signal is now legally recognized in 12 U.S. states, and starting in January 2027, all major browsers will be required to support it. Here's everything you need to know about GPC and how to start using it today.
What Is Global Privacy Control?
Global Privacy Control (GPC) is a browser-based signal that automatically communicates your privacy preferences to every website you visit. When enabled, your browser sends a Sec-GPC: 1 header with every HTTP request, telling the website that you do not want your personal data sold or shared with third parties.
Think of GPC as a universal "Do Not Sell" switch. Instead of clicking through cookie banners and privacy settings on every individual website, GPC does it for you automatically, in the background, on every page you load.
How GPC Works Technically
When GPC is enabled, two things happen: (1) The browser attaches a Sec-GPC: 1 header to every outgoing HTTP request, and (2) the JavaScript property navigator.globalPrivacyControl is set to true. Websites can detect either signal and are expected to adjust their data collection and sharing practices accordingly. No personal information is transmitted — just a single preference flag.
Where GPC Is Legally Enforceable
GPC isn't just a suggestion — in a growing number of states, businesses are legally required to honor the signal. As of 2026, GPC is recognized as a valid opt-out mechanism in at least 12 states:
- California — Under the CCPA/CPRA, businesses must treat GPC as a valid opt-out of sale and sharing of personal information
- Colorado — The Colorado Privacy Act recognizes universal opt-out mechanisms including GPC
- Connecticut — The Connecticut Data Privacy Act requires businesses to honor universal opt-out signals by January 2025
- Montana — The Montana Consumer Data Privacy Act recognizes universal opt-out mechanisms
- Texas — The Texas Data Privacy and Security Act includes universal opt-out recognition
- Oregon — The Oregon Consumer Privacy Act requires opt-out signal recognition
- Delaware, Nebraska, New Hampshire, New Jersey, Minnesota, Maryland — All have enacted privacy laws recognizing universal opt-out signals
In 2025, California, Colorado, and Connecticut conducted a coordinated enforcement sweep targeting businesses that failed to honor GPC signals, signaling that regulators are taking compliance seriously.
California's New 2026 Requirement
As of January 1, 2026, updated California regulations require businesses to display whether they have processed a consumer's opt-out preference signal. When you visit a website with GPC enabled, the business must show a visible confirmation such as "Opt-Out Request Honored." This makes it easier to verify whether websites are actually respecting your privacy preferences.
How to Enable GPC in Your Browser
Enabling GPC depends on which browser you use. Here's the current support landscape:
Browsers With GPC Built In (On by Default)
- Brave: GPC is enabled by default. No action needed.
- DuckDuckGo Browser: GPC is enabled by default on both desktop and mobile versions.
Browsers With GPC Available in Settings
- Firefox: Go to Settings → Privacy & Security → look for the "Tell websites not to sell or share my data" option and enable it.
Browsers That Don't Support GPC Yet
- Google Chrome, Apple Safari, and Microsoft Edge do not currently support GPC natively. However, you can install browser extensions like Privacy Badger or OptMeowt that send the GPC signal on your behalf.
This is changing. Beginning January 2027, under updated California regulations, all browsers will be required to support the GPC signal. They must also make it easy for users to locate and configure the setting, and clearly disclose how it works.
What GPC Does and Doesn't Do
What GPC Does
- Signals your preference not to have data sold or shared with third parties
- Works automatically on every website without manual action
- Is legally binding in states with privacy laws recognizing universal opt-out
- Reduces targeted advertising based on cross-site tracking
What GPC Doesn't Do
- Remove existing data: GPC tells websites not to sell your data going forward. It doesn't delete personal information that data brokers already have.
- Block all tracking: GPC is an opt-out of sale/sharing, not a blocker. Websites can still collect data for their own internal purposes.
- Work on data brokers directly: People-search sites like Spokeo, BeenVerified, and Whitepages already have your data. GPC won't make them delete it. You still need to submit individual opt-out requests or use a service like PrivacyOn.
- Guarantee compliance: Not all websites honor GPC, especially those outside states with enforceable privacy laws.
GPC vs. Opt-Out Cookies vs. Do Not Track
GPC is sometimes confused with older privacy mechanisms. Here's how they differ:
- Do Not Track (DNT): An older browser signal introduced in 2009. DNT was never legally mandated, and most websites ignore it entirely. GPC is its spiritual successor with actual legal backing.
- Opt-out cookies: Some websites set a cookie recording your advertising opt-out, but these cookies can be deleted when you clear your browser data. GPC persists as a browser setting regardless of cookie state.
- Cookie consent banners: These banners ask you to accept or reject cookies per website. GPC automates the "reject" choice across all websites at once.
Using GPC Together With Data Removal Services
GPC is an important first step, but it only addresses future data collection. It doesn't clean up the personal information that data brokers have already aggregated about you across dozens or hundreds of sites.
For comprehensive privacy protection, you need both:
- Enable GPC to signal your opt-out preference automatically going forward
- Use a data removal service to clear out the information data brokers already have
PrivacyOn handles the data removal side by automatically submitting opt-out requests to more than 100 data brokers, monitoring for your data reappearing, and re-submitting removals as needed. Combined with GPC, this gives you both proactive and retroactive privacy protection.
PrivacyOn plans start at just $8.33/month and include dark web monitoring, family plans for up to 5 people, and 24/7 automated monitoring.
How to Check If a Website Honors GPC
With California's new 2026 display requirement, checking compliance is getting easier. Here's how to verify:
- Look for confirmation messages: California businesses must now display when they've honored your GPC signal
- Check the privacy policy: Look for language about "universal opt-out mechanisms" or "Global Privacy Control" in the site's privacy policy
- Use browser developer tools: Open the Network tab and check that outgoing requests include the
Sec-GPC: 1header - Report non-compliance: If a business in a GPC-mandated state ignores your signal, file a complaint with your state attorney general or the relevant privacy agency
The Future of Universal Opt-Out
GPC is gaining momentum. As more states enact privacy laws recognizing universal opt-out signals, and as the 2027 browser mandate approaches, GPC will become a standard feature of web browsing. This is a meaningful shift from the current model where privacy is opt-in and confusing, toward a future where your default preference is respected everywhere.
Enable GPC today, and pair it with PrivacyOn's automated data removal for the most complete privacy protection available.