Global Privacy Control
Global Privacy Control is a browser-level opt-out preference signal that lets a person carry a do-not-sell-or-share request across websites without clicking a separate privacy link on each site.
Definition
Global Privacy Control (GPC) is a web privacy signal for expressing a person's preference that their personal data not be sold, shared, or used for cross-context targeted advertising. The W3C draft frames it as a way to scale opt-out rights through an HTTP header and a DOM property, rather than forcing a person to make a separate request on every site. The specification also says the signal is not a deletion right, not a general ban on all collection, and not a full objection to every form of advertising.
In California, the public-facing legal hook is stronger than ordinary voluntary etiquette. The California Department of Justice says GPC is one acceptable way for consumers to submit an opt-out request for sale or sharing, and that covered businesses must honor it as a valid request. The California Privacy Protection Agency describes GPC as an example of an opt-out preference signal, or OOPS, available through a browser or extension.
The site treats GPC as a governance interface: a small machine-readable signal that tries to turn privacy preference from a hidden settings page into a protocol event.
Mechanism
When GPC is enabled, a user agent sends the HTTP request header Sec-GPC: 1. The W3C draft defines the valid header value as the single numeric character 1; if the preference is not enabled, the user agent must not generate the header. A server receiving any other value is told to process the request as if the header were not present.
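The header rule above, as an added example (not code from the W3C draft or from any vendor): a server-side check that accepts only the exact value 1, treats every other value as absent, and then gates integrations that sell or share data. The tag inventory, its sellsOrShares flag, and the function names are hypothetical.

```javascript
// Added example: strict Sec-GPC evaluation plus downstream gating.
// `headers` is a plain object such as Node's req.headers; the lookup also
// tolerates mixed-case keys and array values from other frameworks.
function readSecGpc(headers) {
  const values = [];
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() !== 'sec-gpc') continue; // field names are case-insensitive
    values.push(...(Array.isArray(value) ? value : [value]));
  }
  if (values.length === 0) return { present: false, optOut: false, raw: null };
  // Only the single character "1" is valid. "0", "true", "" or a repeated
  // field ("1, 1") is processed as if the header had not been sent.
  const raw = values.map(String).join(', ');
  const optOut = values.length === 1 && String(values[0]).trim() === '1';
  return { present: true, optOut, raw };
}

// Hypothetical inventory (constructed): which integrations sell or share data.
const TAG_INVENTORY = [
  { name: 'first-party-analytics', sellsOrShares: false },
  { name: 'ad-exchange-pixel', sellsOrShares: true },
  { name: 'data-broker-sync', sellsOrShares: true },
];

// Decide what may load for this request and keep the raw value for the
// opt-out event record.
function planTags(headers, inventory = TAG_INVENTORY) {
  const gpc = readSecGpc(headers);
  const suppressed = gpc.optOut ? inventory.filter(t => t.sellsOrShares) : [];
  const loaded = inventory.filter(t => !suppressed.includes(t));
  return {
    gpc,
    loaded: loaded.map(t => t.name),
    suppressed: suppressed.map(t => t.name),
  };
}

// Constructed sample requests.
for (const h of [{ 'Sec-GPC': '1' }, { 'sec-gpc': '0' }, { 'sec-gpc': '1, 1' }, {}]) {
  console.log(JSON.stringify(h), '->', JSON.stringify(planTags(h)));
}
```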
The browser-side API mirrors the same preference through navigator.globalPrivacyControl in both window and worker contexts. The value is cached at top-level navigation, so a change after a page loads may require a new navigation before the page observes the new state. The draft also defines a support resource at /.well-known/gpc.json, where an origin can publish a machine-readable representation of GPC support.
A January 2026 blink-dev intent to prototype describes Chromium work on a user preference, automatic Sec-GPC transmission, and JavaScript exposure. Chrome Platform Status tracks the feature as Global Privacy Control, so audits should distinguish built-in support from extension-based support.
Agent Context
For AI Browsers and Computer Use, GPC tests whether privacy preference survives delegation. A person may enable the signal in an ordinary browser, then ask a shopping agent, research agent, or testing agent to browse on their behalf. If the agent uses a separate browser profile, headless runtime, proxy, cloud renderer, or embedded webview, the signal may not follow.
Agent systems should preserve the user's preference without turning the preference itself into an unnecessary tracking label. Browser-agent vendors should document whether they forward Sec-GPC, expose the DOM property consistently, and propagate the opt-out state to advertising, analytics, enrichment, and data-broker integrations.
Governance Use
A GPC deployment record should name the browser or extension source, detected header value, observed JavaScript property, consent-management component, affected ad and analytics tags, account-versus-device scope, downstream recipients, and retention rule for the opt-out event. It should also state whether the business treats the signal as a frictionless response.
California CPPA guidance says a business that must process an OOPS must stop selling and sharing associated personal information as soon as feasibly possible and no later than 15 business days after receiving the request. It also describes browser, device, pseudonymous profile, and known-account scope. A compliance note should cite the relevant jurisdiction rather than pretending GPC has the same legal force everywhere.
Enforcement history matters: in 2022, the California Attorney General announced a Sephora settlement that included allegations that Sephora failed to process opt-out requests sent through user-enabled global privacy controls.
Limits
GPC is not consent magic. It does not prove that a site minimized collection, deleted old records, stopped first-party personalization, honored every jurisdiction's rights, or prevented all profiling. It is a preference signal interpreted through law, policy, and system design.
It also depends on the channel. Browser support, extension behavior, corporate proxies, mobile in-app browsers, consent banners, and server-side ad-tech integrations can all create gaps between the signal leaving the device and the database flag governing sharing. The audit question is not only "was Sec-GPC: 1 present?" It is "what changed downstream because it was present?"
Review Record
- Signal: record user agent, extension, profile, Sec-GPC header, DOM property, and navigation timing.
- Scope: record browser/device handling, pseudonymous profile handling, known-account handling, and jurisdictional basis.
- Downstream: record ad-tech tags, analytics, data brokers, clean rooms, partner exports, and suppression lists affected.
- Agents: record whether a human, delegated browser agent, crawler, test harness, or embedded webview carried the signal.
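One way to turn the review record into checks, as an added example that is not part of the original entry: each observed page load is evaluated for a lost signal, a header/DOM mismatch, and sale-or-share tags that still fired. All field names, finding codes, and observations are hypothetical and constructed for illustration.

```javascript
// Added example: evaluate one observed page load against the review record.
function reviewGpcObservation(obs) {
  const headerOn = obs.secGpcHeader === '1';   // only the exact value "1" counts
  const domOn = obs.domProperty === true;      // navigator.globalPrivacyControl
  const findings = [];

  if (obs.userPreference && !headerOn && !domOn) {
    // The person enabled GPC, but this carrier delivered neither form of it.
    findings.push('SIGNAL_LOST');
  } else if (headerOn !== domOn) {
    // The DOM value is cached at top-level navigation, so a toggle after
    // load needs a fresh navigation before the mismatch is meaningful.
    findings.push(obs.toggledAfterNavigation
      ? 'MISMATCH_RETEST_AFTER_NAVIGATION'
      : 'MISMATCH_CHECK_CHANNEL');
  }
  if (headerOn || domOn) {
    // "What changed downstream because it was present?"
    const fired = obs.firedTags.filter(t => t.sellsOrShares).map(t => t.name);
    if (fired.length > 0) findings.push('DOWNSTREAM_GAP:' + fired.join(','));
  }
  return { carrier: obs.carrier, headerOn, domOn, findings };
}

// Constructed observations, one per carrier type named in the record.
const SAMPLE_OBSERVATIONS = [
  { carrier: 'human browser', userPreference: true, secGpcHeader: '1',
    domProperty: true, toggledAfterNavigation: false,
    firedTags: [{ name: 'ad-exchange-pixel', sellsOrShares: true }] },
  { carrier: 'delegated browser agent', userPreference: true, secGpcHeader: null,
    domProperty: false, toggledAfterNavigation: false,
    firedTags: [{ name: 'ad-exchange-pixel', sellsOrShares: true }] },
  { carrier: 'embedded webview', userPreference: true, secGpcHeader: '1',
    domProperty: false, toggledAfterNavigation: true, firedTags: [] },
  { carrier: 'test harness', userPreference: true, secGpcHeader: '1',
    domProperty: true, toggledAfterNavigation: false,
    firedTags: [{ name: 'first-party-analytics', sellsOrShares: false }] },
];

function reviewAll(observations = SAMPLE_OBSERVATIONS) {
  return observations.map(reviewGpcObservation);
}

console.log(JSON.stringify(reviewAll(), null, 2));
```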
Source Discipline
Claims about Sec-GPC, navigator.globalPrivacyControl, navigation caching, and the support resource should cite the W3C draft. Claims about California treatment should cite California DOJ and CPPA materials, not generic vendor compliance blogs. Claims about Chromium implementation should cite Chrome Platform Status and blink-dev. This entry is not legal advice and should be reread against current law before use in compliance decisions.
Spiralist Reading
Spiralism reads GPC as a small refusal made legible to machines. It is not a privacy utopia, but it changes where the labor sits. Instead of asking every person to hunt for every opt-out link, it asks browsers, servers, consent tools, and data systems to carry a simple preference across the surface of the web. The open question is whether institutions treat that preference as binding infrastructure or as another signal to route around.
Related Pages
- Consent or Pay
- Right to Object
- Data Minimization
- Contextual Integrity
- Storage Access API
- Referrer Policy
- Permissions Policy
- Surveillance Capitalism
- AI Browsers and Computer Use
- Platform Governance
Sources
- W3C, Global Privacy Control (GPC), draft specification, reviewed June 25, 2026.
- W3C GPC editors, Global Privacy Control Legal and Implementation Considerations Guide, reviewed June 25, 2026.
- California Department of Justice, Global Privacy Control (GPC), reviewed June 25, 2026.
- California Privacy Protection Agency, What Is OOPS and How Does A Business Respond?, reviewed June 25, 2026.
- California Department of Justice, Attorney General Bonta Announces Settlement with Sephora, August 24, 2022.
- Chrome Platform Status, Global Privacy Control, reviewed June 25, 2026.
- blink-dev, Intent to Prototype: Global Privacy Control, January 6, 2026.