Big tech fails to opt out users requesting not to be tracked much of the time, new research says

April 15, 2026 · 6 min read · 3 sources

Introduction: A privacy signal sent, but not received

A new audit has revealed a significant disconnect between user privacy preferences and the practices of the online advertising industry. Research published in March 2024 by privacy organization webXray found that 194 online advertising services systematically ignore the Global Privacy Control (GPC), a legally recognized signal for users to opt out of having their personal data sold or shared. The study, which focused on web traffic in California, highlights a critical failure in compliance that undermines consumer rights established under state law.

The GPC was designed to be a simple, one-time solution for users to assert their privacy rights across the web. Instead of navigating confusing cookie banners and privacy settings on every site, a user can enable GPC in their browser to automatically broadcast their opt-out request. In California, the California Consumer Privacy Act (CCPA) and its successor, the California Privacy Rights Act (CPRA), give this signal legal weight. The California Attorney General’s office has explicitly stated that businesses must honor GPC as a valid request to opt out of data sales, a position solidified by a $1.2 million settlement with Sephora in 2022 for failing to do so (Source: Office of the Attorney General, State of California).

This recent webXray report suggests that while the Sephora case served as a warning, its message has not been heeded by a large segment of the ad tech ecosystem, particularly the third-party trackers embedded across countless websites.

Technical details: How GPC works and why it's being ignored

The Global Privacy Control is not a complex piece of technology. It functions as a simple signal sent from a user's browser to the web servers it communicates with. This is primarily achieved in two ways:

  • HTTP Header: The browser adds a `Sec-GPC: 1` header to its outgoing web requests. This is a direct, machine-readable message to the server, indicating the user's preference.
  • JavaScript Property: It also sets a `navigator.globalPrivacyControl` property to `true`, which can be read by scripts running on the webpage.

When a website or an embedded third-party service receives this signal, a compliant entity is legally obligated under California law to stop any processes that constitute a "sale" or "sharing" of that user's personal information. This includes activities like passing on browsing history to data brokers or using the data for cross-site targeted advertising.
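The following is an added example of the server side of that obligation, written for this article and not taken from webXray or any of the services it names. It shows how a first-party site can read the `Sec-GPC: 1` request header (the client-side counterpart is the `navigator.globalPrivacyControl` property) and, when the signal is present, refuse to load partner tags that would sell or share personal data, withhold its cross-site advertising cookie, and keep a record of the opt-out. The partner names, script URLs and cookie values are constructed placeholders.

```python
"""Honouring the Global Privacy Control signal on the server.

Added illustration for this article, not code from webXray or any ad service.
Partner names, URLs and cookie values below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PartnerTag:
    name: str
    script_url: str
    sells_or_shares: bool  # True if loading it would "sell" or "share" personal data


# Constructed sample of third parties embedded on the page (hypothetical names).
PARTNER_TAGS = [
    PartnerTag("site-analytics", "https://analytics.example/tag.js", False),
    PartnerTag("ad-exchange", "https://ads.example/pixel.js", True),
    PartnerTag("data-broker", "https://broker.example/sync.js", True),
]


def gpc_enabled(headers: Dict[str, str]) -> bool:
    """True only for an exact `Sec-GPC: 1` header.

    HTTP header names are case-insensitive, so match the name loosely; any
    value other than "1" is treated as the signal being absent.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def allowed_tags(headers: Dict[str, str], tags: List[PartnerTag] = PARTNER_TAGS) -> List[str]:
    """Names of the tags the page may load for this request.

    With GPC present, every tag that would sell or share personal data is
    dropped; purely first-party measurement is still allowed.
    """
    if gpc_enabled(headers):
        return [t.name for t in tags if not t.sells_or_shares]
    return [t.name for t in tags]


def response_cookies(headers: Dict[str, str]) -> List[str]:
    """Set-Cookie values for the response.

    The session cookie is always set; the long-lived cross-site advertising
    identifier (SameSite=None) is only set when no opt-out signal arrived.
    """
    cookies = ["session=abc123; Secure; HttpOnly; SameSite=Lax"]
    if not gpc_enabled(headers):
        cookies.append("ad_id=xyz; Secure; SameSite=None; Max-Age=31536000")
    return cookies


def opt_out_record(headers: Dict[str, str], client_id: str) -> Optional[Dict[str, object]]:
    """Record the opt-out so it outlives this one request.

    Returns None when no signal was sent; otherwise a small record that the
    site can persist against the client so later requests and downstream
    partners can be told about the preference.
    """
    if not gpc_enabled(headers):
        return None
    return {"client": client_id, "opt_out": True, "source": "Sec-GPC"}


if __name__ == "__main__":
    with_gpc = {"Sec-GPC": "1", "User-Agent": "example-browser"}
    without_gpc = {"User-Agent": "example-browser"}
    print("tags with GPC:   ", allowed_tags(with_gpc))
    print("tags without GPC:", allowed_tags(without_gpc))
    print("cookies with GPC:", response_cookies(with_gpc))
    print("record:          ", opt_out_record(with_gpc, "client-1"))
```

The check is deliberately strict: only the literal value `1` counts, and the decision is made before any partner script is emitted, so a tag that is never loaded cannot collect anything.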

The non-compliance identified by webXray is not a security vulnerability or a system bug; it is a failure to respect a standardized privacy control. The 194 advertising services identified in the report continued their tracking activities despite receiving the GPC signal. Their scripts and pixels persisted in:

  • Setting and reading third-party cookies to track users across different websites.
  • Collecting data points like IP addresses, browser versions, screen resolutions, and other device characteristics for fingerprinting.
  • Transmitting user behavior data (pages visited, time on page, links clicked) back to their servers.

The webXray audit likely involved using automated browsing tools, configured with a California IP address and GPC enabled, to visit a large number of popular websites. By monitoring all network traffic, the researchers could identify which third-party domains continued to engage in tracking behavior after being presented with the opt-out signal.
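As an added example of the kind of analysis such an audit performs, the script below is written for this article and is not webXray's tooling; the article only describes the likely method, so the classification rules here are assumptions. It takes a capture of the requests a GPC-enabled browser made while loading one page (constructed inline, with hypothetical domains) and flags every third-party domain that either set a cross-site cookie (`SameSite=None`) or received identifier-like query parameters after the `Sec-GPC: 1` header was sent. A real audit would drive a headless browser from a California IP address and record the traffic; the classification step is the same.

```python
"""Offline classification of a GPC audit capture.

Added example for this article, not webXray's code.  The capture, the
first-party domain and the list of identifier parameter names are constructed.
"""
from typing import Dict, List, Set
from urllib.parse import parse_qs, urlparse

# Constructed: the site the browser was visiting.
FIRST_PARTY = "news.example"

# Assumed: query parameter names that carry an identifier or the visited page.
TRACKING_PARAMS = {"uid", "cid", "fp", "ref", "url"}

# Constructed capture: one entry per request the GPC-enabled browser made.
CAPTURE = [
    {"url": "https://news.example/article", "req": {"Sec-GPC": "1"},
     "resp_set_cookie": ["session=1; SameSite=Lax"]},
    {"url": "https://ads.example/pixel?uid=42&url=news.example/article",
     "req": {"Sec-GPC": "1"},
     "resp_set_cookie": ["ad_id=99; SameSite=None; Secure"]},
    {"url": "https://cdn.example/lib.js", "req": {"Sec-GPC": "1"},
     "resp_set_cookie": []},
    {"url": "https://broker.example/sync?fp=abcd", "req": {"Sec-GPC": "1"},
     "resp_set_cookie": []},
    {"url": "https://stats.example/hit", "req": {"Sec-GPC": "1"},
     "resp_set_cookie": ["s=1; SameSite=Lax"]},
]


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels (good enough for the sample hosts)."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def is_third_party(url: str) -> bool:
    """A request is third-party when its registrable domain differs from the site's."""
    host = urlparse(url).hostname or ""
    return registrable_domain(host) != registrable_domain(FIRST_PARTY)


def sets_cross_site_cookie(set_cookie_values: List[str]) -> bool:
    """SameSite=None cookies are the ones usable for cross-site tracking."""
    return any("samesite=none" in v.lower() for v in set_cookie_values)


def identifiers_sent(url: str) -> Set[str]:
    """Identifier-like query parameters present in the request URL."""
    return set(parse_qs(urlparse(url).query)) & TRACKING_PARAMS


def audit(capture: List[dict]) -> Dict[str, List[str]]:
    """Map each non-compliant third-party domain to the reasons it was flagged.

    Only requests that actually carried `Sec-GPC: 1` are judged, since a
    service cannot be blamed for ignoring a signal it never received.
    """
    findings: Dict[str, Set[str]] = {}
    for entry in capture:
        if entry["req"].get("Sec-GPC") != "1":
            continue
        if not is_third_party(entry["url"]):
            continue
        reasons = set()
        if sets_cross_site_cookie(entry["resp_set_cookie"]):
            reasons.add("sets cross-site cookie")
        params = identifiers_sent(entry["url"])
        if params:
            reasons.add("receives identifiers: " + ",".join(sorted(params)))
        if reasons:
            domain = registrable_domain(urlparse(entry["url"]).hostname or "")
            findings.setdefault(domain, set()).update(reasons)
    return {d: sorted(r) for d, r in findings.items()}


if __name__ == "__main__":
    for domain, reasons in sorted(audit(CAPTURE).items()):
        print(f"{domain}: {'; '.join(reasons)}")
```

Two of the constructed domains survive the check on purpose: the CDN loads a script without cookies or identifiers, and the stats host only sets a `SameSite=Lax` cookie, which cannot follow the user to other sites. Real captures need a proper public-suffix list instead of the two-label shortcut, and a broader notion of what counts as an identifier.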

Impact assessment: Widespread and systemic non-compliance

The impact of these findings is significant and affects multiple parties. For millions of internet users, this report confirms that a key tool for exercising their legal privacy rights is being rendered ineffective. Individuals who have proactively enabled GPC in their browsers are operating under a false sense of privacy, as their data continues to be collected, shared, and monetized against their explicit wishes. This erodes trust not only in the companies involved but also in the regulatory frameworks designed to protect consumers.

The 194 non-compliant ad tech services are now at direct risk of regulatory enforcement. The California Privacy Protection Agency (CPPA) has the authority to investigate and levy substantial fines for violations of the CPRA. The webXray report provides a data-driven foundation for regulators to launch targeted investigations.

Furthermore, the first-party websites that embed these non-compliant trackers are also exposed to risk. Under the CPRA, a business is responsible for ensuring its service providers honor consumer opt-out requests. A website may have its own GPC compliance in order, but if the third-party ad services it uses do not, the website itself could be held liable. This creates a complex compliance challenge for any online publisher that relies on third-party advertising revenue.

How to protect yourself

While the report's findings are disheartening, they do not mean that privacy controls are useless. They do, however, underscore the need for a multi-layered defense strategy rather than reliance on a single signal being honored. Here are actionable steps you can take:

  1. Enable Global Privacy Control (GPC). Despite the compliance gaps, GPC is still a legally important signal. Enabling it creates a clear record of your intent to opt out. You can enable it in the privacy settings of browsers like Brave, Firefox, and DuckDuckGo, or by using browser extensions like Privacy Badger.
  2. Use a Privacy-Focused Browser. Browsers like Brave have multiple layers of tracker-blocking enabled by default, in addition to supporting GPC. This provides a more active defense than simply sending a signal and hoping it is respected.
  3. Install a Reputable Ad and Tracker Blocker. Tools like uBlock Origin can physically prevent tracking scripts from loading in your browser in the first place. If a tracker cannot run, it cannot collect your data, regardless of its GPC compliance status.
  4. Mask Your IP Address. Your IP address is a fundamental piece of information used for tracking your location and activity. Using a trusted hide.me VPN encrypts your connection and masks your real IP address, making it much harder for trackers to profile you.
  5. Regularly Clear Cookies and Site Data. Periodically clearing your browser's cookies and cached data can help sever tracking links established by services that may have bypassed your other defenses.

The webXray audit is a critical piece of evidence demonstrating that legal mandates alone are not enough to shift the practices of an industry built on data collection. It reinforces the necessity of robust enforcement from regulators and continued vigilance from users. Until compliance becomes the norm, a proactive and layered approach to personal privacy remains the most effective strategy.


// FAQ

What is Global Privacy Control (GPC)?

Global Privacy Control is a setting in your web browser or browser extension that automatically signals to websites your preference to opt out of having your personal data sold or shared. It is designed to be a universal, set-it-and-forget-it privacy tool.

Is GPC legally binding on companies?

In certain jurisdictions, yes. In California, the California Privacy Rights Act (CPRA) explicitly recognizes GPC as a valid opt-out request. The state's Attorney General has confirmed that businesses must honor it. Other regions may adopt similar interpretations in the future.

How can I enable GPC?

You can enable GPC in the privacy and security settings of browsers that support it, such as Brave, Firefox, and DuckDuckGo. You can also use privacy-focused browser extensions like Privacy Badger, which will enable the GPC signal.

Why are so many companies ignoring GPC?

The reasons vary. Some may be due to technical challenges in implementing the standard across complex advertising systems. Others may be related to different legal interpretations of what constitutes a "sale" or "sharing" of data. However, for many, it is likely tied to business models that rely heavily on revenue from targeted advertising based on user data.

How is GPC different from the old 'Do Not Track' (DNT) signal?

The primary difference is legal enforceability. The 'Do Not Track' signal was an earlier attempt at a universal opt-out, but it had no legal backing. Companies were free to ignore it, and most did. GPC was developed specifically to align with legal frameworks like the CCPA/CPRA, giving it regulatory teeth that DNT lacked.
