Global Privacy Control, usually shortened to GPC, is a simple idea executed at exactly the right layer. Instead of hunting through every website's cookie banner to click "do not sell my personal information," your browser sends one signal, automatically, to every site you visit. The signal says: I am exercising my opt-out rights. The website is expected to treat it as a legally valid request.
What makes this more than another well-meaning standard is the legal scaffolding underneath it. The earlier Do Not Track header failed because nothing required anyone to honor it; sites simply ignored it for a decade. GPC was designed from the start to plug into real opt-out laws, and that design decision is why it works where Do Not Track didn't.
How GPC Works Technically
GPC transmits in two redundant ways so that both servers and on-page scripts can detect it. The browser sends an HTTP request header, `Sec-GPC: 1`, with outgoing requests, and it exposes a JavaScript property, `navigator.globalPrivacyControl`, that returns `true` when the signal is active. A site can react server-side, client-side, or both.
That is the entire mechanism. There is no per-site account, no cookie, no negotiation. It is a stateless declaration of preference attached to your traffic. The complexity isn't in the wire format — it's in what the law obligates a business to do when it receives the signal.
GPC is deliberately thin. It carries no data about you and asks for nothing complicated. Its power comes entirely from being recognized as a legally binding "opt-out preference signal" under specific privacy statutes — not from the bytes themselves.
Where It Is Legally Binding
The California Consumer Privacy Act, as amended by the California Privacy Rights Act, requires businesses subject to it to honor opt-out preference signals for the sale and sharing of personal information. California's regulators have explicitly identified GPC as such a signal. That means a covered business that detects `Sec-GPC: 1` from a California resident must treat it as a valid request to stop selling or sharing their data — without making the user do anything else.
In 2022, the California Attorney General announced a settlement with the cosmetics retailer Sephora over allegations that it failed to honor GPC signals and did not properly disclose its data "sales," among other findings. The case was widely read as a signal to the industry that opt-out preference signals are enforceable, not optional. Since then, several other states with comprehensive privacy laws — including Colorado and Connecticut — have built recognition of universal opt-out mechanisms into their frameworks.
> The shift GPC represents is from "opt out site by site, banner by banner" to "set it once, and the burden moves to the business." That reversal of effort is the entire point.
What GPC Does Not Do
It is important to be precise about the limits, because GPC is easy to oversell. It is an opt-out from data sale and sharing as those terms are defined in privacy law — not a magic invisibility cloak.
| GPC does | GPC does not |
|---|---|
| Signal a legally recognized opt-out from selling/sharing your data, where such laws apply | Stop a site from collecting data it needs to function or that it has another legal basis to process |
| Apply automatically to every site, with no per-site clicking | Encrypt your traffic or hide your IP address — that is what a VPN or Tor does |
| Shift the compliance burden onto the business | Bind businesses outside the jurisdictions that recognize the signal |
| Work alongside cookie controls and tracker blockers | Prevent browser fingerprinting, which sidesteps cookies entirely |
Crucially, GPC is a request layered on top of regular web browsing. It does nothing to address cross-device tracking performed by parties that aren't subject to the relevant law, and it cannot touch the data brokers who already hold your information. For that, you need to combine it with active data broker opt-outs and tools that block tracking at the network level.
How to Turn It On
Several browsers and extensions support GPC out of the box. The exact menus change between versions, so treat this as a map rather than turn-by-turn directions:
- Firefox — has a setting to tell websites not to sell or share your data; enabling it sends GPC.
- Brave — sends GPC by default as part of its privacy posture.
- DuckDuckGo — its browser and extension send the signal automatically.
- Other Chromium browsers — often rely on an extension, such as the one published by the GPC project itself, to add the header.
Once enabled, there is nothing else to do. The signal rides along with your normal browsing, and compliant businesses act on it. You can confirm it is working by visiting a GPC detector page, which reads the header and property back to you.
Where It Fits in a Real Privacy Stack
Think of GPC as the legal layer of your defenses. It is the cheapest meaningful privacy action available — one toggle, lasting effect, with a regulator's enforcement behind it in the places it applies. But "legal layer" implies there are other layers, because a determined adversary or a non-compliant business will simply not honor it. Treat GPC as the floor, not the ceiling.
A coherent privacy stack pairs GPC's legal opt-out with technical controls that don't depend on anyone's cooperation: a tracker-blocking browser, encrypted DNS, and end-to-end encrypted communication where the provider never holds your plaintext in the first place.
Where Haven Fits
Haven sits at the layer GPC can't reach: the contents of your conversations. A legal opt-out can stop a business from selling your data, but it relies on that business behaving, and it does nothing for messages that pass through a provider who can read them. Haven's model removes the question of trust from the equation — your messages are encrypted on your device before they ever reach our servers, so there is no plaintext to sell, share, or be compelled to hand over.
Turn on GPC today; it costs nothing, and either it is enforceable where you live or it isn't, so there is no downside. Then make sure the communications that matter most are protected by something that doesn't depend on a company choosing to respect a header.