GPC is a browser- or extension-level signal that lets users automatically express a "do not sell or share my personal information" preference to every website they visit. The signal is sent as an HTTP header (Sec-GPC: 1) and via a JavaScript property (navigator.globalPrivacyControl), allowing websites to honor it without requiring the user to click an opt-out on every site individually.
Legally, GPC has gained recognition rapidly. The California Privacy Protection Agency confirmed in 2022 that GPC must be honored as a valid opt-out under CCPA/CPRA. Colorado, Connecticut, and several other state privacy laws have adopted similar requirements, generally framed as obligations to honor "universal opt-out mechanisms" (UOOMs). The EU's emerging ePrivacy Regulation drafts contemplate analogous mechanisms.
For organizations operating in covered US jurisdictions, honoring GPC is no longer optional. The implementation challenge is plumbing: the signal needs to be detected at the edge, propagated through the consent management platform, and applied consistently across analytics, advertising, and personalization tooling — without breaking essential site function. Compliance is mostly an engineering problem dressed up as a legal one.