What is Global Privacy Control?
Global Privacy Control (GPC) is a browser-level signal that communicates a user’s preference to opt out of having their personal data sold or shared. When enabled, the signal is sent automatically to every website the user visits.
Unlike earlier mechanisms such as Do Not Track, GPC is backed by privacy legislation. Several US state laws recognize GPC as a legally valid opt-out request, making it enforceable.
Complianz detects GPC signals and adjusts consent behavior automatically. When a visitor has GPC enabled, Complianz recognizes the opt-out preference and blocks non-essential cookies and tracking scripts without requiring any action from the visitor.
What is DNT (Do Not Track)?
Do Not Track was an early adoption of an HTTP header field that notified websites if a user explicitly set Do Not Track in their browser settings. A website could choose to conform to the request by dismissing all tracking, and subsequently dismissing the consent management to “Functional Only”.
GPC vs. Do Not Track
Do Not Track (DNT) was an HTTP header field that allowed users to signal their tracking preferences. Although adopted by all major browsers in its earlier stages, it never gained traction because no law required websites to honor it. DNT is now deprecated by most browsers.
Global Privacy Control is the successor to DNT. The fundamental difference is that GPC is tied to legal requirements. Where DNT was voluntary, GPC must be honored in jurisdictions that recognize universal opt-out signals.
| Do Not Track (DNT) | Global Privacy Control (GPC) | |
|---|---|---|
| Legal backing | None | CCPA/CPRA, Colorado Privacy Act, Connecticut Data Privacy Act, and others |
| Browser support | Deprecated by most browsers | Active and growing |
| Enforcement | No enforcement actions taken | California has issued fines for non-compliance |
| Scope | General “do not track” preference | Specific opt-out of data selling and sharing |
Which laws require honoring GPC?
As of 2026, twelve US states require businesses to recognize universal opt-out mechanisms such as GPC:
- California (CCPA/CPRA) – The California Attorney General has explicitly recognized GPC as a valid opt-out signal. Enforcement actions have been taken against businesses that failed to honor it.
- Colorado Privacy Act (CPA) – Requires honoring universal opt-out mechanisms since July 2024.
- Connecticut Data Privacy Act (CTDPA) – Requires recognition of opt-out preference signals since January 2025.
- Texas Data Privacy and Security Act (TDPSA) – Requires honoring universal opt-out mechanisms since January 2025.
- Montana, Oregon, Delaware, New Hampshire, New Jersey, Nebraska, Minnesota, Maryland – All include universal opt-out signal requirements, effective between 2025 and 2026.
The GDPR does not specifically mention GPC. However, European Data Protection Authorities may consider GPC signals as an expression of user intent. Honoring GPC is consistent with GDPR principles of data minimization and purpose limitation.
When does GPC apply to your website?
GPC is relevant if your website collects personal data, uses tracking cookies, or shares data with third parties, and receives visitors from any of the states listed above.
For WordPress sites using analytics, advertising pixels, or third-party integrations, this applies in most cases.
How Complianz handles GPC
Complianz can detect GPC signals and adjust consent handling automatically. When a visitor with GPC enabled loads a page, Complianz reads the browser signal and treats it as a valid opt-out request.
If GPC is detected, the cookie banner is not displayed, since the user’s preference is already established. Complianz sets the consent state to “Functional Only,” meaning tracking scripts and cookies that require consent are not loaded.
The console in your browser’s Developer Tools will show a confirmation message:
global privacy control or do not track detected: no banner.
Enabling this feature in Complianz
To enable GPC detection, look for the option in the wizard:
- Go to Complianz > Wizard
- Navigate to General > Security & Consent
- Enable the option Respect Do Not Track and Global Privacy Control
- Save your settings
No additional configuration is needed. Complianz handles GPC detection on every page load.
How to verify that Global Privacy Control is working
After enabling the option to respect Global Privacy Control (GPC) in Complianz, you can easily verify whether the signal is detected by using your browser’s Developer Tools.
Follow the steps below:
-
- Open your website in a browser that supports Global Privacy Control (for example, Brave).
-
- Make sure Global Privacy Control is enabled in your browser settings.
-
- Right-click anywhere on the page and click Inspect, or use
Ctrl + Shift + I(Windows) orCmd + Option + I(Mac).
- Right-click anywhere on the page and click Inspect, or use
-
- Go to the Console tab.
-
- Reload the page.
If Global Privacy Control is detected, you will see a message similar to:
global privacy control or do not track detected: no banner.
This confirms that Complianz has detected the GPC signal and automatically adjusted the consent behavior accordingly.
Below is an example of how this looks in the browser console:
Frequently asked questions
No. GPC is the successor to Do Not Track. The key difference is that privacy laws such as the CCPA/CPRA legally require businesses to honor GPC signals. Do Not Track had no legal backing.
The GDPR does not specifically require honoring GPC. However, respecting the signal is consistent with GDPR principles. If you have any visitors from the US, particularly from states with opt-out signal requirements, GPC should be honored.
In states where GPC is legally recognized, not honoring the signal is treated the same as ignoring a user’s opt-out request. The California Attorney General has taken enforcement action against businesses for this, resulting in fines.
Yes. With GPC support enabled in Complianz Premium, the plugin detects GPC signals and sets the consent state accordingly. No manual intervention is needed.
GPC signals a request to opt out of data selling and sharing. This typically affects marketing and advertising cookies and third-party tracking. Strictly necessary cookies, such as session cookies, are not affected.