
Do I need to honor the Global Privacy Control (GPC) signal in the EU?

GPC is a browser signal that tells sites "do not sell or share my data." California treats it as a binding opt-out. The EU has not legislated it but EDPB has signaled support. Honoring GPC in the EU is currently optional but defensible.

By Veracly Compliance Team · 6 min read

Global Privacy Control is a browser signal — an HTTP header and a JavaScript property — that lets a user broadcast a privacy preference once and have every site they visit respect it without per-site banner clicks. A Sec-GPC: 1 request header means “treat me as having opted out of any sale, sharing, or tracking that my jurisdiction’s law lets me opt out of.”

In California, Colorado, Connecticut, and Texas, GPC is legally binding under each state’s consumer privacy statute. In the EU, GPC is not codified. The question of whether SMB sites should honor it has a defensible answer that is not “wait for the EDPB to require it.”

Where GPC is binding today

  • California CCPA / CPRA. California Civil Code §1798.135(a)(1) requires businesses to honor opt-out preference signals; the California AG’s regulations specifically name GPC as one such signal.
  • Colorado CPA. Colorado regulations (4 CCR 904-3 §5.04) require honoring “universal opt-out mechanisms”; GPC qualifies as of January 2024.
  • Connecticut CTDPA. Similar universal-opt-out provision; GPC named by AG guidance.
  • Texas TDPSA. Effective 1 July 2024, includes a universal-opt-out recognition.
  • Several other US states (Delaware, Maryland, Oregon, Minnesota, New Jersey) have adopted similar provisions in 2024–2025.

Where GPC sits in EU law in 2026

GDPR Article 21 grants the right to object to processing for direct marketing. This is a textual right; how it is exercised is left to implementation. The EDPB has not issued binding guidance making GPC the canonical mechanism for exercising Article 21, but several member-state DPAs have signaled that GPC is a reasonable mechanism.

The ePrivacy Regulation draft (still in trilogue as of 2026) contains a provision in Article 10 requiring browsers to support a consent signal and obliging sites to honor it. The text’s evolution has been turbulent; the current draft is friendlier to a universal-signal approach than 2017’s. When and if ePrivacy Regulation passes, GPC-style signals will likely become binding EU-wide.

National DPAs. The French CNIL and the Italian Garante have both published support for honoring opt-out browser signals as a privacy-friendly practice. The German DSK has been more cautious, noting that GPC by itself does not satisfy ePrivacy Directive Article 5(3) consent (consent is opt-in, not opt-out — GPC is an opt-out signal, so it interacts with the right to object, not with the consent requirement).

The right way to honor GPC in the EU

Honoring GPC in the EU is a layered concept because GDPR consent and ePrivacy consent are opt-in. GPC says “I opt out” — useful for processing the site does under legitimate interest, less useful for processing that already requires consent. The clean integration:

  1. On every request, check the Sec-GPC header. If 1, treat the user as having objected to processing under Article 21 and opted out of any sale or sharing that would otherwise be permissible under legitimate interest.
  2. On the client, check navigator.globalPrivacyControl. Use this as a fallback for SPA-style navigations or when the cookie banner hydrates before a server round-trip.
  3. Suppress the cookie banner. A GPC-signalling user has expressed a preference for privacy; presenting a banner asking them to accept tracking is friction without value. Persist the rejection in a first-party cookie so future visits stay banner-free.
  4. Do not load non-essential trackers, ever. The GPC user has opted out of the universe of tracking that requires their consent. Loading GA4 / Meta Pixel / LinkedIn Insight on a GPC visit is inconsistent with the opt-out, regardless of whether the user clicked anything.
  5. Honor the user’s right to revoke. A user who clears the consent cookie and explicitly accepts tracking after a GPC-rejection should be respected; the GPC signal expresses a preference, not an unmovable absolute.

Implementation, briefly

On a Next.js application, the cleanest pattern is to detect Sec-GPC in middleware and stamp a first-party cookie on the response. The client then reads that cookie via React context and never mounts the consent banner. The same context controls whether non-essential analytics modules are mounted at all.

Veracly’s own marketing site implements this pattern. The middleware at apps/web/src/middleware.ts writes veracly_gpc=1 when it sees Sec-GPC: 1. The ConsentProvider reads that cookie before the banner mounts. The cookie banner never appears for a GPC-signalling visitor.
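As an added example that is not Veracly's own middleware code, the five steps above expressed as one framework-agnostic TypeScript decision function that a Next.js middleware (server side) or a React consent provider (client side, via the navigator fallback) could call; the cookie names and the plain header map are assumptions.

```typescript
// Added example (not Veracly's middleware). Cookie names are hypothetical.
type ConsentState = "accepted" | "rejected";

interface ConsentDecision {
  objected: boolean;         // treat the visit as an Article 21 objection
  showBanner: boolean;       // mount the cookie banner?
  loadNonEssential: boolean; // may analytics / pixels be mounted at all?
  setCookie?: string;        // Set-Cookie value persisting the rejection, if needed
}

const GPC_COOKIE = "gpc_optout";  // hypothetical first-party cookie, "1" when stamped
const CONSENT_COOKIE = "consent"; // hypothetical explicit choice: accepted | rejected

/** Case-insensitive lookup in a plain header map (Node lowercases, browsers may not). */
function header(headers: Record<string, string>, name: string): string | undefined {
  return Object.entries(headers).find(([k]) => k.toLowerCase() === name)?.[1];
}

/** Parse a Cookie request header into a name -> value map. */
function parseCookies(cookieHeader: string | undefined): Record<string, string> {
  const out: Record<string, string> = {};
  for (const part of (cookieHeader ?? "").split(";")) {
    const eq = part.indexOf("=");
    if (eq > 0) out[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return out;
}

/** Live signal: exactly "Sec-GPC: 1" per the GPC spec, or the client-side
 *  navigator.globalPrivacyControl fallback. Any other header value is not an opt-out. */
function gpcSignalled(headers: Record<string, string>, navigatorGpc?: boolean): boolean {
  return header(headers, "sec-gpc")?.trim() === "1" || navigatorGpc === true;
}

function decideConsent(headers: Record<string, string>, navigatorGpc?: boolean): ConsentDecision {
  const cookies = parseCookies(header(headers, "cookie"));
  const explicit = cookies[CONSENT_COOKIE] as ConsentState | undefined;
  // Step 5: an explicit, later acceptance overrides the opt-out preference.
  if (explicit === "accepted") return { objected: false, showBanner: false, loadNonEssential: true };
  // Steps 1-4: live signal or persisted stamp => objected, no banner, no trackers.
  const gpc = gpcSignalled(headers, navigatorGpc) || cookies[GPC_COOKIE] === "1";
  if (gpc || explicit === "rejected") {
    const d: ConsentDecision = { objected: gpc, showBanner: false, loadNonEssential: false };
    if (gpc && cookies[GPC_COOKIE] !== "1") {
      d.setCookie = `${GPC_COOKIE}=1; Path=/; Max-Age=31536000; SameSite=Lax; Secure`;
    }
    return d;
  }
  // No signal, no choice yet: consent is opt-in, so show the banner and load nothing.
  return { objected: false, showBanner: true, loadNonEssential: false };
}
```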

What about Do Not Track?

Do Not Track (DNT) was the predecessor to GPC. It was widely ignored by sites and eventually deprecated by browser vendors as ineffective. GPC succeeded where DNT failed because GPC is statutorily binding in at least four US states from launch — a single jurisdiction with enforcement creates the network effect DNT never achieved.

Sites that already implemented DNT support probably still have the code path. Migrating it to honor GPC instead is straightforward: read Sec-GPC where you previously read DNT, and treat a truthy value as opt-out.

Veracly’s scan check

Veracly’s privacy scanner runs every page twice — once with a default browser profile and once with Sec-GPC: 1 set. If the site behaves differently (loads different trackers, shows or hides the banner, sets or clears different cookies), the report records both behaviors. Sites that already honor GPC see their compliance score improve on the GPC scan; sites that ignore GPC see no change. The check is informational at launch — once EU legislation codifies GPC, it becomes a scored requirement.

See also: GDPR vs ePrivacy: which one governs cookies? · What reject-all has to do under GDPR

Common questions

Is honoring GPC required under GDPR?

Not currently mandated by an enforceable provision. GDPR Article 21 grants a right to object to processing for direct marketing, and the EDPB has noted that GPC is a reasonable mechanism for exercising that right, but no member-state implementation has made GPC binding the way California has under CPRA §1798.135.

Why honor it then?

Three reasons. First, the signal exists because users want their privacy preferences automated; honoring it earns the trust the GDPR's spirit envisions. Second, EU regulators are signaling support and codification is on the EDPB roadmap; sites that honor early avoid a retroactive scramble. Third, CCPA-binding sites that want a single consent infrastructure across EU + US visitors are simpler to operate when both honor the same signal.

What signal should I actually look for?

Two signals. The Sec-GPC HTTP header (sent on every request from a browser with GPC enabled) is the server-side check. The navigator.globalPrivacyControl JavaScript property is the client-side check (currently missing on Safari and some older Chrome versions). Either present and truthy is authoritative.
