
Universal Opt-Out Signals: eCommerce Actions for 2026

Eddy Udegbe
California's CPPA is enforcing Global Privacy Control. What GPC is, which browsers send it, and what your CMP must do to honor it correctly.

For much of 2021–2024, Global Privacy Control (GPC) felt like a forward-looking technical standard: browsers could send a signal, regulators encouraged honor, but enforcement was sparse and often complaint-driven. California acknowledged GPC as a valid opt-out mechanism, yet many eCommerce brands treated implementation as a backlog item.

That posture stopped being viable in 2025. The California Privacy Protection Agency (CPPA) advanced automated enforcement infrastructure — including the DROP system (Data Rights Order Processing) for detection and complaint routing tied to rights violations, including scenarios where GPC signals are received but sale/sharing behaviors continue. The CPPA also issued non-compliance notices in 2025 that explicitly referenced GPC failures — a clear signal that honoring universal opt-out signals is no longer theoretical.

For eCommerce brands, GPC is now a hard requirement with active enforcement risk: if your stack fires sale/sharing tags for California visitors who have sent GPC, your brand is not debating “privacy culture” — your brand is in technical non-compliance territory.

Who must care: marketing owns the customer experience of consent; engineering owns tag order; legal owns proof. If those three groups are not looking at the same test plan, your brand will ship a banner that looks compliant while the network tab tells a different story.

What Is Global Privacy Control?

Global Privacy Control (GPC) is a browser-level signal that communicates a user preference: do not sell or share my personal information for advertising purposes where CPRA applies. When GPC is enabled, supporting clients expose the signal to websites via:

  • An HTTP request header: Sec-GPC: 1
  • A JavaScript property: navigator.globalPrivacyControl === true

Under CPRA, businesses subject to CCPA must treat a valid GPC signal as an opt-out of sale and sharing (including sharing for cross-context behavioral advertising) — without requiring the consumer to take extra steps beyond using a compatible browser or extension.

That matters for workflows: your brand cannot demand a separate web form submission “to make it official” when GPC is already on. The signal is the opt-out mechanism for sale/sharing, subject to your business’s scope and exceptions under CPRA.

Common clients and tools that can send GPC (availability varies by version and settings):

  • Mozilla Firefox (GPC support; defaults differ by region and release)
  • Brave (often enabled by default)
  • DuckDuckGo browser and related extensions
  • Privacy Badger and similar privacy extensions
  • Some VPN and privacy browser products

Estimated share of California visitors sending GPC is often discussed in the 15–25% range for privacy-conscious cohorts, with movement as defaults change.

What GPC covers (CPRA framing):

  • Opt-out of sale of personal information
  • Opt-out of sharing for cross-context behavioral advertising

What GPC does not do:

GPC is not a global “stop all analytics” switch. It does not, by itself, replace your cookie banner for every purpose. It targets sale/sharing pathways — not every first-party service message or fraud control your brand needs to run a store.

Analytics nuance: some analytics configurations may still be permissible under your brand’s lawful basis and vendor settings, but ad measurement pixels and data sharing to ad partners are the usual enforcement focus when GPC is on. Treat “analytics” and “ads” as separate rows in your tag inventory.

The CPPA DROP System: Why GPC Enforcement Is Now Automated

The CPPA’s DROP system is best understood as enforcement infrastructure: it helps identify and route issues at scale rather than waiting for manual complaints alone. Public materials describe automated capabilities tied to consumer rights and business practices — including scenarios where signals like GPC are ignored.

Mechanically, the concern is simple: if a California visitor sends Sec-GPC: 1 and your site still loads ad measurement tags that constitute sharing for behavioral advertising, that mismatch is detectable in principle — because the browser advertises the signal and your page behavior is observable.

Before DROP-style scaling, enforcement often depended on someone filing a complaint and staff manually triaging. After, the CPPA can prioritize work using signals and patterns — which changes the risk calculus for high-traffic eCommerce properties that previously hid in the noise.

None of this replaces your privacy policy or your vendor DPAs. It changes how quickly mismatches between policy and behavior can become visible to regulators and plaintiffs who know where to look.

For context on what DROP is and how brands should interpret it, read how the CalPrivacy DROP system works and what it means for eCommerce brands.

Practical takeaway: high-traffic eCommerce sites with always-on ad pixels should assume they are in the population DROP-style systems can prioritize — not because your brand is a bad actor, but because the technical mismatch is easy to see at scale.

How to Honor GPC Correctly: Technical Requirements

Step 1 — Detect the signal
Your CMP or tag governance layer must read Sec-GPC on the request and/or navigator.globalPrivacyControl on the client before non-essential sale/sharing tags execute.

Step 2 — Suppress sale/sharing for GPC users
When GPC is on, block or suppress tags that implement sale or sharing under CPRA — including many ad pixels and data feeds to third parties for behavioral advertising.

Step 3 — Suppress before transmission
Suppression must prevent the network request, not “fix” it after. This is the same structural point as CIPA-focused pre-consent blocking: once data has left the browser, your brand is arguing about cleanup, not prevention.

Step 4 — Show that the signal was honored
CPRA expects consumers to see that an opt-out signal was recognized — commonly via an “Opt Out Signal Honored” style indicator in the footer or preference experience.

Step 5 — Persist
GPC is not just a single-page fluke. Treat it as a durable opt-out for sale/sharing for that browser profile — consistent with how your CMP stores other choices.

Edge cases your brand should test: checkout subdomain vs. marketing site, headless commerce routes, mobile web views, and third-party embedded widgets (reviews, chat) that load their own tags. GPC honor must hold across the full surface area, not only the homepage.

Agency and tag container discipline: if performance marketing adds a new pixel outside the CMP gate, GPC cannot save you. Treat unapproved tags with the same severity as unapproved discount codes — they bypass controls.

For a practical audit workflow, use how to audit whether your cookie banner is actually blocking tags before consent — the same “does the tag fire early?” test applies to GPC suppression for sale/sharing.

GPC vs. Your Cookie Banner: They Are Not the Same Thing

Many teams assume the banner “handles privacy.” GPC is orthogonal: a user can click “Accept” and still send Sec-GPC: 1. For sale/sharing, CPRA expects GPC to win — even when the banner would otherwise allow advertising tags.

| User situation | Correct behavior |
| --- | --- |
| Accepted cookies on banner + GPC enabled | Honor GPC for sale/sharing; non-sale categories follow banner rules |
| Declined non-essential cookies + GPC enabled | Honor both — block non-essential tags per banner and sale/sharing per GPC |
| No banner interaction + GPC enabled | Honor GPC for sale/sharing — treat as valid opt-out mechanism |
| Accepted cookies + no GPC | Standard consent rules apply |

Key point: GPC overrides banner consent for sale/sharing — not for every purpose. Your CMP must encode that intersection explicitly.
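The five steps above and the banner × GPC table, combined in one added example (not PieEye's or any CMP vendor's code): a tag gate whose `inject` callback is the only route to the network. The category names, the `gpc_opt_out` storage key and the `serverFlag` parameter are assumptions made for illustration.

```javascript
// Added example: names, categories and the storage key are illustrative assumptions.
const SALE_SHARING = 'sale_sharing';          // ad pixels, third-party audience feeds
const STORAGE_KEY = 'gpc_opt_out';            // hypothetical first-party key

// Step 1: detect. `serverFlag` is a value an edge layer mirrored from Sec-GPC.
function detectGpc(nav, serverFlag) {
  return Boolean(nav && nav.globalPrivacyControl === true) || serverFlag === true;
}

// Steps 2-5: a gate that every tag must pass before its script is injected.
function createTagGate({ nav, serverFlag, storage, banner, inject }) {
  // Step 5: once seen, the opt-out sticks for this browser profile.
  const gpc = detectGpc(nav, serverFlag) || storage.getItem(STORAGE_KEY) === '1';
  if (gpc) storage.setItem(STORAGE_KEY, '1');
  const blocked = [];

  function decide(tag) {
    if (tag.category === 'essential') return 'allow';
    // GPC wins for sale/sharing even if the banner said "Accept".
    if (tag.category === SALE_SHARING && gpc) return 'blocked_by_gpc';
    // Everything else follows the banner; no interaction means no consent.
    return banner[tag.category] === true ? 'allow' : 'blocked_by_banner';
  }

  return {
    // Step 3: inject() is the only path to the network, and it is never
    // called for a blocked tag, so no request leaves the browser.
    load(tag) {
      const verdict = decide(tag);
      if (verdict === 'allow') inject(tag.src);
      else blocked.push({ id: tag.id, verdict });
      return verdict;
    },
    // Step 4: state for an "Opt-Out Signal Honored" footer indicator.
    indicator: () => (gpc ? 'Opt-Out Signal Honored' : null),
    blocked: () => blocked.slice(),
  };
}

// Constructed stand-in for localStorage so the block runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)) };
}
```

In a browser, pass `navigator`, `localStorage` and a function that appends the script element as `inject`; tags added outside the gate are not covered by it.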

Training: support teams should know how to answer “I opted out — why do I still get order emails?” Service emails tied to a transaction are not the same as sale or sharing for ads — but the customer experience must match the policy story your brand tells.

What CMPs Must Do to Support GPC in 2026

Use this as a vendor-neutral evaluation checklist:

  • Read Sec-GPC on the server or edge where possible and mirror into client state
  • Read navigator.globalPrivacyControl on page load
  • Suppress sale/sharing tags before they fire when GPC is true
  • Resolve banner × GPC correctly (GPC wins for sale/sharing even if “Accept” was clicked)
  • Display an “opt-out signal honored” indicator when applicable
  • Persist GPC treatment across sessions for that browser profile
  • Log detections and suppression actions for audit evidence

Most basic banners that only paint a modal do not implement this — which is exactly the gap automated enforcement infrastructure is designed to surface.

Server-side vs. client-side: reading Sec-GPC at the edge (CDN, server, middleware) can help your brand set a first-party flag that client code consumes consistently. Client-only reads of navigator.globalPrivacyControl can work, but they fail when tags are injected before your CMP boots — which is why order matters more than slider settings.

Logging for audits: regulators and enterprise customers increasingly ask for proof of honor, not a screenshot of a banner. Your CMP should record timestamped events: GPC detected, categories suppressed, user saw confirmation. If your brand cannot export that trail, your brand is one reorg away from losing the story.
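The server-side read and the audit trail described above, as an added example (not any vendor's implementation): an edge handler that parses `Sec-GPC`, sets a first-party flag for client code, and records timestamped events. The cookie name, event names and request shape (`id`, `path`, `headers`) are assumptions.

```javascript
// Added example: cookie name, event names and the handler shape are assumptions.
const auditTrail = [];

function record(event, detail, now = new Date()) {
  const entry = { ts: now.toISOString(), event, ...detail };
  auditTrail.push(entry);
  return entry;
}

// Sec-GPC carries the single value "1"; anything else is treated as "not sent".
function readSecGpc(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') {
      return String(Array.isArray(value) ? value[0] : value).trim() === '1';
    }
  }
  return false;
}

// Edge/middleware step: decide before any HTML is rendered, so server-side
// templates can omit sale/sharing tags and client code reads one flag.
function handleRequest(req, now = new Date()) {
  const gpc = readSecGpc(req.headers);
  const responseHeaders = { Vary: 'Sec-GPC' }; // keep caches from mixing variants
  if (gpc) {
    // Not HttpOnly on purpose: the client-side gate needs to read it.
    responseHeaders['Set-Cookie'] =
      'gpc_opt_out=1; Path=/; Max-Age=31536000; Secure; SameSite=Lax';
    record('gpc_detected', { requestId: req.id, path: req.path, source: 'Sec-GPC' }, now);
    record('categories_suppressed', { requestId: req.id, categories: ['sale_sharing'] }, now);
  }
  return { gpc, responseHeaders, renderSaleSharingTags: !gpc, showHonoredIndicator: gpc };
}

// Export the trail as JSON Lines, one event per line, for audit evidence.
function exportTrail() {
  return auditTrail.map((e) => JSON.stringify(e)).join('\n');
}
```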

Conclusion

GPC moved from aspiration to enforcement reality in 2025–2026. DROP-style capabilities mean your brand cannot treat “no complaints yet” as proof of honor — the CPPA can prioritize work using signals and patterns at scale.

The technical fix is straightforward in concept: detect Sec-GPC: 1 / navigator.globalPrivacyControl, then stop sale/sharing tags before they transmit. The hard part is doing it consistently across templates, markets, and agencies — which is why CMP maturity matters.

Continue with the GPC compliance checklist for step-by-step coverage, then talk to PieEye about CCPA signal honor, pre-fire suppression, and audit logs built for enforcement season — not for checkbox screenshots alone.

If your brand is preparing a Q3 roadmap, put GPC next to Consent Mode and DSR SLAs — the same steering committee that funds acquisition should fund signal honor, because both determine whether measurement is lawful and whether your brand can defend the numbers in the deck.

For a walkthrough of how PieEye handles CCPA compliance, book a demo.
