ConsentStack Docs

Global Privacy Control

How ConsentStack honors Global Privacy Control (GPC) browser signals on your behalf.

What is Global Privacy Control

Global Privacy Control (GPC) is a browser-level signal that tells websites the user wants to opt out of the sale or sharing of their personal information. It is expressed two ways:

  • An HTTP request header: Sec-GPC: 1
  • A JavaScript property: navigator.globalPrivacyControl === true

GPC is legally binding in 12 US states as of 2026 (California, Colorado, Connecticut, Delaware, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Texas). It is also arguably binding under GDPR Article 21(5) for processing grounded in legitimate interest.

Browser support

| Browser | Support | Default |
|---|---|---|
| Brave | Native | On |
| DuckDuckGo Browser | Native | On |
| Firefox | Native | Off (user opts in at Settings, then Privacy, then Tell websites not to sell or share my data) |
| Chrome, Edge, Safari, Opera | Extension only | Requires installing a privacy extension |

How ConsentStack detects GPC

ConsentStack reads GPC from both surfaces at every page load:

  1. Edge detection at the config-delivery worker. The Sec-GPC: 1 header is read and included in the config response.
  2. Client detection in the SDK. navigator.globalPrivacyControl is read at initialization.

The effective GPC state is the OR of both signals. This belt-and-suspenders approach catches proxies that strip the header and extensions that inject GPC after the config fetch.

What ConsentStack does when GPC is detected

Behavior branches on the visitor's jurisdiction.

Opt-out jurisdictions (CA, CO, CT, DE, MD, MN, MT, NE, NH, NJ, OR, TX, and other US states)

  • The consent banner does not show.
  • A small toast appears at the bottom of the page confirming the opt-out, with a link to manage preferences.
  • All non-essential cookie categories are set to denied.
  • Consent Mode v2, Meta LDU, TikTok Limited Data Use, Pinterest Limited Data Sharing, and equivalent downstream signals fire automatically.

Opt-in jurisdictions (EU GDPR, UK, EEA)

  • The consent banner does show, as it always has in these jurisdictions. Non-essential categories are pre-denied by default, which is the normal opt-in behavior.
  • If the visitor has previously saved an explicit consent choice on this site, that choice is preserved. GPC sets the default for first-time visitors but does not wipe a prior, explicit decision. This matches CCPA § 7025(c)(6)(B), which permits users to consent as an exception to GPC, and the W3C GPC spec's stance that explicit user choices override the default signal.

All other jurisdictions

ConsentStack defaults to honoring GPC globally. Dashboard controls to customize this per-publisher will ship in a later release.
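The detection and branching rules above, written out as an added example (not ConsentStack's own code). The function names, jurisdiction codes, category names, and the shape of the result object are assumptions made for illustration.

```javascript
// Added example; every name below is hypothetical, not ConsentStack's API.
const OPT_IN = new Set(["EU", "UK", "EEA"]);
const NON_ESSENTIAL = ["analytics", "marketing", "preferences"]; // assumed names

// Edge surface: header names are case-insensitive; only the value "1" counts.
function gpcFromHeaders(headers = {}) {
  return Object.entries(headers).some(
    ([name, value]) => name.toLowerCase() === "sec-gpc" && String(value).trim() === "1"
  );
}

// Client surface: only a strict boolean true counts; undefined means no signal.
function gpcFromNavigator(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

function resolveGpcOutcome({ headers, nav, jurisdiction, storedChoice }) {
  const gpc = gpcFromHeaders(headers) || gpcFromNavigator(nav); // OR of both
  if (!gpc) return { gpc, source: "no-signal" }; // non-GPC flow, out of scope here

  // A previously saved explicit choice survives a later GPC signal.
  // Which UI appears in that case is not specified on the page, hence null.
  if (storedChoice) {
    return { gpc, source: "explicit", ui: null, categories: { ...storedChoice } };
  }
  const denied = Object.fromEntries(NON_ESSENTIAL.map((c) => [c, "denied"]));
  if (OPT_IN.has(jurisdiction)) {
    // Banner shows as usual; pre-denied is the normal opt-in default.
    return { gpc, source: "default", ui: "banner", categories: denied };
  }
  // Opt-out states; other regions are assumed to get the same treatment.
  return { gpc, source: "gpc", ui: "toast", categories: denied };
}

// Constructed input: a proxy stripped the header, but the browser reports GPC.
const strippedHeader = resolveGpcOutcome({
  headers: { "user-agent": "constructed" },
  nav: { globalPrivacyControl: true },
  jurisdiction: "US-CA",
  storedChoice: null,
});
console.log(strippedHeader.ui, strippedHeader.categories);
```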

What publishers need to do

Nothing. GPC handling is fully automatic once ConsentStack is installed.

Two optional steps improve your compliance posture:

1. Publish /.well-known/gpc.json on your site

Automated compliance scanners look for this file at the root of your domain. Add a static file at https://yoursite.com/.well-known/gpc.json:

{ "gpc": true, "lastUpdate": "2026-01-01" }
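A check you can run against the file after deploying it, as an added example that is not part of ConsentStack. `checkGpcSupportResource` is a hypothetical helper that takes the HTTP status and body you fetched; treating both members shown above as required is an assumption of this example.

```javascript
// Added example; checkGpcSupportResource is a hypothetical helper.
function checkGpcSupportResource(status, body) {
  const problems = [];
  if (status !== 200) problems.push(`unexpected HTTP status ${status}`);

  let doc;
  try {
    doc = JSON.parse(body);
  } catch {
    // Typical cause: a catch-all route answering with an HTML page.
    problems.push("body is not valid JSON");
    return { ok: false, problems };
  }
  if (doc === null || typeof doc !== "object" || Array.isArray(doc)) {
    problems.push("top level must be a JSON object");
    return { ok: false, problems };
  }

  // A quoted "true" is a string, so only the boolean passes.
  if (doc.gpc === false) {
    problems.push("gpc is false: the file declares the signal is not honored");
  } else if (doc.gpc !== true) {
    problems.push(`gpc must be the boolean true, got ${JSON.stringify(doc.gpc)}`);
  }

  const date = doc.lastUpdate;
  if (typeof date !== "string") {
    problems.push("lastUpdate is missing or not a string");
  } else if (!/^\d{4}-\d{2}-\d{2}/.test(date) || Number.isNaN(Date.parse(date))) {
    problems.push(`lastUpdate is not an ISO 8601 date: ${date}`);
  }
  return { ok: problems.length === 0, problems };
}

// Constructed bodies: the file from this page, and a misconfigured variant.
const good = checkGpcSupportResource(200, '{ "gpc": true, "lastUpdate": "2026-01-01" }');
const bad = checkGpcSupportResource(200, '{ "gpc": "true", "lastUpdate": "01/2026" }');
console.log(good, bad);
```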

2. Update your privacy policy

Add a paragraph like this to your privacy policy:

This website honors Global Privacy Control (GPC) signals. When we detect a GPC signal from your browser, we treat it as a valid opt-out of the sale or sharing of your personal information under applicable US state privacy laws, and as an objection to processing based on legitimate interest under the GDPR. We will not sell or share your personal information for the purposes GPC covers while your browser continues to send the signal. You may revisit this choice at any time through our preferences center.

Microsoft Clarity users: one additional step

If you use Microsoft Clarity alongside ConsentStack, configure your Clarity project dashboard with "cookies off by default." ConsentStack will call clarity("consent", true) only when the user grants consent. This matches Microsoft's recommended integration pattern and ensures Clarity does not fire cookie-based tracking pre-consent.

FAQ

Does my banner still show if the visitor has GPC enabled

In EU and other opt-in jurisdictions, yes. The banner is still required to collect affirmative consent for consent-based processing. Non-essential categories are pre-denied.

In US opt-out jurisdictions, no. A toast appears instead, and all non-essential tracking is denied.

What if a visitor previously accepted tracking, then enables GPC later

Their prior explicit consent is preserved. Per CCPA § 7025(c)(6)(B), users may consent to specific processing as an exception to GPC, and that explicit choice persists. New visitors with GPC enabled get default-deny on opt-out categories; they can still grant per-category exceptions through the preferences panel, and that exception survives reloads. To reset their state, the visitor clears site data or revokes individual categories from the preferences UI.

Do I need to change my Google Ads or Meta Pixel setup

No. ConsentStack automatically sets Google Consent Mode v2 to denied and applies Meta Limited Data Use when GPC is honored. No changes to your pixel code are required.

What percentage of my traffic has GPC enabled

Typically 2 to 8 percent for consumer sites, higher for tech-niche audiences. Most of it comes from Brave and DuckDuckGo Browser (default on) plus privacy-extension users on Chrome and Firefox.