Sec-GPC
Privacy regulations require a machine-readable opt-out signal for data sale and sharing. The Sec-GPC request header transmits that signal, expressing a preference against cross-context targeted advertising.
Usage
The Sec-GPC header is part of the Global Privacy Control (GPC) specification developed at the W3C. When a browser sends Sec-GPC: 1, the signal expresses the preference to opt out of data sale and sharing. The absence of the header means no preference has been stated.
GPC builds on the concept behind Do Not Track (DNT) but carries stronger legal backing. Several privacy regulations recognize GPC as a valid opt-out mechanism. The California Consumer Privacy Act (CCPA/CPRA) requires businesses to treat GPC as a binding opt-out of data sale and sharing. Colorado and other US states with comprehensive privacy laws include similar provisions. California legislation requires browsers to provide a built-in GPC setting.
The header uses the Sec- prefix, preventing JavaScript from setting or modifying the value via the XMLHttpRequest and fetch() APIs. On the client side, the navigator.globalPrivacyControl property exposes the same preference as a boolean. Scripts checking this property see true when GPC is active and false otherwise.
The header is sent with every request when the user has enabled the preference. Servers receiving the signal are expected to apply applicable privacy protections. In the absence of regulatory requirements, the specification leaves the response to server discretion.
Firefox sends Sec-GPC by default in private browsing and exposes the preference as a manual setting for regular browsing. Brave and DuckDuckGo browsers send the header by default. Chromium-based browsers without built-in GPC support rely on third-party extensions.
Values
1
The value 1 is the only defined value. The header is either sent with this value or omitted entirely. There is no 0 value. The absence of the header is the neutral state.
Example
A browser with GPC enabled sends the header on every request. The value 1 indicates the preference to opt out of data sale and sharing.
Sec-GPC: 1
A server may receive GPC alongside other privacy-related headers. The combination of Sec-GPC and DNT signals the preference through both the modern and legacy mechanisms.
Sec-GPC: 1
DNT: 1
JavaScript reads the GPC preference through the navigator.globalPrivacyControl property. The value mirrors the state of the Sec-GPC header for the current page load.
if (navigator.globalPrivacyControl) {
  // disable third-party sharing features
}
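A server-side counterpart to the client check above, as an added example that is not part of the original page: it reads Sec-GPC from a Node-style header map, accepts only the value 1 as a signal, and drops third-party sharing for opted-out requests. The function names, the tag names and the storedOptOut flag are assumptions made for illustration.

```javascript
// Added example; all function and tag names below are hypothetical.

// HTTP header names are case-insensitive, and Node-style header maps may
// hold an array when a header is repeated.
function headerValues(headers, name) {
  const wanted = name.toLowerCase();
  return Object.entries(headers)
    .filter(([key]) => key.toLowerCase() === wanted)
    .flatMap(([, value]) => (Array.isArray(value) ? value : [value]))
    .map((value) => String(value).trim());
}

// "1" is the only defined value. Assumption: anything else (including "0")
// is handled like a missing header, i.e. no preference stated.
function hasGpcSignal(headers) {
  return headerValues(headers, "Sec-GPC").includes("1");
}

// Decide what to emit for one request. storedOptOut is an assumed
// per-account flag recorded from an earlier opt-out.
function planResponse(headers, storedOptOut) {
  const gpc = hasGpcSignal(headers);
  const optedOut = gpc || storedOptOut === true;
  // Constructed tag names standing in for first- and third-party integrations.
  const tags = ["first-party-analytics"];
  if (!optedOut) tags.push("ad-partner-sync");
  return {
    gpc,
    optedOut,
    tags,
    // The body differs by request header, so shared caches must key on it.
    responseHeaders: { Vary: "Sec-GPC" },
  };
}

// Constructed sample requests.
const samples = [
  { "Sec-GPC": "1", DNT: "1" },
  { "sec-gpc": " 1 " },
  { "Sec-GPC": "0" },
  {},
];
for (const h of samples) {
  console.log(JSON.stringify(h), "->", planResponse(h, false).tags.join(","));
}
```

The missing-header case falls back to the stored flag, so an earlier opt-out is not undone by a request that carries no signal.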
See also
- Global Privacy Control (W3C)
- Global Privacy Control (globalprivacycontrol.org)
- Global Privacy Control (Chrome Status)
- DNT
- HTTP headers