Universal Opt-Out Explained: One Browser Setting Stops Data Selling in 12 States
There is a browser setting that legally forces businesses to stop selling your personal data — and it works in twelve US states right now. It is called Global Privacy Control, or GPC, and most people have never heard of it. Turning it on takes about thirty seconds. Here is what it does, where it works, how to enable it in every major browser, and where its limits are.
What Is Global Privacy Control?
Global Privacy Control is a technical specification that lets your browser automatically tell every website you visit: "Do not sell or share my personal data." It works by sending a machine-readable signal — an HTTP header called Sec-GPC and a JavaScript property called navigator.globalPrivacyControl — with every page request. When a website receives this signal, it is the legal equivalent of you manually clicking through the site's privacy settings and submitting an opt-out form.
The GPC specification was developed by a consortium of privacy researchers, engineers, and organizations including the Electronic Frontier Foundation, Mozilla, DuckDuckGo, Consumer Reports, and the W3C Privacy Community Group. Version 1.0 of the specification was published in 2022. By early 2026, it has become the dominant standard for Universal Opt-Out Mechanisms (UOOMs) — the legal term used in state privacy laws for signals like GPC.
The concept is straightforward. Instead of visiting every website individually, finding their privacy settings page, navigating a confusing interface, and manually opting out of data sales, you flip one setting and your browser does it everywhere, automatically, from that point forward.
GPC in 30 Seconds
- What it is: A browser signal that says "don't sell my data"
- How it works: Sends an HTTP header with every web request
- Who built it: EFF, Mozilla, DuckDuckGo, Consumer Reports, W3C
- Legal weight: 12 US states require businesses to honor it
- Cost: Free — built into browsers or available via extensions
- Setup time: Under one minute
Which States Require Businesses to Honor GPC?
As of early 2026, twelve US states have enacted comprehensive privacy laws that require businesses to recognize and honor Universal Opt-Out Mechanisms. In practice, GPC is the only widely adopted UOOM, making it the de facto standard these laws point to.
| State | Law | UOOM Requirement Effective |
|---|---|---|
| California | CCPA / CPRA | January 2023 |
| Colorado | CPA | July 2024 |
| Connecticut | CTDPA | January 2025 |
| Texas | TDPSA | January 2025 |
| Montana | MCDPA | January 2025 |
| Oregon | OCPA | January 2025 |
| Delaware | DPDPA | January 2025 |
| New Jersey | NJDPA | January 2025 |
| New Hampshire | NHDPA | January 2025 |
| Nebraska | NDPA | January 2025 |
| Minnesota | MCDPA | July 2025 |
| Maryland | MODPA | October 2025 |
Several more states have privacy laws taking effect in 2026 and 2027 that include UOOM provisions, including Iowa, Indiana, Tennessee, and Kentucky. The trend is accelerating — the number of states requiring GPC compliance has roughly doubled every year since 2023.
In California, the legal obligation is particularly strong. The California Attorney General's office issued a $1.2 million fine against Sephora in 2022 specifically for failing to honor GPC signals — the first enforcement action of its kind. The CCPA amendments that took effect in 2023 explicitly name "opt-out preference signals" as a legally binding mechanism. If a business is covered by the CCPA and receives a GPC signal from a California user, ignoring it is a violation of state law.
How GPC Actually Works Under the Hood
When you enable GPC, your browser adds two things to every web request:
- An HTTP request header: Sec-GPC: 1 — This is sent with the initial request for every page and resource. The website's server sees this before the page even loads.
- A JavaScript property: navigator.globalPrivacyControl = true — This is available in the page's JavaScript environment. Scripts running on the page (including third-party ad trackers and analytics tools) can check this property and adjust their behavior.
A website that receives a GPC signal is expected to treat it as a legally binding opt-out request under applicable state laws. In practice, this means the site should stop selling or sharing the user's personal information with third parties, suppress targeted advertising based on cross-site tracking, and refrain from sharing data with data brokers or other downstream buyers.
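The server-side and in-page checks described above, sketched as an added example (not code from the GPC specification or from any site mentioned here). The tag inventory, the request shape, the function names, and the choice to remember the opt-out for signed-in accounts are assumptions made for illustration.

```javascript
// Added example; TAGS, the request shape and all function names are hypothetical.

// Constructed tag inventory: which page scripts sell or share data with third parties.
const TAGS = [
  { name: 'first-party-analytics', sharesWithThirdParties: false },
  { name: 'ad-exchange-pixel', sharesWithThirdParties: true },
  { name: 'broker-id-sync', sharesWithThirdParties: true },
];

// Server side: true only when the request carries "Sec-GPC: 1".
function hasGpcHeader(headers) {
  // Header names are case-insensitive; Node lowercases them, other stacks may not.
  const key = Object.keys(headers).find((k) => k.toLowerCase() === 'sec-gpc');
  if (key === undefined) return false;
  // A repeated header can arrive as an array; any exact "1" counts as an opt-out.
  const values = Array.isArray(headers[key]) ? headers[key] : [headers[key]];
  return values.some((v) => String(v).trim() === '1');
}

// In-page side: what a third-party script checks before sharing data.
function hasGpcProperty(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// Decide which tags to emit. Assumption: the site also remembers the opt-out
// for signed-in accounts so later requests without the header stay opted out.
function planResponse(request, storedOptOuts) {
  const signal = hasGpcHeader(request.headers);
  if (signal && request.userId) storedOptOuts.add(request.userId);
  const optedOut = signal || (Boolean(request.userId) && storedOptOuts.has(request.userId));
  const tags = TAGS
    .filter((t) => !(optedOut && t.sharesWithThirdParties))
    .map((t) => t.name);
  return { optedOut, tags };
}

// Constructed requests: same account with GPC on, then from a browser without it,
// then an anonymous visitor sending a value other than "1".
const optOuts = new Set();
const withGpc = planResponse({ headers: { 'Sec-GPC': '1' }, userId: 'u-1001' }, optOuts);
const later = planResponse({ headers: {}, userId: 'u-1001' }, optOuts);
const anonymous = planResponse({ headers: { 'sec-gpc': '0' } }, optOuts);
console.log(withGpc, later, anonymous);
```

Gating on the header at the server keeps third-party tags out of the page entirely, so the opt-out does not depend on each vendor script reading navigator.globalPrivacyControl for itself.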
Importantly, GPC is not the same as Do Not Track (DNT). DNT was a similar browser signal proposed in the early 2010s, but it was never backed by any legal requirement. Websites were free to ignore it, and nearly all of them did. GPC has teeth because state privacy laws explicitly require compliance. The FTC and state attorneys general have enforcement authority, and as the Sephora case shows, they are willing to use it.
How to Enable GPC in Every Major Browser
The process varies by browser. Some have GPC built in. Others need an extension. Here is the current state of GPC support as of 2026.
Brave (Built-In)
Brave has supported GPC natively since 2020 and enables it by default. If you use Brave, GPC is already active — you do not need to do anything. You can verify it under Settings → Shields → Global Privacy Control.
Firefox (Built-In)
Firefox has included native GPC support since version 120. To enable it:
- Open Firefox and navigate to Settings (or type about:preferences in the address bar).
- Go to Privacy & Security.
- Scroll to the Website Privacy Preferences section.
- Check the box labeled "Tell websites not to sell or share my data."
That is all it takes. Firefox will now send the GPC signal with every request.
DuckDuckGo Browser (Built-In)
The DuckDuckGo browser — available on macOS, Windows, iOS, and Android — enables GPC by default. No configuration is needed.
Chrome (Extension Required)
Google Chrome does not include native GPC support. Google has not committed to adding it. To use GPC in Chrome, you need a browser extension:
- Privacy Badger (by EFF) — Free, open source. Sends GPC signal and also blocks third-party trackers. Available from the Chrome Web Store.
- DuckDuckGo Privacy Essentials — Free. Adds GPC along with tracker blocking and private search. Available from the Chrome Web Store.
- OptMeowt — Free, open source, developed by privacy researchers. Sends GPC and also provides a dashboard showing which sites honor the signal. Available from the Chrome Web Store.
Install any one of these extensions and GPC will be active in Chrome immediately.
Safari (Extension Required)
Apple has not added native GPC support to Safari. On macOS, you can install the DuckDuckGo Privacy Essentials Safari extension from the Mac App Store to enable GPC. On iOS, the DuckDuckGo browser app sends GPC natively, but Safari itself requires the DuckDuckGo extension from the App Store.
Edge (Extension Required)
Microsoft Edge does not include native GPC. Because Edge is Chromium-based, the same Chrome extensions work — install Privacy Badger or DuckDuckGo Privacy Essentials from the Edge Add-ons store.
Quick Reference: GPC by Browser
| Browser | Native GPC | Enabled by Default | Extension Needed |
|---|---|---|---|
| Brave | Yes | Yes | No |
| Firefox | Yes | No (opt-in) | No |
| DuckDuckGo | Yes | Yes | No |
| Chrome | No | N/A | Yes |
| Safari | No | N/A | Yes |
| Edge | No | N/A | Yes |
What GPC Does and Does Not Do
GPC is powerful for what it is, but it is important to understand its boundaries. Misunderstanding what GPC covers can give you a false sense of security.
What GPC Does
- Sends a legally binding opt-out signal to every website you visit in states with UOOM requirements.
- Stops future data sales from the moment the website receives the signal. In covered states, the site must stop selling your personal information to third parties.
- Works automatically — you set it once and it applies to every site without further action.
- Covers ad trackers — third-party scripts on the page can read the navigator.globalPrivacyControl property and suppress data sharing.
- Has legal enforcement backing — state AGs can fine businesses that ignore the signal. The FTC has also expressed support for GPC as a legitimate opt-out mechanism.
What GPC Does Not Do
- Does not delete data already collected. GPC is forward-looking only. Data that was sold or shared before you enabled GPC is unaffected.
- Does not remove you from data broker databases. Your profiles on Spokeo, BeenVerified, Whitepages, and hundreds of other people-search sites remain fully intact. GPC does not send deletion requests to data brokers.
- Does not work on sites that do not check for it. GPC depends on the website actively reading the signal and complying. Many sites — especially smaller ones — simply do not check for it yet.
- Does not apply in states without UOOM requirements. If you live in one of the 38 states without a comprehensive privacy law, businesses have no legal obligation to honor the signal.
- Does not stop first-party data collection. Websites can still collect your data for their own use. GPC only restricts selling or sharing with third parties.
- Does not cover mobile apps. GPC is a browser-level signal. It does not apply to native mobile apps, which collect data through entirely separate mechanisms.
The Gap Between GPC and Full Privacy Protection
Think of GPC as a "Do Not Enter" sign you hang on your door going forward. It tells new visitors to respect your privacy. But it does nothing about the people who already walked in, took photos of your belongings, and distributed copies around the neighborhood.
The average American's personal information — name, address, phone number, email, age, relatives, income estimates, political affiliations — appears on more than 50 data broker sites. That data was collected and sold before you ever turned on GPC. The broker listings, the people-search profiles, the marketing databases — all of that persists. GPC cannot reach it.
Data brokers also collect from sources that have nothing to do with your browser activity. Public records, voter registrations, property deeds, court filings, and social media scraping all feed broker databases through channels that GPC never touches.
This is where active data removal comes in. Data brokers need to be contacted individually with specific removal requests. Those requests need to be monitored, because brokers routinely re-list people within weeks of a successful removal. The process is ongoing, not one-and-done — which is why services like GhostVault exist. GhostVault continuously scans broker databases, submits removal requests, verifies deletions, and re-submits when data reappears. GPC handles the flow of new data going forward; GhostVault handles the data that is already out there.
How to Verify GPC Is Working
After enabling GPC, you should confirm it is actually sending the signal. There are a few ways to do this:
- Visit global-privacy-control.glitch.me — This test page by the GPC specification team detects whether your browser is sending the signal and displays the result.
- Check your browser's developer tools. Open DevTools (F12), go to the Network tab, click on any request, and look at the Request Headers section. You should see Sec-GPC: 1 in the headers.
- If using an extension: Most GPC extensions display an icon badge or dashboard showing GPC status. Privacy Badger shows a shield icon; OptMeowt shows per-site compliance information.
GPC Compliance in the Real World
Not every website honors GPC, even in states where they are legally required to do so. A 2025 study by Consumer Reports found that among the top 100 US websites, only about 40% properly detected and responded to GPC signals. Among smaller websites, compliance rates were significantly lower.
The enforcement landscape is still developing. California has been the most active, with the Sephora fine and several follow-up actions from the AG's office. Colorado's AG issued compliance guidance in 2024 reminding businesses of their obligation to honor UOOMs. Connecticut's data privacy division has begun auditing compliance. But most states with newer privacy laws have not yet brought UOOM enforcement actions.
The practical reality is that GPC works best on large, well-known websites that have privacy compliance teams and actively monitor for regulatory signals. It is least effective on smaller sites, offshore operations, and companies that calculate that the risk of enforcement is low.
GPC vs. Do Not Track: Why This Time Is Different
If you remember the Do Not Track browser setting from the early 2010s, you might be skeptical that GPC will fare any better. The comparison is understandable but the situations are fundamentally different.
- DNT had no legal backing. No US law ever required companies to honor the DNT signal. It was purely voluntary, and virtually every major company chose to ignore it. GPC is backed by enforceable state laws with real financial penalties.
- DNT had no clear definition. There was no agreement on what "Do Not Track" actually meant in practice. Companies could claim they honored it while continuing to collect data for "analytics" or "service improvement." GPC has a clear legal definition tied to specific statutes: do not sell or share personal data with third parties.
- GPC has enforcement precedent. The Sephora fine established that ignoring GPC has real financial consequences. DNT never had a comparable enforcement moment.
- Industry adoption is broader. Major ad tech companies including Google's Consent Management Platform, OneTrust, and several demand-side platforms now detect and respond to GPC. The ad industry largely ignored DNT.
A Complete Privacy Checklist
GPC is one piece of a larger privacy strategy. Here is the full picture of what effective personal data protection looks like in 2026:
- Enable GPC in your browser. This takes thirty seconds and covers future data sales on websites that comply. Do this first — it is the easiest step.
- Use a data removal service. GhostVault scans 500+ data broker sites, submits removal requests, and monitors for re-listings — covering the data that GPC cannot touch. At $3.99/month, it is the most affordable option on the market.
- Lock down your social media profiles. Set Facebook, Instagram, LinkedIn, and TikTok to maximum privacy settings. Our social media privacy guide walks through every platform step by step.
- Use unique passwords and a password manager. Credential stuffing from data breaches is the primary way accounts get compromised. A password manager makes unique passwords automatic.
- Enable two-factor authentication everywhere. Prioritize your email, banking, and social media accounts. Use an authenticator app, not SMS.
- Monitor for breaches. When your data leaks, you need to know immediately. GhostVault includes dark web monitoring that alerts you when your information appears in a breach.
The Bottom Line
GPC is the single most impactful privacy setting most people are not using. If you do one thing after reading this article, enable it. But recognize that GPC is a forward-looking defense — it stops new data from being sold but does nothing about data already collected. Pairing GPC with active data broker removal gives you both layers of protection.
Frequently Asked Questions
What is Global Privacy Control (GPC)?
Global Privacy Control is an HTTP header signal and JavaScript property that your browser sends to every website you visit. It tells the site that you are exercising your right to opt out of the sale or sharing of your personal data. When a website receives a GPC signal, it is the technical equivalent of you manually submitting an opt-out request through the site's privacy settings. The specification was developed by the EFF, Mozilla, DuckDuckGo, Consumer Reports, and the W3C Privacy Community Group.
Which states require websites to honor GPC?
As of early 2026, twelve US states legally require businesses to honor Universal Opt-Out Mechanisms like GPC: California, Colorado, Connecticut, Texas, Montana, Oregon, Delaware, New Jersey, New Hampshire, Nebraska, Minnesota, and Maryland. Several additional states — including Iowa, Indiana, Tennessee, and Kentucky — have privacy laws taking effect in 2026 and 2027 that include UOOM provisions. The number of states with enforceable GPC requirements has been roughly doubling each year since California first required it in 2023.
Does GPC remove data that was already collected?
No. GPC only prevents future sale or sharing of your data from the moment the signal is received. It does not delete data already collected, remove your information from data broker databases, or affect data that was sold before you enabled GPC. Your existing profiles on people-search sites like Spokeo, BeenVerified, and Whitepages remain fully intact. For removing data that is already out there, you need to submit deletion requests to data brokers directly or use a data removal service like GhostVault.
How do I enable GPC in Chrome?
Chrome does not natively support GPC as of 2026. Google has not announced plans to add it. To enable GPC in Chrome, install a browser extension that supports it. The most popular options are Privacy Badger by the EFF, DuckDuckGo Privacy Essentials, and OptMeowt. All three are free, available from the Chrome Web Store, and add the GPC signal to your browsing requests automatically once installed. If you want native GPC without an extension, consider switching to Firefox, Brave, or the DuckDuckGo browser.
Is GPC enough to protect my privacy?
GPC is one important layer but not a complete solution. It only affects websites that check for the signal, only applies going forward, and does not cover offline data collection or data already held by brokers. A comprehensive privacy strategy combines GPC with active data broker removal, breach monitoring, and careful management of what you share online. Think of GPC as a lock on your front door — necessary, but not sufficient by itself if your address, phone number, and personal details are already listed on fifty broker sites.
