GPC Checker: How to Test Global Privacy Control Compliance on Any Website

Your site has a cookie banner. Your privacy policy says all the right things. But when a user visits with Global Privacy Control enabled, which tens of millions of privacy-conscious users do, your trackers are probably still firing.

That's not a hypothetical risk. It's an active legal exposure under California law. And the only way to know for certain is to run a real GPC checker against your own domain. If you want the fastest path to an answer, our free GPC checker tool runs a live network-level test against any URL in under a minute.

What Is Global Privacy Control (GPC)?

Global Privacy Control is an open browser signal that consumers use to communicate a single, universal opt-out from the sale or sharing of their personal data. When enabled, it attaches a Sec-GPC: 1 header to every HTTP request and sets navigator.globalPrivacyControl = true in the browser JavaScript context.

Under AB 3048 (effective January 1, 2026), California businesses are legally required to honor this signal as a valid opt-out, the same as clicking "Do Not Sell or Share My Personal Information." There is no opt-in required from the user. There is no grace period. If your site is loading advertising trackers for a GPC-enabled visitor, you are out of compliance right now.

Why You Need a GPC Scanner, Not Just a Policy Review

Most companies address GPC compliance by reviewing their Consent Management Platform (CMP) settings and assuming the job is done. It isn't. Here's why a real GPC scanner is the only reliable verification:

How to Do a Manual Global Privacy Control Check

If you want to perform a quick manual GPC check before running a full privacy scanner, here are the steps:

  1. Install a GPC browser extension. Extensions like Privacy Badger or dedicated GPC signal tools (available for Chrome and Firefox) let you enable the signal with one click.
  2. Open DevTools → Network tab before navigating to your site.
  3. Visit your homepage with GPC active. Filter the Network tab for requests to known ad-tech and analytics domains:doubleclick.net, googlesyndication.com, connect.facebook.net, pixel.advertising.com, and similar.
  4. Repeat without GPC enabled and compare. If the same third-party requests appear in both sessions, your site is not honoring GPC.

This manual approach works for spot-checking one page. It doesn't scale to your full site, doesn't catch subtler partial-block failures, and doesn't produce audit-grade evidence for a regulator. For that, you need an automated GPC scanner.

What a Proper GPC Scanner Tests

A comprehensive GPC scanner (not just a header checker) should verify all of the following:

How Privisy's GPC Scanner Works

Privisy was built specifically to solve the GPC verification problem that manual testing and CMP dashboards can't adequately address. The GPC validation stage of the Privisy privacy scanner:

  1. Runs a full Playwright headless browser session with both Sec-GPC: 1 request headers and navigator.globalPrivacyControl = true injected at the browser context level: simultaneously, exactly as a real user's browser would.
  2. Intercepts all outbound network requests in real time, comparing them against a categorized tracker database (marketing, social media, analytics, functional, ad networks).
  3. Flags any tracker in the "requires opt-out" categories that fires despite GPC being active: with the specific request URL as evidence, not just a domain match.
  4. Produces a pass/fail GPC compliance result with a severity rating and the full network trace as exportable audit evidence.

This is the difference between a basic global privacy control check and a production-grade GPC scanner. Privisy doesn't just look for the signal: it verifies the behavioral outcome that the law requires.

Common GPC Failures We Find (And What to Do About Them)

Running Privisy's GPC checker against real sites, these are the failure patterns that appear most often:

How to Enable GPC in Your Browser

Before you can test whether a site honors GPC, you need a browser that actually sends the signal. Support varies by browser, and the toggle isn't always where you'd expect. Here's what's current as of this writing, though browser settings menus do change over time so it's worth double-checking your browser's own privacy documentation if something doesn't match:

Once enabled, you can confirm the signal is live by visiting globalprivacycontrol.org: the page reads your browser's signal directly and displays a "GPC signal detected" confirmation at the top if it's working. That confirms your browser is sending the signal. It says nothing about whether the site you actually care about is honoring it, which is the harder problem this whole post is about.

Manual GPC Test: DevTools Walkthrough

You don't need special tools to run a basic GPC test yourself. Chrome, Firefox, and Edge all ship the DevTools panel you need built in. Here's the walkthrough:

  1. Enable GPC using one of the methods above, then open DevTools (F12 or Cmd+Option+I on Mac) and switch to the Network tab. Check "Preserve log" so requests survive page navigation.
  2. Navigate to the target site's homepage. Click the first document request in the Network panel (usually the top-most entry, the HTML document itself) and inspect the Request Headers section. You should see Sec-GPC: 1 listed among the headers your browser sent. If it's missing, GPC isn't actually enabled and nothing past this point is a valid test.
  3. Filter the Network panel by typing fragments of known tracker domains into the filter box: doubleclick, facebook.net, google-analytics, googlesyndication, criteo, taboola. A pass looks like an empty result list, or only requests to categories that don't require opt-out (like strictly necessary functional cookies). A fail looks like connect.facebook.net/tr?id=... or a doubleclick.net ad-serving call showing up in the list despite the GPC header being present on the page request.
  4. Open the console and run navigator.globalPrivacyControl. It should return true. If it returns undefined or false, the site's own JavaScript (or your browser) isn't exposing the signal at the API level, which matters because some client-side ad loaders check this property directly instead of relying on the server to read the header.
  5. Disable GPC and repeat the same page load. Compare the two Network panel captures side by side. If the same third-party requests fire in both the GPC-on and GPC-off sessions, the site is not differentiating behavior based on the signal at all, regardless of what its cookie banner claims.

This walkthrough is exactly what our free GPC checker automates, minus the manual clicking, and it runs the comparison across your whole crawlable site instead of one page at a time.

What the Law Actually Requires

The GPC obligation in California isn't a single sentence. It's a regulatory framework spread across several subsections of 11 CCR § 7025, and the details matter because they define exactly what "pass" and "fail" mean for a compliance test:

Put together, these subsections mean a compliant site must (1) actually stop the sale/sharing-category trackers, (2) do it automatically without requiring the visitor to log in or click anything, and (3) tell the visitor it did so. A scanner that only checks for the presence of a cookie-banner "your choices" link is testing none of these three things.

GPC Requirements Beyond California

California isn't the only state that requires businesses to honor universal opt-out signals like GPC. If your traffic isn't California-only, your GPC obligations aren't either:

The practical takeaway: if your GPC compliance program is scoped to "California visitors only," you likely have gaps for Colorado, Connecticut, and Texas traffic too, since all three states now fold universal opt-out signal recognition into their own statutes. A network-level GPC scanner should be tested against a site regardless of which state's law technically governs the visitor, because the technical failure mode (trackers ignoring the header) is identical everywhere.

Header-Only Checkers vs. Network-Level Verification

Not all tools that call themselves a "GPC checker" test the same thing. Most browser extensions and free online checkers only confirm that the Sec-GPC header left your browser. That's a necessary first step, but it's not evidence that the destination site did anything with it. Here's how the two approaches compare:

CapabilityHeader-only checkerNetwork-level scanner (Privisy)
Confirms your browser sends Sec-GPCYesYes
Confirms the destination site received itSometimesYes
Verifies trackers actually stop firingNoYes, per-request evidence
Tests navigator.globalPrivacyControl (JS path)NoYes
Catches shadow trackers outside the CMPNoYes
Crawls beyond the homepageNoYes
Produces audit-grade evidenceNoYes, exportable network trace

If you only need a quick sanity check on one page, a header-only checker is fine. If you're trying to answer the question a regulator would actually ask, "did the tracker stop," you need network-level verification.

Run a Free GPC Check on Your Site Now

Privisy is the privacy scanner that gives you network-level GPC compliance results in minutes, not a theoretical assessment of your CMP configuration. Enter your domain and get a full audit report including GPC validation, tracker detection, UI compliance, and privacy policy analysis.

The first audit is free. No credit card required.

Free GPC Checker: Test Your Site Now

Get a network-level GPC scan plus full CCPA compliance audit. Or test your site instantly using our free GPC checker.

Run Your Free GPC Check