Your site has a cookie banner. Your privacy policy says all the right things. But when a user visits with Global Privacy Control enabled — which tens of millions of privacy-conscious users do — your trackers are probably still firing.
That's not a hypothetical risk. It's an active legal exposure under California law. And the only way to know for certain is to run a real GPC checker against your own domain.
What Is Global Privacy Control (GPC)?
Global Privacy Control is an open browser signal that consumers use to communicate a single, universal opt-out from the sale or sharing of their personal data. When enabled, it attaches a Sec-GPC: 1 header to every HTTP request and sets navigator.globalPrivacyControl = true in the browser JavaScript context.
Under AB 3048 (effective January 1, 2026), California businesses are legally required to honor this signal as a valid opt-out — the same as clicking "Do Not Sell or Share My Personal Information." There is no opt-in required from the user. There is no grace period. If your site is loading advertising trackers for a GPC-enabled visitor, you are out of compliance right now.
Why You Need a GPC Scanner, Not Just a Policy Review
Most companies address GPC compliance by reviewing their Consent Management Platform (CMP) settings and assuming the job is done. It isn't. Here's why a real GPC scanner is the only reliable verification:
- CMPs often claim GPC support without fully implementing it. The configuration may exist, but the actual tracker-blocking behavior has gaps — particularly for third-party scripts loaded outside the CMP's tag manager scope.
- Header detection ≠ compliance. A basic global privacy control check confirms your server reads the Sec-GPC header. It does not confirm that your marketing pixels, analytics scripts, and ad-tech calls actually stop. Only network-level inspection can verify that.
- JavaScript-side detection is also required. Client-side scripts (like inline ad loaders) need to read navigator.globalPrivacyControl and suppress themselves. Most privacy scanners don't test both the HTTP header path and the JS path simultaneously.
- Shadow trackers fall through CMP coverage. Chat widgets, embedded maps, review badges, and social share buttons often load tracking code that no CMP controls. A GPC checker that operates at the network layer catches all of them.
How to Do a Manual Global Privacy Control Check
If you want to perform a quick manual GPC check before running a full privacy scanner, here are the steps:
- Install a GPC browser extension. Extensions like Privacy Badger or dedicated GPC signal tools (available for Chrome and Firefox) let you enable the signal with one click.
- Open DevTools → Network tab before navigating to your site.
- Visit your homepage with GPC active. Filter the Network tab for requests to known ad-tech and analytics domains: doubleclick.net, googlesyndication.com, connect.facebook.net, pixel.advertising.com, and similar.
- Repeat without GPC enabled and compare. If the same third-party requests appear in both sessions, your site is not honoring GPC.
This manual approach works for spot-checking one page. It doesn't scale to your full site, doesn't catch subtler partial-block failures, and doesn't produce audit-grade evidence for a regulator. For that, you need an automated GPC scanner.
What a Proper GPC Scanner Tests
A comprehensive GPC scanner — not just a header checker — should verify all of the following:
- Network-level tracker suppression: Does the site stop making requests to marketing, advertising, and social media tracker endpoints when GPC is active?
- JavaScript signal availability: Is navigator.globalPrivacyControl set to true and accessible to client scripts?
- Pre-consent tracker firing: Are any trackers loading before the consent banner even appears?
- Category-specific blocking: Marketing and advertising trackers must be blocked under GPC. Analytics and functional cookies may have more nuanced treatment. A good privacy scanner distinguishes between these categories.
- Multi-page coverage: GPC compliance failures often appear only on specific pages — checkout flows, blog posts, or pages with embedded widgets. A GPC scanner should crawl beyond the homepage.
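The session comparison from the manual check and the network-level and category checks listed above can be automated once the request URLs from each session are exported. The following is an added example, not code from the original page or from Privisy; the tracker list, category policy, function names and captured requests are all constructed assumptions.

```javascript
// Added example with constructed data; every name here is hypothetical.
// Categories that must go quiet under GPC. Analytics is left out because the
// checklist treats it as more nuanced; add it if your policy requires.
const OPT_OUT_CATEGORIES = new Set(["marketing", "advertising", "social"]);

// Tiny constructed tracker list standing in for a maintained database.
const TRACKERS = {
  "doubleclick.net": "advertising",
  "googlesyndication.com": "advertising",
  "connect.facebook.net": "social",
  "pixel.advertising.com": "marketing",
  "google-analytics.com": "analytics",
};

// Match on the hostname suffix, not a substring of the URL, so a tracker
// domain that only appears in a query string is not a false positive.
function classify(url) {
  let host;
  try { host = new URL(url).hostname.toLowerCase(); } catch { return null; }
  for (const [domain, category] of Object.entries(TRACKERS)) {
    if (host === domain || host.endsWith("." + domain)) return { domain, category };
  }
  return null;
}

// gpcOn / gpcOff: [{ page, url }] captured with and without the signal.
function auditGpc(gpcOn, gpcOff = []) {
  const baseline = new Set(gpcOff.map(r => classify(r.url)?.domain).filter(Boolean));
  const violations = [];
  for (const { page, url } of gpcOn) {
    const hit = classify(url);
    if (!hit || !OPT_OUT_CATEGORIES.has(hit.category)) continue;
    // Keep the full request URL as evidence, plus whether GPC changed anything.
    violations.push({ page, url, ...hit, alsoWithoutGpc: baseline.has(hit.domain) });
  }
  return { pass: violations.length === 0, violations };
}

// Constructed captures for two pages of a hypothetical site.
const SAMPLE_GPC_ON = [
  { page: "/", url: "https://www.google-analytics.com/g/collect?v=2" },
  { page: "/", url: "https://shop.example/?ref=doubleclick.net" },
  { page: "/checkout", url: "https://connect.facebook.net/en_US/fbevents.js" },
];
const SAMPLE_GPC_OFF = [
  { page: "/", url: "https://stats.g.doubleclick.net/j/collect" },
  { page: "/checkout", url: "https://connect.facebook.net/en_US/fbevents.js" },
];

console.log(JSON.stringify(auditGpc(SAMPLE_GPC_ON, SAMPLE_GPC_OFF), null, 2));
```

In the sample, the DoubleClick request disappears once GPC is on, while the pixel on /checkout fires in both sessions and is reported with its page and full URL.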
How Privisy's GPC Scanner Works
Privisy was built specifically to solve the GPC verification problem that manual testing and CMP dashboards can't adequately address. The GPC validation stage of the Privisy privacy scanner:
- Runs a full Playwright headless browser session with both Sec-GPC: 1 request headers and navigator.globalPrivacyControl = true injected at the browser context level — simultaneously, exactly as a real user's browser would.
- Intercepts all outbound network requests in real time, comparing them against a categorized tracker database (marketing, social media, analytics, functional, ad networks).
- Flags any tracker in the "requires opt-out" categories that fires despite GPC being active — with the specific request URL as evidence, not just a domain match.
- Produces a pass/fail GPC compliance result with a severity rating and the full network trace as exportable audit evidence.
This is the difference between a basic global privacy control check and a production-grade GPC scanner. Privisy doesn't just look for the signal — it verifies the behavioral outcome that the law requires.
Common GPC Failures We Find (And What to Do About Them)
Running Privisy's GPC checker against real sites, these are the failure patterns that appear most often:
- Google Tag Manager bypass: GTM fires before the CMP initializes, loading advertising tags regardless of GPC. Fix: Configure GTM to pause all triggers until CMP consent is resolved, including GPC detection.
- Meta Pixel persistence: The Meta Pixel ("connect.facebook.net") loads even with GPC active because it's hardcoded in a theme template, not managed by the CMP. Fix: Move the pixel into a CMP-controlled tag.
- Analytics miscategorization: Google Analytics 4 is configured as "strictly necessary" in the CMP, exempting it from GPC suppression. Fix: GA4 is analytics, not functional — it must be blocked when GPC is active unless you have a legitimate interest justification documented in your policy.
- Chat widget tracking: Intercom, Drift, and similar tools load a tracking layer independent of their chat function. Fix: Contact the vendor about GPC-compliant loading or proxy the widget behind your own CMP decision.
Run a Free GPC Check on Your Site Now
Privisy is the privacy scanner that gives you network-level GPC compliance results in minutes — not a theoretical assessment of your CMP configuration. Enter your domain and get a full audit report including GPC validation, tracker detection, UI compliance, and privacy policy analysis.
The first audit is free. No credit card required.