Your site has a cookie banner. Your privacy policy says all the right things. But when a user visits with Global Privacy Control enabled, which tens of millions of privacy-conscious users do, your trackers are probably still firing.
That's not a hypothetical risk. It's an active legal exposure under California law. And the only way to know for certain is to run a real GPC checker against your own domain. If you want the fastest path to an answer, our free GPC checker tool runs a live network-level test against any URL in under a minute.
What Is Global Privacy Control (GPC)?
Global Privacy Control is an open browser signal that consumers use to communicate a single, universal opt-out from the sale or sharing of their personal data. When enabled, it attaches a Sec-GPC: 1 header to every HTTP request and sets navigator.globalPrivacyControl = true in the browser JavaScript context.
Under AB 3048 (effective January 1, 2026), California businesses are legally required to honor this signal as a valid opt-out, the same as clicking "Do Not Sell or Share My Personal Information." There is no opt-in required from the user. There is no grace period. If your site is loading advertising trackers for a GPC-enabled visitor, you are out of compliance right now.
Why You Need a GPC Scanner, Not Just a Policy Review
Most companies address GPC compliance by reviewing their Consent Management Platform (CMP) settings and assuming the job is done. It isn't. Here's why a real GPC scanner is the only reliable verification:
- CMPs often claim GPC support without fully implementing it. The configuration may exist, but the actual tracker-blocking behavior has gaps, particularly for third-party scripts loaded outside the CMP's tag manager scope.
- Header detection ≠ compliance. A basic global privacy control check confirms your server reads the
Sec-GPCheader. It does not confirm that your marketing pixels, analytics scripts, and ad-tech calls actually stop. Only network-level inspection can verify that. - JavaScript-side detection is also required. Client-side scripts (like inline ad loaders) need to read
navigator.globalPrivacyControland suppress themselves. Most privacy scanners don't test both the HTTP header path and the JS path simultaneously. - Shadow trackers fall through CMP coverage. Chat widgets, embedded maps, review badges, and social share buttons often load tracking code that no CMP controls. A GPC checker that operates at the network layer catches all of them.
How to Do a Manual Global Privacy Control Check
If you want to perform a quick manual GPC check before running a full privacy scanner, here are the steps:
- Install a GPC browser extension. Extensions like Privacy Badger or dedicated GPC signal tools (available for Chrome and Firefox) let you enable the signal with one click.
- Open DevTools → Network tab before navigating to your site.
- Visit your homepage with GPC active. Filter the Network tab for requests to known ad-tech and analytics domains:
doubleclick.net,googlesyndication.com,connect.facebook.net,pixel.advertising.com, and similar. - Repeat without GPC enabled and compare. If the same third-party requests appear in both sessions, your site is not honoring GPC.
This manual approach works for spot-checking one page. It doesn't scale to your full site, doesn't catch subtler partial-block failures, and doesn't produce audit-grade evidence for a regulator. For that, you need an automated GPC scanner.
What a Proper GPC Scanner Tests
A comprehensive GPC scanner (not just a header checker) should verify all of the following:
- Network-level tracker suppression: Does the site stop making requests to marketing, advertising, and social media tracker endpoints when GPC is active?
- JavaScript signal availability: Is
navigator.globalPrivacyControlset totrueand accessible to client scripts? - Pre-consent tracker firing: Are any trackers loading before the consent banner even appears?
- Category-specific blocking: Marketing and advertising trackers must be blocked under GPC. Analytics and functional cookies may have more nuanced treatment. A good privacy scanner distinguishes between these categories.
- Multi-page coverage: GPC compliance failures often appear only on specific pages: checkout flows, blog posts, or pages with embedded widgets. A GPC scanner should crawl beyond the homepage.
How Privisy's GPC Scanner Works
Privisy was built specifically to solve the GPC verification problem that manual testing and CMP dashboards can't adequately address. The GPC validation stage of the Privisy privacy scanner:
- Runs a full Playwright headless browser session with both
Sec-GPC: 1request headers andnavigator.globalPrivacyControl = trueinjected at the browser context level: simultaneously, exactly as a real user's browser would. - Intercepts all outbound network requests in real time, comparing them against a categorized tracker database (marketing, social media, analytics, functional, ad networks).
- Flags any tracker in the "requires opt-out" categories that fires despite GPC being active: with the specific request URL as evidence, not just a domain match.
- Produces a pass/fail GPC compliance result with a severity rating and the full network trace as exportable audit evidence.
This is the difference between a basic global privacy control check and a production-grade GPC scanner. Privisy doesn't just look for the signal: it verifies the behavioral outcome that the law requires.
Common GPC Failures We Find (And What to Do About Them)
Running Privisy's GPC checker against real sites, these are the failure patterns that appear most often:
- Google Tag Manager bypass: GTM fires before the CMP initializes, loading advertising tags regardless of GPC. Fix: Configure GTM to pause all triggers until CMP consent is resolved, including GPC detection.
- Meta Pixel persistence: The Meta Pixel ("connect.facebook.net") loads even with GPC active because it's hardcoded in a theme template, not managed by the CMP. Fix: Move the pixel into a CMP-controlled tag.
- Analytics miscategorization: Google Analytics 4 is configured as "strictly necessary" in the CMP, exempting it from GPC suppression. Fix: GA4 is analytics, not functional: it must be blocked when GPC is active unless you have a legitimate interest justification documented in your policy.
- Chat widget tracking: Intercom, Drift, and similar tools load a tracking layer independent of their chat function. Fix: Contact the vendor about GPC-compliant loading or proxy the widget behind your own CMP decision.
How to Enable GPC in Your Browser
Before you can test whether a site honors GPC, you need a browser that actually sends the signal. Support varies by browser, and the toggle isn't always where you'd expect. Here's what's current as of this writing, though browser settings menus do change over time so it's worth double-checking your browser's own privacy documentation if something doesn't match:
- Firefox (desktop, version 120+): Open Settings, select Privacy & Security from the left sidebar, scroll to the Website Privacy Preferences section, and check the box labeled "Tell websites not to sell or share my data." That's GPC. Firefox removed the older "Do Not Track" setting in version 135 and now treats GPC as the supported successor.
- Brave: GPC is on by default for every user, every tab, with no configuration required. Brave was one of the earliest browsers to ship the signal natively.
- DuckDuckGo (browser app or browser extension): GPC is enabled by default the moment you install DuckDuckGo's browser or its "Privacy Essentials" extension for Chrome, Firefox, or Edge. There's no separate switch to find.
- Chrome, Edge, and Safari: These browsers don't ship a native GPC toggle, so you'll need an extension. The Electronic Frontier Foundation's Privacy Badger extension sends the GPC signal automatically once installed, as does the DuckDuckGo extension mentioned above.
Once enabled, you can confirm the signal is live by visiting globalprivacycontrol.org: the page reads your browser's signal directly and displays a "GPC signal detected" confirmation at the top if it's working. That confirms your browser is sending the signal. It says nothing about whether the site you actually care about is honoring it, which is the harder problem this whole post is about.
Manual GPC Test: DevTools Walkthrough
You don't need special tools to run a basic GPC test yourself. Chrome, Firefox, and Edge all ship the DevTools panel you need built in. Here's the walkthrough:
- Enable GPC using one of the methods above, then open DevTools (F12 or Cmd+Option+I on Mac) and switch to the Network tab. Check "Preserve log" so requests survive page navigation.
- Navigate to the target site's homepage. Click the first document request in the Network panel (usually the top-most entry, the HTML document itself) and inspect the Request Headers section. You should see
Sec-GPC: 1listed among the headers your browser sent. If it's missing, GPC isn't actually enabled and nothing past this point is a valid test. - Filter the Network panel by typing fragments of known tracker domains into the filter box:
doubleclick,facebook.net,google-analytics,googlesyndication,criteo,taboola. A pass looks like an empty result list, or only requests to categories that don't require opt-out (like strictly necessary functional cookies). A fail looks likeconnect.facebook.net/tr?id=...or adoubleclick.netad-serving call showing up in the list despite the GPC header being present on the page request. - Open the console and run
navigator.globalPrivacyControl. It should returntrue. If it returnsundefinedorfalse, the site's own JavaScript (or your browser) isn't exposing the signal at the API level, which matters because some client-side ad loaders check this property directly instead of relying on the server to read the header. - Disable GPC and repeat the same page load. Compare the two Network panel captures side by side. If the same third-party requests fire in both the GPC-on and GPC-off sessions, the site is not differentiating behavior based on the signal at all, regardless of what its cookie banner claims.
This walkthrough is exactly what our free GPC checker automates, minus the manual clicking, and it runs the comparison across your whole crawlable site instead of one page at a time.
What the Law Actually Requires
The GPC obligation in California isn't a single sentence. It's a regulatory framework spread across several subsections of 11 CCR § 7025, and the details matter because they define exactly what "pass" and "fail" mean for a compliance test:
- § 7025 (the core rule): A business must treat a qualifying opt-out preference signal as a valid request to opt out of sale and sharing for that browser or device, and for any consumer profile (including pseudonymous profiles) associated with it. This is the baseline: if GPC is on, sale and sharing must stop, full stop.
- § 7025(c)(3), conflicting privacy settings: If a consumer previously opted back in to sale or sharing through a business-specific setting, and then GPC signals a fresh opt-out, the business must still honor the opt-out first. It may notify the consumer of the conflict and offer a way to re-consent, but it cannot simply keep the old setting and ignore the new signal.
- § 7025(c)(6), the status display requirement: When GPC is active, the business must show, somewhere on the site, whether it processed the signal, for example an "Opt-Out Request Honored" message or a toggle reflecting opted-out status. Silence is not compliant even if the trackers are correctly blocked.
- § 7025(f)(3), frictionless processing: This is the "no forced login, no dark patterns" clause. A business processing GPC in frictionless mode cannot show a pop-up, banner, animation, sound, or any interstitial content in response to the signal. The only permitted exceptions are displaying opt-out status and providing a link to a privacy settings page. In other words, a site cannot require an account, a login, or a click-through modal before it will honor GPC.
Put together, these subsections mean a compliant site must (1) actually stop the sale/sharing-category trackers, (2) do it automatically without requiring the visitor to log in or click anything, and (3) tell the visitor it did so. A scanner that only checks for the presence of a cookie-banner "your choices" link is testing none of these three things.
GPC Requirements Beyond California
California isn't the only state that requires businesses to honor universal opt-out signals like GPC. If your traffic isn't California-only, your GPC obligations aren't either:
- Colorado (Colorado Privacy Act): Colorado's law is a comprehensive privacy statute that grants consumer rights and mandates recognition of universal opt-out mechanisms, backed by a required data protection assessment process for high-risk processing.
- Connecticut (Connecticut Data Privacy Act): Connecticut requires businesses to honor opt-out signals as part of its broader consumer-rights framework, and the requirement was reinforced by Public Act No. 25-113, which strengthened the state's enforcement posture.
- Texas (Texas Data Privacy and Security Act): Texas applies its privacy law to any business conducting business in the state and requires recognition of universal opt-out signals, alongside general consumer data rights.
The practical takeaway: if your GPC compliance program is scoped to "California visitors only," you likely have gaps for Colorado, Connecticut, and Texas traffic too, since all three states now fold universal opt-out signal recognition into their own statutes. A network-level GPC scanner should be tested against a site regardless of which state's law technically governs the visitor, because the technical failure mode (trackers ignoring the header) is identical everywhere.
Header-Only Checkers vs. Network-Level Verification
Not all tools that call themselves a "GPC checker" test the same thing. Most browser extensions and free online checkers only confirm that the Sec-GPC header left your browser. That's a necessary first step, but it's not evidence that the destination site did anything with it. Here's how the two approaches compare:
| Capability | Header-only checker | Network-level scanner (Privisy) |
|---|---|---|
| Confirms your browser sends Sec-GPC | Yes | Yes |
| Confirms the destination site received it | Sometimes | Yes |
| Verifies trackers actually stop firing | No | Yes, per-request evidence |
| Tests navigator.globalPrivacyControl (JS path) | No | Yes |
| Catches shadow trackers outside the CMP | No | Yes |
| Crawls beyond the homepage | No | Yes |
| Produces audit-grade evidence | No | Yes, exportable network trace |
If you only need a quick sanity check on one page, a header-only checker is fine. If you're trying to answer the question a regulator would actually ask, "did the tracker stop," you need network-level verification.
Run a Free GPC Check on Your Site Now
Privisy is the privacy scanner that gives you network-level GPC compliance results in minutes, not a theoretical assessment of your CMP configuration. Enter your domain and get a full audit report including GPC validation, tracker detection, UI compliance, and privacy policy analysis.
The first audit is free. No credit card required.
Free GPC Checker: Test Your Site Now
Get a network-level GPC scan plus full CCPA compliance audit. Or test your site instantly using our free GPC checker.
Run Your Free GPC Check