You have a cookie banner. Your privacy policy mentions CCPA. You think you're good.
But if someone visits your site with GPC (Global Privacy Control) enabled, and millions of privacy-conscious users do, your site is probably still tracking them. That's a violation.
What Is GPC?
Global Privacy Control is a browser signal that tells websites "I don't want to be tracked." When enabled, it sends a header (Sec-GPC: 1) with every request.
Under AB 3048 (effective 2026), you must respect this signal. It's not optional. It's the law.
The Problem: Most Sites Don't Actually Test It
Here's why this compliance gap exists:
- Most CMPs claim to support GPC, but the implementation is often incomplete
- Companies test their cookie banner, not whether it actually blocks when GPC is on
- GPC testing requires technical setup: it is not a checkbox in your consent manager
How to Test If Your Site Respects GPC
Method 1: Browser Extension
Install a GPC testing extension (several exist for Chrome and Firefox). Visit your site with GPC enabled. Check the extension to see if it detects tracking.
Method 2: Manual Header Check
Use a tool like curl to send a request with the Sec-GPC header and see what response you get:
curl -H "Sec-GPC: 1" https://yourdomain.com
Then compare the response to one without the header. If you see the same tracking pixels loading, you're not in compliance.
Method 3: Network Inspection
Open your browser's DevTools → Network tab. Visit your site with GPC enabled (you can toggle this in some browsers' settings or use an extension). Watch for requests to known trackers: Facebook, Google Analytics, Adobe, etc.
Common Failure Points
When we test sites, these are the most common issues:
- Pre-banner firing: Trackers load before the consent check, even with GPC
- GPC ignored for "functional" cookies: Sites convince themselves analytics are "essential"
- CMP configuration gaps: The CMP supports GPC, but the rules aren't set up correctly
- Third-party widgets: Chat widgets, chat buttons, and embedded content still load tracking
What To Do If You Fail
First, don't panic. The issue is fixable. But you need to:
- Identify every tracker that's firing despite GPC
- Configure your CMP to block these when GPC is detected
- Test again, this time properly
- Consider an independent audit to verify you're actually in compliance
Verify Your GPC Compliance
Our audit includes full GPC signal testing at the network layer. You can also test your site instantly with our free GPC checker.
Get Your Audit