You have a cookie banner. Your privacy policy mentions CCPA. You think you're good.
But if someone visits your site with GPC (Global Privacy Control) enabled—and millions of privacy-conscious users do—your site is probably still tracking them. That's a violation.
What Is GPC?
Global Privacy Control is a browser signal that tells websites "I don't want to be tracked." When enabled, it sends a header (Sec-GPC: 1) with every request.
Under AB 3048 (effective 2026), you must respect this signal. It's not optional. It's the law.
The Problem: Most Sites Don't Actually Test It
Here's why this compliance gap exists:
- Most CMPs claim to support GPC, but the implementation is often incomplete
- Companies test their cookie banner, not whether it actually blocks when GPC is on
- GPC testing requires technical setup—it's not a checkbox in your consent manager
How to Test If Your Site Respects GPC
Method 1: Browser Extension
Install a GPC testing extension (several exist for Chrome and Firefox). Visit your site with GPC enabled. Check the extension to see if it detects tracking.
Method 2: Manual Header Check
Use a tool like curl to send a request with the Sec-GPC header and see what response you get:
curl -H "Sec-GPC: 1" https://yourdomain.com
Then compare the response to one without the header. If the response sent with the header still contains the same tracking pixels, you're not in compliance.
Method 3: Network Inspection
Open your browser's DevTools → Network tab. Visit your site with GPC enabled (you can toggle this in some browsers' settings or use an extension). Watch for requests to known trackers: Facebook, Google Analytics, Adobe, etc.
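One way to make Method 3 repeatable, as an added example that is not part of the original article: export the DevTools Network capture as a HAR file and check it with a script. It assumes the capture was saved as HAR; the tracker suffix list and the `example.test` host are illustrative, and the sample capture is constructed.

```python
import json
from urllib.parse import urlsplit

# Illustrative, non-exhaustive suffixes for the vendors the article names (assumption).
TRACKER_SUFFIXES = ("google-analytics.com", "facebook.net", "facebook.com",
                    "demdex.net", "omtrdc.net")

def header(entry, name):
    """Return a request header value from a HAR entry (case-insensitive), or None."""
    for h in entry["request"].get("headers", []):
        if h["name"].lower() == name.lower():
            return h["value"]
    return None

def audit_har(har, site_host):
    """Check a HAR captured with GPC on; report tracker requests that still fired."""
    entries = har["log"]["entries"]
    first_party = [e for e in entries
                   if urlsplit(e["request"]["url"]).hostname == site_host]
    # The run only counts if the browser really sent the signal to the site.
    signal_sent = bool(first_party) and all(
        header(e, "Sec-GPC") == "1" for e in first_party)
    hits = []
    for e in entries:
        host = urlsplit(e["request"]["url"]).hostname or ""
        if any(host == s or host.endswith("." + s) for s in TRACKER_SUFFIXES):
            hits.append((e["startedDateTime"], host))
    # Sorting by timestamp shows which tracker fired first after page load.
    return {"signal_sent": signal_sent, "tracker_requests": sorted(hits)}

# Constructed sample capture (not real traffic); example.test is a placeholder site.
SAMPLE_HAR = {"log": {"entries": [
    {"startedDateTime": "2026-01-05T10:00:00.000Z",
     "request": {"url": "https://example.test/",
                 "headers": [{"name": "sec-gpc", "value": "1"}]}},
    {"startedDateTime": "2026-01-05T10:00:00.420Z",
     "request": {"url": "https://www.google-analytics.com/g/collect?v=2",
                 "headers": [{"name": "sec-gpc", "value": "1"}]}},
    {"startedDateTime": "2026-01-05T10:00:00.310Z",
     "request": {"url": "https://connect.facebook.net/en_US/fbevents.js",
                 "headers": [{"name": "sec-gpc", "value": "1"}]}},
    {"startedDateTime": "2026-01-05T10:00:00.200Z",
     "request": {"url": "https://cdn.example.test/app.js", "headers": []}},
]}}

if __name__ == "__main__":
    print(json.dumps(audit_har(SAMPLE_HAR, "example.test"), indent=2))
```

A result with `signal_sent` false means the capture was taken without GPC actually enabled, so an empty tracker list from that run proves nothing.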
Common Failure Points
When we test sites, these are the most common issues:
- Pre-banner firing: Trackers load before the consent check, even with GPC
- GPC ignored for "functional" cookies: Sites convince themselves analytics are "essential"
- CMP configuration gaps: The CMP supports GPC, but the rules aren't set up correctly
- Third-party widgets: Chat widgets, chat buttons, and embedded content still load tracking
What To Do If You Fail
First, don't panic. The issue is fixable. But you need to:
- Identify every tracker that's firing despite GPC
- Configure your CMP to block these when GPC is detected
- Test again—this time properly
- Consider an independent audit to verify you're actually in compliance
Verify Your GPC Compliance
Our audit includes full GPC signal testing at the network layer.