Test whether your website actually honors the Global Privacy Control signal — not just whether it reads the header.
We revisit your pages with Sec-GPC: 1 set, exactly like a Firefox or Brave user with GPC enabled.
We intercept every outbound request and compare tracker activity with and without the signal — the only way to prove opt-out is enforced.
Failures map to the specific California regulation text, ready to hand to legal.
Most basic GPC check tools only verify whether your server reads the incoming Sec-GPCheader. However, reading the header is just the first step. True compliance means that your website's client-side tag managers, advertising pixels, and analytics scripts must actively suppress data collection when the signal is detected.
Many consent management platforms (CMPs) claim out-of-the-box GPC support, but misconfigurations or custom hardcoded marketing pixels frequently bypass these controls. To verify compliance, you must intercept the real outbound network requests. Check out our full guide to GPC testing for an in-depth breakdown.
Global Privacy Control (GPC) is a user-configurable browser setting or extension that automatically notifies websites of the user's privacy preferences, signaling an opt-out from the sale or sharing of their personal information.
Yes. Under California's CCPA/CPRA regulations (§ 7025), businesses must recognize universal opt-out signals like GPC as valid requests to opt-out of data sale or sharing. Colorado, Connecticut, Texas, Oregon, and other states also mandate Universal Opt-Out Mechanism (UOOM) recognition.
Browser extensions send the GPC header, but they cannot verify if your backend server or tag managers actually block third-party trackers at the network layer. Privisy intercepts outbound traffic in a headless browser to prove compliance or identify leaks.
Go beyond GPC. Scan for UI violations, shadow trackers, and policy gaps in under 3 minutes.
Run full free scan