Is My Website Responding to GPC Signals?

Do you want to know if your website will respond to GPC signals and allow a user who doesn’t want to be tracked across the internet? The California Consumer Privacy Act (CCPA) and pending legislation in other US states, as well as the European Union’s Global Data Protection Regulation (GDPR), have all imposed rules on Internet tracking in recent years. Companies must comply with privacy policies to meet the requirements of these laws. Understanding these regulations and being able to handle end-user data privacy demands might greatly assist you if clients, organizations, or users approach you with a request to implement GPC functions. This article will address many of the concerns surrounding GPC and will help you better prepare for such situations.

What is a GPC signal?

A GPC signal is a tiny piece of code sent to any website that a user visits, informing the site that the user has chosen not to sell or share their data. Previously, if a user had the choice, they would have to manually select it on each website they visited. Now that the GPC standard has been implemented, users can broadcast their privacy preference to any site they visit, so knowing how to handle this GPC signal is critical.

Who created GPC?

GPC was designed by a large collaboration of technology and civil rights organisations with the shared goal of giving internet users worldwide control over their personal data rather than being forced to manage it on each individual website they visit. This campaign was established by Ashkan Soltani (Georgetown University), Sebastian Zimmeck (Wesleyan University), The New York Times, The Washington Post, Financial Times, Automattic ( & Tumblr), Glitch, DuckDuckGo, Brave, Mozilla, and other organisations.


How do users send a GPC signal to a website?

To transmit a user’s privacy settings to each website they visit, a browser or a browser extension is required. These browsers and add-ons have configurations that enable users to whitelist/blacklist specific websites as well as customise their desired level of privacy. A GPC signal can be sent out by any browser or extension that has a working implementation of the Web Performance API. A list of all browsers and extensions that may send out a GPC signal can be found on the Founding Organizations page of GPC. If your firm plans to utilize code to handle GPC signals, it’s critical that your developer


Do I need to comply with GPC signals?

GPC is not a requirement for all firms unless they meet one of the two aforementioned privacy laws. A firm will qualify under the GDPR if the following requirements are met:

  1. The company sells its goods or services to people in the EU.
  2. The firm keeps track of EU citizens’ activities.

There are, however, additional criteria to satisfy before being compelled to comply with the CCPA. This is determined by whether your firm is considered a ‘business’ under CCPA rules. The criteria to be considered a ‘business’ is as follows:

  1. The company is a for-profit, private entity
  2. The company collects personal information
  3. The company determines the means of processing that personal information
  4. The company does business in California
  5. The company meets at least one of the following criteria:
  6. The company annual gross revenues exceeding $25 million
  7. The company annually sells/buys or receives/shares for commercial purposes the personal information of 50,000 or more California consumers
  8. The company derives 50% or more of its annual revenue from selling personal information.

Even if your firm isn’t compelled to comply with either statute based on the above criteria, it is still advised that you get familiar with GPC. Other US states are following in the footsteps of California and adopting more privacy-related legislation that might impose similar, if not more stringent, standards for the use and processing of personal information. Virginia is the second state to pass a consumer privacy law, following Washington in May. Other states including New York, Connecticut, Oklahoma, Minnesota, Mississippi, New Jersey, and Utah are expected to have consumer privacy legislation in place by the end of 2021. While a federal privacy law isn’t expected until several years from now, staying up to speed with the new rules and regulations surrounding personal data on a state level may help your business avoid legal problems in the future. 

When does this go into effect?

In May 2018, the GDPR was implemented throughout the European Union, while the CCPA became effective and enforceable in California in January 2020. This implies that if your firm qualifies as a ‘business’ under the CCPA or targets EU residents, understanding how to deal with GPC signals correctly is a must.

What should I do?

To comply with this legislation, you must change how you store user-specific data such as IP addresses, user agent strings, and cookie data so that they don’t get tracked across the website when individuals visit. By checking for the unique ‘Sec-GPC’ request header via an HTTP request on the site’s back end or a script that runs. When data tracking is shut off, it’s important to choose how to do it based on which CMS, CRM, and tech stack your firm use. Also, if you offer website users the option to opt-out of being tracked on your site, it is a best practice that they are given a manual option to opt-out of being tracked on.


Where do I get more information?

There are several resources available to assist website owners in complying with these regulations and standards. The California Attorney General’s website offers detailed information on the CCPA, as well as frequently asked questions about GDPR. Information and FAQs for GDPR may be found on its own site. GPC is a little different. On the GPC website, you can learn more about it, have your queries addressed, explore compliant browsers and extensions, as well as get source code to implement your own GPC signal check.

GPC is unquestionably an excellent answer for global privacy settings for end-users, but it also has corporate ramifications if implemented. If your client requests data privacy features or if the government requires them as part of their compliance standards, you should consider including this feature. There are numerous regulations that businesses must follow when it comes to handling personal information on a state level, so you’ll need to be aware of these changing guidelines in order to avoid potential legal problems.