As we near 2025, technology continues to seep ever deeper into daily life, and our digital activities leave an increasingly detailed breadcrumb trail behind us. Tracking technologies, data brokers, and a swirl of complex privacy policies can make it all but impossible to know who’s gathering your personal information—and for what ends. Enter the Global Privacy Control (GPC), an emerging standard that promises to give internet users a louder, clearer voice in how their data is handled online.
The death of Do Not Track
The concept of signalling a desire for privacy isn’t new. About a decade ago, the ill-fated Do Not Track (DNT) signal attempted something similar. It was a way for users to signal to websites they don’t want to be tracked, typically by enabling a setting in their web browser (like Firefox or Chrome). Sadly, it never received the regulatory muscle or uniform adoption it needed to become truly effective, and support in web browsers was lacklustre. Even Firefox, an early champion of DNT, announced in December it will be dropping support for DNT.
Most websites simply ignored the DNT signal from users.
The GPC, by contrast, arrives at a time when the winds have shifted. With global data protection regulations on the rise, especially in the United States and European Union, the appetite for respecting global opt-out requests is stronger than ever.
Introduced in 2020, GPC was developed by a coalition of privacy advocates, legal scholars, and tech companies, looking for a straightforward way to express a user’s preference not to have their personal information sold or shared. It takes the form of a simple signal, sent automatically by a browser or extension, that informs every website you visit of your stance on data collection. Think of it as a universal do-not-sell/do-not-share sticker plastered on your digital self, visible to any site you tap into.
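As an added example (not from the original article or from any site it names), this is a minimal server-side check for the signal. The `Sec-GPC: 1` request header and the `/.well-known/gpc.json` support resource come from the GPC specification; the function names, the stored-preference shape and the sample requests are assumptions.

```javascript
// Added example: honouring the GPC request header on the server.
// "Sec-GPC: 1" and /.well-known/gpc.json are defined by the GPC specification;
// function names and the `stored` preference object are hypothetical.

// Return true only when the request carries a valid GPC signal.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers)) {
    // HTTP header names are case-insensitive.
    if (name.toLowerCase() !== 'sec-gpc') continue;
    // Duplicate headers may arrive as an array or as one comma-joined string.
    const values = Array.isArray(value) ? value : String(value).split(',');
    // The only defined value is "1"; anything else is treated as no signal.
    return values.length > 0 && values.every((v) => String(v).trim() === '1');
  }
  return false;
}

// Combine the signal with a stored account preference. Design choice of this
// example: the signal can add an opt-out but never removes an existing one.
function resolveSalePreference(headers, stored = { optedOut: false }) {
  const gpc = hasGpcSignal(headers);
  const storedOptOut = stored.optedOut === true;
  return {
    optedOutOfSaleOrSharing: gpc || storedOptOut,
    source: gpc ? 'gpc-signal' : storedOptOut ? 'account-setting' : 'none',
  };
}

// Body for /.well-known/gpc.json, which a site publishes to declare support.
function gpcSupportResource(lastUpdate) {
  return JSON.stringify({ gpc: true, lastUpdate });
}

// Constructed sample requests (not captured traffic).
const samples = [
  { 'Sec-GPC': '1' },
  { 'sec-gpc': '0' },
  { 'User-Agent': 'ExampleBrowser/1.0' },
];
for (const h of samples) console.log(h, resolveSalePreference(h));
```

In page scripts, the same specification exposes the preference as `navigator.globalPrivacyControl`, so client-side tag loading can be gated on the same decision.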
Changing legal landscape
What sets GPC apart from its predecessors is its explicit legal recognition. Under California’s privacy regulations—first the California Consumer Privacy Act (CCPA), now strengthened by the California Privacy Rights Act (CPRA)—businesses must honour certain consumer signals that indicate a refusal to have personal data sold. The California Attorney General’s office has openly endorsed GPC as a valid mechanism for communicating such preferences.
This means that sites serving visitors subject to California’s privacy laws may find ignoring GPC risky. With enforcement powers strengthening and other US states considering similar statutes, industry observers suggest that the momentum towards respecting GPC will only grow. Meanwhile, the EU’s General Data Protection Regulation (GDPR) and related laws in other parts of the world already enshrine principles of data minimisation and user consent. GPC looks like a natural fit for the evolving global compliance puzzle.
Which browsers support GPC?
It’s true that GPC isn’t yet a household name, but it’s rapidly gaining traction. Privacy-first browser makers and extensions have been the early champions. Brave, with its avowed mission to shield users from trackers, supports GPC out of the box, so you can broadcast your preferences without lifting a finger. DuckDuckGo, best known for its privacy-friendly search engine, similarly integrates GPC into its mobile browser and desktop add-ons.
Mozilla Firefox—a long-time advocate for user choice and transparency—announced its support for GPC in Firefox 120, released in November 2023.
As of December 2024, GPC isn’t supported by Google Chrome or the Chromium-based Microsoft Edge. Industry watchers are waiting to see if these major players will align themselves with a more privacy-centric web. A range of browser extensions (also known as add-ons), like the Privacy Badger extension from the Electronic Frontier Foundation, can already add GPC functionality if your preferred browser has yet to embrace it.
Will websites listen?
The signal GPC replaces, DNT, was widely ignored by websites. After all, there was no penalty for ignoring it.
The question remains whether GPC can succeed where DNT struggled. But GPC undoubtedly stands on firmer ground. Unlike DNT, which lacked legal heft, GPC operates in an environment where ignoring consumers’ clearly stated preferences can lead to regulatory scrutiny and hefty fines. For businesses, aligning with GPC is an opportunity to display transparency and build trust, and more importantly to streamline compliance with a patchwork of emerging privacy laws.
Still, we’re at an early stage. Some websites (like the New York Times) have begun to recognise and respect GPC signals. The Washington Post, too, is listed as a backer on the Global Privacy Control website, and notes its respect for GPC in its Privacy Policy:
If you have enabled a legally recognized browser-based opt out preference signal (such as Global Privacy Control) on your browser, we recognize such preference in accordance and to the extent required by applicable law.
It will likely take time (and a number of public enforcement actions) before GPC becomes a universal fixture of online life.
Already in 2022, Sephora was fined $1.2 million by California for failing to process users’ “do not sell my data” opt-out requests made via the GPC.
Digital rights in 2025
No matter how rapidly GPC spreads, the underlying principle is difficult to ignore: people deserve a straightforward way to assert their privacy preferences online. If GPC succeeds, it might finally give users a genuine seat at the negotiating table, one where their personal data isn’t just a commodity to be traded, but an asset they control, limit, or deny access to as they wish.
The regulatory tide is turning towards greater user sovereignty, and GPC is no silver bullet. But it may well herald a future where the murky world of data collection is cast in a clearer light. Hopefully the individual, rather than the advertiser, emerges at the centre of the digital ecosystem.
Hopefully 2025 is a positive year for digital rights.