HTTP/2 200 age: 0 cache-control: public, max-age=0, must-revalidate content-encoding: gzip content-type: text/html; charset=utf-8 date: Sun, 05 Oct 2025 11:32:56 GMT etag: W/"58a7-guHNX2q29lR2chBbMNqVCaHeMfg" server: Vercel strict-transport-security: max-age=63072000; includeSubDomains; preload x-powered-by: Express x-vercel-cache: MISS x-vercel-id: bom1::iad1::hdrc9-1759663976065-e6f0251d0874

Interacting with Global Privacy Control

Server-side detection

A user agent's Global Privacy Control setting is attached to HTTP requests as the Sec-GPC request header. This header's value will be "1" if enabled, and not present otherwise. Interacting with this will vary depending on the application back-end. Example code is Node.js/Express.

Header not present

            
app.get("/", function(req, res) {
  const gpcValue = req.header('Sec-GPC')
  if (gpcValue === "1") {
    // signal detected, do something
  }
})
            
          

Client-side detection

The navigator.globalPrivacyControl property enables client-side script to determine a user agent's Global Privacy Control setting. This value mirrors the value sent in the Sec-GPC header: it will equal true if the Sec-GPC header sent is equal to "1", and false otherwise.

DOM signal present

navigator.globalPrivacyControl:

DOM signal not present

            
const gpcValue = navigator.globalPrivacyControl
if (gpcValue) {
  // signal detected, do something
}
            
          

.well-known

Businesses may host a .well-known/gpc.json resource that indicates to clients how they respond to a Global Privacy Control signal. This is a JSON file hosted at the .well-known/gpc.json endpoint.

.well-known/gpc.json present .well-known/gpc.json not present

Proposed specification View page source