
GPC (Global Privacy Control)

A browser-level signal (Sec-GPC: 1 HTTP header) that communicates a user's preference to opt out of the sale or sharing of their personal information. Legally recognized as a valid opt-out mechanism under CCPA/CPRA.

Overview

Global Privacy Control (GPC) is an open technical specification that lets users communicate a universal opt-out preference through their browser or extension. When enabled, the browser sends a Sec-GPC: 1 HTTP header with every request. Websites that recognize this signal must treat it as a valid opt-out of sale or sharing of personal information under CCPA/CPRA.

Legal Status

  • California (CCPA/CPRA): The California AG and CPPA have confirmed GPC is a legally binding opt-out signal under Cal. Civ. Code §1798.120. The CPPA's 2023 enforcement actions have specifically cited failure to honor GPC.
  • Colorado (CPA): GPC is a valid universal opt-out under C.R.S. §6-1-1313(5).
  • Connecticut (CTDPA): GPC-equivalent signals must be honored.
  • Oregon: GPC is recognized under the Oregon Consumer Privacy Act.

How to Enable GPC

  • Brave Browser: Enabled by default.
  • Firefox: Enable via privacy.globalprivacycontrol.enabled in about:config.
  • Chrome: Install Privacy Badger or the GPC extension.
  • Safari: Third-party extensions available.

How Inori Honors GPC

When Inori detects Sec-GPC: 1:

  1. An inori_gpc=1 cookie is set with a 12-month expiry.
  2. The user's gpc_opt_out column in the database is marked true.
  3. PostHog analytics capture is disabled for that session (posthog.opt_out_capturing()).
  4. Sentry error capture is disabled (beforeSend: null).
  5. The response includes an X-GPC-Honored: true header for browser verification.

This behavior is persistent — you don't need to send the header on every visit. Once set, the preference is remembered.

Relationship to the Analytics Opt-Out Toggle

GPC and the Settings → Privacy analytics toggle are independent signals that produce the same outcome. GPC is a browser-level signal; the toggle is an explicit in-app preference. Either one disables PostHog and Sentry for your account.
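
The server-side decision described in the two sections above can be sketched as follows. This is an added example, not Inori's code: the function names, the analytics_opt_out field and the cookie attributes (Path, Secure, SameSite, 365-day Max-Age) are assumptions, while Sec-GPC, inori_gpc, gpc_opt_out and X-GPC-Honored are taken from the page. It only computes the decision; the PostHog and Sentry calls themselves would act on the analyticsDisabled result.

```javascript
// Added example: hypothetical helper names; header, cookie and column names are from the page.
const GPC_COOKIE = "inori_gpc";
const TWELVE_MONTHS_S = 365 * 24 * 60 * 60; // assumption: "12-month expiry" taken as 365 days

// Parse a Cookie request header into a plain object.
function parseCookies(cookieHeader) {
  const jar = {};
  for (const part of (cookieHeader || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq > 0) jar[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return jar;
}

// headers: request headers keyed by lowercase name (as Node's http module provides them).
// user: { gpc_opt_out, analytics_opt_out } for a signed-in account, or null for anonymous visitors.
function evaluateGpc(headers, user) {
  // Only the exact value "1" is a GPC signal; "0", "true" or an empty value is not.
  const signalNow = (headers["sec-gpc"] || "").trim() === "1";
  // Persistence: a previously set cookie or database flag counts without the header.
  const remembered =
    parseCookies(headers["cookie"])[GPC_COOKIE] === "1" || Boolean(user && user.gpc_opt_out);
  const gpcOptOut = signalNow || remembered;
  const toggleOff = Boolean(user && user.analytics_opt_out); // hypothetical field for the Settings toggle

  const responseHeaders = {};
  if (signalNow) {
    responseHeaders["Set-Cookie"] =
      `${GPC_COOKIE}=1; Max-Age=${TWELVE_MONTHS_S}; Path=/; Secure; SameSite=Lax`;
    responseHeaders["X-GPC-Honored"] = "true";
  }
  return {
    gpcOptOut,
    persistToDb: signalNow && Boolean(user) && !user.gpc_opt_out, // write gpc_opt_out = true once
    analyticsDisabled: gpcOptOut || toggleOff, // either signal alone is sufficient
    responseHeaders,
  };
}
```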


Related Terms

CCPA / CPRA (California Consumer Privacy Act / California Privacy Rights Act)

California's comprehensive consumer privacy laws giving residents the right to know, delete, correct, and opt out of the sale or sharing of their personal information. CPRA amended and expanded CCPA effective January 1, 2023.

DSAR (Data Subject Access Request)

A formal request by an individual to a company to exercise their privacy rights — including accessing, correcting, deleting, or exporting their personal data — as provided by CCPA, CPRA, GDPR, and U.S. state privacy laws.