
Is Do Not Track Dead? Understanding GPC and Modern Privacy Laws

In 2009, privacy researchers proposed Do Not Track (DNT) — a simple HTTP request header that users could toggle in browser settings. The concept was straightforward: if a browser sent the header DNT: 1, websites were requested to disable tracking cookies, behavioral profiles, and data sharing.

While DNT was adopted by major browsers, it is now considered dead. Today, its successor — Global Privacy Control (GPC) — is taking its place with one massive advantage: it is legally enforceable.

Why Do Not Track Failed

The fatal flaw of Do Not Track was its voluntary nature. DNT was a polite request, not a legal mandate.

When the header was finalized, major ad tech companies and data brokers openly ignored it. There was no regulatory penalty for tracking users who had DNT enabled. In 2012, Internet Explorer enabled DNT by default, prompting the advertising lobby to argue that the signal did not represent active user choice, rendering it invalid.

Standardization groups reached a deadlock, and the W3C tracking protection working group officially disbanded in 2019.

In fact, DNT became counterproductive: because DNT was rarely enabled by default, having the header active actually added entropy to your browser profile, making your browser *more* unique and easier to fingerprint.

The Rise of Global Privacy Control (GPC)

Global Privacy Control (GPC) was created by a coalition of privacy organizations, browser vendors, and legal experts to succeed DNT.

GPC works under the hood via two methods:

  1. An HTTP Header: Your browser sends Sec-GPC: 1 with every web request.
  2. A JavaScript Property: The browser exposes the property navigator.globalPrivacyControl set to true.
[Browser (Sec-GPC: 1)] ---> [Website Server] ---> Read GPC, Opt-Out User
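
The server side of the flow above, as an added example that is not code from the original page: it reads the Sec-GPC header, turns it into an opt-out decision, and mirrors the navigator.globalPrivacyControl check for client scripts. The function names, the storedOptOut parameter and the decision fields are hypothetical.

```javascript
"use strict";
// Added example; function names and decision fields are hypothetical.

// True only when the request carries Sec-GPC with the exact value "1".
// Header names are case-insensitive; any other value is not a signal.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() !== "sec-gpc") continue;
    const values = Array.isArray(value) ? value : [value];
    return values.some((v) => String(v).trim() === "1");
  }
  return false;
}

// Server-side decision for one request. storedOptOut is an opt-out the
// site already holds for this user (assumption); GPC can add an opt-out
// but its absence never cancels a stored one.
function privacyDecision(headers, storedOptOut = false) {
  const gpc = hasGpcSignal(headers);
  const optedOut = gpc || storedOptOut;
  return {
    gpc,
    allowSaleOrSharing: !optedOut,
    loadThirdPartyAdTags: !optedOut,
    reason: gpc ? "gpc-header" : storedOptOut ? "stored-opt-out" : "none",
    // The page body now depends on the header, so shared caches must
    // not serve the tracking variant to a GPC visitor.
    responseHeaders: { Vary: "Sec-GPC" },
  };
}

// Client-side counterpart: gate tag loading on the JavaScript property.
function clientHasGpc(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// Constructed sample requests (not captured traffic).
const samples = [
  { "Sec-GPC": "1", "User-Agent": "ExampleBrowser/1.0" },
  { "sec-gpc": "0" },
  { "User-Agent": "ExampleBrowser/1.0" },
];
for (const h of samples) {
  console.log(JSON.stringify(h), "->", privacyDecision(h).reason);
}
```

In a browser, clientHasGpc(navigator) is the call a consent or tag-manager script would make before loading third-party tags.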

The crucial difference: GPC has legal teeth.

Under modern privacy regulations like the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR), websites are legally required to treat a GPC signal as a valid, user-initiated request to opt out of the sale or sharing of their personal information.

In 2022, the California Attorney General fined a major beauty brand $1.2 million for failing to honor GPC signals, setting a clear legal precedent: ignoring GPC is a violation of consumer privacy law.

How to Check and Enable GPC

To verify if your browser is actively protecting your legal rights:

  1. Visit BrowserProbe's Do Not Track Test.
  2. Look at the Global Privacy Control row.
  3. If it displays "Enabled," your browser is correctly broadcasting your opt-out preferences.

To turn GPC on, use a browser that supports GPC natively or add an extension:

  • Brave Browser: GPC is enabled by default.
  • Mozilla Firefox: Go to Settings -> Privacy & Security and check the box for "Tell websites not to sell or share my data".
  • Browser Extensions: If you use Chrome or Edge, you can enable GPC by installing the Privacy Badger or Opt-Out Easy extension.

By switching to GPC, your request is no longer a polite ask — it is a legal command that websites ignore at their own financial risk.