Understanding GPC Signals

Global Privacy Control (GPC) is a pioneering initiative that significantly enhances online privacy, allowing users to set their privacy preferences across multiple platforms with a single command. This straightforward yet effective tool communicates a user's intent to restrict the sale or sharing of their personal information, ensuring compliance with regulations such as the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR).

The Legal Significance of GPC

The GPC signal exemplifies the changing landscape of privacy laws, reflecting the CCPA's requirement for businesses to honor a user's choice to opt-out of the sale of their personal information. Similarly, under the GDPR, the GPC signal empowers users to limit the transfer of their data to other controllers, in accordance with their rights under Articles 7 and 21. As global privacy regulations continue to develop, GPC signals are set to become a crucial component of legal compliance.

Who supports the GPC Signal

The GPC was crafted by a collaborative group consisting of publishers, tech firms, browser and extension creators, and civil rights organizations. The project is spearheaded by Ashkan Soltani from Georgetown Law and Sebastian Zimmeck from Wesleyan University.

While the standard is still in the works, it's already backed by major browsers and extensions like Abine, Brave, Disconnect, DuckDuckGo, OptMeowt, and Privacy Badger. Prominent websites such as The New York Times and Financial Times also honor this signal.

Pandectes is a staunch supporter of this movement, championing compliance solutions that uphold consumer preferences and rights.

This feature helps publishers easily respect a California consumer opt-out of sale request. However, this signal is relevant for any website operating in a jurisdiction with an opt-out model.

How it works with Shopify & Pandectes

The Location of the visitor must be a CCPA location (California, Virginia, etc)

When the previous two apply, then window.Shopify.trackingConsent.getRegulation() returns the string "CCPA". This is the first check I do.


Merchant must have obviously activated the GPC Integration under integrations of our app.


In the browser we check whether globalPrivacyControl has been enabled by the visitor


This was done using the Shopify flag. We used to get the window.Shopify.trackingConsent.currentVisitorConsent()


This is now done via the navigator.globalPrivacyControl flag which is not Shopify specific. This is true when the user has turned the option on (https://global-privacy-control.glitch.me/).


If the browser flag is set (navigator.globalPrivacyControl === true or 1 (chrome)), then we set the sale_of_data property of the currentVisitorConsent to "no".


The whole process only affects the sale_of_data property and not the other properties (marketing, analytics, preferences).

To test it, call the window.Shopify.trackingConsent.currentVisitorConsent() method and see the object.

Note: If the store has enabled the CCPA page, then the user may select to opt-in the sale of data. If the sale_of_data is already "yes" it is not affected by the GPC flag.

Updated on: 05/06/2024