global-privacy-control
Installation
SKILL.md
Implementing Global Privacy Control (GPC)
Overview
Global Privacy Control (GPC) is a browser-level signal that communicates a user's privacy preference to opt out of the sale or sharing of their personal information. The GPC specification defines both an HTTP header (Sec-GPC: 1) and a JavaScript API (navigator.globalPrivacyControl) for transmitting this signal.
Under California Privacy Rights Act (CPRA) Section 1798.135(e), businesses must treat GPC signals as valid opt-out requests. The California Attorney General confirmed this enforcement position in the Sephora settlement (August 2022, $1.2 million fine), which was the first enforcement action involving GPC signals.
Legal Requirements by State
California — CPRA (effective January 1, 2023)
- Section 1798.135(e): A business that collects consumers' personal information shall treat the consumer's use of an opt-out preference signal as a valid request to opt out of sale/sharing under Section 1798.120.
- AG Regulation 11 CCR 7025(b): If a business collects personal information from consumers online, the business shall treat an opt-out preference signal as a valid request to opt-out of sale/sharing for that browser or device and any consumer profile associated with that browser or device.
- Sephora Settlement (August 2022): California AG fined Sephora $1.2 million for failing to honor GPC signals, among other violations.