In your web server or middleware layer, read the Sec-GPC request header on every incoming HTTP request; a value of '1' indicates the user has enabled GPC.
Map the GPC signal to your data-sale/share opt-out flag in your user-session or cookie store: set a do_not_sell flag to true without requiring additional user action. States including California (CCPA/CPRA), Colorado (CPA), Connecticut (CTDPA), Montana, New Jersey, New Hampshire, and Texas require GPC to be honored as a valid opt-out.
Suppress any server-side data-sharing events (ad auction bids, third-party enrichment calls) for that request when do_not_sell is true.
Serve a gpc.json file at /.well-known/gpc.json on your domain to declare your GPC support: {"gpc": true, "lastUpdate": "YYYY-MM-DD"}.
On the client side, also check navigator.globalPrivacyControl === true in JavaScript and disable client-side tracking tags for states requiring GPC compliance, as the header and JS property must both be respected.
Log each GPC-triggered opt-out event with a timestamp and session identifier for enforcement audit purposes.
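The server-side steps above, sketched as framework-free Node.js-style handler logic. This is an added example, not code from the original page; every function and variable name in it is hypothetical, the lastUpdate date is a constructed placeholder, and it assumes the opt-out stays set for the rest of the session and is logged once, when the flag flips.

```javascript
// Added example. All function and variable names here are hypothetical.
const GPC_LAST_UPDATE = '2025-01-01';   // constructed placeholder date
const auditLog = [];       // stand-in for an append-only audit store
const sharedEvents = [];   // stand-in for ad-auction / enrichment calls

// Node lower-cases header names. Only the exact value "1" is the signal.
function gpcEnabled(headers) {
  const v = headers['sec-gpc'];
  return typeof v === 'string' && v.trim() === '1';
}

// Read the header, set do_not_sell with no user action, log the opt-out.
// Assumption: the flag is sticky for the session and logged when it flips.
function applyGpc(req, session, now = new Date()) {
  if (gpcEnabled(req.headers) && !session.do_not_sell) {
    session.do_not_sell = true;
    auditLog.push({ event: 'gpc_opt_out', sessionId: session.id,
                    ts: now.toISOString() });
  }
  return session;
}

// Gate every server-side sharing call on the flag.
function shareWithPartners(session, payload) {
  if (session.do_not_sell) return false;
  sharedEvents.push(payload);
  return true;
}

// Per-request flow, including the support declaration file.
function handle(req, session) {
  if (req.url === '/.well-known/gpc.json') {
    const body = JSON.stringify({ gpc: true, lastUpdate: GPC_LAST_UPDATE });
    return { status: 200, type: 'application/json', body };
  }
  applyGpc(req, session);
  const shared = shareWithPartners(session, { path: req.url });
  return { status: 200, type: 'text/plain',
           body: shared ? 'shared' : 'suppressed' };
}

// Constructed request carrying the signal; prints "suppressed".
const demoSession = { id: 'sess-demo', do_not_sell: false };
console.log(handle({ url: '/', headers: { 'sec-gpc': '1' } }, demoSession).body);
```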
Known gotchas
GPC is only legally required to be honored in states that have explicitly adopted it (California, Colorado, Connecticut, Montana, New Jersey, New Hampshire, Texas as of mid-2025; verify your target state list for the latest); it is not a universal federal requirement.
The Sec-GPC header is set by the browser; your CDN or reverse-proxy layer must not strip or override it, or you will lose the signal before it reaches application code.
A GPC opt-out applies to sale and sharing for cross-context behavioral advertising; it does not automatically extend to all data processing — you must map it precisely to the covered use cases under each applicable state law.