Skip to main content
Zenovay
Free5 minutesBeginner

Global Privacy Control (GPC)

How Zenovay honors the Sec-GPC: 1 browser signal end-to-end, what it means for your visitors, and what you need to do as a site owner.

gpcglobal-privacy-controlprivacyconsentccpa
Last updated:

Global Privacy Control (GPC) is a browser-level privacy signal that lets visitors broadcast a "do not sell or share my personal information" preference to every website they visit. Zenovay honors GPC end-to-end — automatically, with no configuration on your side.

What GPC is

GPC is supported by Brave, Firefox, DuckDuckGo, and a growing list of privacy-focused browsers and extensions. When a visitor turns it on, every HTTP request from that browser carries the header:

Sec-GPC: 1

Under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), Sec-GPC: 1 is recognized as a valid opt-out signal. Many EU regulators treat it as a clear expression of intent to refuse non-essential processing.

How Zenovay honors GPC

Zenovay's ingestion pipeline checks the Sec-GPC header on every request. When the value is 1, the visitor is opted out of behavioural processing for that visit:

  • B2B company identification is skipped — Zenovay does not look up the company behind the visitor's IP.
  • Demographic inference is skipped — language and locale are not parsed from the browser, and no timezone is inferred or stored.
  • No marketing or behavioural cookies are written for that visit.
  • The visitor record is flagged gpc_opted_out, so the suppression travels with the row and is auditable.

The decision is made server-side, so the opt-out applies even if your client-side consent script is delayed or fails to load. GPC is a stronger signal than a stored consent choice — a Sec-GPC: 1 request is treated as an opt-out even if a cookie from a previous session says "accept all".

The basic, privacy-preserving pageview still counts. GPC is about not doing behavioural enrichment, profiling, and cross-context processing on that visit — it is not a request to be invisible to the site's own aggregate analytics.

What this means for your visitors

A visitor with GPC enabled who lands on a Zenovay-tracked site:

  • Still appears in your aggregate counts (pageviews, sessions, top pages)
  • Is not enriched with B2B company data
  • Has no demographic signals (language, locale, timezone) inferred or stored
  • Has no marketing or behavioural cookies set in their browser
  • Has the opt-out recorded so you can audit your own honoring behaviour

This applies whether or not your site shows a consent banner.

What you need to do as a site owner

Nothing. GPC honoring is on by default for every Zenovay-tracked website. There's no toggle to flip and no setting to configure.

If you build your own consent layer on top of Zenovay (for example using data-cookieless="true" or a custom CMP integration), GPC still wins — even if a visitor's stored cookie says "accept all", a Sec-GPC: 1 request is still treated as an opt-out from behavioural processing.

How to verify it's working

  1. Install a GPC-enabled browser (Brave is the easiest) or enable GPC in Firefox via about:configprivacy.globalprivacycontrol.enabledtrue.
  2. Open a private/incognito window and visit a page on a site you own that has the Zenovay tracker installed.
  3. Open your browser's DevTools network panel, filter for api.zenovay.com, and confirm the tracking request carries Sec-GPC: 1 in its headers.

On the Zenovay side, the visit is recorded with the GPC opt-out flag set, and Zenovay never sets a marketing or behavioural cookie in the visitor's browser for that visit — you can confirm the absence of those cookies in the same DevTools session.

How GPC interacts with the rest of your privacy stack

SurfaceBehaviour
Cookie consent bannerGPC wins — a Sec-GPC: 1 visitor is opted out of behavioural processing even if a stored cookie says "accept all"
Cookieless mode (data-cookieless="true")GPC still honored — no marketing/behavioural cookies are written and no enrichment runs
B2B company identificationSkipped — Zenovay does not enrich a GPC visitor's IP with company data
Demographic signalsLanguage, locale, and timezone are not inferred or stored for a GPC visitor
Server-side events APIServer-side custom events sent for a Sec-GPC: 1 request are rejected at the ingest endpoint

Audit trail

GPC-driven decisions are recorded so you can evidence your honoring behaviour. The visitor record carries the gpc_opted_out flag, and the consent provenance log notes a gpc_opt_out collection basis for that visit. Visitor IPs are never stored in plaintext — only a daily-rotating, non-reversible hash of the IP is kept.

What GPC does not do

  • It is not the same as Do Not Track (DNT). DNT was deprecated by most browsers; Zenovay does not act on DNT.
  • It does not stop the basic, privacy-preserving pageview from counting — GPC suppresses behavioural enrichment and profiling, not your own aggregate analytics.
  • It does not replace your obligation to publish a privacy policy describing what you collect.

Related articles

  1. Consent & privacy metrics: see how your cookie banner performs

    View your own cookie-banner accept/reject/dismiss rate over time, an identified-vs-anonymized split, and a data-provenance audit — fed by one line of code from your banner. Zenovay stays cookieless.

  2. Cookieless Tracking Mode

    Run Zenovay analytics without any browser-side cookies or storage. Learn how cookieless mode works, what it changes, and when to use it.

  3. CCPA Compliance

    Comply with California Consumer Privacy Act requirements for website analytics and visitor data. Learn about ccpa in this privacy compliance guide.

Was this article helpful?