CCPA/CPRA Requirement
California regulation requires businesses to recognize universal opt-out signals such as GPC as a valid objection to sale or sharing. This goes beyond merely offering an on-site link.
GPC & DNT • AUTOMATIC COMPLIANCE
Honoring GPC and DNT Signals
Global Privacy Control (GPC) and Do Not Track (DNT) are privacy preference signals a user sets once at the browser level. cerez.io detects and honors these signals automatically, with no extra setup. This content is not legal advice.
What Are GPC and DNT?
Global Privacy Control (GPC) is a standard privacy signal a user sends through their browser or an extension, meaning do not sell or share my personal information. The user sets the preference in one place (a browser setting), and the signal is sent automatically to every site they visit.
Do Not Track (DNT) is an older browser signal with a similar purpose: it states that the user does not want to be tracked. Its legal force is less clear than GPC's, but it is still considered for a privacy-friendly default. Both rest on one idea: a user should express their preference once instead of dealing with each site separately.
In short: GPC and DNT are not a replacement for the cookie banner but browser-level signals that complement it. If the user has sent a signal, the site is expected to treat it as a clear decision by the visitor.
Context
Why It Matters
Honoring browser privacy signals is becoming increasingly critical, both legally and for user trust.
Universal Opt-Out
The user sets the preference once in the browser; it then applies across all sites. This is a far stronger privacy guarantee than dealing with a banner on every site.
Regulatory Direction
Discussions in the EU and other jurisdictions are moving toward machine-readable, browser-level preferences. Honoring signals today is forward-looking preparation.
cerez.io
cerez.io Honors GPC and DNT Automatically
When a page loads, the cerez.io SDK checks whether the visitor's browser is sending a GPC (or DNT) signal. No extra code or configuration is needed; the behavior is built into the SDK.
- The SDK detects the GPC/DNT signal sent by the browser (for example navigator.globalPrivacyControl).
- If GPC honoring is enabled in your domain settings and the visitor has no prior decision, non-essential cookies are rejected without showing the banner.
- Google Consent Mode v2 signals (analytics_storage, ad_storage and so on) are updated to denied.
- The decision is recorded for audit like any other; the visitor can change it from the preference center if they wish.
Zero setup: Once you add the single-line embed code to your site, GPC/DNT honoring needs no extra configuration. You can toggle it from your domain settings.
The Difference Between GPC and DNT
Both signals convey a privacy preference, but their legal weight and scope differ.
Global Privacy Control (GPC)
Newer and on stronger legal footing. Regulations such as CCPA/CPRA explicitly recognize GPC as a valid opt-out signal. Its meaning is clear: object to sale or sharing.
- Status: In active use
- Legal weight: High (CCPA/CPRA)
- Meaning: Do not sell/share
Do Not Track (DNT)
Older, with debated legal force. Many sites ignore it; however, cerez.io can also consider it for a privacy-friendly default. Its meaning is more general: I do not want to be tracked.
- Status: Common but non-binding
- Legal weight: Low/uncertain
- Meaning: Do not track me
cerez.io primarily honors the GPC signal; DNT can be treated as an additional privacy-friendly layer. Neither overrides the visitor's existing explicit decision.
Frequently Asked Questions
Short answer: If you fall under regulations such as California's (CCPA/CPRA), you are expected to recognize GPC as a valid sale/sharing opt-out request. In other jurisdictions it is recommended as a privacy-friendly default. Consult your legal advisor for your exact obligation.
Short answer: No. Once the single-line embed code is installed, the behavior is built into the SDK. You can toggle GPC honoring from your domain settings; the default behavior is privacy-friendly.
Short answer: If the visitor has no prior decision and GPC is enabled in your domain settings, non-essential cookies are rejected without showing the banner and Consent Mode is set to denied. The visitor can change their decision from the preference center.
Short answer: GPC is newer and legally stronger (CCPA/CPRA recognizes it); its meaning is do not sell/share. DNT is older, with debated force, and a more general meaning (do not track me). cerez.io primarily honors GPC.
Short answer: No. GPC/DNT honoring is an important part that helps address the universal opt-out expectation in technical terms; but no single feature alone guarantees legal compliance. Full compliance is achieved together with legal advice and proper process design.
Privacy signals,
Automatic GPC/DNT honoring, Google Consent Mode v2 and a multilingual banner. One-line embed, set up in 5 minutes.