Global Privacy Control (GPC) is a browser-level signal that lets a visitor broadcast a single "do not sell or share my personal information" preference to every site they touch — instead of clicking opt-out links one site at a time. For sites under California's privacy laws this is not a nice-to-have: regulators have treated a user's GPC signal as a valid opt-out request that businesses are expected to honor. Part of supporting it is publishing a small well-known file that declares your site participates. This page explains what that file is, what LaunchTrust looks for, and how to add it.
For an indie developer or store owner with any US traffic, the file is a low-effort signal that is easy to miss. The harder half — actually acting on opt-out requests — happens in your code, and no external scanner can confirm that.
What LaunchTrust checks
The gpc detector performs one focused, read-only check. It derives the origin of the page you submit, then makes a single GET request to:
https://your-domain.example/.well-known/gpc.json
It then inspects the response:
- Detected (severity: info): the file returned successfully and parses as JSON that self-declares "gpc": true. The finding notes this confirms the published file only; it does not verify your backend honors GPC requests at runtime.
- Not detected (severity: low): no valid /.well-known/gpc.json was found. A 200 response that is not valid JSON, or JSON without gpc: true, is treated as not detected, because a generic 200 for any path is almost always a single-page-app or catch-all fallback, not a real GPC document.
- Unable to determine: LaunchTrust could not derive a usable origin from the URL you provided, so it could not run the check.
This detector has a positive polarity: "detected" is the signal you want present. That is the opposite of risk-style checks like third-party trackers, where a match is something to review. Here, finding the file is good news; not finding it is the gap to close.
One boundary matters: the check only reads the static, published declaration file. It cannot see whether your server actually changes behavior when a browser sends the Sec-GPC: 1 request header. Publishing the file is the visible half; honoring the signal lives in your code.
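The following is an added example of the detection logic described above, written for this page in Python; it is not LaunchTrust's own code. The function names (gpc_well_known_url, classify_gpc_response, check_site) and the sample responses are constructed for illustration. It derives the origin from a submitted page URL, classifies a gpc.json response the way the three outcomes above describe, and shows why a 200 HTML shell, a JSON string "true", or a bare `true` document all count as not detected.

```python
import json
from typing import Dict, Optional, Tuple
from urllib.error import HTTPError, URLError
from urllib.parse import urlsplit, urlunsplit
from urllib.request import Request, urlopen

WELL_KNOWN_PATH = "/.well-known/gpc.json"


def gpc_well_known_url(page_url: str) -> Optional[str]:
    """Derive the origin of a submitted page URL and return the gpc.json URL.

    Returns None when no usable origin can be derived, which corresponds to
    the "unable to determine" outcome.
    """
    parts = urlsplit(page_url.strip())
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    # Path, query and fragment of the submitted page are discarded: only the
    # origin matters for the well-known location.
    return urlunsplit((parts.scheme, parts.netloc, WELL_KNOWN_PATH, "", ""))


def classify_gpc_response(status: int, body: bytes) -> str:
    """Classify a /.well-known/gpc.json response as 'detected' or 'not detected'.

    Only a 200 whose body is a JSON object with the boolean member "gpc": true
    counts. An HTML catch-all shell, a JSON string "true", a number 1, or a
    bare `true` document are all rejected, so a site that answers every path
    with its SPA cannot pass by accident.
    """
    if status != 200:
        return "not detected"
    try:
        doc = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return "not detected"  # HTML shells and other non-JSON land here
    if not isinstance(doc, dict) or doc.get("gpc") is not True:
        return "not detected"  # strict: the value must be the boolean true
    return "detected"


def check_site(page_url: str, timeout: float = 10.0) -> str:
    """Run the read-only check against a live site (network access required)."""
    url = gpc_well_known_url(page_url)
    if url is None:
        return "unable to determine"
    req = Request(url, headers={"Accept": "application/json",
                                "User-Agent": "gpc-check-example"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return classify_gpc_response(resp.status, resp.read())
    except HTTPError as err:
        return classify_gpc_response(err.code, b"")
    except URLError:
        return "unable to determine"


# Constructed sample responses, not captured from any real site.
SAMPLE_RESPONSES: Dict[str, Tuple[int, bytes]] = {
    "valid_file": (200, b'{"gpc": true, "lastUpdate": "2026-01-15"}'),
    "spa_shell_200": (200, b'<!doctype html><html><body><div id="app"></div></body></html>'),
    "string_not_bool": (200, b'{"gpc": "true"}'),
    "declares_false": (200, b'{"gpc": false}'),
    "bare_true": (200, b'true'),
    "missing_404": (404, b'Not Found'),
}


def classify_samples() -> Dict[str, str]:
    """Classify every constructed sample; only valid_file should be detected."""
    return {name: classify_gpc_response(status, body)
            for name, (status, body) in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, result in classify_samples().items():
        print(f"{name:18} -> {result}")
```

The classifier deliberately ignores the Content-Type header and lets the body decide: a misconfigured host that serves correct JSON as text/plain still publishes a real declaration, while an HTML shell served as application/json does not.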
Why it matters
Under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), consumers have a right to opt out of the "sale" or "sharing" of their personal information. California's implementing rules direct businesses to treat an opt-out preference signal sent through a user's browser or device — GPC being the leading example — as a valid request to opt out for that browser or device. In effect, a visitor with GPC enabled is, in many cases, treated as having already exercised their opt-out right before they read your page.
The gpc.json file is the public, discoverable way to indicate your site recognizes this mechanism. It signals to users, privacy tools, and reviewers that GPC is part of your setup. Several other US state privacy laws have introduced comparable universal opt-out requirements, so this signal's relevance tends to grow with your US footprint.
The file alone is not the obligation. The obligation is to actually stop selling or sharing data for users who signal a preference. The published file makes your participation visible; your data flows have to back it up.
A concrete example
A valid GPC well-known file is short. Served at /.well-known/gpc.json with a JSON content type, it looks like this:
{
"gpc": true,
"lastUpdate": "2026-01-15"
}
The gpc: true field is the part LaunchTrust keys on; lastUpdate is optional context. If your server instead returns your app's HTML shell with a 200 status (common catch-all behavior), the detector cannot parse it as a GPC document and reports "not detected", which is the correct result, because no real declaration is published.
How to address it
- Create the file. Make a gpc.json containing { "gpc": true }, with an optional lastUpdate date in YYYY-MM-DD format.
- Serve it at the well-known path. Make it reachable at exactly /.well-known/gpc.json. On static hosts this means a .well-known directory at your web root; on a framework, add an explicit route or static-file mapping.
- Return real JSON, not your SPA shell. Confirm the response has a JSON content type and is not your catch-all index.html. An app that answers every path with HTML fails this check even though the URL "works" in a browser.
- Honor the signal. Read the incoming Sec-GPC: 1 request header (or navigator.globalPrivacyControl in client code) and treat it as an opt-out of sale/sharing for that user. Without this step the file is a declaration you are not keeping.
- Reflect it in your privacy policy. State that you recognize GPC and what it controls, so file, policy, and behavior all agree.
- Re-scan to confirm the file is detected at the well-known path.
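The steps above, put together as an added example in Python (standard-library WSGI only, not LaunchTrust's code and not tied to any framework): the app serves /.well-known/gpc.json as real JSON, answers every other path with a single-page-app shell, and honors Sec-GPC: 1 by leaving a third-party sharing tag out of that shell. The shell markup, the ads.example script URL, and the helper names (gpc_opted_out, app, invoke) are constructed for illustration. Two details worth copying: the GPC specification defines "1" as the only meaningful header value, so "0", "true" or an absent header are all treated as no signal; and because the HTML varies with the header, the response carries Vary: Sec-GPC so a shared cache never serves a non-opted-out copy to an opted-out browser.

```python
import json
from typing import Callable, Dict, Iterable, List, Optional, Tuple
from wsgiref.simple_server import make_server

# Constructed for this example: the published declaration and a minimal SPA shell.
GPC_DOCUMENT = {"gpc": True, "lastUpdate": "2026-01-15"}
SHELL_HEAD = '<!doctype html><html><head><title>Shop</title>'
SHELL_TAIL = '</head><body><div id="app"></div></body></html>'
# Hypothetical third-party tag that would share visitor data; omitted on opt-out.
SHARING_TAG = '<script src="https://ads.example/pixel.js"></script>'


def gpc_opted_out(environ: dict) -> bool:
    """True only when the browser sent exactly Sec-GPC: 1.

    WSGI exposes the header as HTTP_SEC_GPC. "1" is the only defined value,
    so anything else is treated as no signal rather than guessed at.
    """
    return environ.get("HTTP_SEC_GPC", "").strip() == "1"


def app(environ: dict, start_response: Callable) -> Iterable[bytes]:
    path = environ.get("PATH_INFO", "/")

    if path == "/.well-known/gpc.json":
        # Explicit route for the well-known file, ahead of the catch-all,
        # returning real JSON with a JSON content type.
        body = json.dumps(GPC_DOCUMENT).encode("utf-8")
        start_response("200 OK", [("Content-Type", "application/json"),
                                  ("Content-Length", str(len(body)))])
        return [body]

    # Catch-all: every other path gets the SPA shell. When the visitor signals
    # GPC, the sharing tag is not emitted, which is what the file promises.
    tag = "" if gpc_opted_out(environ) else SHARING_TAG
    body = (SHELL_HEAD + tag + SHELL_TAIL).encode("utf-8")
    headers: List[Tuple[str, str]] = [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Content-Length", str(len(body))),
        ("Vary", "Sec-GPC"),  # body depends on the header; keep caches honest
    ]
    start_response("200 OK", headers)
    return [body]


def invoke(path: str, sec_gpc: Optional[str] = None) -> Tuple[str, Dict[str, str], bytes]:
    """Call the app in-process with a constructed environ; returns (status, headers, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    if sec_gpc is not None:
        environ["HTTP_SEC_GPC"] = sec_gpc
    captured: Dict[str, object] = {}

    def start_response(status: str, headers: List[Tuple[str, str]]) -> None:
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return str(captured["status"]), dict(captured["headers"]), body  # type: ignore[arg-type]


if __name__ == "__main__":
    # curl -i http://localhost:8000/.well-known/gpc.json
    # curl -i -H 'Sec-GPC: 1' http://localhost:8000/products/1
    make_server("", 8000, app).serve_forever()
```

A re-scan after deploying this would find the JSON file at the well-known path; what it still cannot see is the second branch, so keep the Sec-GPC handling covered by your own tests.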
Check this in 30 seconds
Run your URL through LaunchTrust's free scanner and the gpc check will tell you whether a valid /.well-known/gpc.json is published at your origin — alongside related checks like your privacy policy and third-party trackers. It is the fastest way to catch the common failure mode where a single-page app returns a 200 for every path and quietly hides the fact that no real GPC file exists. You will know in seconds whether the file is genuinely there.
FAQ
What is the difference between the GPC file and honoring GPC? The /.well-known/gpc.json file is a public declaration that your site participates. Honoring GPC means your server reads the Sec-GPC signal and stops selling or sharing that user's data. LaunchTrust can detect the file; it cannot see your runtime behavior, so the published file is only half the picture.
I do not have any California or US users — do I still need this? The signal is most relevant when you have US, and especially California, visitors. If you genuinely have none, it is lower priority. But web traffic is hard to fence by geography, and other US states are adopting similar universal opt-out rules, so many sites add it pre-emptively.
My gpc.json URL opens fine in a browser but the scan says "not detected." Why? Most likely your host returns your app's HTML for unknown paths with a 200 status. The detector requires JSON that declares gpc: true, so an HTML catch-all reads as not detected. Serve the file as real JSON at the exact well-known path.
Does detecting the file mean I'm done? No — it surfaces signals, not a verdict. Detecting the file confirms only that the file is published; it does not certify your site, guarantee you meet CCPA/CPRA, or constitute legal advice. Use the finding as a prompt to also confirm you honor the signal, and consult a qualified advisor where the stakes warrant it.
Compliance aid, not legal advice. LaunchTrust reports signals, not a verdict or certification.