Global Privacy Control (GPC) is a browser-level privacy signal that lets visitors broadcast a "do not sell or share my personal information" preference to every website they visit. Zenovay honors GPC end-to-end — automatically, with no configuration on your side.
What GPC is
GPC is supported by Brave, Firefox, DuckDuckGo, and a growing list of privacy-focused browsers and extensions. When a visitor turns it on, every HTTP request from that browser carries the header:
Sec-GPC: 1
Under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), Sec-GPC: 1 is recognized as a valid opt-out signal. Many EU regulators treat it as a clear expression of intent to refuse non-essential processing.
How Zenovay honors GPC
Zenovay's tracker and ingestion pipeline check the Sec-GPC header on every request:
- If the value is
1, the visitor is excluded from analytics ingestion. No event, pageview, session, replay, or heatmap data is recorded for that browser. - If the value is missing or
0, normal tracking continues subject to your consent banner configuration.
The decision is made server-side, so a savvy visitor can't be tracked by accident if your client-side consent script is delayed or fails to load.
What this means for your visitors
A visitor with GPC enabled who lands on a Zenovay-tracked site:
- Is not counted as a visitor or pageview
- Does not appear in the live globe, heatmaps, or session replay
- Their consent record (if any) is annotated with the
Sec-GPC: 1signal so you can audit your own honoring behaviour
This applies whether or not your site shows a consent banner. GPC is a stronger signal — it overrides "accept all" if a visitor has it on.
What you need to do as a site owner
Nothing. GPC honoring is on by default for every Zenovay-tracked website. There's no toggle to flip and no setting to configure.
If you build your own consent layer on top of Zenovay (for example using data-cookieless="true" or a custom CMP integration), GPC still wins — even if a visitor's stored cookie says "accept all", a Sec-GPC: 1 request is still excluded.
How to verify it's working
- Install a GPC-enabled browser (Brave is the easiest) or enable GPC in Firefox via
about:config→privacy.globalprivacycontrol.enabled→true. - Open a private/incognito window and visit a page on a site you own that has the Zenovay tracker installed.
- Wait one minute, then check your Zenovay dashboard's Visitors → Live view — your test visit should not appear.
You can also verify the request-side behaviour in the browser's DevTools network panel: filter for api.zenovay.com and confirm the request includes Sec-GPC: 1 in its headers.
How GPC interacts with the rest of your privacy stack
| Surface | Behaviour |
|---|---|
| Cookie consent banner | GPC overrides — a Sec-GPC: 1 visitor is excluded even if a stored cookie says "accept all" |
Cookieless mode (data-cookieless="true") | GPC still honored — exclusion is stricter than cookieless mode's defaults |
| Server-side tracking | GPC is checked at the ingestion endpoint — same behaviour |
| Session replay | A GPC visitor never has a session recorded |
| Heatmaps | A GPC visitor never contributes to heatmap data |
| Identified-users API | A GPC visitor is never identified or appears in the identified-users list |
Audit trail
Every consent decision Zenovay makes — including GPC-driven exclusions — is logged in your team's audit log. The log entry includes:
- The decision (
gpc_excluded) - The page URL
- A hashed visitor identifier (per the cookieless-tracking work shipped Apr 12, 2026 — raw IPs and User-Agents are never stored)
- UTC timestamp
You can query or export the log via the Audit Log Export article.
What GPC does not do
- It is not the same as Do Not Track (
DNT). DNT was deprecated by most browsers; Zenovay does not act onDNT. - It does not replace your obligation to publish a privacy policy describing what you collect when GPC is not present.
- It does not affect your billing — GPC-excluded visits don't count against your monthly event quota.