Do you publish a Global Privacy Control file declaring you honor browser-sent privacy preferences?
Checks for the small JSON file at /.well-known/gpc.json declaring your site respects the Sec-GPC signal.
What this signal tests
Global Privacy Control, or GPC, is a browser-sent header (Sec-GPC: 1) that signals a visitor's general opt-out preference for selling or sharing personal data. To declare publicly that your site respects this signal, you publish a small JSON file at /.well-known/gpc.json containing two fields: gpc set to true, and lastUpdate as an RFC 3339 timestamp. We fetch the file, parse it, and confirm both fields are present and well-formed.
Why it matters for your visibility in AI
GPC is the closest the web has to a do-not-sell-or-share signal that machines can act on automatically. California's CCPA and similar privacy regimes increasingly recognise GPC as a legally valid opt-out. Privacy-aware AI agents, including some shopping and research tools, also read the published gpc.json to know which sites can be trusted to honor user preferences. A site that publishes the file and follows through enjoys a small but accumulating credibility advantage with privacy-conscious automated systems. The consequence of missing GPC is mostly a missed opportunity. AI systems will not refuse to cite you, but they may downgrade their trust in any pages that handle personal data. In regulated jurisdictions, missing GPC also means you may be technically failing to honor a legal opt-out signal that visitors are already sending, which carries its own compliance risk separate from the AI question.
Pass criteria at a glance
| Criterion | Passes when |
|---|---|
| Document parses; gpc true; lastUpdate valid. |
How we test it
We make a single HTTP GET request to /.well-known/gpc.json on your domain. We confirm it returns a 200 status and parses as valid JSON. We then check that the gpc field equals boolean true and that the lastUpdate field is a valid RFC 3339 date string (for example, 2026-05-22 or a full ISO timestamp). Both conditions must hold for the signal to pass; an absent file, malformed JSON, or gpc=false all count as a fail.
Technical detection method
GET /.well-known/gpc.json; parse JSON; gpc===true; lastUpdate valid RFC 3339.
If your site fails: how to fix it
- Confirm your backend actually honors Sec-GPC: 1. Publishing the JSON file without changing behavior is misleading and potentially a legal liability. Audit how your data flows to ad-tech partners, analytics, and CRM systems when a visitor sends the header.
- Create a JSON file with these contents, substituting today's date for lastUpdate: `{"gpc": true, "lastUpdate": "2026-05-22"}`. The file must be plain JSON encoded as UTF-8.
- Host the file at https://yourdomain.com/.well-known/gpc.json. If your CMS does not write files at well-known paths, use a static-file route, a rewrite rule, or your hosting platform's redirect rules.
- Update lastUpdate whenever your privacy practices materially change. The file is meant to advertise a current commitment, not a one-time promise.
- Validate by fetching the URL in a browser and confirming the JSON renders correctly. Re-run the AI Ready Test scan.
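A local version of the check described under "How we test it", usable for the validation step above. This is an added example, not the scanner's own code: the function names are hypothetical, and it assumes lastUpdate may be either an RFC 3339 full-date or a date-time with an offset. It takes a status code and body you have already fetched, so it runs offline.

```python
import json
import re
from datetime import date

# RFC 3339 full-date, optionally followed by a time that carries an offset.
_RFC3339 = re.compile(
    r"(\d{4}-\d{2}-\d{2})"
    r"([Tt]([01]\d|2[0-3]):[0-5]\d:([0-5]\d|60)(\.\d+)?"
    r"([Zz]|[+-]([01]\d|2[0-3]):[0-5]\d))?"
)

def valid_last_update(value):
    """True for an RFC 3339 date or date-time that names a real calendar day."""
    m = _RFC3339.fullmatch(value) if isinstance(value, str) else None
    if not m:
        return False
    try:
        date.fromisoformat(m.group(1))  # rejects e.g. 2026-02-30
    except ValueError:
        return False
    return True

def check_gpc(status, body):
    """Return (passed, reason) for a fetched /.well-known/gpc.json response."""
    if status != 200:
        return False, f"HTTP status {status}, expected 200"
    try:
        doc = json.loads(body)
    except ValueError as exc:  # covers malformed JSON and bad UTF-8 bytes
        return False, f"not valid JSON: {exc}"
    if not isinstance(doc, dict):
        return False, "top-level JSON value is not an object"
    # Identity test: the string "true" and the number 1 must not pass.
    if doc.get("gpc") is not True:
        return False, "gpc is not boolean true"
    if not valid_last_update(doc.get("lastUpdate")):
        return False, "lastUpdate is missing or not a valid RFC 3339 date"
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample responses, not captured from any real site.
    for status, body in [
        (200, '{"gpc": true, "lastUpdate": "2026-05-22"}'),
        (200, '{"gpc": "true", "lastUpdate": "2026-05-22"}'),
        (200, '{"gpc": true, "lastUpdate": "2026-02-30"}'),
        (404, "Not Found"),
    ]:
        print(status, body, "->", check_gpc(status, body))
```

Passing this only confirms the declaration is well-formed; it says nothing about whether the backend actually honors Sec-GPC: 1.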
Quick facts
| Maturity | EMERGING |
|---|---|
| Weight | low |
| Category | Trust & Provenance |
Frequently asked questions
Will I need IT help to fix this?
Publishing the file is a small task most webmasters can handle. Honoring the underlying signal is a much larger project involving your ad-tech, analytics, and CRM integrations. The harder work is the backend compliance, not the file.
Is this required by law?
It depends on jurisdiction. California (CCPA), Colorado (CPA), Connecticut (CTDPA), and several other US states recognise GPC as a valid opt-out for sale or sharing of personal data. The EU's GDPR does not specify GPC, but the principle of honoring opt-outs is well established.
Will declaring GPC support hurt my advertising revenue?
Modestly, for sites that depend on personalised advertising. Visitors sending Sec-GPC: 1 will be served less targeted ads. Many sites find the credibility and compliance benefits outweigh the revenue impact, especially since the share of GPC-sending visitors is still small.
How long until the change takes effect?
Immediately, as soon as the file is uploaded. There is no DNS change and no propagation delay. Test by fetching the URL with curl or a browser. The signal will pass on the next scan.