Your cookie consent platform can detect and honor Global Privacy Control (GPC) signals automatically — but that alone is not enough to pass a full GPC compliance check. Tools like the GPC Inspector browser extension, automated privacy scanners, and regulatory audits evaluate three separate indicators: whether GPC is enabled in the visitor's browser, whether the server detects the signal, and whether the website itself formally declares that it supports GPC. That third indicator is entirely on the website owner's side, and it requires one specific action: publishing a machine-readable JSON declaration file at a fixed path on your domain.
Without this file, the "supported by website" indicator stays inactive — even if your cookie consent solution is correctly installed and blocking non-essential cookies in response to GPC signals exactly as it should. It is the digital equivalent of honoring an opt-out request without ever publishing your opt-out policy: the practice is right, but the declaration is missing.
The good news is that Secure Privacy handles the detection and enforcement side of GPC out of the box — no script changes, no custom logic, no ongoing maintenance. The only task remaining for you as the website owner is publishing this one small file. This article explains what it is, where it goes, and how to deploy it across the most common hosting environments.
Who Is This For?
Website owners and developers who have installed Secure Privacy and want to achieve a fully passing GPC compliance check
Privacy and compliance teams whose GPC Inspector or compliance scanner shows the third indicator ("supported by website") as inactive
Technical teams responsible for deploying the /.well-known/gpc.json file across static, WordPress, Shopify, Nginx, or Apache hosting environments
What Is the GPC Well-Known File?
The GPC well-known file is a small, publicly accessible JSON document that a website publishes to formally declare that it recognizes and honors the Global Privacy Control signal. It is part of the GPC specification, which follows the IETF Well-Known URIs standard — a common pattern used across the web for machine-readable site-level declarations (the same pattern used by robots.txt, security.txt, and Apple Pay domain verification files).
The file must be served at a fixed, predictable path so that browsers, privacy extensions, and compliance scanners can find it without any prior knowledge of your site's structure. For secureprivacy.ai the URL looks like this; on your domain the path must be exactly the same (just replace secureprivacy.ai with your base domain DNS name):
https://secureprivacy.ai/.well-known/gpc.json
When the GPC Inspector extension or an automated scanner fetches this URL and receives a valid response, it marks your site as actively declaring GPC support — completing the third indicator in a full GPC compliance check.
What Secure Privacy Handles Automatically
Before covering the file itself, it is worth being clear about what Secure Privacy already does for you out of the box — so you know exactly how much (or how little) is left to do.
From the moment the Secure Privacy script is installed on your website and the Global Privacy Control toggle is enabled in your Browser Signals settings, Secure Privacy will:
Detect the Sec-GPC: 1 HTTP header and navigator.globalPrivacyControl JavaScript property sent by GPC-enabled browsers
Automatically restrict all cookies to essential-only for any visitor whose browser has GPC active — no banner interaction required on their part
Log GPC-triggered consent interactions alongside standard banner interactions in your consent dashboard
Display detected GPC and Do Not Track signal status to visitors through the configurable browser signals indicator on your consent banner
None of this requires you to write code or configure anything beyond the initial script installation. The /.well-known/gpc.json file is the one remaining step — a public declaration that your site's behavior already reflects.
The GPC Well-Known File: Template
Create a plain text file named gpc.json with the following content:
{
  "gpc": true,
  "lastUpdate": "YYYY-MM-DD"
}
"gpc": true — the required field. Declares that this website supports and will honor the Global Privacy Control signal. Setting this to false is a valid declaration that the site does not honor GPC — which is the opposite of what you want.
"lastUpdate" — an ISO 8601 date in YYYY-MM-DD format recording when this declaration was last reviewed. Replace with today's date. Update it whenever your GPC policy or implementation changes. This field helps regulators and auditors assess how current your declaration is.
That is the complete file. No additional fields are required by the current GPC specification.
Where and How to Deploy the File
Again, the file must be reachable at exactly the path /.well-known/gpc.json from your domain root; for secureprivacy.ai, for example, that is https://secureprivacy.ai/.well-known/gpc.json. The exact deployment method depends on your hosting environment.
Required Serving Conditions (All Environments)
Regardless of how you deploy the file, it must meet the following conditions to be recognized by GPC Inspector and compliance scanners:
Returns HTTP status 200 OK — not a redirect (301/302) and not a 404
Served with Content-Type: application/json
Accessible without authentication — the file is fetched as an unauthenticated GET request
If your site operates across multiple subdomains that process personal data, each subdomain should host its own /.well-known/gpc.json file
Static Sites and File Hosting
Create a folder named .well-known at the root of your web server's public directory (e.g., /public_html/.well-known/ or /var/www/html/.well-known/) and place gpc.json inside it. Ensure both the folder and file are publicly readable. On most static hosting platforms (Netlify, Vercel, GitHub Pages), simply committing the file at /.well-known/gpc.json in your repository root is sufficient.
WordPress
Upload the file via FTP, SFTP, or your hosting file manager to /public_html/.well-known/gpc.json (or the equivalent public root for your hosting provider). Alternatively, use a plugin that manages /.well-known/ routes, or add a rewrite rule to your .htaccess to serve the file. Confirm the file is reachable by opening its URL directly in a browser tab before testing with the GPC Inspector.
Shopify and Other Hosted Platforms
Fully hosted platforms like Shopify restrict direct file system access, which means you cannot simply upload a file to a .well-known/ directory. Options include creating a URL redirect to an externally hosted copy of the JSON file, or using a custom app or middleware layer to serve the response at the required path. Because the serving conditions above call for a direct 200 response rather than a redirect, confirm that whichever approach you choose passes the verification steps below. Check your platform's documentation for the recommended approach to hosting well-known URIs.
Nginx
Add a location block to your server configuration to serve the .well-known directory from your document root:
location /.well-known/ {
    root /var/www/html;
    default_type application/json;
}
Reload Nginx after making the change: sudo nginx -s reload.
Apache
Place the file in your document root under .well-known/gpc.json. If your .htaccess configuration blocks access to dotfiles or dotfolders, add an explicit exception:
<Files ~ "^\.well-known">
    Require all granted
</Files>
You can also force the correct Content-Type header for the file:
<Files "gpc.json">
    Header set Content-Type "application/json"
</Files>
How to Verify the File Is Working
Once the file is deployed, verification takes under a minute:
Paste your file URL directly into a browser tab — https://<<your-domain-DNS-name>>/.well-known/gpc.json — and confirm it returns the JSON content with no redirect and no error.
Open your website with the Global Privacy Control Inspector extension active and GPC enabled in your browser. The third indicator — "supported by website" — should now display as active.
Check the HTTP response headers using browser DevTools (Network tab) to confirm the response status is 200 and Content-Type is application/json.
If the third indicator remains inactive after deployment, the most common causes are: the file path is not exactly /.well-known/gpc.json, the server is returning a redirect instead of a direct 200, or the file is blocked by an authentication layer or .htaccess rule.
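The checks above can also be scripted. The following is an added example, not part of the original article or of Secure Privacy's code: check() applies this page's serving conditions to a response, and fetch() retrieves the file without following redirects so that a 301/302 is reported rather than hidden. The function names and sample responses are constructed for illustration, and treating lastUpdate as optional is an assumption based on "gpc" being the only field the page calls required.

```python
import json
import re
import urllib.error
import urllib.request
from datetime import date

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface a 301/302 as-is instead of following it

def fetch(origin):
    """Unauthenticated GET of <origin>/.well-known/gpc.json, redirects not followed."""
    url = origin.rstrip("/") + "/.well-known/gpc.json"
    try:
        with urllib.request.build_opener(NoRedirect).open(url, timeout=10) as r:
            return r.status, r.headers.get("Content-Type", ""), r.read()
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Content-Type", ""), e.read()

def check(status, content_type, body):
    """Return a list of problems; an empty list means every condition holds."""
    problems = []
    if status != 200:
        problems.append(f"status is {status}, need a direct 200")
    if content_type.split(";")[0].strip().lower() != "application/json":
        problems.append(f"Content-Type is {content_type!r}, need application/json")
    try:
        doc = json.loads(body)
    except ValueError:
        doc = None
    if not isinstance(doc, dict):
        return problems + ["body is not a JSON object"]
    if doc.get("gpc") is not True:
        problems.append('"gpc" is not the JSON boolean true')
    last = doc.get("lastUpdate")
    if last is not None:  # assumed optional, validated only when present
        try:  # the regex rejects other ISO forms that fromisoformat may accept
            date.fromisoformat(last if re.fullmatch(r"\d{4}-\d\d-\d\d", str(last)) else "")
        except ValueError:
            problems.append(f'"lastUpdate" {last!r} is not a YYYY-MM-DD date')
    return problems

# Constructed sample responses (status, Content-Type, body), not captured from a real site.
GOOD = (200, "application/json; charset=utf-8", b'{"gpc": true, "lastUpdate": "2025-01-15"}')
TEMPLATE = (200, "application/json", b'{"gpc": true, "lastUpdate": "YYYY-MM-DD"}')
REDIRECT = (301, "text/html", b"<html>Moved</html>")
SOFT_404 = (200, "text/html; charset=UTF-8", b"<!doctype html><title>Home</title>")

if __name__ == "__main__":
    print(*(check(*s) or "OK" for s in (GOOD, TEMPLATE, REDIRECT, SOFT_404)), sep="\n")
```

To test a live deployment, pass the result of fetch("https://<<your-domain-DNS-name>>") to check(); the SOFT_404 sample covers the case where a CMS answers the path with an HTML page and a 200 status.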
Frequently Asked Questions
Do I need the gpc.json file if Secure Privacy is already installed?
Yes. Secure Privacy handles GPC signal detection and cookie blocking automatically, but the gpc.json well-known file is a separate, website-owner responsibility defined by the GPC specification. Without it, your site will not pass the third indicator in a GPC compliance check — even if Secure Privacy is correctly installed and functioning. The file is a public declaration that complements the enforcement Secure Privacy already provides.
Is publishing the gpc.json file legally required under CCPA?
The California Privacy Protection Agency (CPPA) guidance and the GPC specification strongly recommend publishing the well-known file as part of a complete GPC implementation. While enforcement actions to date have focused on honoring the GPC signal rather than on file publication specifically, publishing the file is considered best practice and is required for your site to pass automated GPC compliance checks and third-party audits.
Does the gpc.json file need to be updated regularly?
The file itself only needs to change if your GPC policy changes. However, it is good practice to update the lastUpdate date whenever you review your privacy implementation — for example, after a platform update, a change in your cookie categories, or a regulatory update. This keeps your declaration current and demonstrates active compliance maintenance to auditors.
What happens if my site has multiple subdomains?
Each subdomain that independently processes personal data should host its own /.well-known/gpc.json file. The GPC specification does not allow a root domain declaration to cover subdomains automatically. If your subdomains share a common infrastructure, you can configure your web server to serve the same file content across all of them.
Can I test my gpc.json file without the GPC Inspector extension?
Yes. Open your browser's developer tools, navigate to the Network tab, and fetch the file URL directly — https://yourdomain.com/.well-known/gpc.json. Confirm the response status is 200, the Content-Type header is application/json, and the response body contains valid JSON with "gpc": true. This confirms the file is correctly deployed regardless of which GPC-aware tool you use to check it.
You Are Now Fully GPC-Compliant
With the /.well-known/gpc.json file published and Secure Privacy installed, your website meets the full requirements of a GPC-compliant implementation: browser signal detection, automatic cookie restriction for GPC-enabled visitors, and a public machine-readable declaration. All three GPC Inspector indicators should now show as active — giving you a defensible, auditable record of your site's compliance with CCPA/CPRA opt-out signal obligations.
Secure Privacy continues to handle the enforcement layer automatically as visitor behavior, browser GPC support, and regulatory expectations evolve — with no ongoing changes required on your end.
Need Help?
Contact Secure Privacy support at [email protected] if you have questions about deploying the GPC well-known file or verifying your GPC compliance setup.