I work as a Data Protection Officer, which is a legal role under GDPR, and am rather unimpressed by GPC. I could whine for a day, but among the most problematic issues: It's not clear if "Sec-GPC: 0" should be interpreted as:

1. "no" to collect personal data under GDPR consent; or 2. "objection" to collect personal data under GDPR legitimate interest or; 3. "no" to retrieving and storing data on a user device (e.g. cookies, localStorage); or 4. A linear combination of the above.

Personally, I think we should simply fine the heck out of all websites until they all feature a "Reject all" button. No need for browser vendors to propose standard which at least one browser vendor can't be bothered to implement.

"Sec-GPC: 0" is invalid. The value can only be 1, and that explicitly cannot be changed in the future according to the spec.

This makes GPC a flag that means "unknown" or "opt-out". There is no "please share my data with your newsletter company" value, there can only be "do whatever the default is for sharing my data with any company you partner with".

> Personally, I think we should simply fine the heck out of all websites until they all feature a "Reject all" button.

Personally I’m tired of cookie pop-ups on websites, a reject all button does nothing to solve the actual problem. If a users browser can somehow communicate the preference so we don’t need to click on pointless stuff then wouldn’t that be optimal?