
arxiv: 2512.08856 · v3 · submitted 2025-12-09 · 💻 cs.CY · cs.CR

Can the GPC standard eliminate consent banners in the EU?

Pith reviewed 2026-05-16 23:33 UTC · model grok-4.3

classification 💻 cs.CY cs.CR
keywords Global Privacy Control · GPC · GDPR · consent banners · behavioral advertising · data protection · privacy signals · ePrivacy Directive

The pith

Sending a GPC signal lets EU users refuse or withdraw consent for cross-context ad targeting under GDPR and could reduce consent banners if sites honor it.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper examines whether the Global Privacy Control standard, already used in the US, can be adapted to express data subject choices under GDPR and the ePrivacy Directive. It concludes that a GPC signal can convey refusal or withdrawal of consent for behavioral advertising and, in limited cases, an objection to processing. Current law creates friction because the signal is not explicitly recognized as a valid legal mechanism, yet the authors note that sites can voluntarily honor it today. Longer term, amendments proposed in the Digital Omnibus would let automated signals replace many consent banners and ease consent fatigue. The evaluation shows that technical standardization at the W3C already provides the necessary format for these expressions.

Core claim

By sending a GPC signal, data subjects can express their refusal or withdrawal of consent under the GDPR to the use of their personal data for cross-context ad targeting and, in some cases, to express their objection under the GDPR against the use of their data for such purposes. The evaluation identifies friction between the GPC specification and current EU data protection law. In the longer term, it would be possible for the EU legislator to amend EU laws, as proposed in the current Digital Omnibus, in such a way that internet users can use automated signals to express choices about personal data use and online tracking. In the shorter term, websites and companies who conduct online t

What carries the argument

The Global Privacy Control (GPC) signal, a W3C-standardized technical header that automatically broadcasts a user's opt-out preference to visited sites for cross-context behavioral advertising.

If this is right

  • Websites conducting online tracking can already honor GPC signals to meet some GDPR consent requirements without waiting for legislative change.
  • Widespread site support for GPC would let users set their preference once and avoid repeated consent banners for behavioral advertising.
  • EU legislators could codify automated signals like GPC in the Digital Omnibus to make them legally sufficient for consent and objection expressions.
  • Reduced consent fatigue would follow if users no longer need to interact with banners for each site when their GPC preference is respected.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • If major browsers and ad platforms default to sending GPC, regulators might face pressure to clarify its legal status sooner than the Omnibus timeline.
  • Sites that ignore GPC could face increased complaints or enforcement actions once users become aware they can send the signal from EU locations.
  • Adoption of GPC might extend beyond advertising to other processing purposes if the technical signal is later mapped to additional GDPR rights.
  • A measurable test would be the percentage of top EU-facing sites that stop showing banners or adjust tracking when a GPC signal is detected.

Load-bearing premise

That websites will voluntarily honor GPC signals at scale and that courts or regulators will treat the signal as a valid, binding expression of consent withdrawal or objection under existing GDPR without new legislation.

What would settle it

A court ruling or regulatory decision that GPC signals do not constitute valid consent withdrawal under GDPR, or widespread non-compliance by major ad-tech and publisher sites when EU users send the signal.

Original abstract

In the EU, the General Data Protection Regulation and the ePrivacy Directive mandate consent for the use of personal data for the purpose of behavioural advertising and tracking technologies. However, the ubiquity of consent banners has led to widespread consent fatigue and questions about the effectiveness of these mechanisms in protecting data subjects' data. To simplify digital laws and make the EU more competitive, the EU Commission recently proposed the Digital Omnibus, introducing a new Article 88b GDPR to express data subjects' choices in a technical way. While the Digital Omnibus is under legislative negotiation, California residents and residents of other US states can already exercise their rights via Global Privacy Control (GPC), a privacy signal to automatically broadcast a legally binding opt-out request to websites. In light of the Digital Omnibus, we evaluate to which extent GPC can be adapted to the EU legal framework to reduce consent banners, mitigate consent fatigue, and improve data protection for EU users. GPC is based on a technical specification, currently being standardised at the World Wide Web Consortium. By sending a GPC signal, data subjects can express their refusal or withdrawal of consent under the GDPR to the use of their personal data for cross-context ad targeting and, in some cases, to express their objection under the GDPR against the use of their data for such purposes. Our evaluation identifies friction between the GPC specification and current EU data protection law. In the longer term, it would be possible for the EU legislator to amend EU laws, as proposed in the current Digital Omnibus, in such a way that internet users can use automated signals to express choices about personal data use and online tracking. In the shorter term, websites and companies who conduct online tracking can already honour GPC.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper evaluates whether the Global Privacy Control (GPC) standard can be adapted to the EU GDPR and ePrivacy Directive framework to reduce consent banners for behavioral advertising. It maps GPC signals to GDPR consent withdrawal (Art. 7) and objection (Art. 21) provisions for cross-context ad targeting, identifies technical-legal frictions, and distinguishes short-term voluntary website honoring from longer-term legislative changes proposed in the Digital Omnibus (new Art. 88b GDPR).

Significance. If the mapping holds, the work provides a timely, balanced analysis of how an existing W3C-standardized technical signal could interact with EU simplification efforts to address consent fatigue. The explicit friction identification and separation of voluntary versus legislative paths are strengths that could usefully inform both policy debates and industry implementation without relying on fitted data or circular derivations.

major comments (2)
  1. [Abstract and short-term voluntary honoring discussion] Abstract and the evaluation of GPC-to-GDPR mapping: the central claim that a GPC signal lets data subjects 'express their refusal or withdrawal of consent under the GDPR' for cross-context ad targeting assumes the technical signal satisfies Art. 4(11) and Art. 7 requirements for specific, informed, and unambiguous consent (plus Art. 21 objection). The manuscript notes friction but does not demonstrate how voluntary honoring would produce per-controller records meeting supervisory authority expectations for demonstrable withdrawal 'as easy as giving consent'.
  2. [Short-term voluntary honoring discussion] Short-term voluntary adoption section: the assertion that 'websites and companies who conduct online tracking can already honour GPC' to reduce banners is load-bearing for the title question, yet the analysis does not address whether such voluntary adoption would be treated as legally valid consent withdrawal by DPAs or eliminate the need for banners under current enforcement practice.
minor comments (2)
  1. Add explicit cross-references to specific GDPR articles (e.g., Art. 7(3) on withdrawal) and the ePrivacy Directive in the mapping to improve precision.
  2. The distinction between short-term voluntary and long-term legislative scenarios would benefit from a dedicated summary table or subsection to enhance readability.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive and detailed comments, which highlight important nuances in the legal mapping of GPC signals to GDPR and ePrivacy requirements. We address each major comment below, clarifying the scope of our claims while agreeing to strengthen certain discussions in a revised version.

Point-by-point responses
  1. Referee: [Abstract and short-term voluntary honoring discussion] Abstract and the evaluation of GPC-to-GDPR mapping: the central claim that a GPC signal lets data subjects 'express their refusal or withdrawal of consent under the GDPR' for cross-context ad targeting assumes the technical signal satisfies Art. 4(11) and Art. 7 requirements for specific, informed, and unambiguous consent (plus Art. 21 objection). The manuscript notes friction but does not demonstrate how voluntary honoring would produce per-controller records meeting supervisory authority expectations for demonstrable withdrawal 'as easy as giving consent'.

    Authors: We agree that the manuscript could more explicitly distinguish between the expressive function of the GPC signal and the full validity requirements under Art. 4(11) and Art. 7. The central claim is limited to the signal serving as an expression of refusal or withdrawal (with noted frictions around specificity, informed nature, and record-keeping), not that it automatically constitutes valid consent or withdrawal in isolation. Voluntary honoring by controllers would require internal logging to create demonstrable records, but we did not fully elaborate on alignment with 'as easy as giving consent' standards. We will revise the abstract and mapping evaluation to clarify these boundaries and note that additional controller-side measures would be needed for full supervisory compliance.

    revision: yes

  2. Referee: [Short-term voluntary honoring discussion] Short-term voluntary adoption section: the assertion that 'websites and companies who conduct online tracking can already honour GPC' to reduce banners is load-bearing for the title question, yet the analysis does not address whether such voluntary adoption would be treated as legally valid consent withdrawal by DPAs or eliminate the need for banners under current enforcement practice.

    Authors: The short-term section presents voluntary honoring as a permissible option under existing law (sites may respect user signals without violating GDPR or ePrivacy), which can practically reduce banners for participating users, but we accept that the analysis does not sufficiently address DPA treatment or enforcement realities. We will expand this section to discuss that voluntary adoption could be viewed as a good-faith measure aligning with user preferences, yet it may not eliminate banners universally due to other consent triggers or enforcement variations. This will better contextualize the title question without overstating current legal effects.

    revision: partial

Circularity Check

0 steps flagged

Direct legal comparison with minor self-citation; no load-bearing circularity

full rationale

The paper conducts a comparative legal analysis of the GPC technical specification against GDPR Articles 4(11), 7, 21, the ePrivacy Directive, and the proposed Digital Omnibus Article 88b. It identifies specific frictions (e.g., consent must be specific/informed/unambiguous and withdrawal as easy as giving consent) and distinguishes short-term voluntary honoring from longer-term legislative recognition. No equations, fitted parameters, or predictions reduce to inputs by construction. One minor self-citation appears in the GPC background but is not load-bearing for the central claims, which rest on explicit statutory text and the published GPC spec rather than author-derived uniqueness theorems or ansatzes. The derivation chain is self-contained against external legal benchmarks.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 0 invented entities

The central claim rests on the assumption that GPC signals can be mapped to GDPR legal bases without new legislation and that voluntary compliance is feasible; no free parameters, invented entities, or ad-hoc axioms are introduced beyond standard legal interpretation of existing texts.

axioms (2)
  • domain assumption: GPC specification accurately reflects current W3C draft and US state laws
    Invoked when stating that GPC already provides legally binding opt-outs in California and other states.
  • standard math: Current GDPR text requires opt-in consent for behavioral advertising
    Standard reading of Articles 6 and 7 GDPR and ePrivacy Directive as summarized in the abstract.

