A peer-reviewed study published on 5 May 2026 in Computer Law & Security Review concludes that the Global Privacy Control standard can reduce consent banners in the European Union, but only partially - and only if EU regulators and legislators take deliberate steps to clarify how the signal maps to existing data protection law.

The paper, authored by Sebastian Zimmeck of Wesleyan University, Harshvardhan J. Pandit of Trinity College Dublin's AI Accountability Lab, Frederik Zuiderveen Borgesius of Radboud University, Cristiana Teixeira Santos of Utrecht University, Konrad Kollnig of Maastricht University, and Robin Berjon of the IPFS Foundation and Supramundane Agency, evaluates Global Privacy Control (GPC) as a candidate mechanism for implementing automated privacy signals within the EU's regulatory framework. The study arrives at a moment when that framework is itself under active revision through the European Commission's Digital Omnibus package, proposed on 19 November 2025.

What is GPC and why does it matter now

GPC is a technical signal, currently being standardised at the World Wide Web Consortium (W3C) under its Privacy Working Group. According to the study, GPC enables users to automatically broadcast an opt-out request to websites, expressing a preference that "their data not be sold to or shared with any party other than the one the person intends to interact with, or to have their data used for cross-context ad targeting."

The signal operates at the browser level. When activated, the browser communicates a single binary value with each web request. Unlike its predecessor, Do Not Track (DNT), which was standardised at the W3C from 2009 but never carried legal enforceability, GPC is already legally binding in five US states. Compliance with GPC has been required in California since January 2021, in Colorado since July 2024, in Connecticut since January 2025, in New Jersey since July 2025, and in Oregon since January 2026. The offices of the California, Colorado, and Connecticut attorneys general have already begun enforcement. The California Attorney General's settlement with Healthline.com in 2025 for $1.55 million - the largest monetary penalty under the California Consumer Privacy Act to date - cited that company's continued sharing of personal data after users had exercised opt-out rights through GPC signals.

As of 5 April 2026, approximately 388,000 sites support GPC, among them Amazon, the National Football League, and Spotify. The study also notes that a recent amendment to the California Consumer Privacy Act, California Assembly Bill 566 - known as the California Opt Me Out Act - requires any browser developed for California residents to include functionality to send an opt-out preference signal by 1 January 2027. That deadline will significantly expand GPC's footprint among browser vendors.

PPC Land has tracked Google's progressive implementation of GPC-triggered Restricted Data Processing across US states, as the advertising platform automatically activates data handling restrictions when users transmit GPC signals from covered states. The expansion to Delaware and Oregon on 17 November 2025 followed similar rollouts across Colorado, Connecticut, Montana, Nebraska, New Hampshire, Texas, Minnesota, New Jersey, and Maryland. Google's ad-tech system integrates GPC at the request level, processing signals without requiring publisher intervention.

The study's central motivation is the widespread failure of consent banners as a mechanism for protecting data subjects. According to the authors, banners implementing the GDPR and ePrivacy Directive requirements often rely on deceptive patterns - also called dark patterns - that nudge or trick users into consenting. Even when sites do not implement such practices, users experience what the authors describe as consent fatigue from repetitive decision-making on nearly every site they visit.

A 2025 study cited in the paper found that among users who were required to make active choices, 83% accepted functional or preference cookies, while only 7% consented to ad selection, delivery, and reporting. The paper suggests this gap reflects actual user preferences rather than genuine consent to tracking. Participants in a separate interview study cited by the authors preferred not to share data for personalised advertising, while expressing comfort sharing data for strictly necessary, performance and functionality, and statistics and analytics purposes.

The Digital Omnibus - a legislative package from the European Commission - proposes a new Article 88b GDPR to make machine-readable privacy signals legally enforceable in the EU. According to the study, this is the first explicit use of automated technical signals to manage consent and privacy choices within the EU legal framework. The proposal is still under legislative negotiation. PPC Land has covered the Digital Omnibus extensively, including Brussels' sweeping GDPR changes proposed in November 2025, the European Commission's formal presentation of the package, and the joint opinion by the EDPB and EDPS adopted on 10 February 2026, which pushed back against several provisions.

Technical architecture of GPC

GPC differs from DNT not only legally but technically. Unlike DNT, which could carry two values - permitting tracking or prohibiting it - GPC carries only a single value, indicating a preference to prevent data selling or sharing and cross-context ad targeting. If GPC is activated, the browser communicates this value with each request. If it is deactivated, no GPC signal is sent. This single-bit design minimises fingerprinting risk, because a user could only be identified as a GPC user versus a non-GPC user rather than being profiled through fine-grained preference combinations.

The specification allows user agents to send GPC signals through two mechanisms. The browser can include a GPC header field in each HTTP request, or a website can query the user's GPC status through a client-side script via the GPC Document Object Model (DOM) property. According to the study, many websites prefer the second option because it allows them to retrieve the GPC status faster than waiting for the header, which is particularly relevant for online advertising auctions where time to determine data handling permissions is critical.

GPC also provides an optional Support Resource: a website can publicly declare that it respects GPC by hosting a /.well-known/gpc.json file at its origin server. The New York Times, for instance, publishes such a declaration. The study notes, however, that this resource constitutes a declaration, not proof of compliance, and creates no additional legal obligations.

One compliance gap identified in the study concerns server-side data flows. Personal data collected by a first party during a site visit may be shared server-side with third parties - the study cites Meta's Conversions API as an example - without any GPC signal being communicated to those downstream recipients. GPC signals from the browser must be translated into server-side mechanisms by the first party to prevent this. If that translation does not occur, downstream recipients may process data in violation of the user's rights without any awareness of the conflict.

How GPC maps - and does not map - to EU law

The core challenge identified by the study is terminological. GPC's specification was developed against the background of US state privacy laws, particularly the California Consumer Privacy Act, and its terms do not neatly map to the concepts of the GDPR or the ePrivacy Directive.

The GPC specification refers to "selling or sharing" of personal information and to "cross-context ad targeting." Under the GDPR, neither "selling" nor "sharing" is explicitly enumerated in the definition of processing, though the study's authors conclude these activities constitute forms of "making available" and therefore fall within the GDPR's broad processing definition. The term "context" also lacks a defined meaning in the GDPR, though case law - the study cites the Court of Justice of the European Union ruling in FashionID (C-40/17) - provides some interpretive guidance.

The study works through four concrete scenarios to illustrate GPC's legal effects under current EU law.

In the first scenario - third-party ad tracking relying on consent as the legal basis - the study finds GPC can serve as a mechanism for refusing or withdrawing consent under the GDPR and for refusing consent for cookie placement under Article 5(3) of the ePrivacy Directive. However, the analysis also shows a critical limitation. A website honouring GPC for third-party ad cookies may still need to show a consent banner for its own first-party tracking cookies, because GPC does not restrict processing within a single context.

In the second scenario - a website using analytics services from a third party - the study finds GPC can prevent sharing data with the analytics provider but only insofar as that sharing constitutes data "selling" or cross-context targeting under the applicable legal interpretation. First-party analytics, conducted within the same context as the user's website visit, fall outside GPC's scope.

The third scenario involves a data broker relying on legitimate interest rather than consent as the legal basis. Here, GPC can serve as an objection mechanism under Article 21(1) GDPR. However, a controller can refuse that objection if it demonstrates compelling legitimate grounds overriding the data subject's interests. The GPC specification provides no mechanism for the controller to communicate such a refusal back to the user's browser - meaning the controller may resort to a banner explaining the refusal, which partially undermines GPC's goal of reducing banner interactions.

The fourth scenario examines the ePrivacy Directive specifically. The study finds that GPC has limited effect on banner reduction under the ePD, because Article 5(3) ePD requires consent for the storing or accessing of information on a user's device even when no data will be sold or shared with third parties. A website enabling a third party to place a cookie must obtain consent under the ePD, even if that third party subsequently chooses not to collect data through the cookie. This means the ePD's requirements continue to necessitate banners for purposes outside GPC's scope, regardless of whether a user sends a GPC signal.

The standardisation gap and future path

The study also examines GPC's relationship with the proposed Article 88b GDPR under the Digital Omnibus. The proposed provision defines a technical signal capable of giving and refusing consent and of objecting to processing based on legitimate interests. According to the authors, a GPC signal cannot indicate a data subject's unambiguous consent - it can only signal consent rejection, withdrawal, and objection. This means GPC does not cover the full scope of what Article 88b GDPR would require, particularly regarding the granularity of purposes and the ability to give consent.

An additional complication concerns standardisation governance. The study raises the question of whether GPC can qualify as an acceptable implementation under Article 88b(4) GDPR, given that GPC is being developed at the W3C, which is not a recognised European standardisation body. The provision's reference to "standards" in the plural suggests multiple complementary implementations could coexist, which the authors interpret as a possible pathway.

The article 88b(3) GDPR as proposed would exempt media service providers from the automated consent signal requirements. The study notes this creates risks, because the provision does not clarify whether the exemption covers third-party behavioural advertising used by media providers or only first-party advertising. From a privacy perspective, exempting media publishers could undermine the privacy of online newspaper readers.

GPC adoption on mobile and other platforms

One gap the study highlights is GPC's absence from mobile platforms. GPC can currently be activated in Firefox, Brave, and DuckDuckGo. All browsers for California residents will be required to implement GPC by 1 January 2027 under AB-566. But GPC is not yet supported on mobile app platforms. According to the study, some platforms implement their own privacy choice mechanisms - Apple's App Tracking Transparency for iOS is cited - but these are based on contractual agreements between developers and platform companies rather than statutory mandates. The study argues there should be one consistent statutory mechanism that ensures the intended privacy effects, is directly controlled by users, and is binding on all actors.

A 2025 study cited in the paper found that enabling a GPC signal initially reduces the number of intractable cookies by 30% on average, with a further 32% reduction possible on subsequent visits when consent banners are also rejected. That data point illustrates GPC's effect in practice - meaningful but incomplete.

The Adform DSP announced GPC support in July 2024, an early sign of broader adoption in advertising technology infrastructure. The W3C specification version reviewed by the study's authors is the Editor's Draft dated 3 April 2026. GPC currently meets the W3C's criteria for ratification and is maintained as a Working Draft while editorial work is completed.

What the study recommends

The authors offer a set of recommendations for EU lawmakers and regulators. The proposed Article 88b GDPR should explicitly provide for existing standards such as GPC to be enforceable for restricting the processing of personal data in specific situations. EU regulators should clarify how websites should interpret GPC signals in the short term, even before full legislative revision. The GPC specification itself should be updated to better reflect EU legal terminology, particularly around the concepts of selling, sharing, and cross-context targeting as they relate to GDPR definitions.

According to the study, GPC should be viewed "not as a rigid standard, but as an 'empty canvas' with infrastructure in browsers and on websites already in place that is ready for legislators and regulators to use to improve data protection in the EU." The law governs how the signal must be honoured, not the reverse. This means EU authorities have the capacity to define what a GPC "Do Not Process" signal means in the EU legal context without waiting for the W3C process to address EU-specific requirements.

One economic dimension noted by the authors is the potential asymmetric effect of GPC on first versus third parties. Because GPC leaves most first-party processing intact while preventing third-party processing, it could create a structural advantage for existing larger platforms and popular websites. Consent banner mechanisms themselves may already advantage incumbents - the study cites research suggesting users are more likely to accept consent banners on popular websites. GPC could therefore be analysed through the lens of competition law, the Digital Services Act, and the Digital Markets Act.

The study was accessed on 21 April 2026, as noted in its footnotes. The authors declare no competing financial interests. Sebastian Zimmeck is a current editor of the GPC specification, and Robin Berjon is a former editor.

Timeline

Summary

Who: Sebastian Zimmeck (Wesleyan University), Harshvardhan J. Pandit (Trinity College Dublin), Frederik Zuiderveen Borgesius (Radboud University), Cristiana Teixeira Santos (Utrecht University), Konrad Kollnig (Maastricht University), and Robin Berjon (IPFS Foundation and Supramundane Agency).

What: A peer-reviewed academic study evaluating whether the Global Privacy Control browser signal can reduce consent banners in the EU under the GDPR and ePrivacy Directive, and how it relates to the proposed Article 88b GDPR in the Digital Omnibus.

When: Published 5 May 2026 in Computer Law & Security Review, Volume 61 (2026), article 106332, based on the GPC W3C Editor's Draft dated 3 April 2026.

Where: The study's analysis covers the EU legal framework - principally the GDPR and ePrivacy Directive - alongside the W3C standardisation process and the US state legal landscape where GPC already has binding legal effect in California, Colorado, Connecticut, New Jersey, and Oregon.

Why: Consent banners have proliferated to the point where users experience systematic consent fatigue, and many banners employ dark patterns that do not accurately reflect user preferences. The Digital Omnibus proposes machine-readable consent signals as a solution, and GPC is the most mature candidate standard with existing browser adoption and legal enforceability. The study finds GPC is a partial fit for the EU framework, able to reduce but not eliminate banners, and calls on EU regulators and the W3C to address remaining misalignments.

Share this article
The link has been copied!