Can the GPC standard eliminate consent banners in the EU?
- URL: http://arxiv.org/abs/2512.08856v1
- Date: Tue, 09 Dec 2025 17:49:48 GMT
- Title: Can the GPC standard eliminate consent banners in the EU?
- Authors: Sebastian Zimmeck, Harshvardhan J. Pandit, Frederik Zuiderveen Borgesius, Cristiana Teixeira Santos, Konrad Kollnig, Robin Berjon,
- Abstract summary: In the EU, the General Data Protection Regulation and the ePrivacy Directive mandate informed consent for behavioural advertising. Users in California and other US jurisdictions can utilize Global Privacy Control (GPC), a browser-based privacy signal. GPC automatically broadcasts a legally binding opt-out request to websites.
- Score: 4.4576895372317376
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: In the EU, the General Data Protection Regulation and the ePrivacy Directive mandate informed consent for behavioural advertising and use of tracking technologies. However, the ubiquity of consent banners and popups has led to widespread consent fatigue and questions regarding the effectiveness of these mechanisms in protecting users' data. In contrast, users in California and other US jurisdictions can utilize Global Privacy Control (GPC), a browser-based privacy signal that automatically broadcasts a legally binding opt-out request to websites. In this paper we explore whether, and to what extent, GPC can be adapted to the EU legal framework to mitigate consent fatigue and improve privacy protections for EU residents. We analyse GPC as a technical specification standardized at the World Wide Web Consortium and examine its standing under current EU data protection law. Generally, GPC can be mapped to the various legal bases for processing under the GDPR. However, our evaluation also identifies friction between the GPC specification and EU data protection law as it stands. These discrepancies are resolvable and present an opportunity for EU legislators and regulators to interpret GPC in alignment with EU data protection requirements, particularly, considering the European Commission's recent Digital Omnibus proposal. We conclude that while GPC is not a silver bullet, its adoption -- supported by clear authoritative guidance and specification updates -- can offer a pragmatic path toward more automated and effective data protection in the EU.
Related papers
- EU-Agent-Bench: Measuring Illegal Behavior of LLM Agents Under EU Law [39.146761527401424]
EU-Agent-Bench is a verifiable benchmark that evaluates an agent's alignment with EU legal norms.
Our benchmark spans scenarios across several categories, including data protection, bias/discrimination, and scientific integrity.
We release a public preview set for the research community, while holding out a private test set to prevent data contamination.
arXiv Detail & Related papers (2025-10-24T14:48:10Z)
- Regulating Online Algorithmic Pricing: A Comparative Study of Privacy and Data Protection Laws in the EU and US [7.184784497153388]
Big data, AI and machine learning have allowed sellers and online platforms to tailor pricing for customers in real-time.
Online algorithmic pricing poses a threat to the fundamental values of privacy, digital autonomy, and non-discrimination.
On both sides of the Atlantic, legislators have endeavoured to regulate online algorithmic pricing in different ways.
arXiv Detail & Related papers (2025-09-29T06:46:56Z)
- Adtech and Real-Time Bidding under European Data Protection Law [0.3634093556454098]
This article analyzes the extent to which practices of real-time bidding (RTB) are compatible with European data protection law.
We show that it is difficult - and perhaps impossible - for website publishers and RTB companies to meet the insecure European data protection law requirements.
We conclude that RTB is structurally difficult to reconcile with European data protection law.
arXiv Detail & Related papers (2025-09-01T15:35:28Z)
- Towards an Enforceable GDPR Specification [49.1574468325115]
Privacy by Design (PbD) is prescribed by modern privacy regulations such as the EU's.
One emerging technique to realize PbD is enforcement (RE)
We present a set of requirements and an iterative methodology for creating formal specifications of legal provisions.
arXiv Detail & Related papers (2024-02-27T09:38:51Z)
- SoK: The Gap Between Data Rights Ideals and Reality [42.769107967436945]
Do rights-based privacy laws effectively empower individuals over their data?
This paper scrutinizes these approaches by reviewing empirical studies, news articles, and blog posts.
arXiv Detail & Related papers (2023-12-03T21:52:51Z)
- The risks of risk-based AI regulation: taking liability seriously [46.90451304069951]
The development and regulation of AI seems to have reached a critical stage.
Some experts are calling for a moratorium on the training of AI systems more powerful than GPT-4.
This paper analyses the most advanced legal proposal, the European Union's AI Act.
arXiv Detail & Related papers (2023-11-03T12:51:37Z)
- Pile of Law: Learning Responsible Data Filtering from the Law and a 256GB Open-Source Legal Dataset [46.156169284961045]
We offer an approach to filtering grounded in law, which has directly addressed the tradeoffs in filtering material.
First, we gather and make available the Pile of Law, a 256GB dataset of open-source English-language legal and administrative data.
Second, we distill the legal norms that governments have developed to constrain the inclusion of toxic or private content into actionable lessons.
Third, we show how the Pile of Law offers researchers the opportunity to learn such filtering rules directly from the data.
arXiv Detail & Related papers (2022-07-01T06:25:15Z)
- Distributed Machine Learning and the Semblance of Trust [66.1227776348216]
Federated Learning (FL) allows the data owner to maintain data governance and perform model training locally without having to share their data.
FL and related techniques are often described as privacy-preserving.
We explain why this term is not appropriate and outline the risks associated with over-reliance on protocols that were not designed with formal definitions of privacy in mind.
arXiv Detail & Related papers (2021-12-21T08:44:05Z)
- Consent Management Platforms under the GDPR: processors and/or controllers? [11.514573594428352]
Consent Management Providers (CMPs) provide consent pop-ups embedded in more websites.
CMPs enable compliance with legal requirements for consent mandated by the General Data Protection Regulation (ePrivacy Directive)
Although IAB's TCF specifications characterize CMPs as data processors, CMPs' factual activities often qualify them as data controllers instead.
arXiv Detail & Related papers (2021-04-14T13:54:02Z)
- Detecting Compliance of Privacy Policies with Data Protection Laws [0.0]
Privacy policies are often written in extensive legal jargon that is difficult to understand.
We aim to bridge that gap by providing a framework that analyzes privacy policies in light of various data protection laws.
By using such a tool, users would be better equipped to understand how their personal data is managed.
arXiv Detail & Related papers (2021-02-21T09:15:15Z)
- Second layer data governance for permissioned blockchains: the privacy management challenge [58.720142291102135]
In pandemic situations, such as the COVID-19 and Ebola outbreak, the action related to sharing health data is crucial to avoid the massive infection and decrease the number of deaths.
In this sense, permissioned blockchain technology emerges to empower users to get their rights providing data ownership, transparency, and security through an immutable, unified, and distributed database ruled by smart contracts.
arXiv Detail & Related papers (2020-10-22T13:19:38Z)
This list is automatically generated from the titles and abstracts of the papers in this site.