The EU’s GDPR and ePrivacy Directive mandate explicit user consent for behavioral advertising; however, pervasive cookie banners induce widespread consent fatigue, undermining effective privacy protection. Method: This paper conducts the first systematic legal-technical analysis of the Global Privacy Control (GPC)—a W3C-standardized, browser-level opt-out signal—assessing its compatibility with EU law. It maps GPC against GDPR’s lawful bases for processing (particularly consent, legitimate interests, and the right to object), identifies regulatory tensions, and integrates insights from emerging legislation such as the Digital Omnibus Act. Contribution/Results: The study demonstrates that GPC possesses viable interpretive space and practical implementation foundations under EU law. It can serve as an automated, user-centric compliance mechanism, substantively replacing redundant consent banners, alleviating consent fatigue, and strengthening data subjects’ control over personal data processing. The paper further proposes concrete pathways for updating authoritative guidance and harmonizing technical standards to support GPC adoption.

In the EU, the General Data Protection Regulation and the ePrivacy Directive mandate informed consent for behavioural advertising and use of tracking technologies. However, the ubiquity of consent banners and popups has led to widespread consent fatigue and questions regarding the effectiveness of these mechanisms in protecting users'data. In contrast, users in California and other US jurisdictions can utilize Global Privacy Control (GPC), a browser-based privacy signal that automatically broadcasts a legally binding opt-out request to websites. In this paper we explore whether, and to what extent, GPC can be adapted to the EU legal framework to mitigate consent fatigue and improve privacy protections for EU residents. We analyse GPC as a technical specification standardized at the World Wide Web Consortium and examine its standing under current EU data protection law. Generally, GPC can be mapped to the various legal bases for processing under the GDPR. However, our evaluation also identifies friction between the GPC specification and EU data protection law as it stands. These discrepancies are resolvable and present an opportunity for EU legislators and regulators to interpret GPC in alignment with EU data protection requirements, particularly, considering the European Commission's recent Digital Omnibus proposal. We conclude that while GPC is not a silver bullet, its adoption -- supported by clear authoritative guidance and specification updates -- can offer a pragmatic path toward more automated and effective data protection in the EU.