I don't see how you would end up in a GDPR violation scenario for doing it. I suppose the more likely scenario would be Company X wanting people to agree to give up data, and make it hard to access site without giving up data, but browsh makes it easy. So then the company complains that browsh is essentially enabling theft of their resources, I don't think that will work very well though.