Data Protection and Consenting Communication Mechanisms: Current Open Proposals and Challenges

Human, Soheil; Pandit, Harshvardhan J.; Morel, Victor; Santos, Cristiana; Degeling, Martin; Rossi, Arianna; Botes, Wilhelmina; Jesus, Vitor; Kamara, Irene

doi:10.1109/eurospw55150.2022.00029

Cited by 14 publications

(11 citation statements)

References 32 publications

(36 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…It also provided an alternative, frictionless, browser-based preference signal (e.g. Global Privacy Control or GPC) that websites could implement instead of implementing the opt-out link [20,53,60]. Furthermore, the CPRA dierentiates sensitive personal information from general personal data, requiring businesses that collect and process sensitive information to post an additional link titled "Limit the Use of My Sensitive Personal Information".…”

Section: The California Consumer Privacy Actmentioning

confidence: 99%

Measuring Compliance with the California Consumer Privacy Act Over Space and Time

Tran,

Mehrotra,

Chetty

et al. 2024

Proceedings of the CHI Conference on Human Factors in Computing Systems

View full text Add to dashboard Cite

The widespread sharing of consumers' personal information with third parties raises signicant privacy concerns. The California Consumer Privacy Act (CCPA) mandates that online businesses oer consumers the option to opt out of the sale and sharing of personal information. Our study automatically tracks the presence of the opt-out link longitudinally across multiple states after the California Privacy Rights Act (CPRA) went into eect. We categorize websites based on whether they are subject to CCPA and investigate cases of potential non-compliance. We nd a number of websites that implement the opt-out link early and across all examined states but also nd a signicant number of CCPA-subject websites that fail to oer any opt-out methods even when CCPA is in eect. Our ndings can shed light on how websites are reacting to the CCPA and identify potential gaps in compliance and optout method designs that hinder consumers from exercising CCPA opt-out rights.

show abstract

Section: The California Consumer Privacy Actmentioning

confidence: 99%

Measuring Compliance with the California Consumer Privacy Act Over Space and Time

Tran,

Mehrotra,

Chetty

et al. 2024

Proceedings of the CHI Conference on Human Factors in Computing Systems

View full text Add to dashboard Cite

show abstract

“…For freely configurable GPC settings the fingerprinting risk depends on the extent to which people turn GPC on and off for different sites and how many of those sites an attacker can observe. However, overall GPC represents minor risks given its binary states [36].…”

Section: Browser Fingerprintingmentioning

confidence: 99%

“…The Advanced Data Protection Control (ADPC) -similar to P3P and focused on enabling cookie consent and other privacy choices under the GDPR and ePrivacy Directive -establishes bidirectional communication between websites and users [1,36]. ADPC is discussed in the W3C Consent Community Group [80].…”

Section: Adpc and Drpmentioning

confidence: 99%

Usability and Enforceability of Global Privacy Control

Zimmeck

Wang

Alicki

et al. 2023

PoPETs

View full text Add to dashboard Cite

Web tracking by ad networks and other data-driven businesses is often privacy-invasive. Privacy laws, such as the California Consumer Privacy Act, aim to give people more control over their data. In particular, they provide a right to opt out from web tracking via privacy preference signals, notably Global Privacy Control (GPC). GPC holds the promise of enabling people to exercise their opt out rights on the web. Broad adoption of GPC hinges on its usability. In a usability survey we find that 94% of the participants would turn on GPC indicating a need for such efficient and effective opt out mechanism. 81% of the participants in our survey also have a correct understanding of what GPC does ensuring that their intent is accurately represented by their choice. The effectiveness of GPC is dependent on whether websites' GPC compliance can be enforced. A site's GPC compliance can be analyzed based on privacy flags, such as the US Privacy String, which is used on many sites to indicate the opt out status of a web user. Leveraging the US Privacy String for GPC purposes we implement a proof-of-concept browser extension that successfully and correctly analyzes sites' GPC compliance at a rate of 89%. We further implement a web crawler for our browser extension demonstrating that our analysis approach is scalable. We find that many sites do not respect GPC opt out signals despite being legally obligated to do so. Only 54/464 (12%) sites with a US Privacy String opt out users after having received a GPC signal.

show abstract

“…Privacy signals are digital representations that allow users to communicate their preferences [1] [2][3] [4] of how users want their personal data to be processed, e.g. Do Not Track [5] [6] for opting out of tracking, Global Privacy Control (GPC) [7] for opting out of third party sharing, IAB's Transparency and Consent (TCF) signal [8] for communicating decisions), or exercise rights (e.g.…”

mentioning

confidence: 99%

“…Privacy signals must be adopted by both sides of the communication, i.e., controllers and data subjects along with support from device or software providers. Signals have the advantage to create a level playing field between all actors (users, websites, third parties), and to avoid user consent to be exploited through deceptive interfaces (dark patterns) [4][9] that nudge users to accept tracking though ubiquitous consent banners where consent where consent cannot be 'informed' or 'freely given'.…”

mentioning

confidence: 99%

How could the upcoming ePrivacy Regulation recognise enforceable privacy signals in the EU?

Santos¹,

Pandit²

2023

Preprint

View full text Add to dashboard Cite

Privacy signals are digital representations that allow users to communicate their preferences [1] [2][3][4] of how users want their personal data to be processed, e.g. Do Not Track [5][6] for opting out of tracking, Global Privacy Control (GPC) [7] for opting out of third party sharing, IAB’s Transparency and Consent (TCF) signal [8] for communicating decisions), or exercise rights (e.g. Art.21(5) GDPR), and can be automated and customised for the websites they visit. In this paper we discuss requirements that privacy signals must satisfy to be enforceable under the ePrivacy Regulation and enable its real-world application.

show abstract

Data Protection and Consenting Communication Mechanisms: Current Open Proposals and Challenges

Cited by 14 publications

References 32 publications

Measuring Compliance with the California Consumer Privacy Act Over Space and Time

Measuring Compliance with the California Consumer Privacy Act Over Space and Time

Usability and Enforceability of Global Privacy Control

How could the upcoming ePrivacy Regulation recognise enforceable privacy signals in the EU?

Contact Info

Product

Resources

About