Usability and Enforceability of Global Privacy Control

Authors: Sebastian Zimmeck (Wesleyan University), Oliver Wang (Wesleyan University), Kuba Alicki (Princeton University), Jocelyn Wang (Wesleyan University), Sophie Eng (Wesleyan University)

Volume: 2023
Issue: 2
Pages: 265–281
DOI: https://doi.org/10.56553/popets-2023-0052

Abstract: Web tracking by ad networks and other data-driven businesses is often privacy-invasive. Privacy laws, such as the California Consumer Privacy Act, aim to give people more control over their data. In particular, they provide a right to opt out from web tracking via privacy preference signals, notably Global Privacy Control (GPC). GPC holds the promise of enabling people to exercise their opt out rights on the web. Broad adoption of GPC hinges on its usability. In a usability survey we find that 94% of the participants would turn on GPC, indicating a need for such an efficient and effective opt out mechanism. 81% of the participants in our survey also have a correct understanding of what GPC does, ensuring that their intent is accurately represented by their choice. The effectiveness of GPC depends on whether websites' GPC compliance can be enforced. A site's GPC compliance can be analyzed based on privacy flags, such as the US Privacy String, which is used on many sites to indicate the opt out status of a web user. Leveraging the US Privacy String for GPC purposes, we implement a proof-of-concept browser extension that successfully and correctly analyzes sites' GPC compliance at a rate of 89%. We further implement a web crawler for our browser extension, demonstrating that our analysis approach is scalable. We find that many sites do not respect GPC opt out signals despite being legally obligated to do so. Only 54/464 (12%) sites with a US Privacy String opt out users after having received a GPC signal.
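The compliance check described in the abstract can be sketched as a comparison of a site's US Privacy String before and after a GPC signal is sent. This is an added example, not the authors' extension code. It assumes the four-character IAB layout (version, notice given, opt-out of sale, LSPA); the verdict names, function names and sample observations are hypothetical.

```javascript
// Added example: classify a site's GPC handling from its US Privacy String.
// Assumed layout (IAB US Privacy String): version, notice, opt-out sale, LSPA.
// Each flag is Y, N or "-" (not applicable); either letter case is accepted.
const USP_PATTERN = /^(\d)([YN-])([YN-])([YN-])$/i;

function parseUsPrivacy(value) {
  if (typeof value !== "string") return null;
  const m = USP_PATTERN.exec(value.trim());
  if (!m) return null;
  return {
    version: Number(m[1]),
    noticeGiven: m[2].toUpperCase(),
    optOutSale: m[3].toUpperCase(),
    lspaCovered: m[4].toUpperCase(),
  };
}

// before: string read without GPC; after: string read once GPC was sent
// (Sec-GPC: 1 request header / navigator.globalPrivacyControl).
function classifyGpcHandling(before, after) {
  if (after == null || after === "") return "no-string";
  const post = parseUsPrivacy(after);
  if (!post) return "malformed";
  if (post.optOutSale === "-") return "not-applicable";
  if (post.optOutSale === "N") return "not-opted-out";
  // Opt-out flag is Y: distinguish a reaction to GPC from a default opt-out.
  const pre = parseUsPrivacy(before);
  return pre && pre.optOutSale === "Y" ? "opted-out-by-default" : "opted-out";
}

// Tally verdicts over a crawl; rows are {site, before, after}.
function summarize(rows) {
  const counts = {};
  for (const r of rows) {
    const verdict = classifyGpcHandling(r.before, r.after);
    counts[verdict] = (counts[verdict] || 0) + 1;
  }
  return counts;
}

// Constructed observations (hypothetical sites, not data from the paper).
const observations = [
  { site: "a.example", before: "1YNN", after: "1YYN" }, // flips after GPC
  { site: "b.example", before: "1YNN", after: "1YNN" }, // ignores GPC
  { site: "c.example", before: "1---", after: "1---" }, // claims CCPA n/a
  { site: "d.example", before: "1YNN", after: "1YN" },  // truncated string
  { site: "e.example", before: null, after: null },     // no string exposed
];

console.log(summarize(observations));
```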

Keywords: Global Privacy Control, GPC, Do Not Sell, Do Not Share, Do Not Track, DNT, Opt Out, Privacy Preference Signals, Privacy Choice, Privacy Rights, CCPA, CPRA, Privacy Law, Usability, Web Privacy

Copyright in PoPETs articles is held by their authors. This article is published under a Creative Commons Attribution 4.0 license.