Generalizable Active Privacy Choice: Designing a Graphical User Interface for Global Privacy Control

The California Consumer Privacy Act and other privacy laws give people a right to opt out of the sale and sharing of personal information. In combination with privacy preference signals, especially, Global Privacy Control (GPC), such rights have the potential to empower people to assert control over their data. However, many laws prohibit opt out settings being turned on by default. The resulting usability challenges for people to exercise their rights motivate generalizable active privacy choice — an interface design principle to make opt out settings usable without defaults. It is based on the idea of generalizing one individual opt out choice towards a larger set of choices. For example, people may apply an opt out choice on one site towards a larger set of sites. We explore generalizable active privacy choice in the context of GPC. We design and implement nine privacy choice schemes in a browser extension and explore them in a usability study with 410 participants. We find that generalizability features tend to decrease opt out utility slightly. However, at the same time, they increase opt out efficiency and make opting out less disruptive, which was more important to most participants. For the least disruptive scheme, selecting website categories to opt out from, 98% of participants expressed not feeling disrupted, a 40% point increase over the base-line schemes. 83% of participants understood the meaning of GPC. They also made their opt out choices with intent and, thus, in a legally relevant manner. To help people exercise their opt out rights via GPC our results support the adoption of a generalizable active privacy choice interface in web browsers.


INTRODUCTION
Data collection and sharing are central to many companies' business models.People pay with their data for news, videos, and other content on the web.This trade -data for content -has fueled the development of an extensive web tracking ecosystem [46].A study on the frequency and reach of trackers on over 21 million pages of 350,000 unique websites found that 95% contain third party requests to potential trackers and 78% attempt to transfer data elements that are either user identifiers or can be used as such [78].Common tracking techniques include third party cookies [20], browser fingerprinting [55], and tracking pixels [32].Web tracking is generally non-transparent, and people have no effective way of preventing it.New privacy laws aim to change this situation.The General Data Protection Regulation (GDPR) [21] sparked a flurry of privacy lawmaking activity around the world.Stateside, California enacted the California Consumer Privacy Act (CCPA) [9], which was extended by the California Privacy Rights Act (CPRA).Various other states, e.g., Colorado [22], Connecticut [70], Montana [43], Oregon [58], and Texas [44], recently enacted privacy laws as well.
Per the CCPA, California consumers have a right to opt out from the sale and sharing of personal information.In order for an opt out choice to be valid it has to "[c]learly represent a consumer's intent and be free of defaults constraining or presupposing that intent." 1 Similarly, Colorado law prohibits to "adopt a mechanism that is a default setting" but rather requires a mechanism that "clearly represents the consumer's affirmative, freely given, and unambiguous choice to opt out of the processing of personal data." 2Per Connecticut law, consumers need "to make an affirmative, freely given and unambiguous choice." 3 In order to bring opt out rights to life under these and similar laws we need usable privacy choice interfaces that are not reliant on default settings. 4efault settings became a major obstacle for the adoption of Do Not Track (DNT) [75].DNT could be set to one of two statesenabled or disabled -and whichever was set by default resulted in a choice for an individual [19].However, arguably such choice can be at odds with an individual's autonomy and, thus, be irrelevant from a legal perspective.While default settings are based on the premises that there is a choice that fits the majority of people and that real choice is practically infeasible [19], we make the assumptions here that people make their own choices and that the usability problem can be resolved.Thus, we transform the problem of default settings into the problem of designing usable choice interfaces.
Legal compliance and usability are the two main requirements for enabling people to effectively and efficiently opt out.To satisfy the former a privacy choice interface must enable an individual to show their intent by making an active choice, e.g., by clicking on an opt out link.To make an active choice usable in the context of browsing the web, we can generalize an individual's choice.Notably, California, Colorado, Connecticut, Montana, Oregon, and Texas explicitly recognize universal opt outs.Such universal settings aid usability and prevent the plight of cookie banners, which many people just click away without caring about their choices [25].
The principle of generalizable active privacy choice may be applied to different types of privacy choices.Use cases are opting out from web tracking, cookie consent, or app privacy settings.In this paper we focus on opting out from web tracking using Global Privacy Control (GPC) [23].GPC is a privacy preference signal by which web users can transmit an opt out choice to a website mediated by their browser.We see GPC as an important use case as the signal is increasingly adopted in the web ecosystem and enforced by the Office of the California Attorney General [69].We use generalizable active privacy choice to explore the design of graphical user interfaces for opting out with GPC.We make the following contributions: (1) We introduce the principle of generalizable active privacy choice to make privacy choice interfaces usable without default settings.We design and implement nine privacy choice schemes exploring various generalizability dimensions.( §3) (2) Evaluating our schemes in a usability study with 410 participants we observe that generalizability features decrease the perceived level of browsing disruption.98% of the participants of the least disruptive scheme expressed that they did not feel disrupted.( §4 and §5) (3) We provide recommendations for regulators, browser vendors, and publishers.Our results support the integration of a generalizable active privacy choice interface for GPC in the web browser.( §6)

BACKGROUND AND RELATED WORK
Generalizable active privacy choice is based on notice and choice.

Notifying People of their Privacy Choices
Notice and choice is a fundamental building block of many privacy laws around the world.We focus on notice and choice for opting out.If people are not aware of their opt out rights, they would be deprived of exercising them [34,63,65].Notices can be categorized according to various dimensions, e.g., when they are shown or through which channel [62].Short-form notices, which we explore here, are particularly useful when shown in context, e.g., when a website requests location access.Similarly, icons can concisely convey privacy-related information [14,28].Apple and Google now require apps in their app stores to display privacy labels.Such labels have the potential to improve people's understanding and control of apps' privacy practices [79].While some labels were shown to be inaccurate and misleading, especially in less popular apps [39,40], concise privacy notices are a promising approach to raise awareness when displayed in a salient way [18].

Designing Usable Privacy Choice Interfaces
Without usable privacy choice interfaces people's privacy rights would not amount to much.For the usability evaluation of our privacy choice schemes we consider a broad spectrum of factors [25]: user needs and sentiment ( §5.1), effort and ability ( §5.2), awareness, comprehension, and intent ( §5.3), and nudging patterns and decision reversal ( §5.4).With generalizable active privacy choice, we aim to avoid two types of effectively unusable privacy settings, which are at the opposite extremes of the user awareness dimension: (1) hidden privacy settings and (2) excessively shown privacy settings.Hiding privacy settings makes exercising privacy choices akin to a scavenger hunt [14].A recent study demonstrated this difficulty for Do Not Sell links on data broker sites [48].Surfacing a standardized opt out banner in addition to a link would increase user awareness [57,63] However, banners may also negatively impact usability.Cookie banners serve as a cautionary tale [24,25,42]. 5hus, we are interested in evaluating the extent to which banner choices can be generalized to achieve better usability.
People are generally less concerned about tracking on first party sites compared to tracking on third party sites [11].Recent results further suggest that there is value in privacy choice settings distinguishing between website categories [65].Learning people's privacy preferences seems also a good way to reduce the complexity of privacy choices [36,53,64].These findings motivate the design of our privacy choice schemes ( §3.3).Generally, control, or at least the feeling of having control, was shown to increase satisfaction with privacy interfaces [11,35,38,52].On the other hand, inconsistent privacy interface implementations make it confusing and difficult for people to make informed privacy choices [27,45].Thus, it is important to design the schemes based on the mental models of the audience.As people rely on folk models in their comprehension of web tracking [77] and experience expectational mismatches [61], our designs are based on the former and try to avoid the latter.

Avoiding Behavioral Nudges
People should make their choices.Thus, we want to avoid behavioral nudges.The design and architecture of choice interfaces heavily influence people's decisions [71,73].Thus, publishers hold considerable power over access to the data of their users.For example, with simple design changes they can affect the choices of a substantial share of people to consent to the use of cookies [3].Other design changes, such as displaying notifications in the lower left part of the screen, can nudge people towards more interaction [73].Designs with negative framing (e.g., "Deny cookies and degrade your experience on this site") result in significantly lower cookie opt out rates compared to positive framing (e.g., "Accept cookies to improve your experience on this site") [47].A comparison of interface designs showed that people prefer neutral and text-based communications with visual iconography over purely visual designs [29].

Eliminating Dark Patterns
Dark patterns are user interface designs that obstruct an individual's autonomy in the decision-making process.The use of dark patterns and default settings could nudge people away from selecting privacy-protective options [26].Dark patterns can be considered a weaponization of behavioral research to serve the aims of the surveillance economy [54].By exploiting people's cognitive biases [49], online services influence people to purchase goods and subscriptions, spend more time on-site, or accept the harvesting of their data [4,56].While one study found an inverse correlation between dark pattern recognition and likelihood to be influenced, interestingly, study participants' level of awareness did not play a significant role in predicting their ability to resist manipulative designs implying that active interventions are needed to combat dark patterns [4].Thus, regulation should not only require consent but also clarify how this consent has to be obtained to ensure that people can make free and informed choices [74].Helping people to make such choices is the broader goal that we hope to further with generalizable active privacy choice.

Choosing the Right Layer of Abstraction
Participants in our study interacted with a median of 78 unique sites per week.This large number of sites makes site-by-site opt outs generally challenging [48,57].Site-by-site opt outs naturally beget some level of interruption to user activity.Thus, the preferable layer of abstraction for privacy choice interfaces appears to be the platform (e.g., the web browser) and not their individual applications (e.g., the websites) ( §5.1.2).Standardizing privacy choice interfaces in the browser rather than being left to individual sites would also have the advantage of providing a uniform interface to support notification, control, and could help mitigate dark patterns [65].Different from websites, individual mobile app opt outs are more usable due to the lower number of apps people use. 6

The Return of Privacy Preference Signals
Privacy preference signals are digital representations to express if and how people agree to their data being processed [31].As they must be adopted by both senders and recipients, adoption remains an unsolved coordination problem [31].The first major privacy preference signal, the Platform for Privacy Preferences Project (P3P) [15,16], enabled people to delegate privacy choices to user agents that could automatically react to websites' privacy practices bases on the sites' machine-readable privacy policies.Then, DNT [75] was developed as a binary signal for people to express their opt out from tracking per the California Online Privacy Protection Act (CalOPPA) [8].DNT adoption remains low as CalOPPA does not require DNT signal recipients to actually comply with received DNT signals but only to disclose whether they comply. 7ow, an increasing number of new privacy laws makes privacy preference signals a corner stone of their opt out regimes [80].
We focus here on GPC, which is a privacy preference signal developed by a coalition of privacy organizations, publishers, browser vendors, extension developers, and academics for helping people to exercise their Do Not Sell and Do Not Share rights [23,81].The CCPA and various other new privacy laws require certain recipients of GPC signals to respect those as valid opt out expressions. 8hile the privacy choice schemes we implement are evaluated in the context of GPC, they also inform choice implementation for other privacy preference signals and settings more broadly.Privacy preference signals work well in conjunction with the platform-layer abstraction that is preferred for privacy choices.Advanced Data Protection Control (ADPC) is a privacy preference signal similar to P3P and focused on enabling cookie consent and other privacy choices under the GDPR and ePrivacy Directive [1,33].The future will tell if the coexistence of multiple privacy preference signals creates ambiguity as people may transmit more than one signal [30].

Reframing the Default Problem
We start our inquiry with the default problem.Privacy-friendly default settings protect individuals' privacy and personal data more effectively [2].On the other hand, privacy-invasive default settings have a bias towards data sharing [76].Managing privacy online can be complex and often people do not change defaults or use granular privacy settings [76].Thus, default settings -whether privacy-protective or privacy-invasive -may not be representative of a person's intention.A person may not even know of a default setting.This argument forms the basis for why DNT signals are ignored by most sites receiving them, especially, after Microsoft turned on DNT by default on its Internet Explorer 10 [19].Turning on DNT by default had the effect that sites and ad networks were given a reason for ignoring DNT signals, further eroding the already weak legal basis of DNT.However, any solution that does not rely on defaults has to contend with the resulting usability challenges.The default problem becomes a usability problem.

ACTIVITY AND GENERALIZABILITY
Various privacy laws require people to make their privacy choices generally without relying on default settings. 9People must actively engage in a choice ( §3.1).This requirement creates usability challenges, especially, when it comes to site-by-site opt outs [48,57].Thus, a choice for one site should be generalizable towards a larger set of sites ( §3.2).

Making Active Choices
Making an active privacy choice indicates people's intent to change their privacy settings.While the activity does not necessarily need to express their intent explicitly, it must allow for its inference.For example, if people turn on universal opt out controls in their browsers instead of setting opt out choices for each individual site they visit, it can be inferred that they want to opt out from all sites they visit.Similarly, if people are aware of a particular privacy feature in a browser and how to change it, it can be inferred that they want to use it when they use the browser, even if the feature is turned on by default.This idea of an implicit act that allows the inference of intent towards a particular privacy choice is expressed in the CCPA [68]: "The consumer exercises their choice by affirmatively choosing the privacy control [...] including when utilizing privacy-by-design products or services."It is a further dimension of active choice whether people make a prompted or an unprompted choice: • Install Time Prompts: People can make a choice at install time, for example, during the setup of a new browser indicating their general choice for all websites they visit in the future.
• Run Time Prompts: People can make a choice at run time, for example, in a browser at the time of visiting an individual website and being prompted for their choice on that site.• Unprompted Settings: People can access their privacy settings at any time and make their choices.

Generalizability of Choices
Once a user has made a privacy choice, it can be generalized along multiple dimensions.
3.2.1 Vertical and Horizontal Generalizability.Vertical generalizability refers to the layer of abstraction in terms of its depth.For example, a privacy choice can be generalized from the operating system layer to the application layer so that one choice covers multiple applications.On the other hand, horizontal generalizability refers to the breadth of a privacy choice within a layer of abstraction.For example, a privacy choice can be generalized in a web browser from one site to a larger set of sites.Settings based on horizontal generalizability can have breadth across browsers on different devices.Cookie consent fatigue, as a consequence of the deluge of cookie banners on websites [12], could be addressed with horizontal generalizability.We focus our inquiry here on horizontal generalizability.
3.2.2Direct and Indirect Generalizability.Direct generalizability means that people can generalize privacy choices explicitly.For example, a browser could ask people to make their privacy choices for one site with an option to apply their choices towards all future sites they visit.Indirect generalizability, on the other hand, refers to privacy choices that are not directly generalized from people's choices.For example, a browser could ask people to select categories of websites from which they want to opt out.Then, if a visited site belongs to one of the selected categories, people would be opted out from tracking on that site.Another example of indirect generalizability would be the use of an automated agent that makes privacy choices for an individual based on learned preferences from the individual's previous choices.

Generalizability and Individualizability
. Generalizability of a privacy choice is based on the idea of deepening or broadening the initial scope of a choice towards a larger set of choices.The opposite of a generalizable privacy choice is an individualizable privacy choice.Individualizability means to establish a general rule first and later add exceptions to it for a smaller set of privacy choices.For example, people could universally opt out from all sites they visit and then refine their opt out to exclude certain sites, in other words, individualize certain sites on which they want to remain opted in.They could also do the opposite: opt in generally and opt out for certain sites.
3.2.4Usability beyond Generalizability.We find that generalizability can improve usability ( §5).However, generalizability of a privacy choice is not a sufficient condition to achieve maximum usability.Additional usability considerations may be required.There may be also counteracting factors that reduce the effectiveness of a generalizable privacy choice design.Generalizability is not a comprehensive solution that, once implemented, solves all usability problems.Rather, it is one design principle that can be applied together with others.

Privacy Choice Schemes
We study how various dimensions of active choice and generalizability impact the usability of GPC.To that end, we designed a set of privacy choice schemes (schemes), which implement various active choice and generalizability features, in a browser extension that sends GPC signals based on people's choices. 10Our set of schemes is not meant to be comprehensive but rather representative of core dimensions of generalizable active privacy choice.The user interface for each of our schemes is shown in Appendix A. 3.
The schemes we designed and evaluated are the following: • SB-Base: Baseline scheme with opt out banner.Participants are prompted for a choice via an opt out banner on each new site they visit.SB-Base requires from participants the highest level of activity among all our schemes.It does not have any generalizability feature and, thus, serves as the base treatment in our evaluation. 11• S0-Snooze: Extended baseline scheme with opt out banner and snooze feature.Participants are prompted for a choice via an opt out banner on each new site they visit.They can snooze the banner for 12 hours a time, during which no GPC signals are sent to newly visited sites.The snooze feature is not a generalizability feature.Rather, it is used here to study the extent to which participants intentionally made an opt out choice as opposed to just clicking away the opt out banners they were presented without caring about their choices ( §5.3). 12• S1-Apply-all: Banner scheme with apply-all feature.Participants are prompted for a choice via an opt out banner on each new site they visit with the addition of an apply-all feature.This feature allows participants to generalize their choice for the current site at any time towards all future sites they visit.The apply-all feature in S1-Apply-all is one possible implementation of direct, horizontal generalizability.• S2-Snooze+Apply-all: Banner scheme with apply-all and snooze features.This scheme is a combination of S0-Snooze and S1-Applyall.The opt out banner contains both the apply-all as well as snooze features to compare the relative effect of each as well as participants' intent to opt out.• S3-Profile: Privacy profile category scheme.Participants are prompted at install time to choose a privacy profile: high, medium, or low privacy-sensitivity.For the high and low privacy-sensitivity profiles the extension opted participants out of data sharing on all and no sites, respectively.Medium privacy-sensitivity opted participants out on sites whose domain was included in the Disconnect Tracker Protection lists [17].S3-Profile is a form of indirect, horizontal generalizability utilizing profiles as abstraction layer for determining opt out choices.• S4-Website: Website category scheme.Participants are prompted at install time to select website categories that they would like to opt out from.Their choices will determine from which sites they will be opted out.S4-Website also makes use of indirect, horizontal generalizability, although, in a more granular form than S3-Profile.Website categories are based on Disconnect's Tracker Protection lists [17].• S5-Learn: Learning scheme.Participants are prompted for a choice via an opt out banner on the first ten new sites they visit.
Their choices are then used to learn the privacy profile per S3-Profile that best matches their choices, which they were then told.
Participants were assigned profiles depending on their number of opt outs on the initial ten sites: eight or more opt outs lead to high privacy-sensitivity, four to seven opt outs to medium privacysensitivity, three or fewer opt outs to low privacy-sensitivity.The learning feature of S5-Learn allowed us to investigate indirect, horizontal generalizability in the form of an agent.Setting the learning threshold at ten sites is intended to balance accuracy, dependent on the number of choices to extrapolate from, and keeping the learning period short.Higher thresholds run the risk that participants visiting only a small set of sites would leave the learning period only late in the study.• S6-Universal: Universal category scheme.S6-Universal is the simplest of all schemes we study.Participants are prompted at install time whether they would like to opt out from all sites they visit or not.They may change this universal preference through the settings page.S6-Universal represents the most extreme form of indirect, horizontal generalizability.It also allows us to explore individualizability in that participants can exempt individual sites from their general choice if they wish to do so.• S7-Data: Data category scheme.Participants are prompted at install time to select the categories of data that should not be shared or sold.S7-Data is distinct from S3-Profile and S4-Website in that it lets us evaluate indirect, horizontal generalizability as it occurs along the dimension of disclosed data categories.
For all schemes except S7-Data participants could also adjust their opt out settings for each domain individually via a domain list (Appendix A.3, Figure 19).As participants browsed, each visited first party domain was appended to the domain list, on which participants could change whether it should receive GPC signals.For S5-Learn, the domain list feature became available after the learning period was finished.Schemes SB-Base, S0-Snooze, S1-Apply-all, and S2-Snooze+Apply-all required participants to make at least one of their privacy choices on an individual site via a choice banner (banner schemes, as shown in Appendix A.3, Figure 13).Schemes S3-Profile, S4-Website, S6-Universal, and S7-Data immediately generalized privacy choices based on categories (category schemes, as shown in Appendix A. 3,Figures 14,15,17,and 18).S5-Learn is a mixed banner-category scheme as participants were shown opt out banners during the learning period and assigned a privacy profile afterwards (Appendix A.3, Figure 16).
The design space for the set of privacy choice schemes we cover here is motivated by existing real-world challenges.Currently, GPC is only available in browsers' and extensions' settings menus rather than being surfaced via choice prompts upon site visits or at installation time.GPC is further only available for a limited set of browsers and extensions.There, consequently, exists an imperative to find usable choice interfaces.SB-Base and S6-Universal are extensions of current opt out interfaces on websites with opt out links and browsers that support DNT, respectively.S3-Profile, S4-Website, and S7-Data are motivated by the notion that opt out interfaces should not be all-or-nothing choices but rather allow for more nuanced choices.As people may not want to make lots of individual choices, S1-Apply-all and S5-Learn provide an exploration into reducing choices made by directly asking people and, in case of S5-Learn, supplementing people's choices with choices by an automated agent.S0-Snooze and S2-Snooze+Apply-all are motivated by banner fatigue and used here to evaluate participants' intent to opt out.

Use Cases
We are evaluating generalizable active privacy choice in the context of opting out from web tracking via GPC.However, many other use cases exist.First, other privacy preference signals could make use of generalizable active privacy choice.Given the prevailing cookie banner fatigue, it could also be used for cookie consent interfaces.Cookie banner opt outs do not allow people to generalize their choices beyond the site on which they make their choices.Another use case could be to withdraw consent or object to processing of personal data per the GDPR.For example, the objection to processing of personal data for direct marketing purposes could be generalized. 13Setting browser permissions, for example, whether to allow sites access to an individual's location, use of the microphone, or video could be another use case.

EXPERIMENTAL SETUP
We evaluated generalizable active privacy choice in a usability study with 410 participants.To that end, we implemented the nine schemes -SB-Base to S7-Data -in a browser extension for Google Chrome and other Chromium-based browsers. 14

GPC Privacy Choice Browser Extension
We used our extension to inject opt out banners, settings, and other scheme features into the browsers and websites that our study participants used and visited.In conjunction with a backend database our extension collected participants' browsing history as well as the following extension interaction data: • Site Interaction History covers privacy choices made via GPC privacy choice banners on SB-Base, S0-Snooze, S1-Apply-all, S2-Snooze+Apply-all, and S5-Learn.It also covers any individual site choices made using the domain list, which was available for all schemes except for S7-Data.
• Privacy Configuration Interaction History covers the privacy choices participants made in S3-Profile to S7-Data, e.g., for S3-Profile, the initial privacy profile and any later modifications.• Snooze Interaction History covers schemes with a snooze button, i.e., S0-Snooze and S2-Snooze+Apply-all.It recorded when participants chose to use the snooze button. 15n order to evaluate the usability of the different schemes in a uniform manner we kept the language and user interface design uniform unless a scheme inherently required a deviation, e.g., S0-Snooze and S2-Snooze+Apply-all required a snooze button while the remaining schemes did not.We also aimed to keep the language in all schemes uniform and neutral to avoid nudging participants to make a particular privacy choice.For example, the choice banner uses "Opt in" and "Opt out" instead of "Yes" and "No" with regard to allowing tracking because the latter tends to elicit "Yes" answers as most people prefer to agree [41].

Study Procedure and Eligibility Criteria
We recruited participants for our study on the crowd-working platform Prolific [60].Our study consisted of three parts: (1) a signup survey, (2) browser extension use, and (3) an exit survey.Upon sign-up we informed participants of who we are and how they could contact us.We explained that the purpose of our study is to find out whether people understand what GPC is and how they would use it.We provided participants a complete list of data categories we would collect from them.We explained that the data would be stored at our institution and its service providers using current best practices, that it would not be disclosed except in aggregate form, and that we would retain a copy after the study for recordkeeping purposes.We informed participants that they could have a particular piece of data deleted at any time and withdraw from our study at any time for any reason.We received approval for our study from our institution's IRB.Prolific also confirmed that our planned study complied with their policies.
The eligibility criteria to participate in our study were: (1) use of a Chromium browser as default browser on a laptop or desktop computer, (2) US residency, (3) fluency in English, (4) 100% approval rate for previous tasks on Prolific, (5) completion of at least 30 previous tasks on Prolific, and (6) a minimum age of 18 years.To ensure that criteria (2) -( 6) were met we relied on the information provided by Prolific.For each participant, Prolific also provided demographic data.We initially signed up around 65 participants per scheme.We later excluded participants from our dataset if they did not follow our instructions, including if they did not install our browser extension, we did not receive sufficient browsing data, or they did not participate in our exit survey.
We asked participants to install our browser extension citing our purpose as studying the usability of a new privacy feature in web browsers called Global Privacy Control (GPC).Participants installed our extension via the Chrome Web Store using an activation password we provided during sign-up, which we used to prevent non-participants from interfering with the study.Upon installation, participants received an explanation of GPC.Participants were also prompted for their Prolific IDs, which are pseudonyms by which we identified participants.We used the Prolific ID to associate each participant's browsing data with their answers to the exit survey, where we also asked for this ID.For schemes with an initial privacy choice configuration, e.g., S3-Profile, participants were prompted to set their configuration.Once we started receiving data, we informed each participant via a message on Prolific that the extension was properly configured and that they should browse the web as usual for a week.
Our extension sent the interaction data from each participant to a Firestore database.The inflow of data was monitored daily.We inquired with participants who had insufficient browsing activity and prompted them, as necessary, to make normal use of their browser.If a participant had less than thirty browsing entries within the first three days of the study, we contacted the participant on the fourth day via a Prolific message.If we did not receive a response or the lack of activity continued, we did not include the participant's data in the dataset.Participants whose data we included in the dataset had our extension running for a median of 7.1 days with a standard deviation of 2.2 days.
We collected data one scheme at a time.After finishing the data collection for a scheme, we gave participants of that scheme a week to fill out an exit survey in which we asked them for their opinions on web privacy and the usability of their opt out experience.The survey questions were the same for participants across all nine schemes. 17Participants spent a median of eight minutes completing the exit survey.We included an attention-check question that was correctly answered by 410 participants.We excluded from our dataset the data of one participant who answered the attention-check question incorrectly.Each participant could only participate once.For their participation we paid each participant $10, the amount recommended by Prolific for our study.

Sample Representativeness
Our participant sample is partially representative of the US population as to participant demographics and technologies used. 1) to the 2020 American Community Survey and Census data [5,7], we find our sample to be largely representative of the US population in terms of student status and sex.Regarding ethnicity, however, we observe differences: Black participants (sample 9%; population Table 2: Schemes and their features.Study participants who were assigned the baseline scheme -SB-Base -were prompted for their GPC choice via a banner on every new website they visited.S0-Snooze is our extended baseline scheme that allowed participants to snooze banners for 12 hours a time.All other schemes tested various types of active choices ( §3.1) and their generalizability ( §3.2).All schemes, except S7-Data, allowed participants to make GPC choices for individual sites via a domain list on the settings page.For S1-Apply-all and S2-Snooze+Apply-all the domain list also had an apply-all feature.Features not available for a scheme are denoted by an x.

Technologies.
Comparing our participant sample to data provided by Statcounter [66,67]), an online analytics resource, we note that our sample skews towards a larger share of Windows participants (sample 75%; population 66% [67]) and a smaller share of macOS participants (sample 19%; population 25% [67]).Further, as participation in our study was restricted to participants running a Chromium-based browser on a laptop or desktop computer as their default browser ( §4.2) most participants were using the Chrome browser.In fact, the percentage was even higher than Chrome's market share among Chromium-based browsers (sample 90%; population 81% [66]), in particular, at the expense of the underrepresented Edge browser (sample 5%; population 19% [66]). 18 Interestingly, the share of participants using Brave (5%) significantly exceeded the browser's market share, for which Statcounter does not provide a figure due to its small user base.We note a high degree of diversity in each participant's browsing history.Overall, participants visited a median of 78 unique sites per week, and 90% visited at least 20 unique sites.Participant activity along this metric did not differ substantially across schemes. 19

Limitations
Our study is subject to various limitations.While we believe that our findings provide an indicator for how people would perceive the different schemes we discuss here, our participant sample is relatively small and not fully representative of the US population in terms of demographics and technology use.Further, the participants in our sample may be less privacy-conscious than the average person on the web as it was a condition for participating in our study to allow the collection of browsing history and other data.On the other hand, the outsized prevalence of Brave, as a privacy-protective 18 The percentages for each browser are adjusted in relation to its market share among Chromium-based browsers. 19A detailed breakdown of participant browsing statistics can be found in Appendix A.4.
browser, may be an indicator that at least 5% participants in our sample care about online privacy.In any case, the privacy leanings of our participants one way or the other could have influenced the study results.It should also be noted that our usability study is focused on the user interface interactions with the schemes and not on the effects of opting out, such as seeing generic vs personalized as.As GPC is not yet broadly adopted by sites and its enforcement is in its initial stages, participants' choices did not affect their browsing experience in a major way.Our explanation of GPC upon extension installation also noted that whether or not a site respects GPC depends on local law.While we do not have any evidence that participants' behavior could have been influenced by residing in a state that has not yet adopted GPC, we cannot exclude it.If residency affected participants' behavior, we would expect such behavior to be distributed equally across schemes.
Finally, our implementation of S7-Data does not send GPC signals because it would require detecting which data categories sites are sharing.Such detection goes beyond our work here.20S7-Data were made aware that their extension would not send GPC signals.However, since the sending of GPC signals is not transparent, the user interface is the same independently of whether GPC signals are sent or not.Indeed, when asked in the exit survey about the confidence with which participants felt that their opt out choices were honored, there was no statistically significant difference between the answer distribution of S7-Data participants and those of all other schemes.This result suggests that cases of GPC being non-functional impacted neither participants' perception of GPC nor their browsing behavior to a meaningful extent.

USABILITY EVALUATION
At the core of our inquiry stands the development of a usable GPC privacy choice interface for the web that does not rely on default settings.Thus, we evaluate how active choices on one site can be generalized towards larger sets of sites in a usable way.Our evaluation is based on (1) browsing history and extension interaction data collected from our study participants' use of our browser extension and (2) their responses in our exit survey. 21Table 2 shows the schemes and their features that we implemented in our browser extension.For our usability evaluation we consider a broad spectrum of factors [25]: user needs and sentiment ( §5.1), effort and ability ( §5.2), awareness, comprehension, and intent ( §5.3), and nudging patterns and decision reversal ( §5.4).

User Needs and Sentiment
Many people would like to have more control over what marketers can learn about them online [72].Indeed, 74% of participants in our study agreed or strongly agreed that they do not have control over their data when they browse the web (Figure 1).The perceived lack of and desire for more control motivate the need for an efficient and effective privacy choice interface.To that end, our results suggest that generalizability slightly decreases opt out utility ( §5.1.1)but increases opt out efficiency ( §5.1.2) and makes opting out less disruptive ( §5.1.3),which is more important to many participants than opt out utility ( §5.1.4).

Generalizability Decreased
Opt out Utility Slightly.Overall, participants across schemes expressed that they could make their opt out choices the way they wanted (Figure 2).However, we do observe statistical variation between schemes overall (Kruskal-Wallis test, p≈.00033).In particular, there are significant differences (Corrected Dunn test, p<.05) for individual pairwise comparisons between the distributions of our baseline schemes, which do not include any generalizability features, and schemes that include such. 22Most notably, there are significant differences between SB-Base, and, individually, S2-Snooze+Apply-all and S6-Universal as well as between S0-Snooze and, individually, S2-Snooze+Apply-all, S3-Profile, S4-Website, S5-Learn, and S6-Universal. 23Participants who were assigned a baseline scheme have a higher rate of strong agreement on being able to making their choices the way they wanted.This finding is plausible as these schemes leave less room for mental and temporal disconnect.They required participants to 21 A detailed list of all data categories collected from participants is shown in Appendix A.1.The complete set of survey questions is shown in Appendix A. 2.  22 For all pairwise comparisons between the nine schemes in this paper, we use the post-hoc Dunn test and apply the Benjamini-Hochberg correction for multiple testing.The Benjamini-Hochberg correction was designed to reduce the high false discovery rate, that is, the chance of a rejected null hypothesis being a false positive, associated with doing many comparisons in sequence [51].Applying the Benjamini-Hochberg correction generally produces more stringent p-values and fewer null hypothesis rejections. 23The full set of p-values, corrected and uncorrected, is shown in Appendix A.5, Table 3.
Figure 2: SB-Base, S0-Snooze and S1-Apply-all have relatively higher rates of participants who strongly agreed that they could make their choices the way they wanted.However, the differences are a matter of degree as most participants across schemes agreed or strongly agreed that they could make their opt out choices the way they wanted.
Figure 3: Participants' GPC privacy choices in schemes with direct generalizability compared to the baseline schemes.The latter required participants to make choices for individual sites.S0-Snooze participants could also snooze banners for 12 hours a time.Sites without privacy choices being made are sites for which participants snoozed the banner or sites they were visiting for the first time without the apply-all or universal choice enabled, in which case we had not yet recorded their choice.make their privacy choices for the individual sites they visited at the time they visited them.
Comparable to our baseline schemes -SB-Base and S0-Snooze -S1-Apply-all also exhibits a higher rate of strong agreement among participants on being able to make their opt out choices the way they wanted.While this higher rate is not statistically significant, the trend towards strong agreement in all three schemes is noticeable.A possible explanation could be that all three schemes are perceived similarly due to their nature as banner schemes.All of them require an individual choice unless the snooze (S0-Snooze) or apply-all (S1-Apply-all) features are used.Interestingly, the fourth banner scheme -S2-Snooze+Apply-all -does not exhibit the trend of  strong agreement.Perhaps, the combined impact of the snooze and apply-all features aligns S2-Snooze+Apply-all with the trend we see for the other schemes with generalizability features.The perceived level of disruption is lower for schemes with generalizability features than for baseline schemes and, in a less pronounced trend, for banner schemes overall.For the least disruptive scheme -S4-Website -98% participants reported that they did not feel disrupted, a 40% point increase over the baseline schemes.
5.1.2Generalizability Increased Opt out Efficiency.When given the option to generalize their privacy choices directly, S1-Apply-all participants made use of it for 67% of their choices, S2-Snooze+Apply-all participants for 75% of their choices, and S6-Universal participants for 70% of their choices (Figure 3).Despite the lack of generalizability features, we observe the same opt out trend for SB-Base.The majority of SB-Base participants opted out on most sites they visited.Specifically, 77% of SB-Base participants chose to enable GPC on 80% or more sites they visited (Figure 4).Thus, instead of requiring them to opt out on every new site individually, a scheme with generalizable choices would have been more efficient for most SB-Base participants.Medians of 6 banner interactions for S1-Applyall participants and 5 for S2-Snooze+Apply-all participants compare favorably to the 76 for SB-Base participants (Figure 5).
Providing generalizability features does not mean that there is no room for fine-grained privacy choices -quite the contrary.A domain list to fine-tune privacy choices was of value to a significant minority of participants and complemented their use of generalizability features.Depending on the scheme, between 2% and 33% of participants made privacy choices for a median of 1 to 10 individual sites using the domain list.While participants rarely used individual choice features broadly unless they had to, such features can prove useful to add nuance to the overall choice configuration.Providing individualizability features in addition to generalizability features does not increase the level of browsing disruption as people can also choose to not use them.

Generalizability Made
Opting Out Less Disruptive.The degree of agreement on the disruption of normal browser use is scheme-dependent and statistically significant (Kruskal-Wallis test, p<.001).Overall, participants perceived schemes with generalizability features as less disruptive when compared to baseline schemes.Figure 6 shows participants' exit survey responses when asked about the level of disruption they experienced.In particular, participants found schemes with indirect generalizability -S3-Profile, S4-Website, and S7-Data -to be the least disruptive.This result is plausible because participants assigned those schemes only needed to make an initial choice while further interactions, for example, privacy profile changes or manual fine-grained choices at the site-level via the domain list, were entirely optional.
Interestingly S5-Learn, a scheme that features indirect generalizability, differs significantly from each of the other schemes that feature indirect generalizability (Corrected Dunn test, p<.05). 24This result is especially noteworthy as the only difference between the S3-Profile and S5-Learn schemes is the learning period.This period is the only time when S5-Learn participants could not generalize their choices.It lasted a scant median of 7.85 hours per participant out of the week-long study period.However, it could be that requiring participants to interact with choice banners for this period led to an increase in perceived browsing disruption and superseded the non-disruptive nature of indirect generalizability.
Participants experienced schemes without generalizability -SB-Base and S0-Snooze -as the most disruptive.A statistically significant difference (Corrected Dunn test, p<.05) exists between the distributions of each of SB-Base and S0-Snooze and, individually, S2-Snooze+Apply-all, S3-Profile, S4-Website, S6-Universal, and S7-Data.The S1-Apply-all scheme was also perceived as relatively disruptive.A statistically significant difference (Corrected Dunn test, p<.05) exists between the distributions of S1-Apply-all and, individually, S2-Snooze+Apply-all, S3-Profile, S4-Website, and S7-Data.Thus, banner schemes are generally perceived as more disruptive than category schemes.Despite being a banner scheme, S2-Snooze+Apply-all was 24 The full set of p-values, corrected and uncorrected, is shown in Appendix A.5, Table 4. perceived as less disruptive when compared to S1-Apply-all.A reason could be the increased disruption-reducing feature usage.While usage rates for the apply-all feature in both schemes did not differ with 79% each (Figure 5), 91% of participants in S2-Snooze+Apply-all made use of either the snooze or apply-all feature.

Less Disruption Was More Important than Opt out Utility.
While participants assigned to schemes with generalizability features were less likely to strongly agree with the statement "I was able to make my opt out choices the way I wanted" (Figure 2), they were more likely to strongly disagree with the statement "My normal use of the browser was disrupted by the opt out interface" (Figure 6).These diverging relationships can be illustrated through linear regression models (Figure 7).The presence of a generalizability feature in a scheme significantly decreased the expected browsing disruption experienced by the participants of the scheme.At the same time, these schemes had lower predicted responses as to their utility.However, the presence of generalizability features decreased the likelihood that participants would suggest improvements.Thus, it appears that participants found it generally more important to have less browsing disruption than engaging more deeply with the opt out choices.
The preference for making use of generalizability features instead of accepting browsing disruption can be witnessed in the significant disparity in median feature uses between schemes SB-Base and S1-Apply-all (Figure 5).Apart from the generalizability feature both schemes are identical.However, while SB-Base participants made a median of 76 individual site choices, S1-Apply-all participants only made 6 opting to generalize their choices instead.Only 21% of participants across the two schemes with apply-all feature -S1-Apply-all and S2-Snooze+Apply-all -chose to exclusively make their privacy choices via banners.68% used the apply-all feature to make their privacy choices on more than 80% of the domains they visited.Thus, while a number of participants seem to value making specific adjustments to their GPC settings, more preferred an overall less disruptive experience by generalizing their choices.

Effort and Ability
Generally, banner schemes -SB-Base, S0-Snooze, S1-Apply-all, and S2-Snooze+Apply-all -required more interactions than category schemes -S3-Profile, S4-Website, S6-Universal, and S7-Data.Scheme SB-Base had the highest interaction rate by far (Appendix A.4, Figure 21).Participants had to make a privacy choice every time they visited a new site.This rate decreased in S0-Snooze as participants had the option to snooze banners for 12 hours a time.It dropped even more substantially in S1-Apply-all and S2-Snooze+Apply-all as participants had the apply-all feature available.Category schemes, on the other hand, required only minimal interactions.
Independently of their scheme assignment, most participants tolerated the effort that their assigned scheme required from them to make their opt out choices.In our exit survey participants across all schemes generally expressed that it did not take them a lot of effort to opt out (Figure 8).Across schemes, 87% disagreed or strongly disagreed that it took them a lot of effort to opt out.This result does not necessarily mean that all schemes had parity in terms of invested effort.Participants were asked to rate their experience against a threshold of "a lot of effort."The question did not ask participants to compare effort.However, our results suggest that generally people would not feel overburdened by making their opt out choices via any of the discussed schemes.

Awareness, Comprehension, and Intent
We evaluated how well participants understood their assigned schemes and the features they used.A majority of participants across schemes expressed that they did not need the help of a technical person (Figure 9).Most expressed confidence in their comprehension (Figure 10).These measures remain relatively similar across schemes indicating that participants were also able to comprehend the more abstract schemes that implement indirect generalizability, such as S4-Website.In their improvement suggestions some participants expressed a desire for an indicator that the choice mechanism is actively working.24% of all participants across schemes suggested in their responses to Q15 or Q31 that  more transparency or clarity would have improved their opt out experience.These responses suggest that ensuring people are aware of not just the features at their disposal but also of their activity could aid in enhancing confidence in privacy choice interfaces.
A lack of participants' awareness or understanding of their privacy choices could undermine their legal validity.When they installed our browser extension, we presented all participants with a standardized explanation of GPC. 25 In the exit survey we showed them this explanation again to evaluate their understanding of GPC.Our results indicate that the majority of participants understood GPC.We found no statistically significant differences between schemes.84% of the 410 participants across all schemes provided the correct answer to a multiple choice question that sending GPC signals under California law would prevent the selling and sharing of data, yet, would still allow first party data collection and advertising (Figure 11, Q13).The correct answer to the question was rephrased to not resemble the GPC explanation we showed participants earlier.The correct responses to the multiple choice question were confirmed by an 83% rate of participants' correct free-form responses to the question of explaining GPC in their own words (Figure 11, Q14).
A closer look at the snooze feature usage also indicates that it was the intent of most participants to express a privacy choice as opposed to just getting rid of the choice banner.57% of participants assigned the S0-Snooze scheme made use of the snooze feature (Figure 5).However, the snooze rate for participants assigned the S2-Snooze+Apply-all scheme was only 21% while 79% of S2-Snooze+Apply-all participants made use of the apply-all feature instead.This rate is the same at which participants in S1-Apply-all -who did not have the snooze feature available -made use of the apply-all feature.This result suggests that participants actually meant to make a legally effective privacy choice using the apply-all feature.2652% agreed or strongly agreed with feeling confident that their opt out choices were honored (Q22).

Nudging Patterns and Decision Reversal
Privacy choice interfaces should be as neutral as possible.A neutral design supports the legal validity of people's choices as it would not be subject to the objection of nudging them towards a choice they otherwise would not make.Thus, we phrased our explanation of GPC as well as any other user interface language as neutral as possible. 27We also kept buttons for enabling and disabling GPC in the same size and in the same style.We then asked participants in our exit survey whether they felt pushed towards opting out.To counter the natural tendency of answering in the affirmative [41] we asked the question such that participants had to disagree with the statement "I felt pushed towards opting out."79% of the participants disagreed or strongly disagreed suggesting that privacy choice interfaces can be designed such that people do not feel nudged (Figure 12).Participants' sense of not being nudged appears consistent across schemes as we could not establish statistically significant differences between them.
Participants across schemes generally felt that they were able to correct errors with ease as well as to change their opt out choices without much difficulty.For the former, 60% of participants cited not encountering any errors.27% agreed or strongly agreed that they were able to correct errors with ease (Q26).Likewise, 37% of participants disagreed or strongly disagreed when asked if they found it difficult to change their opt out choices, with another 40% reporting not having had the need to make any changes (Q27).

DISCUSSION
To help people exercising their opt out rights we have three recommendations: regulators should require publishers to honor GPC signals sent via a generalizable active privacy choice interface ( §6.1), browser vendors should integrate GPC in their browsers via a generalizable active privacy choice interface ( §6.2), and publishers should honor opt outs via GPC ( §6.3).

Regulators Should Require Publishers to
Honor GPC Signals Sent via a Generalizable Active Privacy Choice Interface A majority of study participants expressed a lack of control over who is receiving their data (Figure 1).People want more control [72].
The right to opt out is important for control because it prevents data from entering the online ad ecosystem in the first place.Once it does, data will be disseminated downstream to ad networks and other third parties becoming more difficult to control.Thus, data breaches, data misuses, and other types of data violations can be reduced by broadening the availability of opt out rights and making choice interfaces easier to use.However, given an opt out regime, there are usability challenges to facilitate choice without default settings.
To help people make their choices as efficiently and effectively as possible regulators should require publishers to honor GPC signals sent via a generalizable active privacy choice interface.
As our results demonstrate, GPC signals can be attributed legal meaning.By sending GPC signals the majority of participants understood what they were declaring to the sites they visited ( §5.3).They understood that -to the extent recognized by their jurisdiction -sending a GPC signal would prevent a site from selling and sharing their data while it would still be allowed to collect data and advertise to them.There was no statistically significant difference between schemes.Comparing the usage rates of the snooze and apply-all features further indicates that participants generally had the intention to opt out when they turned on GPC as opposed to just silencing the choice banner.They did not feel pushed either; the decision to opt out was theirs ( §5.4).
Our results further indicate that most participants across schemes would opt out from most sites they visit.This is true independently of whether they made individual site-by-site choices in the baseline schemes or generalized their choices in schemes with generalizability features (Figures 3 and 4).In both groups most participants opted out on most sites.When available, many participants made use of generalizability features (Figure 5).Thus, instead of requiring people to opt out on sites individually, generalizable active privacy choice would provide a more efficient opt out basis for most people.Generalizability features allowed most participants to arrive at their final opt out configuration with fewer interactions and less friction ( §5.1.2).A supplemental domain list would still allow people to make more fine-grained choices, if they so desire.
People should be allowed to opt out by selecting and using privacy-protective technologies, for example, a browser that is marketed with privacy features.As recognized by California law [68], the selection and use of such privacy-protective technologies are indicators that an individual wants to opt out, unless known otherwise.Thus, if people are notified that GPC is being turned on by default, and it is explained how they can adjust their setting, for example, by a prompt at install time, it is clear that they want to use GPC.This situation is similar to the S6-Universal scheme.People are made aware of a browser's GPC setting and by using the browser they confirm that they are intending to send GPC signals accordingly.

Browser Vendors Should Integrate GPC in their Browsers via a Generalizable Active Privacy Choice Interface
Regulators are responsible for determining whether GPC signals are considered valid opt outs.They also provide the broad interface requirements, e.g., whether choices can be generalized.Browser vendors, on the other hand, are responsible for designing and implementing the interfaces for their browsers per those requirements.Generalizability features for GPC should be implemented at the browser-layer and not at the site-layer because the former provides horizontal generalizability.Standardizing privacy choice interfaces in the browser rather than being left to individual sites would have the advantage of providing a uniform interface to support notification, control, and mitigating dark patterns [65].
Our results do not point to a winning scheme.All schemes had high levels of utility (Figure 2) and tolerable browsing disruption (Figure 6).A substantial percentage of participants was willing to engage with opt out banners confirming previous results [57].While prompting participants for their choice at runtime and in the context of a site visit slightly increased opt out utility rates ( §5.1.1),decreasing the level of browsing disruption, which was achieved to the greatest degree by bannerless schemes with indirect generalizability ( §5.1.3),seems more important ( §5.1.4).Thus, the implementation of an indirect scheme is preferable.
Browser vendors could implement a scheme like S6-Universal at browser install time.They should consider the trade-off between disruption and utility for their user base.The level of non-intrusiveness of a generalizability feature deserves the highest priority in making this trade-off.If browser vendors are concerned about browsing disruption, they could describe its GPC setting on its download page or via prompts at install time.To ensure that people understand what they are declaring browsers should display an explanation of GPC.While they should ensure the usability of their GPC interface, browser vendors do not need to concern themselves with the applicability or meaning of GPC as the browser is just the conduit of the signal [23].It would be sufficient to explain that turning on GPC will have the effect of opting out the user to the extent GPC signal recipients are required to honor it under applicable law. 28  28 The GPC explanation is shown in Appendix A.2 and is based on earlier work [81].
Browser vendors should also consider that integrating GPC can have an impact on the fingerprinting surface of their browser.However, as GPC is a binary setting, the impact will be small and can be mitigated by turning on GPC by default for privacy-protective browsers.

Publishers Should Honor Opt Outs via GPC
Sites should be able to identify GPC signals and pass them downstream to the third party sites they integrate.Consent management platforms provide key-turn implementations that can help with these tasks.As a number of participants expressed a desire for an indication that the choice mechanism is actively working ( §5.3), it would be helpful to implement GPC's .well-knownresource or another feedback mechanism to notify people that a site is compliant with GPC [23].We urge publishers that rely on targeted ads to redefine their business models and embrace the future of privacypreserving ad serving.As previous work has shown [81], many people are fine with ads as long as they are not privacy-invasive.But change requires initiative on part of the publishers.

CONCLUSIONS
Increasingly, privacy laws in the US provide people a right to opt out.However, these laws require an intentional choice and generally prohibit opt out settings being turned on by default.Generalizable active privacy choice is an interface design principle for mitigating the usability challenges originating from this legal requirement.Its premises are (1) an active privacy choice that (2) can be generalized towards a larger set of choices.To help people exercising their opt out rights on the web our results support its adoption in form of a browser-layer interface in combination with GPC.As GPC adoption increases it would be interesting to study the real-world deployment of GPC interfaces, how they explain GPC, and how people's experience of the web changes depending on their choices.A more fundamental inquiry would be a critical examination of the choice regime in the US.After all, we currently do not allow opting out by default but permit a de-facto opt in by default, which seems not what most people want.

ACKNOWLEDGMENTS
We kindly thank our anonymous shepherd and reviewers for their valuable feedback.Their work helped us to develop our arguments and make this paper better.We are grateful to the Alfred P. Sloan Foundation (Program in Universal Access to Knowledge) and to the National Science Foundation (Award #2055196) for their support of this research.We also thank Wesleyan University, its Department of Mathematics and Computer Science, and the Anil Fernando Endowment for their additional support.This work would surely not have been possible without our collaborators in the GPC coalition.Conclusions reached or positions taken are our own and not necessarily those of our financial supporters, its trustees, officers, or staff.In loving memory of Rita Zimmeck, mother of the first author.

A.3 Scheme User Interfaces
Figure 13: On the banner schemes, i.e., SB-Base, S0-Snooze, S1-Apply-all, and S2-Snooze+Apply-all (from left to right), participants are prompted for a GPC privacy choice via a banner on each new site they visit.S0-Snooze and S2-Snooze+Apply-all include a snooze button that prevents the banner from popping up on new sites for 12 hours at a time.S1-Apply-all and S2-Snooze+Apply-all include an apply-all feature that will apply a participant's choice to all future sites if they so wish.Participants can select to which sites they want to send GPC signals via a domain list on the settings page.15: Upon installing our extension with the S4-Website scheme, participants are prompted to select the website categories that they would like to opt out from.Each category has a mouse-over tooltip with a more detailed description.Participants may change their categories on the settings page.The settings page also contains a domain list.We implemented the scheme with categories of third party sites from which people would be opted out.However, it would also be possible to implement it with first party site categories such as news, music, etc.
Figure 16: Upon installing our extension with the S5-Learn scheme, participants are prompted for their GPC choices via banners on the first 10 sites they visit.Their choices are then used to select a privacy profile that suits them best.The profiles are the same as for S3-Profile.After the learning period, participants are redirected to the settings page and shown which privacy profile they were assigned.They may change their privacy profile there.The settings page also contains a domain list.
Figure 17: Upon installing our extension with the S6-Universal scheme, participants are prompted as to whether they would like to send GPC signals to all sites they visit or not.They may change this preference on the settings page.There is also a domain list on the settings page that participants may utilize if they so choose.

Figure 1 :
Figure 1: A majority of the 410 participants in our study across schemes expressed a lack of control over who is receiving their data.

Figure 4 :
Figure 4: The opt out choices of participants in the SB-Base scheme, which required a choice on every newly visited site, were fairly homogeneous with most participants opting out on most sites.

Figure 5 :
Figure 5: Percentage of participants in each scheme making use of available scheme features at least once (left) and median number of feature uses normalized to a one week period (right).Percentages and number of uses exclude required interactions.Features not available for a scheme are denoted by an x.

Figure 6 :
Figure6: The perceived level of disruption is lower for schemes with generalizability features than for baseline schemes and, in a less pronounced trend, for banner schemes overall.For the least disruptive scheme -S4-Website -98% participants reported that they did not feel disrupted, a 40% point increase over the baseline schemes.

Figure 7 :
Figure 7: Generalizability features decreased participants' opt out utility, i.e., the sense of being able to make choices the way they want, but increased their sense of no browsing disruption.Illustrated are the 95% confidence intervals of the coefficients on variables representing the presence of the specified scheme features.Q17 and Q23 responses are based on a 5-point Likert scale while responses to Q31 are based on a Boolean variable representing whether a participant had no improvement suggestions.Q23 responses are inverted, 5-Q23, so that, as for the other two outcome variables, positive values represent positive participant perceptions.Replacing Q31 responses with responses to Q15, which asked participants for change suggestions, leads to a similar result.

Figure 8 :
Figure 8: Participants' responses on the effort required to opt out.Across schemes most participants perceived the effort as low.

Figure 9 :
Figure 9: The extent to which participants felt they needed assistance in making their privacy choices.

Figure 10 :
Figure 10: Participants' perceptions of how well they understood the various privacy settings.

Figure 11 :
Figure 11: Participants' understanding of GPC across schemes as evaluated by responses to a multiple-choice question (Q13) and a free-response question (Q14).Correct responses are shown in blue, incorrect responses are shown in red, and responses to Q14 that could not be coded as either correct or incorrect are shown in grey.

Figure 12 :
Figure 12: A majority of the 410 participants in our study across schemes expressed that they did not feel pushed towards opting out.

Figure 14 :
Figure 14: Upon installing our extension with the S3-Profile scheme, participants are prompted to choose a privacy profile.Their choice will then determine which sites will receive GPC signals.They may change this preference on the settings page.The settings page also contains a domain list.

Figure
Figure15: Upon installing our extension with the S4-Website scheme, participants are prompted to select the website categories that they would like to opt out from.Each category has a mouse-over tooltip with a more detailed description.Participants may change their categories on the settings page.The settings page also contains a domain list.We implemented the scheme with categories of third party sites from which people would be opted out.However, it would also be possible to implement it with first party site categories such as news, music, etc.

Figure 18 :
Figure18: Upon installing our extension with the S7-Data scheme, participants are prompted to select the categories of data that they would not like to be shared with or sold to advertisers.Participants can adjust their settings on the settings page.

Figure 19 :
Figure19: The domain list was present in all schemes except S7-Data.It allowed participants the option to make specific GPC privacy choices for each of their domains, i.e., the first party sites they intentionally visited while the extension was running.

Figure 20 :
Figure 20: The median number of unique sites participants' visited per week by scheme.The dotted black line denotes the total median across schemes (78 sites).

Figure 21 :
Figure 21: Participants' rates of interaction for their assigned schemes showing median, minimum, maximum, and the interquartile range for each.Interactions include site, privacy configuration, and snooze interactions ( §4.1).Banner schemes naturally required far more interactions than category schemes.

Figure 22 :
Figure22: Distribution of participant browsing history entries across all schemes relative to total browsing time, cumulative.For example, the graph shows that after 20% of all participants' browsing time (around 1.4 days), around 140,000/600,000 (23%) total website visits had been recorded.The figure indicates a roughly linear relationship, with website visits accumulating at an approximately constant rate.

Figure 23 :
Figure 23: Distribution of participant browsing history entries across all schemes relative to total browsing time, non-cumulative.Of note are the spikes in activity around the start and end of the study periods, but, beyond that, activity is mostly constant save for various dips, presumably around nighttime.

Figure 24 :
Figure24: Distribution of participant banner interactions across banner schemes, including S5-Learn as a mixed banner-category scheme, relative to the total browsing time for each participant (around 7 days), cumulative.Curves that transition from steep to flat slopes indicate that most of participants' banner interactions for that scheme were concentrated in the start of the browsing period.Schemes with generalizability features, such as S2-Snooze + Apply-all and S5-Learn evidently required fewer banner interactions throughout the entire week compared to, for example, SB-Base.

Figure 25 :
Figure 25: Distribution of participant banner interactions across banner schemes relative to the total browsing time for each participant, non-cumulative.More prominent spikes at the beginning of the browsing period and fewer afterwards indicate more interactions being made early on.