New browser signal could make cookie banners obsolete

Jun 14, 2021

Today, noyb and the Sustainable Computing Lab ("CSL") published a proposal for a new automatic browser signal to finally make cookie banners obsolete. "Advanced Data Protection Control" (ADPC) aims to demonstrate that a user-friendly European solution for privacy settings can easily be implemented.

Cookie banners are annoying for users and companies. Cookie banners are not only often unlawful (as our 500 complaints from two weeks ago have shown), but also incredibly annoying for users. Companies that actually want to run an easy-to-use website also have no choice but to use annoying banners if they want to set cookies.

Provided for by law, but non-existent. According to Article 21(5) of the GDPR and the ePrivacy Regulation, automatic signals from the browser should actually tell websites in the background whether or not a user consents to data processing. The only problem: such a signal does not exist yet, probably in part because many tracking companies expect more consent from annoying banners.

Advanced Data Protection Control (ADPC). Compared to binary "opt-out" approaches from the U.S. (such as "Do not Track" or "Global Privacy Control"), ADPC provides for much more differentiated options: the signal can also represent specific consent ("opt-in") for a specific website and a specific purpose.

Schrems: "For Europe, we need more than just an 'opt-out' so that it fits into our legal framework. That's why we call the prototype 'Advanced' Data Protection Control, because it's much more flexible and specific than previous approaches."

Like "smart" camera sharing in the browser. Web pages can send their privacy requests in a machine-readable way, and ADPC allows the response to be transmitted using header signals or via JavaScript. In the same way as you can give an app access to your camera, users can release their data by means of a uniform, simple pop-up in the browser. This would end absurd click marathons on intentionally complex banners. Above all, ADPC also allows intelligent management of queries and automatic responses: similar queries could be answered with a single yes or no for all websites. Users could also choose to receive only specific requests - similar to a "spam filter" for e-mails.

Schrems: "ADPC allows intelligent management of privacy requests. A user could say, for example, 'please ask me only after I've been to the site several times' or 'ask me again after 3 months.' It is also possible to answer similar requests centrally. ADPC thus allows the flood of data requests to be managed in a meaningful way."

Privileging quality content is possible. It is also important to the proponents of ADPC that so-called "whitelists" make it possible to give preference to quality journalism or art and culture: associations could offer and promote "whitelists" that users can adopt with a single click. This is not possible through a legal regulation, since the legislator - unlike the users - is not allowed to give preference to a specific economic sector.

Schrems: "Many users are probably willing to share more data with quality media, but don't want to give their data to hundreds of external tracking companies. With ADPC, for example, a newspaper association can advertise a whitelist with which certain data can be automatically processed by quality media. The user can thus support certain groups with one click."

ePrivacy Regulation brings decision. Whether companies will ultimately have to honor such a signal, and thus whether it will be successful, is up to the legislator: such a signal is proposed as part of the ePrivacy Regulation, which is now undergoing final negotiations. It is still open to debate whether and in what form it will be legally binding. California is ahead of the EU in this respect, as a government agency can make the use of such a signal binding.

Schrems: "With ADPC, we also want to show the European legislator that such a signal is feasible and brings advantages for all sides. We hope that the negotiators of the member states and the European Parliament will ensure a solid legal basis here, which could be applicable law in a short time. What California has done already, the EU should be able to do as well."

***

Background. ADPC is a cooperation between noyb and the Sustainable Computing Lab at the Vienna University of Economics and Business. The project was partially funded by netidee (behind the Austrian domain administration nic.at). Over the last two years we have had countless discussions with experts and are building on the experience of "Do not Track" and similar signals such as "Global Privacy Control" in California. ADPC is a technical specification and prototype for a simple browser plugin and is intended to serve as a basis for discussion and generate lively feedback. More information and FAQs can be found at dataprotectioncontrol.org.