Please disable your adblock and script blockers to view this page

New browser signal could make cookie banners obsolete

Creative Commons Attribution
the Privacy Community Group
the First-Party Sets
the Interactive Advertising Bureau
Consent Framework”
ePrivacy Directive
the Accept-Language
Subresource Integrity
BCP 14
Mandan Kazzazi
the Internet Foundation

“data subjects”

Alan Dahi
Rob van Eijk
Stefanie Alice Hofer
Horst Kapfenberger
Gustaf Neumann
Mike O’Neill
Harshvardhan J. Pandit
Monika Riegler
Stefano Rossetti

The user’s


No matching tags


No matching tags

Positivity     28.00%   
   Negativity   72.00%
The New York Times
Write a review: Hacker News

This specification defines automated means for website visitors to give or refuse consent for the specific purposes that the data controller describes, to withdraw any consent already given, as well as to object to processing for direct marketing purposes based on the data controller’s legitimate interest. This enables the user to easily manage data protection decisions through the web browser, and possibly to customise how requests are presented and responded to (e.g. using a browser extension to import lists of trusted websites). The website provides the user agent with a machine-readable “consent requests list” that specifies the data processing purposes for which it requests the user’s consent. When the web browser detects this link, it notifies the user that the website would like to request consent. The typical communication flow starts with the website requesting its visitor for consent to specific data processing purposes. The website can request consent from the user for zero or more processing purposes by presenting the user agent a consent requests list. While technically the request text may be arbitrary, legally it has to satisfy the requirements under Article 4(7) GDPR, such as allowing a specific and informed consent, using clear, concise and plain language (Recital 42) to enable the website to rely on the affirmative reaction by the user. Within the website that makes the consent request, the request identifier MUST uniquely correspond to this specific consent request, in order to ensure no ambiguity arises as to which wording of a request the user has consented to. The standardisation of consent requests does however open up such possibility for users, as they could for example instruct their agent to refuse particular requests regardless of which website makes it. Either might also first notify the user about the website’s requests before showing the requests themselves, or respect a user’s expressed preference to e.g. only ask for consent after the third visit to any website. To give consent to zero or more specific processing purposes, the user agent presents the website with a list of the corresponding identifiers. For legal validity, the user agent MUST NOT give consent without properly presenting the requests to the user and without freely given, specific, informed and unambiguous affirmative indication by the user. The website would then know that generally no processing based on consent (Article 6(1)(a) GDPR and/or Article 5(3) ePrivacy Directive) and no processing for direct marketing (Article 21(2) GDPR) is allowed, but that the user did consent to the purposes identified by q1analytics and q2recommendation. This section defines the first of the two ways to use the ADPC mechanism, which primarily communicates using the HTTP headers exchanged between the web server and user agent, while using a JSON resource to convey the consent requests. Using the standard content negotiation procedure, the user agent and web server would use the Accept-Language and Content-Language headers to obtain the consent requests resource in the user’s preferred language. To give consent or withdraw consent to zero or more specific processing purposes listed in the received consent requests resource, the user agent adds the ADPC HTTP header in its subsequent HTTP requests to the website. To the consent requests presented in Example 5, assume the user has decided to consent to the processing of their personal data for the purposes of product improvement and personalised recommendations. To object to processing of their personal data, the user agent adds the ADPC HTTP header to any HTTP request to the website, with the value object= followed by a double-quoted string containing zero or more objection identifiers. While the website.example web server would receive the user’s consent decisions through the HTTP request headers, the cmp.example web server would not. Suppose that, in response to the request shown in Example 22, the user decided to consent to the processing of their personal data for the purposes of product improvement and personalised recommendations. If, at any moment, the user decides to withdraw all consent for the website, and object to data processing for the purpose of direct marketing, the next invocation of request() might resolve to the following value: The dataProtectionControl interface enables a web page to request consent from the user and learn about their data protection decisions. Moreover, closer integration of these specifications may be worth consideration; this way, for example, a prompt could request the user both for technical access to one’s location data, and for consent to use this data for a given purpose. For example, excluded consent requests might only be shown when a user has visited a website more often, while included consent requests are shown instantly. If a user agent allows to automatically consent to included consent requests, it MUST ensure a freely given, specific, informed and unambiguous indication of the user’s wishes for each consent request. While this might equally be the case without use of this mechanism, the presentation through the web browser interface, which is generally more trusted than the website being visited, may give a false sense that decisions are enforced by the user agent, as is the case with permission requests for e.g. microphone access. A malicious website could, rather than having a static list of consent requests, customise the request identifiers for each user to recognise the user again (if they consented) during a subsequent visit. For example, user agents could refrain from transmitting the consent header value along with the first HTTP request to a website in a new session, in order to first verify whether the website still makes the same requests as before.

As said here by