https://www.dataprotectioncontrol.org/spec/
Advanced Data Protection Control (ADPC)
Unofficial Draft 15 June 2021
Latest editor's draft:
https://www.dataprotectioncontrol.org/spec/
Editors:
Gerben (noyb)
Soheil Human (Sustainable Computing Lab)
Authors:
Soheil Human (Sustainable Computing Lab)
Max Schrems (noyb)
Alan Toner (noyb)
Gerben (noyb)
Ben Wagner (Sustainable Computing Lab)
Participate:
GitHub Data-Protection-Control/ADPC
File an issue
Commit history
Pull requests
More information
dataprotectioncontrol.org
This document is licensed under a Creative Commons Attribution 4.0
International Public License (CC-BY).
---------------------------------------------------------------------
Abstract
This specification defines a mechanism for expressing user decisions
about personal data processing under the European Union's data
protection regulations, and similar regulations outside the EU. The
mechanism functions through the exchange of HTTP headers between the
user agent and the web server, or through an equivalent JavaScript
interface.
The mechanism serves as an automated means for users to give or
refuse consent, to withdraw any consent already given, as well as to
object to processing. The mechanism provides an alternative to
existing non-automated consent management approaches (e.g. 'cookie
banners') and aims to reduce the efforts of the different parties
involved regarding the protection of users' privacy.
Table of Contents
1. 1. Introduction
2. 2. Technical overview
3. 3. Example
4. 4. Definitions
5. 5. Scope
1. 5.1 Personal scope
2. 5.2 Material scope
3. 5.3 Territorial scope
6. 6. Signals
1. 6.1 Requesting consent
2. 6.2 Giving consent
3. 6.3 Withdrawing consent
4. 6.4 Objecting to processing
5. 6.5 Combining signals
7. 7. HTTP-based interaction
1. 7.1 Requesting consent
1. 7.1.1 Making zero requests
2. 7.2 Giving and withdrawing consent
3. 7.3 Objecting to processing
8. 8. JavaScript-based interaction
1. 8.1 Requesting consent
2. 8.2 Giving and withdrawing consent, and objecting to
processing
3. 8.3 Interface definition
9. 9. Bulk consent requests lists
1. 9.1 Concept
2. 9.2 Definition
10. 10. Compatibility considerations
11. 11. Privacy considerations
1. 11.1 Privacy impact in case of compliant websites
2. 11.2 Privacy impact in case of non-compliant websites
1. 11.2.1 Misplaced trust
2. 11.2.2 Tracking
3. 11.2.3 Third-party scripts
3. 11.3 User agent's role in data protection
12. 12. Conformance
13. A. Acknowledgements
14. B. References
1. B.1 Normative references
2. B.2 Informative references
1. Introduction
This section is non-normative.
Legal frameworks such as the European Union's General Data Protection
Regulation (GDPR) and ePrivacy Directive define rights and
obligations around the processing of personal data. The starting
position of the GDPR is that processing of personal data is only
lawful if it has an appropriate legal basis; one basis being that
"the data subject has given consent to the processing of his or her
personal data for one or more specific purposes" (point (a) of
Article 6(1) GDPR). Similarly, the ePrivacy Directive (in Article 5
(3)) requires the user's consent when any data is stored on or
retrieved from terminal equipment beyond what is strictly necessary.
Moreover, when a data controller relies on legitimate interest as the
legal basis for direct marketing, the user has an absolute right to
object under Article 21(2) GDPR.
As website publishers often desire to process their visitors'
personal data for purposes beyond what is necessary to serve the
website, and beyond what can be based on legitimate interest, a
website operator often wants to ask whether the visitor consents to
such processing. Such communication currently tends to be done via
highly disruptive and repetitive interfaces that are contained in the
web page itself (e.g. 'cookie banners'), rather than through the web
browser or other automated channels.
It is the user's choice how to communicate the exercise of GDPR
rights to a data controller -- the user could send an email, letter,
or click a button on a website. In addition, technical means can be
used:
* Article 21(5) GDPR expressly provides that "the data subject may
exercise his or her right to object by automated means using
technical specifications".
* Recital 32 of the GDPR also makes clear that requesting and
giving consent could take many forms, which "could include
ticking a box when visiting an internet website, [or] choosing
technical settings for information society services [...]", as long
as it satisfies the requirements such as being informed and
unambiguous.
* Recital 66 of Directive 2009/136/EC, which updates the 2002
ePrivacy Directive, likewise states that "the user's consent to
processing may be expressed by using the appropriate settings of
a browser or other application".
* The proposed ePrivacy Regulation (2017/0003 (COD)) equally
foresees automated means to communicate data subject preferences.
Despite various legal provisions suggesting its validity, a
standardised means for communicating GDPR rights has thus far been
lacking.
This specification defines automated means for website visitors to
give or refuse consent for the specific purposes that the data
controller describes, to withdraw any consent already given, as well
as to object to processing for direct marketing purposes based on the
data controller's legitimate interest. This enables the user to
easily manage data protection decisions through the web browser, and
possibly to customise how requests are presented and responded to
(e.g. using a browser extension to import lists of trusted websites).
The result could be comparable to the way websites ask for permission
to access a webcam or microphone: the browser keeps track of the
user's decisions on a site-by-site basis, ensures that the user gets
a genuinely free choice, and puts the user in control over their
decisions.
2. Technical overview
This section is non-normative.
The protocol described in this document interacts between the website
and the user agent (i.e. the browser). The website provides the user
agent with a machine-readable "consent requests list" that specifies
the data processing purposes for which it requests the user's
consent. The user agent responds the user's decisions to the website.
The current specification defines two technical paths for these
interactions:
1. Between the website back-end, i.e. a web server, and the user
agent; by means of an HTTP Link header (or an equivalent HTML
) pointing to a JSON file, and the ADPC header.
2. Between the website front-end, i.e. a web page, and the user
agent; by means of a JavaScript interface.
The two methods are equivalent in meaning. There may be technical
reasons to use one over the other, or even combine them. For example,
the JavaScript approach obviously only works if the user agent
supports JavaScript, but it can be used without requiring changes to
the back-end infrastructure. Moreover, it permits requesting consent
in response to the user's interactions with a page.
The options to present to the user are organised as a list of request
strings, each associated with an identifier. In the HTTP-based
approach this list is encoded as a JSON file that the website links
to. In the JavaScript-based approach, it is passed directly as a
JavaScript object to the DOM interface
navigator.dataProtectionControl.request(...).
The user's response is presented to the website by listing the
identifiers of the requests they consent to. In the HTTP-based
approach, this list is sent in the ADPC HTTP header in a subsequent
HTTP request, while in the JavaScript-based approach, the list is the
final return value of the DOM interface.
In the subsequent sections, the communication protocol is defined in
detail. First come examples (SS 3. Example) and relevant definitions (
SS 4. Definitions). Then SS 6. Signals specifies the messages that the
two sides exchange, defining the meaning of each. The two sections
following it detail how these messages are technically conveyed via
either the HTTP-based (SS 7. HTTP-based interaction) or
JavaScript-based (SS 8. JavaScript-based interaction) approach.
3. Example
This section is non-normative.
Example 1: Full example, using HTTP-based interaction
The website example.org wants to request its visitors' consent to set
and access cookies on their device, as well as to create a
personalised advertising profile. It describes these activities and
purposes in a "consent requests resource":
{
"consentRequests": {
"cookies": "Store and/or access cookies on your device.",
"ads_profiling": "Create a personalised ads profile."
}
}
Along with every web page or other resource the website delivers to a
visitor, it includes a pointer to this consent requests resource. For
example, given a visitor requesting https://example.org/some/page:
GET /some/page HTTP/1.1
Host: example.org
The website may respond with:
HTTP/1.1 200 OK
...
Link: ; rel="consent-requests"
...
When the web browser detects this link, it notifies the user that the
website would like to request consent. The user could be prompted,
perhaps through a pop-up notification, with the purpose descriptions
specified by the website. For each purpose, they are given the option
to consent to that processing. In this example, we will assume they
give consent to set and access cookies, but not for personalised
advertising.
[consent] Figure 1 Possible presentation of a consent request by the
web browser
On subsequent requests to example.org, the web browser sends along
the identifiers of the processing purposes that were consented to (in
this case, cookies). For the avoidance of doubt, the user might also
want to explicitly withdraw consent for any other processing purposes
that are not listed here, but that may previously have been given via
other means. A next request to website would include the ADPC header
to convey these signals:
GET /some/page HTTP/1.1
Host: example.org
ADPC: withdraw=*, consent=cookies
...
Now the website has its answer, and can set and access cookies on the
user's device. The web browser may automatically resend this consent
decision on subsequent visits to example.org.
4. Definitions
This document touches on data protection regulations as well as
technical specifications, which tend to use very different concepts
and terminology. In this document, the following terms are used to
map data protection concepts into a technical specification:
user
The person visiting or interacting with the website.
This specification uses the word "user" as a term that includes
both "data subjects" as defined under Article 4(1) GDPR and
"users" as defined in Article 2(a) ePrivacy Directive.
Note
While this specification uses definitions from GDPR and ePrivacy,
it may be used in any jurisdiction that operates under similar
laws. Future versions of this specification may include
references to such laws.
user agent
Any software that retrieves, renders and facilitates end-user
interaction with web content. The user may communicate with the
controller via the user agent. The term is used interchangeably
with "browser".
controller
The body that provides a website and determines the purposes and
means of the processing of personal data or other information
stored in the terminal equipment of the user.
This specification uses the word "controller" as a term that
includes both the "controller" as defined under Article 4(7) GDPR
and the "provider of an information society service" as used in
Article 5(3) ePrivacy Directive.
website
The information society service through which the user interacts
with a controller. The controller may communicate with the user
via the website. A website is delineated by its URL, where any
URLs whose origins are schemelessly same site are understood as
belonging to the same website.
Example 2
A visit to https://www.example.org/some/page and a visit to http:
//blog.example.org/another/page are considered as visiting the
same website, that could simply be referred to as example.org.
Note
A future version of this specification, or user agents'
implementations of it, could enable treating multiple websites or
services by the same data controller (for example, example.com
and example.org or a mobile application) as a combined
information society service in the context of data protection
control. See the related work in the Privacy Community Group on
the First-Party Sets proposal.
5. Scope
5.1 Personal scope
The same person may or may not be recognisable to the website on a
subsequent visit (for example when the user deletes stored IDs or
uses another device or account), and may thus be considered a new
user from the website's perspective.
The scope of the user's exercise of rights is therefore limited to
any personal data and information that relates to the user present in
any transaction.
Example 3
A website has placed different IDs on the two devices of a user. If
the website linked both IDs to the same user account, the user's
exercise of rights must cover transactions from both devices.
If, on the other hand, the website is unable to link both IDs to the
same user, the user's exercise of rights only extends to any personal
data or information linked to the ID present in the given
transaction.
5.2 Material scope
The signal expressing the user's exercise of rights includes any
processing of personal data or information based on consent (Article
6(1)(a) GDPR and article 5(3) ePrivacy Directive) or for direct
marketing purposes (Article 6(1)(f) and 21(2) GDPR and Article 13(1)
ePrivacy Directive).
Example 4
When a website legitimately uses personal data for security purposes
under Article 6(1)(f) GDPR or to fulfil a contract under Article 6(1)
(b) GDPR, the signal does not apply.
5.3 Territorial scope
The website may determine the territorial scope where it provides
support for this specification. Limited support may be expressed by
not including the Link header (or the equivalent element) in a
transaction.
Note
The GDPR requires controllers in the EEA to apply the GDPR globally.
Non-EEA controllers are usually required to apply the GDPR only for
users in the EEA market. Some controllers may use the same system
globally, independent of the legal requirements.
6. Signals
Regardless whether the protocol is used via the HTTP-based or
JavaScript-based approach, conceptually the same messages are
exchanged between website and user agent. This section describes the
messages and their meaning.
6.1 Requesting consent
The typical communication flow starts with the website requesting its
visitor for consent to specific data processing purposes. The website
can request consent from the user for zero or more processing
purposes by presenting the user agent a consent requests list.
A consent requests list is an array containing zero or more consent
requests, each representing a processing purpose. A consent request
is an associative array containing the following attributes:
text
The request text: an arbitrary Unicode string that is to be
presented to the user. The text should be formulated such that it
allows an unambiguous affirmative or negative reaction by the
user, such as clicking an "accept" button or ticking a checkbox.
Note
While technically the request text may be arbitrary, legally it
has to satisfy the requirements under Article 4(7) GDPR, such as
allowing a specific and informed consent, using clear, concise
and plain language (Recital 42) to enable the website to rely on
the affirmative reaction by the user.
id
A request identifier: a shorthand that is used to refer to this
consent request. Within the website that makes the consent
request, the request identifier MUST uniquely correspond to this
specific consent request, in order to ensure no ambiguity arises
as to which wording of a request the user has consented to. Hence
a website must choose a new identifier when e.g. it modifies its
request text, perhaps by including a version number as part of
the identifier.
Except in standardised consent requests, the identifier consists
of an arbitrary string containing uppercase and lowercase latin
characters, digits, hyphen (-), period (.), underscore (_), and
tilde (~) (i.e. any unreserved characters in the URI syntax).
Note
Future versions of this specification may define other members, to
provide relevant information in a structured, machine-readable way.
Example 5: A consent requests list for multiple processing purposes,
in JavaScript object notation
[
{
"id": "q1analytics",
"text": "We track and analyse your visit(s) on this website, for improving our product; this places a cookie on your device to recognise you on subsequent page visits."
},
{
"id": "q2recommendation",
"text": "We observe your interaction with our content to personalise your experience by recommending content you may find of interest."
},
{
"id": "q3advertising",
"text": "We observe your interaction with our content to personalise advertising to your interests."
},
{
"id": "q4thirdPartyAdvertising",
"text": "We let third party TripleView(tm) observe your interaction with our content to personalise advertising to your interests on its partners' websites."
}
]
A standardised consent request is a consent request whose request
identifier is a URI rather than an arbitrary string. The attributes
of a standardised consent request MUST uniquely correspond to the
request identifier globally, rather than only within a website.
Note
While this standardises the form of the consent request globally, it
does of course not imply that a user's response to any such request
must apply to all websites that present the same standardised consent
request. The standardisation of consent requests does however open up
such possibility for users, as they could for example instruct their
agent to refuse particular requests regardless of which website makes
it. With or without such blanket responses, it can help reduce
information overload and decision fatigue on the side of users, while
it may help with compliance efforts on the side of websites.
Example 6
An organisation such as the Interactive Advertising Bureau might
require all adopters of its "Transparency and Consent Framework" to
use standardised requests for the purposes defined in that framework.
Such an adopter might then present the following consent requests
list:
[
{
"id": "https://iab.com/tcf2/ns/#purpose1",
"text": "Cookies, device identifiers, or other information can be stored or accessed on your device for the purposes presented to you."
},
{
"id": "https://iab.com/tcf2/ns/#purpose2",
"text": "Ads can be shown to you based on the content you're viewing, the app you're using, your approximate location, or your device type."
},
{
"id": "https://iab.com/tcf2/ns/#purpose3",
"text": "A profile can be built about you and your interests to show you personalised ads that are relevant to you."
},
{
"id": "https://iab.com/tcf2/ns/#purpose4",
"text": "Personalised ads can be shown to you based on a profile about you ads that are relevant to you."
}
]
A website MUST NOT request consent if it will not respect the user's
decisions. The act of requesting consent thus doubles as an
indication of compliance. A website that does not need to request
consent, but wishes to (or is obliged to) signal that it supports the
protocol, can simply request consent with zero requests.
A website SHOULD repeat its consent requests with every page it
serves as long as they are applicable. The repetitions help inform
the user agent that the consent requests are still relevant. The user
agent can recognise which requests the user has already responded to
before, and automatically repeat their responses to the website, and
can determine which requests to present to the user.
Presenting the requests involves presenting the human-readable
request text, along with the option to freely and unambiguously
indicate an affirmative or negative wish of the user in line with
Article 4(11) GDPR, such as by choosing between an "accept" and
"reject" button or by ticking or not ticking an adjacent checkbox.
The exact user agent behaviour may depend on its implementation
choices, its interaction modality and user preferences. User agents
MUST use objective, non-discriminatory rules to determine which
consent requests are presented to the user, and in what manner.
Example 7
A graphical web browser may show a pop-up, while a voice web browser
may read out the consent requests. Either might also first notify the
user about the website's requests before showing the requests
themselves, or respect a user's expressed preference to e.g. only ask
for consent after the third visit to any website.
6.2 Giving consent
To give consent to zero or more specific processing purposes, the
user agent presents the website with a list of the corresponding
identifiers.
Example 8
From the list in Example 5, assume the user consents to the first two
purposes. The user agents passes the list of corresponding
identifiers, q1analytics and q2recommendation. In the HTTP approach
this could be expressed by sending this header:
ADPC: consent="q1analytics q2recommendation"
If the user would have refused to give consent to any of the
requests, the list would simply be empty.
For legal validity, the user agent MUST NOT give consent without
properly presenting the requests to the user and without freely
given, specific, informed and unambiguous affirmative indication by
the user. The user agent can remember the user's previously given
consent and repeat it on subsequent repetitions of the same request.
6.3 Withdrawing consent
The user may withdraw consent that was previously given; the consent
is represented by the identifier that was used to request it.
The user can also withdraw all consent for purposes not explicitly
consented to in the current exchange. This also withdraws consent
that was given 'out of band' (i.e. not through this protocol), and
can therefore be useful to ensure that the user has a complete
overview and control over the processing purposes they consented to.
Example 9
After having previously given consent as described in Example 8,
assume the user expresses they want to withdraw their consent to data
processing for the purpose of analytics, possibly by unchecking the
corresponding checkbox in their browser. The user agent passes a list
containing the corresponding identifier, q1analytics. In the HTTP
approach this could be expressed by sending this header:
ADPC: withdraw=q1analytics
If the user would wish to withdraw all previously given consents, the
user agent would send the following header:
ADPC: withdraw=*
Note that as consent has to be given to specific purposes, there is
no equivalent consent=*.
The user agent MUST make it as easy to withdraw as to give consent in
order to comply with Article 7(3) GDPR. This requires that the option
to withdraw consent via the user agent must be as easy to access and
exercise as the option to consent to the processing operation.
6.4 Objecting to processing
The user may object to processing of their personal data as provided
for under Article 21 GDPR. Objection involves passing the appropriate
objection identifier.
An objection identifier is a string corresponding to a type of
objection. This specification defines only one objection identifier:
direct-marketing. The user may provide this identifier to object to
processing of their personal data for direct marketing purposes, as
provided for under Article 21(2) GDPR.
Note
At time of writing, there appears to no general agreement about the
scope of "direct marketing" in Article 21(2) GDPR. This specification
does not take any position on the scope, but merely allows users to
object to whatever falls within this scope.
Note
While Article 21(1) and 21(6) GDPR also define a right to object for
other purposes than direct marketing, objection under these
paragraphs would usually require an exchange about the specific
situation of the user, which seems to require more specific
interactions.
Other specifications, or future versions of this specification, could
define other types of objections, possibly based on other data
protection laws in other jurisdictions.
6.5 Combining signals
To ensure that the records of user preferences stored by the user
agent and by the website stay synchronised and to ensure that the
signalled preferences prevail over other interactions, it may be
useful to combine multiple signals.
When signals are combined, specific signals (such as giving consent
for specific processing purposes) SHALL prevail over more general
signals (such as withdrawing all consent).
Example 10
A user may instruct the user agent to generally withdraw all
previously given consent as well as to object to any direct
marketing, but consent to the purposes identified by q1analytics and
q2recommendation as in Example 8. In the HTTP approach this could be
expressed by sending this header:
ADPC: withdraw=*, object=direct-marketing, consent="q1analytics q2recommendation"
The website would then know that generally no processing based on
consent (Article 6(1)(a) GDPR and/or Article 5(3) ePrivacy Directive)
and no processing for direct marketing (Article 21(2) GDPR) is
allowed, but that the user did consent to the purposes identified by
q1analytics and q2recommendation. Any consent that was previously
obtained (including via e.g. a previously used consent banner) would
now be understood to be withdrawn. This ensures the user that only
those consents they can view and control through their browser are
valid.
7. HTTP-based interaction
This section defines the first of the two ways to use the ADPC
mechanism, which primarily communicates using the HTTP headers
exchanged between the web server and user agent, while using a JSON
resource to convey the consent requests.
Note
An individual HTTP interaction consists of a request by the user, and
a response from the web server. However, the communication flow for
consent tends to require the reverse: the website informs the user
about its data processing purposes, to which the visitor may respond
by giving consent, or refusing to. Therefore, the ADPC flow starts
with the HTTP response of the server, to which the user agent
responds in subsequent HTTP request(s). Because the user agent would
normally only send the ADPC header if the server proclaims to support
the protocol, this approach should also limit the options for device
fingerprinting.
7.1 Requesting consent
A website lists the processing purposes it requests consent for in a
consent requests resource, which is a JSON file containing an object
with the following attributes:
consentRequests
A consent requests list.
Example 11: A consent requests resource
{
"consentRequests": [
{
"id": "q1analytics",
"text": "We track and analyse your visit(s) on this website, for improving our product; this places a cookie on your device to recognise you on subsequent page visits."
},
{
"id": "q2recommendation",
"text": "We observe your interaction with our content to personalise your experience by recommending content you may find of interest."
},
]
}
To request consent, the website points to such a consent requests
resource using the HTTP Link header, with the relation type
consent-requests.
Example 12: Pointing to the consent requests resource via an HTTP
Link header
GET /some/page HTTP/1.1
HTTP/1.1 200 OK
Link: ; rel="consent-requests"
...
When returning an HTML or XML document, instead of adding the Link
header, an equivalent element can be added to the document,
with the same semantics as the header.
Example 13: Pointing to the consent requests resource via an HTML
element
...
Note
Because the consent requests resource is linked to, rather than
directly included in the response, the traffic overhead remains
small. Caching mechanisms (e.g. using the ETag and Cache-Control
headers) can avoid the repeated transfer of the consent requests
resource.
Example 14: Consent request resources in multiple languages
Using the standard content negotiation procedure, the user agent and
web server would use the Accept-Language and Content-Language headers
to obtain the consent requests resource in the user's preferred
language.
The link's hreflang attribute can be used to hint at the language(s)
in which the consent requests resource is available:
GET /some/page HTTP/1.1
HTTP/1.1 200 OK
Link: ; rel="consent-requests"; hreflang="en fr de"
...
Alternatively, a website could give each language its own URL, and
declare multiple links with different hreflang values to point to
translations at different URLs:
GET /some/page HTTP/1.1
HTTP/1.1 200 OK
Link: ; rel="consent-requests"; hreflang="en"
Link: ; rel="consent-requests"; hreflang="fr"
...
The different translations of the consent requests would use the same
identifiers.
When the user agent detects a consent-requests link in a document in
the top-level browsing context, it would typically fetch and parse
the linked JSON resource and, if this succeeds, present the requests
to the user. It MAY reduce traffic by only fetching the resource once
the user decides to interact with the consent requests.
7.1.1 Making zero requests
A website may want to explicitly express that it does not request any
consent. The obvious approach would be to present a consent requests
resource with an empty object as the value of consentRequests. In the
HTTP-based approach, this could however cause an unnecessary round
trip for obtaining this consent requests resource. Moreover, in a
user agent that notifies or hints the user about consent requests
before it retrieves the consent requests resource, it could cause a
confusing experience.
Instead of presenting a consent requests resource without consent
requests, a website SHOULD therefore link to the special target
about:blank.
Example 15: Supporting ADPC, not requesting any consent
GET /some/page HTTP/1.1
HTTP/1.1 200 OK
Link: ; rel="consent-requests"
...
7.2 Giving and withdrawing consent
To give consent or withdraw consent to zero or more specific
processing purposes listed in the received consent requests resource,
the user agent adds the ADPC HTTP header in its subsequent HTTP
requests to the website.
The value of the ADPC header is set to the characters consent=, or
withdraw=, respectively, followed by a double-quoted string
containing the corresponding request identifiers, separated by
spaces. If the list has only one identifier, the double quotes can be
omitted. If it has zero identifiers, the value can equivalently be
empty, or the header can be omitted altogether.
To convey multiple decisions, the ADPC header can be used any number
of times in a single HTTP request, in arbitrary order. As is standard
with HTTP headers, multiple header values can either be listed as
separate headers, or be concatenated with a comma (optionally
surrounded by whitespace).
The user agent SHOULD repeat the ADPC header with every HTTP request
it makes to the website, as long as it is applicable. The repetitions
enable a website to know the user's decision without keeping records
itself. The user agent MAY send a stand-alone HTTP request to ensure
a user's decision is conveyed as soon as possible, instead of waiting
for the next natural occasion to transmit the signal.
Example 16: Giving consent via HTTP
To the consent requests presented in Example 5, assume the user has
decided to consent to the processing of their personal data for the
purposes of product improvement and personalised recommendations. On
the subsequent request(s) to the server, the user agent adds the ADPC
header:
GET /some/page HTTP/1.1
ADPC: consent="q1analytics q2recommendation"
...
Example 17: Withdrawing consent via HTTP
At a subsequent moment, assume the user wishes to withdraw the
consent to the personal data processing for the purpose of content
recommendation. For clarity, the consent for the purpose of product
usage analytics may be repeated:
GET /some/page HTTP/1.1
ADPC: withdraw=q2recommendation, consent=q1analytics
...
To withdraw all consent, the special value * can be used in place of
an identifier.
Example 18: Withdrawing all consent via HTTP
Assume the user wishes to withdraw all consent it has previously
given a website:
GET /some/page HTTP/1.1
ADPC: withdraw=*
...
Or, the user may wish to consent to particular processing purposes,
but withdraw any other consent they may have given in the past:
GET /some/page HTTP/1.1
ADPC: withdraw=*, consent="q1analytics q2recommendation"
...
A stand-alone HTTP request is an HTTP HEAD request to an arbitrary
path on the website's origin. It can be used to deliver HTTP headers
without requesting any resource.
Example 19: A stand-alone HTTP request to withdraw all consent
A user can find, locally in their browser, an overview of previously
given consent, and may wish to withdraw all consent for a chosen
website even while not visiting it at that moment. The browser sends
the appropriate ADPC header along with a stand-alone HTTP request to
an arbitrary path of the website.
HEAD / HTTP/1.1
ADPC: withdraw=*
...
7.3 Objecting to processing
To object to processing of their personal data, the user agent adds
the ADPC HTTP header to any HTTP request to the website, with the
value object= followed by a double-quoted string containing zero or
more objection identifiers. If the list has only one identifier, the
double quotes can be omitted. If it has zero identifiers, the value
can equivalently be empty, or the header can be omitted altogether.
Example 20: An HTTP request to object to direct marketing
The user expresses their objection to the processing of their
personal data for the purpose of direct marketing, along with a
request to a web page:
GET /some/page HTTP/1.1
ADPC: object=direct-marketing
...
Extending Example 19, the user expresses the objection in combination
with a withdrawal of all previous consent:
GET /some/page HTTP/1.1
ADPC: withdraw=*, object=direct-marketing
...
8. JavaScript-based interaction
While the HTTP signalling approach can be sufficient, there are
several reasons why a website may prefer to communicate in other
ways. For example:
* Statically hosted web content that cannot adapt to the HTTP
signals.
* Third party services or proxies are used that do not give access
to the HTTP headers.
* Scripts or other content involved in data processing is loaded
from third parties, which will therefore not receive the user's
decisions.
Example 21
Assume website.example uses a third-party CMP, loaded directly from
cmp.example using a