Advanced Data Protection Control (ADPC)

ADPC is an automated mechanism for the communication of users’ privacy decisions and data controllers’ responses. It aims to empower users to protect their online privacy in a human-centric and enforceable manner. It also helps online publishers and service providers to comply with the data protection and consumer protection regulations.

The ADPC spec defines a method for expressing user decisions about personal data processing under the European Union’s data protection regulations, and similar regulations outside the EU. Currently, ADPC functions through the exchange of HTTP headers between the user agent and the web server, or through an equivalent JavaScript interface.

The mechanism serves as an automated means for users to give or refuse consent, to withdraw any consent already given, and object to processing based on legitimate interest. ADPC is an alternative to existing non-automated consent management approaches (e.g. ‘cookie banners’) which aims to reduce the overheads of the different parties involved in the protection of users privacy equation.



There have been other attempts to implement automatic privacy controls globally. ADPC is different because it has been designed to better integrate with the requirements of GDPR and the upcoming ePrivacy Regulation, as well as with other international laws:

— ADPC is domain specific (‘site specific’), so users can choose to tailor their interaction with different web sites and data controllers.

— ADPC allows opt-in (consent) and opt-out (objection) signals, whereas other signals were based on an opt-out framework.

— ADPC allows domains to freely define a consent request, or use a formulation standardized by industry groups (like the IAB’s TCF specification). This makes ADPC open and interoperable with other systems.

— ADPC allows general signals (like “reject all”, “withdraw all”, “object to all”), specific signals (like consent to a specific request) and a combination of general and specific signals (like “reject all, but consent to requests ‘x’ and ‘y'”).

— ADPC allows browsers, plugins or operating systems to provide users with settings and logic that determines how requests are treated. This includes white- and blacklisting, industry-wide purposes, or logic like showing a request only when visiting a page regularly.

— ADPC limits the (legal) fingerprinting surface by not sending any signal if a domain does not support ADPC (and thereby publicly commits to not use the signal further), as well as sending different signals to different domains.

We are looking forward to hearing back from you on this approach. You can find all the technical details in our draft specifications.

Status of ADPC

ADPC is currently at a proof of concept status and meant to be a starting point for a larger debate on browser signals that implement user rights under Article 21(5) GDPR and the upcoming ePrivacy Regulation, as well as similar laws in other jurisdictions.