Questions about ADPC.

ADPC stands for Advanced Data Protection Control.

ADPC is a technical specification that describes how signals for automated communication of users’ data protection decisions can be sent from the terminal of a user (usually the browser) to a website. It aims to demonstrate that a more reasonable approach to communicating privacy preferences than typical cookie banners is possible.

No. While ADPC has been carefully designed to be in compliance with privacy and consumer protection regulations such as the EU General Data Protection Regulation (GDPR), it can be used to express data subjects’ privacy decisions in non-EU frameworks. Any form of opt-in and opt-out can be communicated with a system like ADPC.

Yes. You are more than welcome to get involved — whether through code, research, piloting, or advocacy.

ADPC started as a collaboration between the Sustainable Computing Lab at the Vienna University of Economics and Business and noyb in a joint project called RESPECTeD, partially funded by netidee.

You can cite the specification itself. See: epub.wu.ac.at/8280. Additional scientific publications are forthcoming.

Yes. ADPC aims to empower all users, with non-technical users as its main priority. A browser extension implementing ADPC is available on GitHub. If ADPC gains wider support, browsers and operating systems could provide even more accessible implementations in the future.

ADPC is not dependent on any browser or operating system. The current browser extension works on desktop Firefox and Chromium-based browsers (Chrome, Brave, Opera and alike). ADPC as a specification can be implemented on any platform.

The most valuable support is to introduce ADPC to people you know — regulators, policymakers, businesses, engineers, academics and activists. Follow the project, share updates, and write about it. User feedback about prototype implementations is also directly helpful.

A server-side JavaScript implementation is available on GitHub. CMS plugins for WordPress and other platforms are in development. See the implementations page for current options.

DNT is a binary on/off signal. ADPC is an advanced mechanism that allows communication of different consent and objection decisions, and also enables data controllers to express and request specific consents.

GPC is a binary signal for opt-out. ADPC supports both opt-in (consent) and opt-out (objection and withdrawal) signals, and allows data controllers to request individual, named consents rather than a blanket opt-out.

No. While the current specification focuses on website use cases, ADPC as a signalling mechanism can apply to apps, IoT devices, AI systems and any other digital technology that involves privacy decisions.

ADPC limits the fingerprinting surface by not sending any signal unless a domain publicly announces ADPC support and thereby commits not to misuse the signal. It also sends domain-specific signals, so different choices go to different controllers. This approach substantially reduces fingerprinting risk, though the issue warrants ongoing study.

No. ADPC is a signalling mechanism, not a vocabulary standard. Data controllers and data subjects are not limited to a specific set of terms. Broader standardisation of privacy vocabularies is a separate, complementary effort.

If a website publicly declares that it supports ADPC by implementing the signal, any non-compliance with a user’s expressed decision is enforceable under GDPR or ePrivacy. ADPC is designed to demonstrate to regulators how a mandatory enforceable signal could work.

No. ADPC has been carefully designed to be compatible with GDPR and the upcoming ePrivacy Regulation, but it is not limited to European law. Any form of opt-in or opt-out required by other national or regional frameworks can be communicated through ADPC.

No. Unlike DNT or GPC, ADPC supports both opt-in (consent) and opt-out (objection, withdrawal) signals, as well as combinations of general and specific choices.

Yes. ADPC supports general signals (reject all, withdraw all, object to all), specific signals (consent to a named request), and combinations of the two. This is the “Advanced” in Advanced Data Protection Control.

No. ADPC is domain-specific. Each data controller sends its own specific consent request to the ADPC user agent, and users can tailor their choices per site. Users may also send a general opt-out to all controllers at once using ADPC.

ADPC is built on a human-centric approach to online privacy. Rather than treating consent as an abstract checkbox, it considers consenting as a sociocognitive action involving individual and social dimensions. A detailed account of this perspective can be found in A Human-centric Perspective on Digital Consenting by Soheil Human and Florian Cech.

No. ADPC addresses the fundamental gap of automation in privacy rights management. But technical, legal, cognitive, economic and political solutions all need to work together. ADPC is designed as a foundational enabler for other interdisciplinary approaches, not a complete solution on its own.