The open specification for
machine-readable digital protection choices.
The ADPC specification defines how data-protection requests and decisions can be exchanged between services and user-side software. It enables automated communication of consent, refusal, withdrawal and objection across browsers, plugins, operating systems, CMPs, CMSs and other digital environments.
“version”: “1”,
“purposes”: [
{
“id”: “analytics”,
“type”: “consent”
},
{
“id”: “marketing”,
“type”: “consent”
}
]
}
Six design commitments
that shape the protocol.
Every design decision in the ADPC specification follows from these commitments. Rights and architecture are not separated: one is derived from the other.
Rights-first
Legal rights define what the protocol must support. The specification starts from GDPR and ePrivacy logic, not from what is technically convenient for data brokers or advertisers.
Bidirectional
Services can request and users can respond. Users can also initiate relevant signals. Neither party is the sole gatekeeper of the exchange.
Purpose-sensitive
Choices can be connected to specific purposes and identifiers. ADPC does not collapse the full complexity of EU consent law into a single binary signal.
User-side control
Presentation, memory and support can move closer to the user. User-side software can act on behalf of the person, remember preferences, and apply them consistently across services.
Interoperable
ADPC can connect to CMPs, CMSs and future standardised vocabularies. Implementation examples already exist for WordPress, browser extensions and CMP-side integrations.
Privacy-aware
ADPC is designed to limit unnecessary signalling and reduce fingerprinting risk. The protocol does not create new surveillance infrastructure in the course of protecting against it.
From signals to decisions
across every environment.
The specification defines the communication logic. The transport layer adapts to the environment. The rights commitments remain constant.
Signals and decisions
ADPC can communicate specific consent decisions, withdrawal of specific or all prior consent, and objections where legally relevant. It can combine signals so that a person can express a general rule while allowing exceptions. Consent, refusal, withdrawal and objection are not the same legal act.
Web implementation
On the web, a service can expose a consent-requests resource and signal its availability to the browser. The user-side software presents the request and communicates the decision through the ADPC header or an equivalent JavaScript interface, making ADPC compatible with existing web stacks.
Beyond websites
The specification is a foundation, not a limit. ADPC’s communication logic can be implemented for IoT devices, robotics, immersive systems, apps and AI-mediated interfaces. The legal and design goal remains the same: choices should be understandable, machine-readable, auditable and under meaningful user-side control.
From specification to
European standard.
Proposed Article 88b foresees harmonised standards for interpreting machine-readable indications of choices. ADPC gives standardisation work a concrete starting point. The next step is not to invent the concept from zero, but to test, govern, refine and institutionalise a rights-first mechanism through an inclusive European process.
Read the specification, test the implementations, file issues, propose improvements and help build a standard that can serve citizens, regulators and responsible digital businesses.
Conformance checklist
for implementers.
Requests must be clear, specific and connected to stable identifiers
User-side software must not create consent without a valid user decision
Withdrawal must be as easy as giving consent
Implementations must respect partial choices and purpose-specific decisions
CMP and CMS integrations must apply the decision, not merely hide a banner
Logs and records should support accountability without creating unnecessary surveillance
Contribute to the standard.
Read the specification, test the implementations, file issues, propose improvements and help build a standard that can serve citizens, regulators and responsible digital businesses.