Introducing Global Consent Manager

Web users face a confusing array of data sharing choices including GDPR consent, existing standards such as Platform for Privacy Preferences and Do Not Track, and individual user preferences and norms. It is widely predicted that all these privacy choices will lead to poor user experience and possible inadvertent selection of options that do not match the user’s privacy norms because of misleading copy and design combined with user fatigue.

However, user control of data sharing also presents an opportunity for sites trusted by users to work together with browsers that implement user data sharing controls. Existing work shows that users running ad blockers have higher levels of engagement. In a natural experiment on May 25, a GDPR-compliant version of the “USA Today” web site outperformed the original site in performance.

Publisher sites currently have several inadequate options.

But what if there is another way? This project aims to do the tedious work of setting the right consent bits, and do a better job than users can achieve manually. We plan to use several sources of data:

  1. Implement existing consent standards. IAB Europe has published a cookie-based standard for consent, called GDPR Transparency and Consent Framework. Many of the permissions reflected in this new standard are already covered by existing preferences such as “Do Not Track,” or can be determined from user behavior. A browser extension can fill in the necessary data in the cookie to reflect the user’s privacy preferences, without asking the user to micromanage consent.
  2. If necessary, manually recognize known consent forms, and auto-complete them based on the user’s norms. This can be built out with open-source lists of consent forms and how they map to recognized user preferences. (This is not likely to be needed as more companies choose to work with consent standards.)
  3. Develop and use microformats for consent, so that consent management will “work out of the box” for new and small sites that aren’t on the list of known consent forms. (This is also a fallback measure in case of sites that do not comply with consent standards.)
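
As an added illustration of item 1 (not code from this project): a Node.js example that turns a user's preferences into a consent string using the bit layout of version 1.1 of the IAB framework, then decodes it again. The Do Not Track mapping, the `META` sample values and all function names are assumptions made for this example.

```javascript
// Added example. Field widths follow the IAB TCF v1.1 consent string layout;
// only the one-bit-per-vendor encoding (encodingType 0) is handled.
const FIELDS = [ // [name, width in bits], in wire order
  ['version', 6], ['created', 36], ['lastUpdated', 36], ['cmpId', 12],
  ['cmpVersion', 12], ['consentScreen', 6], ['consentLanguage', 12],
  ['vendorListVersion', 12], ['purposesAllowed', 24], ['maxVendorId', 16],
  ['encodingType', 1],
];
const bits = (n, width) => BigInt(n).toString(2).padStart(width, '0');
// Two letters A-Z, six bits each (A = 0).
const langCode = (s) => (s.charCodeAt(0) - 65) * 64 + (s.charCodeAt(1) - 65);

// Hypothetical policy (an assumption, not the project's mapping): Do Not Track
// clears every purpose and vendor; otherwise only the listed ones are set.
function consentFromPrefs({ dnt, purposes, vendors }, meta) {
  // Purpose 1 is the most significant of the 24 purpose bits.
  const mask = (dnt ? [] : purposes).reduce((m, p) => m | (1 << (24 - p)), 0);
  return { ...meta, purposesAllowed: mask, encodingType: 0,
           vendors: new Set(dnt ? [] : vendors) };
}

function encodeConsent(c) {
  let s = FIELDS.map(([name, width]) => bits(c[name], width)).join('');
  for (let id = 1; id <= c.maxVendorId; id++) s += c.vendors.has(id) ? '1' : '0';
  s = s.padEnd(Math.ceil(s.length / 8) * 8, '0'); // zero-pad to whole bytes
  const bytes = s.match(/.{8}/g).map((b) => parseInt(b, 2));
  return Buffer.from(bytes).toString('base64') // web-safe base64, no padding
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function decodeConsent(str) {
  const buf = Buffer.from(str.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
  const s = [...buf].map((b) => b.toString(2).padStart(8, '0')).join('');
  const out = {};
  let pos = 0;
  for (const [name, width] of FIELDS) {
    out[name] = Number(BigInt('0b' + s.slice(pos, pos + width)));
    pos += width;
  }
  if (out.encodingType !== 0) throw new Error('range encoding not handled here');
  out.vendors = new Set();
  for (let id = 1; id <= out.maxVendorId; id++) {
    if (s[pos + id - 1] === '1') out.vendors.add(id);
  }
  return out;
}

// Constructed sample values; cmpId 0 is a placeholder, not a registered CMP.
const META = { version: 1, created: 15272064000, lastUpdated: 15272064000,
  cmpId: 0, cmpVersion: 1, consentScreen: 0, consentLanguage: langCode('EN'),
  vendorListVersion: 1, maxVendorId: 10 };
```

Decoding the string back before writing it to the cookie is a cheap check that the stored bits say what the user's preferences say.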

We will release a browser extension that will do the right thing with consent forms and other site affordances, and automatically implement a mapping between user norms and each site's data usage requests and policies. The extension will keep track of known data usage policies and which sites the user appears to trust, based on their activity.

Avoiding reflexive denial of data collection practices that match the user’s norms is a key goal. We will design the extension to facilitate users making the appropriate choice when sites they trust make a request for consent.

The deliverable is user research results from the browser extension. At this point the browsers can compete to do their own versions, in order to give their users a more trustworthy and less annoying experience. Browsers need to differentiate in order to attract new users and keep existing users. Right now a good way to do that is in creating a safer-feeling, more trustworthy environment.

Related projects: Consent Cookie Manager from Consent Hack Day