When given the option to control how their data is being collected and distributed with a simple click on a button, 94 percent of participants in a study from researchers at Wesleyan University said they would use the tool.
The new opt out mechanism, called Global Privacy Control (GPC), promises to allow people to universally exercise their right to opt out of data sharing and selling through a simple click in their browsers to communicate their preferences to websites across the internet. “The opt out right is especially important because it controls whether or not people’s data enters the online ad ecosystem,” said the study, published by the Proceedings on Privacy Enhancing Technologies Symposium. “There will be no need to access or delete data if it was not stored.”
The study tested whether participants would use the tool, if they correctly understand what it does, and whether websites comply with what people’s GPC settings tell them to do. Sebastian Zimmeck, study co-author and assistant professor of computer science, said that by proving that the tool is useful, and people understand how to use it, companies would be required to honor the signals. Zimmeck was joined by four former and current Wesleyan undergraduates in the study—Kuba Alicki ’22 (now pursuing a graduate degree at Princeton), Sophie Eng ’25, Jocelyn Wang ’24, and Oliver Wang ’24.
Of those surveyed, 89 percent said they would enable GPC signals to “most” or “all” websites they visit. Just four percent said they would not send any GPC signals at all. Not only would those surveyed use the tool, 81 percent correctly understood what it does, the study said.
“That’s why it’s important to nail down that people actually do understand what they’re doing and that they want to do it,” Zimmeck said. “It prevents this argument from companies that, ‘we can just ignore it.’”
To test whether sites are compliant with GPC signals, the study authors ran a GPC compliance enforcement analysis of 464 websites. They found that just 12 percent of sites were compliant. The answer to this issue, Zimmeck said, is further and, in particular, federal regulation on data privacy.
Currently in the United States, there are data privacy protection laws in California, Colorado, Connecticut as well as in various other states. Each are varying in scope and strength, with the California, Colorado, and Connecticut laws each requiring websites to honor designated opt outs via mechanisms like GPC, the study says. The European Union initially went by a similar state-by-state approach from the 1990s until 2018, when they shifted toward a central data privacy law applicable across every member state, the General Data Protection Regulation, Zimmeck said. This state-by-state approach led to several small blockages and discrepancies in privacy laws, he said. “I think we should take a lesson from what was learned in the European Union,” he added, noting the centralized law has been more effective in his eyes.
He added that GPC’s universal switch allows for users to make one decision across all websites, or just across some, rather than having to individually make privacy decisions at every turn. “On one side, we want to help people make their privacy choices, but on the other side, we don’t want to annoy them,” he said.
Part of the data privacy conversation is how to square privacy with the ad-financed web. According to the study, 52 percent of those surveyed were not comfortable with being shown ads based on their activity on a website. On one hand, that suggests that about half of the people do not want their data to be used for targeted ads, but it also suggests there’s still a large number of people either willing to be shown ads as a tradeoff for cost-controlled content access, a key part of the equation, Zimmeck said.
“There is a place for advertising, it just that has to be done in a way that’s privacy preserving,” Zimmeck said. “Not everybody can or would like to pay for everything. So, advertising is a way to finance content that otherwise would need to be paid for.”