Persistent Opt Outs #915
Comments
|
Global Privacy Control (GPC) might do what you're looking for here. It's a persistent setting that works independently of third-party cookies. Although GPC has a specific legal meaning in some jurisdictions, there's nothing preventing an individual company or industry organization from also treating it as equivalent to their old cookie-based opt-out. Most users aren't familiar with the specifics of web advertising, so GPC would likely produce less surprising results than an opt-out that is tied to PAAPI. (It also means less code to maintain than separate opt-outs for PAAPI and non-PAAPI browers.) |
|
On the same use case, @thegreatfatzby : #573 (comment) Also, I guess that Xandr "do not use my data" applies to all forms of processing for web advertising. If so in the case of Privacy Sandbox, the solution should apply not only to Protected Audience, but also to Topics, Attribution Reporting, and Shared Storage. |
|
@dmarti thanks for the suggestion. That said, I'm not quite following, might need a bit more elaboration. I hadn't looked at GPC since doing Xandr's US Privacy work last year, just reviewed it, to summarize a few key things:
So I guess my main question is if there a way to instruct the browser, Chrome in particular, to always set GPC? |
|
@lbdvt agreed. |
|
@michaelkleber I'm curious if you'd be open to something directionally like this:
So two examples could be:
|
|
Maybe we could call them E-CHOPS: Enumerated Cookies Having Overlapping Partitions State? |
|
@thegreatfatzby GPC is one of the specifications to be discussed at the proposed Privacy Working Group. Right now it is not implemented in Google Chrome as far as I know. The current trend in the privacy policy and services scene is to try to give users fewer, but more effective controls, so GPC might be more future-proof than an opt-out tied to a specific technology. For example,
GPC is different technically, but it also ties in to the trend of trying to minimize privacy labour for users. If an opt-out takes effect only one domain at a time, there is a backwards incentive for domains to provide worse opt-out UX. Whoever can design the worst opt-out is going to end up being able to collect the most data. Enabling opt-outs that take effect for all domains connected to by the same browser (or user, if they share a preference across multiple devices) means you won't get punished relative to competitors just for improving UX. Currently many privacy polices include instructions on how to set up a third-party-cookie-based industry opt out, and those tend to be less reliable than GPC which can be set once in a browser preference. There may be a few users who want to out out of just Xandr and nobody else, but they're going to be rarer than people who just want to opt out. |
|
Coming back to this after a bit, few comments I'll separate out. @dmarti I certainly agree that if there is a global opt out available, and it's reasonably clear what it means in the context of a request to a platform, in a jurisdiction, etc etc, that platform should respect that opt out w/o needing an additional platform specific opt out for that purpose. For right now I still think a per-platform opt-out feature makes sense to pursue for a few reasons:
Now I suppose what we could do, technically, is on our privacy site say "You can opt out of our services by indicating a global opt out. Some ways to do that include installing this Chrome extension...etc"...I'm not sure which side will win that battle internally :) |
|
So @michaelkleber et al, we talked about this in our Wed group a bit back, and my "enumerated cookie" idea didn't get much love (whatevs), but I was digging around Private State Tokens and it seems to have evolved in a direction that is kinda-sorta like what I meant, so I wanted to bounce this off the group. Very Coarse SetsA much better way to say what I meant by "enumerated cross partition cookie", might be this from the PST Motivation doc (highlights mine):
One of those "very coarse sets" for a site/service could very well be "is opted out", and that seems like a reasonable "web trust" use case. So I'd like to reframe for this forum as whether "site defined coarse set segmentation" is a use case that Privacy Sandbox is open to, or even currently wants to, support, with/without design limitations related to "web trust"? I would see what PST is today as a great starting point, with a few issues I'll call out below. Couple of Specific PST NotesThe challenges I think we (Xandr/MSAN, others I suspect as well) would hit with PST as it exists now are around some of the (intentional) design limits that were baked in for Trust Tokens and I'm unclear if PST wants to evolve in a more general, if not unlimitedly general, direction:
I thiiink we could deal with token expiry by setting an effectively unlimited expiration date, never redeeming a token, and just using the query API hasPrivateToken. Key rotation mayyyybe could work by just not rotating, although that doesn't seem great. But for this to be a reliable primitive for something like opt-out-status, the 2 issuer limit would be a problem, as that could get quickly filled with opt outs on 2 out of the many ad tech platforms, let alone other types of services. Private State Tokens LimitationsSo my more general PST questions seem more appropriate in the PST repo, but I'll refer to it here. WICG/trust-token-api#288 |
|
I wonder if the DNT header could be useful. sequenceDiagram
participant b as Browser
participant s as K-V Server
participant g as generateBid.js
b->>s: with DNT header
s->>b: sends a Key with DNT flag
b->>g: Call generateBid(...with args)
g->>b: No Bid !
|
|
@ruturajv thanks! Yeah I think that would be interesting. Am I getting it right that, at least in theory minus the deprecation status, DNT is similar to GPC at least in the sense that it is a browser level setting, i.e. you tell the browser "send DNT=X" and it sends it every (or most) requests it sends out? (Also nice sequence diagram, I need to get better at those). |
|
Chrome has a recently-opened issue to remove DNT. Remove Do-Not-Track Settings and Header (https://issues.chromium.org/issues/41440843) |
|
GPC is not currently supported in Chromium/Chrome but there is a feature request issue for adding support: https://issues.chromium.org/issues/40745270 |
|
Right, the downside to using something "browser level", DNT/GPC otherwise, is that it would cause an opt out of advertising on all platforms, and impact non-adtech requests as well (I'm assuming, to be fair). Again I'd guess the overlap of people who would visit privacy-center.xandr.com to opt out, and those who want GPC=1 everywhere, is high, but I don't think Xandr should be making that choice for other platforms (and again I'm curious the non ad tech consequences). |
Background
Today we have a little page, the Xandr Privacy Center, which a consumer can go to to make elections about how their data is used, in our case pretty simply "do not use my data". It has two options: one which will set your Xandr Cookie to -1, which will indicate an opt out, and Xandr Platform will respect on a go-forward basis, for both our ANID and any other IDs we may get on a request (RampID, etc); the second will do that and record the ID (can be a device ID as well) so that any IDs we have linked at the household level are also opted out.
(There is also the MSFT Privacy Dashboard that does similarly for the MSAN platforms, it has a few other variables, but we can focus on the Xandr piece for our purposes here).
Issue
With Cross Partition 3PC going away, I'm actually not sure how we'll accomplish this anymore.
So, all else equal, the following will occur:
Solution?
In the "previously visited" case we could use "CHIP w/o IG" as a signal, but that is a weak/noisy/bad signal I think; I'm not sure what we even could do in the "not previously visited" case (fingerprinting based opt outs :) ).
Could clearOriginJoinedAdInterestGroups offer additional flags to:
The text was updated successfully, but these errors were encountered: