Katherine Hausladen, Oliver Wang, and Sophie Eng, Wesleyan University; Jocelyn Wang, Princeton University; Francisca Wijaya, Matthew May, and Sebastian Zimmeck, Wesleyan University
The California Consumer Privacy Act (CCPA) gives California residents the right to opt out of the sale or sharing of their personal information via Global Privacy Control (GPC). In this study we show how to evaluate websites' compliance with GPC. Using longitudinal data collected by crawling a set of 11,708 sites, we show the extent to which sites are respecting California residents' opt-out rights expressed via GPC. We do so by examining the values of four privacy strings that indicate a web user's opt-out status: the US Privacy String, the Global Privacy Platform String, the OptanonConsent cookie, and the .well-known/gpc.json. We find that about a third of sites that have evidence of selling or sharing personal information per the CCPA implement at least one of the four privacy strings. In December 2023, 44% (1,411/3,226) of such sites opted users out via all implemented privacy strings. In February 2024, this percentage decreased to 43% (1,473/3,402) before increasing to 45% (1,620/3,566) in April 2024. Despite the slight uptick between December 2023 and April 2024, compliance rates remained at a low level overall, indicating widespread disregard for California residents' right to opt out. Our findings highlight the importance of effective enforcement of the CCPA, in particular, with a focus on big web publishers.
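The "opted out via all implemented privacy strings" test can be sketched as follows. This is an added example, not the authors' crawler or analysis code. The interpretation rules are assumptions taken from the public specifications (third character of the IAB US Privacy String, `isGpcEnabled` in the OneTrust cookie, the boolean `gpc` member of gpc.json), the function names are hypothetical, and the Global Privacy Platform String is left out because decoding it requires the full IAB section encoding.

```python
import json
from urllib.parse import parse_qs

def usp_opted_out(usp):
    """IAB US Privacy String such as '1YYN': version, notice, opt-out of sale, LSPA."""
    if not usp or len(usp) != 4 or usp[0] != "1":
        return None                      # absent or malformed: not implemented
    return usp[2].upper() == "Y"         # 'N' and '-' both mean no opt-out recorded

def optanon_opted_out(cookie):
    """OptanonConsent cookie value: URL-encoded key=value pairs joined by '&'."""
    if not cookie:
        return None
    fields = parse_qs(cookie)
    if "isGpcEnabled" not in fields:
        return None
    return fields["isGpcEnabled"][0] == "1"

def gpc_json_supported(body):
    """Body of /.well-known/gpc.json; True when the site declares it honors GPC."""
    if body is None:
        return None
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    if not isinstance(doc, dict) or not isinstance(doc.get("gpc"), bool):
        return None
    return doc["gpc"]

def classify(usp=None, optanon=None, gpc_json=None):
    """Label one site from values observed after visiting it with GPC enabled."""
    observed = {"usp": usp_opted_out(usp),
                "optanon": optanon_opted_out(optanon),
                "gpc_json": gpc_json_supported(gpc_json)}
    implemented = {k: v for k, v in observed.items() if v is not None}
    if not implemented:
        return "no_string", implemented
    verdict = "opted_out" if all(implemented.values()) else "not_opted_out"
    return verdict, implemented

if __name__ == "__main__":
    # Constructed observations for three hypothetical sites.
    print(classify(usp="1YYN", optanon="isGpcEnabled=1&groups=C0001%3A1%2CC0004%3A0"))
    print(classify(usp="1YNN", gpc_json='{"gpc": true}'))
    print(classify(gpc_json="<html>404</html>"))
```

A site counts as opting the user out only when every string it implements says so, which is why the second constructed site fails despite publishing a gpc.json that claims support.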