Project page
I created a client-side JavaScript utility that detects and logs Global Privacy Control (GPC) signals from user browsers.
GPC is a web standard that allows users to signal their privacy preferences to websites, particularly their
desire to opt-out of data sharing and selling. A GPC signal of true indicates the user has opted out.
The goal was to measure how many users arrive with a GPC signal already enabled — and whether that signal
aligns with their in-session consent behavior. By pairing passive GPC detection with an explicit opt-in/opt-out
consent banner, the study captures both ambient privacy preferences and active user decisions in the same session.
A lot of the struggle in this work came from developing the logging functionality. Not only did I have to get this
running on an EC2 instance with proper security measures in place, but I needed to make sure that this logger, which was
our primary source of information, didn't accidentally expose thousands of students personal information in the process
to our research. In turn, I had to fight against my production environment- built in loggers were configured to expose ip
addresses, this was solved by instead logging a fingerprint by hashing ip address together with browser version to get a unique
identifier for each user.
Logging GPC alongside explicit consent responses surfaces a gap that most analytics pipelines ignore entirely.
When a user's GPC signal contradicts their banner choice, it raises real compliance questions under CCPA and
similar frameworks. The utility also uses navigator.sendBeacon to fire consent events before page unload,
ensuring interaction data isn't lost even when a user immediately opts out and gets redirected.
