Update Explainer to add new 6.4 (Consent to Track Notwithstanding a Universal GPC Signal) #88
base: main
Added new section 6.4 to address Issue-80 on when separate consent to track can override GPC
An improvement, particularly with the paragraph about bombarding users with consent prompts.
I think it would still be useful to also say something very short in the normative spec itself, but this is good text for the explainer.
Any recommendation on where that should be? Maybe a sentence or two in 5.3 (maybe in lieu of some of the existing language in the second half of that section which is largely duplicative of what's now in the explainer)?
It ought to be somewhere in the definition of the meaning of the
which refers to section 2:
A possible change could be "... except as permitted by law or specifically arranged between the person and the website."?
These changes look good to me. I don't have any opinions on Jeffrey's comment but the suggested wording looks good to me.
grammar is hard. "company requests" seemed a bit off to me.
Minor wording change as suggested by Martin Thomson
Co-authored-by: Martin Thomson <mt@lowentropy.net>
Amended 5.3 to add reference to different jurisdictions having different rules for consent to override, and deleted extraneous legal analysis that is duplicative of the Explainer (Legal and Implementation Considerations guide).
@@ -216,6 +217,12 @@ Setting the USPAPI for propagating GPC downstream. | |||
|
|||
Generally website developers should consider GPC signals to be identical to a user flipping the opt out switch on their website and take action accordingly. | |||
|
|||
### 6.4 Consent to Track Notwithstanding a Universal GPC Signal | |||
|
|||
A do-not-sell-or-share preference is when a person generally requests of all website publishers that their data "not be sold or shared.” However, it is possible that a particular publisher would seek to enter into a separate agreement with a user permitting that publisher to sell or share the user’s data notwithstanding the general preference. The GPC spec does not provide for a mechanism or syntax to negotiate or indicate such an exception, so any user consent to tracking would be communicated apart from the GPC signal. |
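Review bot: The last sentence of the added 6.4 paragraph says consent "would be communicated apart from the GPC signal" but does not say what a site should do when later requests from the same user still carry the signal. Since the paragraph itself states that the spec has no syntax for an exception, consider adding a sentence saying that the publisher has to keep its own record of the separate agreement and should treat the signal as in effect wherever no such record exists. Also, the quotation in the first sentence opens with a straight quote and closes with a curly one ("not be sold or shared.”); use one style.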
Similar to the suggested changes to the section title, maybe "so any user consent to tracking" here could be rephrased to "any consent to override" or the like.
This is a broader point about consistent terminology around tracking/selling/sharing/targeting that I will raise as a separate issue.
Change "Consent to Track Notwithstanding a Universal GPC Signal" to "Consent to Disregard a Universal GPC Signal"
I'm still uncomfortable that the definition of Sec-GPC doesn't include the possibility that the user wanted it to apply generally but not on a specific website. The change in this PR, in the "User Interface Language" section, is fine to warn UAs that they shouldn't imply that it applies globally, but we ought to also accurately define the signal itself.
index.html
Outdated
@@ -442,30 +442,17 @@ <h2>User Interface Language</h2> | |||
</p> | |||
<p> | |||
Different jurisdictions have different prerequisites before a platform can enable a universal | |||
opt-out. For example, the most recent regulations promulgated under the California Consumer | |||
Privacy Act state: | |||
opt-out. Many states say that a user agent may not send a universal opt-out signal by "default," |
"States" is probably ambiguous in a global context. Use either "US states" or "jurisdictions"?
fixed
opt-out signal. For example, Colorado’s regulations explicitly provide “a Universal Opt-Out | ||
Mechanism may not be the default setting for a tool that comes pre-installed with a device, | ||
such as a browser or operating system” ([[?COLORADO-REGULATIONS]], Rule 5.04(a)). | ||
Different jurisdiction may also have different rules for when companies can override or disregard |
Is the "may" needed here? Are we unsure whether the rules actually vary?
Different jurisdiction may also have different rules for when companies can override or disregard | |
Different jurisdictions also have different rules for when companies can override or disregard |
The language may differ slightly (though some statutes are identical), but in practice regulators may enforce the same way --- most statutes include language directing regulators to try to accord interpretation to be consistent with other states. I don't feel strongly though . . .
This looks good enough for my concern.
index.html
Outdated
a website to ignore a generally applicable [=preference=] (see § 5.3 below and the | ||
<a href="https://privacycg.github.io/gpc-spec/explainer" target="_blank">Legal and Implementation | ||
Considerations guide</a>). |
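Review bot: The anchor added on the `<a href=... target="_blank">` line opens the Legal and Implementation Considerations guide in a new browsing context with no rel attribute. If this stays a plain link, add rel="noopener" or drop target="_blank", so that the opened page does not receive a window.opener reference to the spec page in browsers that do not imply noopener by default.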
Some markup nits, but also a fix to the URL: This should be
a website to ignore a generally applicable [=preference=] (see § 5.3 below and the | |
<a href="https://privacycg.github.io/gpc-spec/explainer" target="_blank">Legal and Implementation | |
Considerations guide</a>). | |
a website to ignore a generally applicable [=preference=] (see | |
[[[#user-interface-language]]] below and the [[[?GPC-LEGAL-CONSIDERATIONS]]]). |
and then there should be a localBiblio entry above of the form:

    {
      '...': '...',
      'GPC-LEGAL-CONSIDERATIONS': {
        title: 'GPC Legal and Implementation Considerations guide',
        href: 'https://github.com/w3c/gpc/blob/main/explainer.md',
      },
      '...': '...'
    }

The replacement of "§ 5.3" ensures the section number stays in sync if sections are added or removed, and the switch to a bibliography reference instead of a plain link ensures it shows up in the informative references section at the bottom of the document. There's a second mention of this guide in section 5.3: up to you if you also replace that with the [[[?biblio reference]]].
Adopted @jyasskin's wording tweak
Co-authored-by: Jeffrey Yasskin <jyasskin@google.com>
Fixed capitalization and added link to Legal and Implementation Considerations Guide.
Added new section 6.4 to address #80 on when separate consent to track can override GPC.