Say that the do-not-sell-or-share preference applies unless the site has an overriding signal #80

Open
jyasskin opened this issue Sep 24, 2024 · 3 comments


@jyasskin
Member

Sec-GPC sets a default that users' data shouldn't be sold or shared, but users can have a special relationship with a certain site that overrides that default. The spec should say something like:

> A do-not-sell-or-share preference is when a person requests that their data "not be sold or shared" by default, unless they have informed a specific website that they want to override that default. This overriding preference is not necessarily communicated using the same format or channel as the original default.

@j-br0
Contributor

j-br0 commented Oct 16, 2024

When site-specific arrangements override universal GPC signals will be a question of law. Both California and Colorado, for example, have requirements for when consent to override a previous opt-out is deemed to be valid.

I have no objection noting in the spec and/or the explainer that it is possible that specific consent may override a GPC signal, but I would want to also point to the fact that jurisdictions that have rules for when GPC is valid may also have rules for when GPC may be disregarded (which is probably best done in the explainer).

@j-br0
Contributor

j-br0 commented Dec 4, 2024

Created PR #88 to try to address this in a new Section 6.4 of the explainer --- any feedback welcome!

@j-br0 j-br0 added the agenda+ Request to add this issue to the agenda of our next telcon or F2F label Dec 4, 2024
@coolharsh55

Suggested wording to clarify such effects legally:

A do-not-sell-or-share preference is when a person requests that their data "not be sold or shared" by default**., unless they have informed a specific website that they want to override that default. This overriding preference is not necessarily communicated using the same format or channel as the original default. Where users want to inform or have a specific arrangement with a site for communicating a different preference than what is communicated by the GPC, such communications may not necessarily use the same format or channel as GPC (as default). Further, the validity of such arrangements in terms of potential conflicts with expressed GPC preferences, and whether such arrangements can override the expressed GPC preferences may also depend on the interpretation of application jurisdictional laws. For example, California and Colorado allow subsequent consent to override or replace a prior opt-out (which would have been expressed using GPC). It is therefore recommended that such arrangements should always explicitly acknowledge the existing application of GPC preferences when asking the user to replace or override it with a different decision communicated through alternative arrangements.**

@SebastianZimmeck SebastianZimmeck removed the agenda+ Request to add this issue to the agenda of our next telcon or F2F label Feb 6, 2025