Say that the do-not-sell-or-share preference applies unless the site has an overriding signal

[jyasskin]

Sec-GPC sets a default that users' data shouldn't be sold or shared, but users can have a special relationship with a certain site that overrides that default. The spec should say something like

A do-not-sell-or-share preference is when a person requests that their data "not be sold or shared" by default, unless they have informed a specific website that they want to override that default. This overriding preference is not necessarily communicated using the same format or channel as the original default.

[j-br0]

When site-specific arrangements override universal GPC signals will be a question of law. Both California and Colorado, for example, have requirements for when consent to override a previous opt-out is deemed to be valid.

I have no objection noting in the spec and/or the explainer that it is possible that specific consent may override a GPC signal, but I would want to also point to the fact that jurisdictions that have rules for when GPC is valid may also have rules for when GPC may be disregarded (which is probably best done in the explainer).

[j-br0]

Created PR #88 to try to address this in a new Section 6.4 of the explainer --- any feedback welcome!