Align all descriptions of GPC to say it's meant to restrict sale and sharing of data. #102

Open
wants to merge 1 commit into
base: main
jyasskin
Member

@jyasskin jyasskin commented Apr 22, 2025

This keeps the Abstract's definition of GPC, and aligns the other sections to match that and: the description on globalprivacycontrol.org, the UI wording that Firefox has chosen, and the description on extension sites like https://privacybadger.org/#What-is-Global-Privacy-Control. There's clearly appetite from some regulators to also have signals about cross-site advertising, cross-context advertising, and targeted advertising, but Sec-GPC:1 isn't enough information to serve all of those purposes at the same time (#51).

This follows up on @michaelkleber's comment at #52 (comment). It doesn't touch the UI guidance: if and when this part is merged, we can think about whether #99 is sufficient, or whether @michaelkleber or I should send a follow-up patch for that section.


…sharing of data.

And mention that regulators haven't always followed that intention.
@j-br0
Contributor

j-br0 commented Apr 24, 2025

This proposed change would dramatically weaken GPC, subverts the clear intent of the tool, and would make it ineffective in the majority of states that have passed privacy laws with universal opt-out mechanisms.

Originally, CCPA's opt-out rights were limited to the "sale" of personal information, but that prohibition ended up being ineffective in practice because companies adopted very constrained interpretations of the term "sale." When opt-out rights didn't even turn off cross-site retargeting --- the paradigmatic example of online tracking for most consumers --- something was wrong. CA addressed this issue by adding in rights around "sharing of data for targeting advertising" and other states addressed it by expanding opt-out rights for cross-context targeted advertising.

The GPC spec was originally written to help users preserve contextual integrity and it has long been explicit in the text that GPC should logically be interpreted to invoke universal rights to opt out of sales as well as cross-context targeted advertising. Deciding to retroactively and radically narrow the scope of GPC today would change the meaning for states like Colorado, Connecticut, and New Jersey that have already said GPC is legally binding. It would lead to a perverse situation where GPC turns off targeted ads in California but might not in other states---even though those states explicitly allow for universal tools to turn off cross-site targeting.

There is no need for a separate signal for cross-site targeting --- it introduces unnecessary confusion and complication and would kneecap an effective existing tool to let consumers opt out.

@jasonekint

Strongly agree with @j-br0 on behalf of DCN, representing hundreds of premium publishers.

@dmarti
Contributor

dmarti commented Apr 24, 2025

The spec can't cover every possible legal implication in every jurisdiction, but should be consistent with existing well-documented requirements that sites are already complying with.

The State of Colorado went through an extensive process intended to register specific universal opt-out mechanisms (UOOMs) as "recognized to meet the standards" of Colorado law, and GPC was chosen. More background and documents at https://comments.coag.gov/s/universal-opt-out-applications

Colorado law specifically includes "THE RIGHT TO OPT OUT OF THE PROCESSING OF PERSONAL DATA CONCERNING THE CONSUMER FOR PURPOSES OF TARGETED ADVERTISING" in the text of the Colorado Privacy Act. (they put it in all caps, not me)

https://coag.gov/app/uploads/2022/01/SB-21-190-CPA_Final.pdf

Many intended readers of the GPC spec, including maintainers of web sites, service providers, and industry organizations, are already treating GPC as a Colorado-compliant UOOM, as required by law.

4 participants