Comments (7)
"Tell websites not to sell or share my data" might be tailored to the scope of opt-outs for some laws, but not others that have broader opt-outs, for example. If the GPC field sticks to a boolean value, the language might need to clarify other ways it could be interpreted (in addition to the ‘learn more’ link with more complete information). We flag these questions to consider, as many actors in the ecosystem will be required to figure out how to parse and respond to these signals.
from gpc-spec.
I submitted PR #57 to try to provide more information about existing legal guidance on UI requirements. I do not think it is practical to get browsers to agree on specific disclosures since at least some user agents have stated an intent to continue to turn GPC on by default (which is allowable under certain conditions under at least both California and Colorado regulations). And even if W3C were to agree on consensus language, there is no certainty that regulators (who have the final say in their jurisdictions) would agree with our interpretation of what is or is not legally required. I think it is unlikely that regulators are going to require or even bless specific language formulations, though if any do we should certainly update our documentation to reflect that.
Because legal guidance will continue to evolve, I agree with the proposal from @AramZS to set up an explainer document with more detail about legal requirements that can be updated more regularly than this spec (see Issue #56).
from gpc-spec.
I agree that setting a norm for a string, if not a requirement, would be useful given the legal implications.
I am working internally in Firefox to get language set now. One idea we have had that I am partial to is "Tell websites not to sell or share my data" with a link to learn more.
from gpc-spec.
We have a paper at the Privacy Enhancing Technologies Symposium next year that may be relevant,
Generalizable Active Privacy Choice: Designing a Graphical User Interface for Global Privacy Control.
The question we address is how GPC can be integrated into the browser without default settings, compliant with the law, and in a usable way. The main idea is to generalize settings, e.g., apply the GPC opt out on site towards all future sites people visit.
from gpc-spec.
@jyasskin Does the latest state of the explainer satisfy your questions here enough that we can close the issue?
from gpc-spec.
Looking at https://github.com/privacycg/gpc-spec/blob/main/explainer.md#6-user-experience-considerations-and-recommendations, I don't see clear answers to the questions in my original post.
As discussed when we talked about adopting GPC into the Privacy CG, UAs aren't sure how to do this so that the header stays legally enforceable and has the intended effect across many jurisdictions. UAs also want to make it clear to users what happens when they turn on the header, and we need guidance about how that depends on where the user is, where the target site is based, the user's history of moving around, etc.
For example, if Chrome were to start sending the header by default, with no indication from the user that they intended to opt out of sale/sharing, would that remove sites' obligations in some jurisdictions to respect the header when it came from Chrome? And so is it something that the specification or explainer should tell Chrome not to do?
I also don't see anything in the explainer yet that covers the concern about how we make the effects clear to users. I see the link to Robin's speculation about the effects under the GDPR, but our legal folks aren't convinced he's right. This might be a task to leave to the WG.
from gpc-spec.
I see the link to Robin's speculation about the effects under the GDPR, but our legal folks aren't convinced he's right.
I'd say @darobin's point is a bit more than speculation. Notably, the Landgericht Berlin required LinkedIn to honor DNT signals based on GDPR, Article 21(5) (in German).
from gpc-spec.
Related Issues (20)
- Does this really need a GPC support resource HOT 13
- Private mode/incognito HOT 8
- Weak requirements language HOT 2
- Fingerprinting HOT 4
- lack of version HOT 4
- Update gpc-spec links
- Ensure consistency between HTTP and JavaScript HOT 6
- Make the architecture support other privacy laws HOT 10
- Legal Effects section may fall out of date HOT 5
- Set up explainer document in this repo with more detail for implementers HOT 6
- Are implementers expected to always have the header active or not? HOT 3
- Should the navigator property always have the property active or not? HOT 5
- Create consumer-facing GPC instructions HOT 1
- Mixed documentation on navigator.globalPrivacyControl returning 1 or true HOT 5
- Clarify when a Global Privacy Control preference needs to be conveyed
- Add direct identification for each jurisdiction HOT 1
- GPC spec status HOT 4
- Move laws to Explainer HOT 2
- §5 should end after the sentence "For additional details on legal effects, consult the explainer." HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from gpc-spec.