"data" is poorly defined #19
Comments
The legal effects of the signal are dependent on the regulatory regimes in a user's jurisdiction. Please see: https://globalprivacycontrol.github.io/gpc-spec/#legal-effects
I'm not talking about the legal effects. I'm talking about this being vague in terms of what the user expects the site to do. Does a website saying "we honor GPC" mean that "we do not share data with anyone else at all" or "we share data in limited circumstances that are outlined in our privacy policy and are allowed according to our lawyer's interpretation of the regulatory regime"? If someone connects to that website with Sec-GPC set to "1", how are the website's operators supposed to handle this w.r.t. sharing data in limited circumstances?
Again, those will depend on the legal requirements in the jurisdiction in which GPC is honored/invoked. In California, where GPC is required under the CCPA, the definition of who is a third party and the manner/frequency with which a business can show a popup is outlined in the AG's rule making, which you can find here: https://www.oag.ca.gov/sites/all/files/agweb/pdfs/privacy/oal-sub-final-text-of-regs.pdf? In other jurisdictions where GPC may be adopted, those definitions and regulations may vary. Please refer to the privacy framework in the jurisdiction you're concerned about.
In Section 1,
What constitutes "user data" that can or cannot be shared?
For example, if a website uses a CDN for fonts, stylesheets or JavaScript libraries, then that site is implicitly sharing user information with the CDN (HTTP Referrer, IP address, User-Agent string).
Likewise, what constitutes a "third party"?
Users making a purchase will be implicitly sharing their information with payment services and possibly shipping services.
If a website is an agent or reseller for other parties, then it will be sharing information about sales with those parties. For example, a site that sells artwork will notify the original artist who purchased their work (and it may be the responsibility of the artist to send the artwork to the buyer).
Media companies may share purchase information with copyright enforcement agencies, e.g. an agency finds a copyrighted image or video on a website, notifies the copyright holder, who then responds that that website is a legit user.
The user is acting on behalf of or granted access by a third party (e.g. their employer or school), and information will be shared with that third party.
All of the above will be spelled out clearly in a website's terms or privacy policies. But a binary true/false misses important exceptions.