"data" is poorly defined #19

Closed
robrwo opened this issue Mar 4, 2021 · 3 comments

robrwo commented Mar 4, 2021

In Section 1,

This specification addresses the issue by providing a way to signal... user's assertion of their applicable rights to prevent selling their data to third parties or sharing data with them

What constitutes "user data" that can or cannot be shared?

For example, if a website uses a CDN for fonts, stylesheets or JavaScript libraries, then that site is implicitly sharing user information with the CDN (HTTP Referrer, IP address, User-Agent string).

Likewise, what constitutes a "third party"?

  • Users making a purchase will be implicitly sharing their information with payment services and possibly shipping services.

  • If a website is an agent or reseller for other parties, then it will be sharing information about sales with those parties. For example, a site that sells artwork will notify the original artist who purchased their work (and it may be the responsibility of the artist to send the artwork to the buyer).

  • Media companies may share purchase information with copyright enforcement agencies, e.g. an agency finds a copyrighted image or video on a website, notifies the copyright holder, who then responds that that website is a legit user.

  • The user is acting on behalf of or granted access by a third party (e.g. their employer or school), and information will be shared with that third party.

All of the above will be spelled out clearly in a website's terms or privacy policies. But a binary true/false misses important exceptions.

Contributor

asoltani commented Mar 4, 2021

The legal effects of the signal are dependent on the regulatory regimes in a user's jurisdiction. Please see: https://globalprivacycontrol.github.io/gpc-spec/#legal-effects

@asoltani asoltani closed this as completed Mar 4, 2021
Author

robrwo commented Mar 4, 2021

I'm not talking about the legal effects. I'm talking about this being vague in terms of what the user expects the site to do.

Does a website saying "we honor GPC" mean that "we do not share data with anyone else at all" or "we share data in limited circumstances that are outlined in our privacy policy and are allowed according to our lawyer's interpretation of the regulatory regime"?

If someone connects to that website with Sec-GPC set to "1", how are the website's operators supposed to handle this w.r.t. sharing data in limited circumstances?

  • Should the site show a popup suggesting the user review the privacy policy?
  • Should the site not use 3rd-party analytics tools?
  • Should the site not use 3rd party CDNs for scripts/styles/fonts/etc?
  • Should the site refuse to let the user perform actions like making purchases that might lead to third parties being notified?

Contributor

asoltani commented Mar 4, 2021

Again, those will depend on the legal requirements in the jurisdiction that GPC is honored/invoked.

In California, where GPC is required under the CCPA, the definition of who is a third party and the manner/frequency with which a business can show a popup is outlined in the AG's rule making which you can find here: https://www.oag.ca.gov/sites/all/files/agweb/pdfs/privacy/oal-sub-final-text-of-regs.pdf?

In other jurisdictions where GPC may be adopted, those definitions and regulations may vary. Please refer to the privacy framework in the jurisdiction you're concerned about.
