Align all descriptions of GPC to say it's meant to restrict sale and sharing of data. #102
…sharing of data. And mention that regulators haven't always followed that intention.
This proposed change would dramatically weaken GPC, subverts the clear intent of the tool, and would make it ineffective in the majority of states that have passed privacy laws with universal opt-out mechanisms.

Originally, CCPA's opt-out rights were limited to the "sale" of personal information, but that prohibition ended up being ineffective in practice because companies adopted very constrained interpretations of the term "sale." When opt-out rights didn't even turn off cross-site retargeting --- the paradigmatic example of online tracking for most consumers --- something was wrong. CA addressed this issue by adding in rights around "sharing of data for targeting advertising" and other states addressed it by expanding opt-out rights for cross-context targeted advertising.

The GPC spec was originally written to help users preserve contextual integrity and it has long been explicit in the text that GPC should logically be interpreted to invoke universal rights to opt out of sales as well as cross-context targeted advertising. Deciding to retroactively and radically narrow the scope of GPC today would change the meaning for states like Colorado, Connecticut, and New Jersey that have already said GPC is legally binding. It would lead to a perverse situation where GPC turns off targeted ads in California but might not in other states --- even though those states explicitly allow for universal tools to turn off cross-site targeting. There is no need for a separate signal for cross-site targeting --- it introduces unnecessary confusion and complication and would kneecap an effective existing tool to let consumers opt out.
Strongly agree with @j-br0 on behalf of DCN, representing hundreds of premium publishers.
The spec can't cover every possible legal implication in every jurisdiction, but should be consistent with existing well-documented requirements that sites are already complying with.

The State of Colorado went through an extensive process intended to register specific universal opt-out mechanisms (UOOMs) as "recognized to meet the standards" of Colorado law, and GPC was chosen. More background and documents at https://comments.coag.gov/s/universal-opt-out-applications

Colorado law specifically includes "THE RIGHT TO OPT OUT OF THE PROCESSING OF PERSONAL DATA CONCERNING THE CONSUMER FOR PURPOSES OF TARGETED ADVERTISING" in the text of the Colorado Privacy Act. (they put it in all caps, not me) https://coag.gov/app/uploads/2022/01/SB-21-190-CPA_Final.pdf

Many intended readers of the GPC spec, including maintainers of web sites, service providers, and industry organizations, are already treating GPC as a Colorado-compliant UOOM, as required by law.
Not only does this meaningfully undermine GPC (as mentioned above) but the justification provided for it seems to be at best a mild editorial improvement (I say at best because I think it actually removes clarity). The trade-off doesn't seem worth it.
…ec-GPC to limit cross-site targeting.
Thank you for the comments here. They made me actually read the relevant laws, and I realized that the issue is that we've been assuming that those laws let users opt out of cross-site targeting, when they actually only let users opt out of targeting based on "personal data obtained … across nonaffiliated websites". That means that the change in Oct 2022 that introduced "cross-site ad targeting" (titled "editorial updates to front matter") was unnecessary to fit GPC into Colorado's framework. The Colorado AG seems to agree with this, since they describe GPC as a way "to allow the user to notify businesses of their privacy preferences, such as whether or not they want their personal information to be shared or sold.", and say that this suffices to invoke their state's opt-out laws.

I've removed the incorrect claim that some jurisdictions have extended the meaning, and I hope that makes the change more acceptable to this group. I've also sent an alternative change (#104) that talks about "cross-organization ad targeting", in case people would prefer to be explicit about that kind of sharing.
This keeps the Abstract's definition of GPC, and aligns the other sections to match that and: the description on globalprivacycontrol.org, the UI wording that Firefox has chosen, and the description on extension sites like https://privacybadger.org/#What-is-Global-Privacy-Control. There's clearly appetite from some regulators to also have signals about cross-site advertising, cross-context advertising, and targeted advertising, but `Sec-GPC:1` isn't enough information to serve all of those purposes at the same time (#51).

This follows up on @michaelkleber's comment at #52 (comment). It doesn't touch the UI guidance: if and when this part is merged, we can think about whether #99 is sufficient, or whether @michaelkleber or I should send a follow-up patch for that section.