Commit af90a90

Merge pull request #88 from w3c/issue-80-overriding-gpc
Update Explainer to add new 6.4 (Consent to Track Notwithstanding a Universal GPC Signal)
2 parents 27d3b0a + 16382e4 commit af90a90

File tree

2 files changed

+24
-26
lines changed

explainer.md

Lines changed: 7 additions & 0 deletions
@@ -30,6 +30,7 @@ This Legal and Implementation Considerations Guide is designed to give an overvi
3030
- [6.1 Example Presentations of User-agent Level UI](#61-example-presentations-of-user-agent-level-ui)
3131
- [6.2 User-agents](#62-user-agents)
3232
- [6.3 Adopting on Your Website](#63-adopting-on-your-website)
33+
- [6.4 Consent to Disregard a Universal GPC Signal](#64-consent-to-track-notwithstanding-a-universal-gpc-signal)
3334
- [7. Alternatives Considered](#7-alternatives-considered)
3435

3536
## 1. Draft Specification
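Review bot: the new table-of-contents entry on the `33+` line points at `#64-consent-to-track-notwithstanding-a-universal-gpc-signal`, but the heading added later in this file is `### 6.4 Consent to Disregard a Universal GPC Signal`, which renders with the anchor `#64-consent-to-disregard-a-universal-gpc-signal`, so the link will not resolve. The PR title still uses the "Consent to Track Notwithstanding" wording; pick one title and make the link text, the anchor and the heading agree.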
@@ -227,6 +228,12 @@ Setting the USPAPI for propagating GPC downstream.
227228

228229
Generally website developers should consider GPC signals to be identical to a user flipping the opt out switch on their website and take action accordingly.
229230

231+
### 6.4 Consent to Disregard a Universal GPC Signal
232+
233+
A do-not-sell-or-share preference is when a person generally requests of all website publishers that their data "not be sold or shared.” However, it is possible that a particular publisher would seek to enter into a separate agreement with a user permitting that publisher to sell or share the user’s data notwithstanding the general preference. The GPC spec does not provide for a mechanism or syntax to negotiate or indicate such an exception, so any user consent to tracking would be communicated apart from the GPC signal.
234+
235+
When and how a separate agreement to disregard GPC requests overrides the legal status of the signal will be a matter of local law. Some jurisdictions that have explicitly endorsed GPC as a legally binding opt-out signal have also placed limitations on how companies can request permission to track despite the general signal. One rationale for such limitations is that without some restrictions, users with GPC enabled could be inundated with countless requests for exceptions to track as they browse the internet — undermining the fundamental purpose of offering a simple, binary universal opt-out tool. Both California and Colorado, for example, constrain how overrides for universal opt-out signals like GPC can be requested, including rules against retaliating against users for exercising privacy rights, conditions for valid consent, and limiting how frequently companies can ask consumers to reconsider opt-out requests.
236+
230237
## 7. Alternatives Considered
231238

232239
The authors of GPC considered other options for how the signal would work. The current state of privacy controls across the world is varied. The authors have experience both working on and implementing these more complex controls and found that people generally consider them to be unnecessarily complex. If people intend to make privacy choices, they almost always intend to exercise their rights broadly, e.g., opting out from all sites they visit, no matter how many individual controls exist. More recent laws have also adopted this understanding and moved towards requiring universal or significantly fewer degrees of control. GPC reflects this understanding of people’s privacy choices and, therefore, works in support of these laws.
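Review bot: the quotation marks around "not be sold or shared.” on the `233+` line are mismatched (a straight opening quote paired with a curly closing one), while the rest of the paragraph uses curly apostrophes; normalise to one style. The `235+` paragraph states that both California and Colorado constrain how overrides for universal opt-out signals may be requested but gives no citation, even though the regulation text this same PR removes from index.html did cite [[?CPPA-REGULATIONS]] §7025(b)(2) and [[?COLORADO-REGULATIONS]] Rule 5.04(a); carrying those references over here would keep the claim checkable.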

index.html

Lines changed: 17 additions & 26 deletions
@@ -226,9 +226,12 @@ <h3>Preference Caching</h3>
226226
<section>
227227
<h3>The <code>Sec-GPC</code> Header Field for HTTP Requests</h3>
228228
<p>
229-
The <dfn><code>Sec-GPC</code></dfn> header field is a mechanism for expressing the person's
230-
[=preference=] for a [=do-not-sell-or-share interaction=] in an HTTP request (for any
231-
request method).
229+
The <dfn><code>Sec-GPC</code></dfn> header field is a mechanism for expressing a person's
230+
general universal [=preference=] for a [=do-not-sell-or-share interaction=] in HTTP requests
231+
(for any request method). In some cases, a specific arrangement with that person may permit
232+
a website to ignore a generally applicable [=preference=] (see § 5.3 below and the
233+
<a href="https://privacycg.github.io/gpc-spec/explainer" target="_blank">Legal and Implementation
234+
Considerations Guide</a>).
232235
</p>
233236
<p>
234237
The syntax ([[ABNF]]) of the field is:
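Review bot: "see § 5.3 below" on the `232+` line is a hard-coded section number in the spec body, which goes stale silently whenever a section is added or reordered; link to the section's id instead so the tooling renders the current number. The explainer link on the `233+` line is an absolute `https://privacycg.github.io/gpc-spec/explainer` URL with `target="_blank"`; the same markup is repeated later in this diff, so consider a single relative link (or a defined reference) to avoid maintaining the URL in two places.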
@@ -458,30 +461,17 @@ <h2>User Interface Language</h2>
458461
</p>
459462
<p>
460463
Different jurisdictions have different prerequisites before a platform can enable a universal
461-
opt-out. For example, the most recent regulations promulgated under the California Consumer
462-
Privacy Act state:
464+
opt-out. Many US states say that a user agent may not send a universal opt-out signal by "default,"
465+
though at least one state has said that selecting a privacy focused user agent is a sufficient
466+
indicator of user intent.
463467
</p>
464-
<blockquote cite=https://cppa.ca.gov/regulations/pdf/cppa_regs.pdf>
465-
The platform, technology, or mechanism that sends the opt-out preference signal shall make
466-
clear to the consumer, whether in its configuration or in disclosures to the public, that
467-
the use of the signal is meant to have the effect of opting the consumer out of the sale
468-
and sharing of their personal information. The configuration or disclosure does not need to
469-
be tailored only to California or to refer to California ([[?CPPA-REGULATIONS]], §7025(b)(2)).
470-
</blockquote>
471468
<p>
472-
Colorado and other jurisdictions are more prescriptive about requirements for a valid universal
473-
opt-out signal. For example, Colorado’s regulations explicitly provide “a Universal Opt-Out
474-
Mechanism may not be the default setting for a tool that comes pre-installed with a device,
475-
such as a browser or operating system” ([[?COLORADO-REGULATIONS]], Rule 5.04(a)).
469+
Different jurisdictions may also have different rules for when companies can override or disregard
470+
a universally applicable opt-out signal,
471+
for example because they have consent from the user to do so.
476472
</p>
477473
<p>
478-
Currently California, Colorado, and New Jersey are the only jurisdictions in the United States that empower
479-
regulators to issue detailed regulations on topics such as universal opt-outs. Other statutes
480-
state relatively high level legal requirements that may be augmented by informal guidance
481-
(such as an FAQ) or through enforcement.
482-
</p>
483-
<p>
484-
The legal landscape around global opt-outs is also changing. In 2023, several new states passed
474+
The legal landscape around global opt-outs is also changing. Several states have now passed
485475
laws that include requirements to honor global opt-outs, though some of those states’ provisions
486476
differ considerably. Additionally states may revise their legal requirements as California has
487477
already amended the original CCPA that was passed in 2018.
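Review bot: this hunk removes the section's only citations, the [[?CPPA-REGULATIONS]] blockquote and the [[?COLORADO-REGULATIONS]] Rule 5.04(a) quotation, and replaces them with unsourced statements ("Many US states say that a user agent may not send a universal opt-out signal by "default,"" and "at least one state has said that selecting a privacy focused user agent is a sufficient indicator of user intent"), so a reader can no longer check which states are meant; keep at least one reference, and confirm the two bibliography entries are still used elsewhere in index.html or remove them too. Minor: "privacy focused" should be "privacy-focused", and the straight quotes around "default," are inconsistent with the curly quotes used in the surrounding paragraphs.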
@@ -490,9 +480,10 @@ <h2>User Interface Language</h2>
490480
and may impose their own requirements before such signals are deemed legally bindinging.
491481
</p>
492482
<p>
493-
For more information on the latest legal requirements, please review the implementation guide
494-
which will provide more up-to-date information about the latest legal guidance around global
495-
opt-outs.
483+
For more information on the latest legal requirements, please review the
484+
<a href="https://privacycg.github.io/gpc-spec/explainer" target="_blank">Legal and Implementation
485+
Considerations Guide</a> which will provide more up-to-date information about the latest legal guidance
486+
around global opt-outs.
496487
</p>
497488
<p>
498489
User agents are expected, where required, to present all the appropriate notices to people
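Review bot: the unchanged context line "deemed legally bindinging" carries a typo (should be "binding"); since this hunk already edits the paragraph directly below it, fixing it here would be cheap. The `484+` line duplicates the exact `<a href="https://privacycg.github.io/gpc-spec/explainer" target="_blank">` markup added to the Sec-GPC section earlier in this diff, so the URL now has to be updated in two places if the explainer moves.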
