-
Notifications
You must be signed in to change notification settings - Fork 21
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Are implementers expected to always have the header active or not? #60
Comments
GPC is designed to be a binary signal --- either it's on or it's not. There is no third state. If the user has activated GPC, it seems like the header should always be transmitted (unless some edge case or technical challenge I'm not thinking of). The user agent generally won't know the extent to which the recipient has seen, logged, or responded to previous GPC signals, so the header should be always sent so long as the consumer hasn't changed their preference. On the other hand, if the user hasn't activated GPC, or subsequently turns it off, the signal should never be sent (what constitutes user intent to turn on the signal is a different question raised by Issue #52). I can imagine a mechanism where a user agent could be configured by the user to whitelist certain domains to not receive the signal (e.g., a particular website asks to be exempted from the general preference to not have data shared and the user agrees). I would be fine clarifying that in the spec, though again the signal would still be binary: either the header would be persistently sent because the user wants to send it to that domain, or the header wouldn't be sent. I don't know if we need to get into that level of granularity but I don't feel strongly either way. FWIW, the California regulations on Opt-out Preference Signals state that if a business had previously received an opt-out signal from a known user but then stops receiving the signal, the business should still treat the user as opted out unless they receive explicit permission to undo the opt-out: Where the consumer is known to the business, the business shall not interpret the § 7025(c)(5). Other jurisdictions may treat opt-out/re-opt-in differently, so I don't think the spec should get into detail about what sort of consent or interface is legally required. |
Standards and discussion in the January 11 Privacy CG group have indicated that not transmitting the header when the user has not set or unset the control is the preferred process. With a note that we want to make the above clear (reverting the setting does not indicate an opt in when there was previously an opt out) we should update the documentation accordingly. |
#61 now merged covers this question well. |
I want to open discussion on this issue because some comments we have on this front indicate this issue is unclear. If an implementer has a user who has turned off the GPC or has not activated it, is it clear to everyone what behavior is expected from the user agent?
The text was updated successfully, but these errors were encountered: