Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Are implementers expected to always have the header active or not? #60

Closed
AramZS opened this issue Nov 20, 2023 · 3 comments
Closed

Are implementers expected to always have the header active or not? #60

AramZS opened this issue Nov 20, 2023 · 3 comments

Comments

@AramZS
Copy link
Member

AramZS commented Nov 20, 2023

I want to open discussion on this issue because some comments we have on this front indicate this issue is unclear. If an implementer has a user who has turned off the GPC or has not activated it, is it clear to everyone what behavior is expected from the user agent?

@SebastianZimmeck SebastianZimmeck changed the title Are implementers are expected to always have the header active or not? Are implementers expected to always have the header active or not? Nov 30, 2023
@AramZS AramZS added the agenda+ Request to add this issue to the agenda of our next telcon or F2F label Dec 14, 2023
@j-br0
Copy link
Contributor

j-br0 commented Dec 14, 2023

GPC is designed to be a binary signal --- either it's on or it's not. There is no third state. If the user has activated GPC, it seems like the header should always be transmitted (unless some edge case or technical challenge I'm not thinking of). The user agent generally won't know the extent to which the recipient has seen, logged, or responded to previous GPC signals, so the header should be always sent so long as the consumer hasn't changed their preference. On the other hand, if the user hasn't activated GPC, or subsequently turns it off, the signal should never be sent (what constitutes user intent to turn on the signal is a different question raised by Issue #52).

I can imagine a mechanism where a user agent could be configured by the user to whitelist certain domains to not receive the signal (e.g., a particular website asks to be exempted from the general preference to not have data shared and the user agrees). I would be fine clarifying that in the spec, though again the signal would still be binary: either the header would be persistently sent because the user wants to send it to that domain, or the header wouldn't be sent. I don't know if we need to get into that level of granularity but I don't feel strongly either way.

FWIW, the California regulations on Opt-out Preference Signals state that if a business had previously received an opt-out signal from a known user but then stops receiving the signal, the business should still treat the user as opted out unless they receive explicit permission to undo the opt-out:

Where the consumer is known to the business, the business shall not interpret the
absence of an opt-out preference signal after the consumer previously sent an opt-out
preference signal as consent to opt-in to the sale or sharing of personal information.

§ 7025(c)(5). Other jurisdictions may treat opt-out/re-opt-in differently, so I don't think the spec should get into detail about what sort of consent or interface is legally required.

@AramZS
Copy link
Member Author

AramZS commented Jan 11, 2024

Standards and discussion in the January 11 Privacy CG group have indicated that not transmitting the header when the user has not set or unset the control is the preferred process. With a note that we want to make the above clear (reverting the setting does not indicate an opt in when there was previously an opt out) we should update the documentation accordingly.

@SebastianZimmeck SebastianZimmeck removed the agenda+ Request to add this issue to the agenda of our next telcon or F2F label Jan 11, 2024
@AramZS
Copy link
Member Author

AramZS commented Jan 25, 2024

#61 now merged covers this question well.

@AramZS AramZS closed this as completed Jan 25, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants