Move laws to explainer #81
Conversation
Make legal discussion in main spec higher level.
Expand explainer to include more detailed explanation of privacy law and GPC
| factors such as the location of the individual sending the signal, the scope of the | ||
| applicable law, as well as any separate agreement between the recipient of the signal and | ||
| the individual. For additional details on legal effects, | ||
| The GPC signal was designed to allow users to take advantage of legal rights to stop certain |
There was a problem hiding this comment.
The GPC signal was designed -> GPC was designed
| have passed privacy laws that give consumers the legal right to opt out of the sale or share of | ||
| their data, or the use of their data for cross-context targeted advertising. Many of those state | ||
| laws make explicit provision for the exercise of those rights through universal opt-out mechanisms | ||
| such as the GPC. At least two states have specifically identified GPC as a valid means to exercise |
There was a problem hiding this comment.
such as the GPC -> such as GPC
| </p> | ||
| <h3>Other Jurisdictions and Privacy Rights</h3> | ||
| <p> | ||
| GPC could potentially be used to indicate rights in other jurisdictions as well. | ||
| GPC could potentially be used to indicate rights in other jurisdictions as well. For example, the | ||
| GDPR potentially affords data subjects the right to limit the sharing of personal information under |
There was a problem hiding this comment.
the GDPR -> the [[?GDPR]]
(just adding the reference)
| GPC could potentially be used to indicate rights in other jurisdictions as well. For example, the | ||
| GDPR potentially affords data subjects the right to limit the sharing of personal information under | ||
| Articles 7 and 21. Many other countries around the world have adopted affirmative privacy | ||
| legislation — often modeled on the GDPR; a regulator in one of those countries could determine that |
| @@ -94,18 +99,50 @@ There are situations where the design of GPC, by intent, matches specific legal | |||
|
|
|||
| ### 4.1 GPC in the US | |||
|
|
|||
| The [CCPA Regulations](https://oag.ca.gov/privacy/ccpa/regs) provide specific language supporting consumer’s use of a global privacy control. GPC was created with the intent to supply users with the ability to exercise CCPA and related opt out requests. GPC compliance is [enforced by the Office of the California Attorney General](https://oag.ca.gov/news/press-releases/attorney-general-bonta-announces-settlement-sephora-part-ongoing-enforcement) and the California Privacy Protection Agency. | |||
| Since 2018, at least nineteen states have passed comprehensive state privacy laws that include, among other rights, the right to opt out of the sale or sharing of their personal information and/or the right to opt out of cross-context targeted advertising. Many of these laws explicitly state that consumers may exercise these rights through a universal signal, including a signal sent through a browser or operating system. At least two states laws — California and Colorado — state that receipt of a Global Privacy Control signal should be interpreted as a legally binding opt-out right in that state. | |||
There was a problem hiding this comment.
of their personal information -> of personal information
| @@ -94,18 +99,50 @@ There are situations where the design of GPC, by intent, matches specific legal | |||
|
|
|||
| ### 4.1 GPC in the US | |||
|
|
|||
| The [CCPA Regulations](https://oag.ca.gov/privacy/ccpa/regs) provide specific language supporting consumer’s use of a global privacy control. GPC was created with the intent to supply users with the ability to exercise CCPA and related opt out requests. GPC compliance is [enforced by the Office of the California Attorney General](https://oag.ca.gov/news/press-releases/attorney-general-bonta-announces-settlement-sephora-part-ongoing-enforcement) and the California Privacy Protection Agency. | |||
| Since 2018, at least nineteen states have passed comprehensive state privacy laws that include, among other rights, the right to opt out of the sale or sharing of their personal information and/or the right to opt out of cross-context targeted advertising. Many of these laws explicitly state that consumers may exercise these rights through a universal signal, including a signal sent through a browser or operating system. At least two states laws — California and Colorado — state that receipt of a Global Privacy Control signal should be interpreted as a legally binding opt-out right in that state. | |||
There was a problem hiding this comment.
At least two states laws — California and Colorado — -> At least two laws — those of California and Colorado —
should be interpreted as a legally binding opt-out right in that state. -> is to be interpreted as a legally binding exercise of the opt-out right in that state.
|
|
||
| Virginia and Utah have privacy laws that grant people the right to opt out but do not have information about specific mechanisms. While the law does not explicitly require respecting GPC in those states, GPC intends to provide a signal to opt out using those rights and regulators are free to adopt it. | ||
| In 2018, California passed the first comprehensive privacy law in the United States. In addition to transparency obligations, the right to access personal information, and the right to delete data held by companies, the CCPA gave California citizens for the first time the legal right to opt out of the sale of their personal information. The CCPA included text that a person could appoint another entity to exercise their rights on their behalf. In January 2021, the California Attorney General [issued guidance](https://digiday.com/media/why-a-tweet-from-californias-ag-about-a-global-privacy-tool-has-companies-scrambling/) to companies that GPC signals should be interpreted as legally binding opt-out rights under California law. Subsequently, the California Attorney General’s office updated its [Frequently Asked Questions page](https://oag.ca.gov/privacy/ccpa), which in addition to other guidance, stated that GPC signals were legally binding invocation of opt-out rights under California law. |
There was a problem hiding this comment.
delete data held by companies -> delete data held by businesses
gave California citizens -> gave California residents
that a person -> that a consumer
In January 2021, the California Attorney General issued guidance to companies that GPC signals should be interpreted as legally binding opt-out rights under California law.
->
In January 2021, the California Attorney General issued guidance to businesses that sending GPC signals is to be interpreted as a legally binding exercise of opt-out rights under California law.
|
|
||
| In November 2020, California voters approved an update to the CCPA under the California Privacy Rights Act ballot initiative. The initiative expanded the CCPA in a number of ways, including through the creation of a new privacy regulator (the California Privacy Protection Agency) and through [increased specificity](https://thecpra.org/#1798.135(e)) on the legally binding nature of global privacy signals. Under the CPRA, the California Privacy Protection Agency was directed to expand on previously issued regulations. | ||
|
|
||
| In March 2023, the Agency issued [revised regulations](https://cppa.ca.gov/regulations/consumer_privacy_act.html), including provisions on the operation of “opt-out preference signals.” See § 7025. Opt-out Preference Signals. The text includes detailed requirements around issues such as: the technical requirements for opt-out preference signals, when to apply browser-based opt-out preference signals to other customer data, and when companies can rely upon specific consent to disregard opt-out preference signals. The regulations includes illustrative examples on how the rules should work in practice. |
There was a problem hiding this comment.
customer data -> consumer data
when companies - when businesses
|
|
||
| In March 2023, the Agency issued [revised regulations](https://cppa.ca.gov/regulations/consumer_privacy_act.html), including provisions on the operation of “opt-out preference signals.” See § 7025. Opt-out Preference Signals. The text includes detailed requirements around issues such as: the technical requirements for opt-out preference signals, when to apply browser-based opt-out preference signals to other customer data, and when companies can rely upon specific consent to disregard opt-out preference signals. The regulations includes illustrative examples on how the rules should work in practice. | ||
|
|
||
| In August 2022, the California Attorney issued its [first enforcement action]([https://oag.ca.gov/news/press-releases/attorney-general-bonta-announces-settlement-sephora-part-ongoing-enforcement) under the CCPA, alleging that the makeup company Sephora adopted an unduly narrow definition of “sale” under the CCPA and failed to respond to GPC requests as legally valid opt-out requests. The company was required to pay a fine of $1.2 million and agree to substantial injunctive relief, including agreeing to treat GPC signals as requests to opt out of the sale of personal data. |
There was a problem hiding this comment.
personal data -> personal information
|
|
||
| The text of the CPA explicitly provides for global privacy signals, stating “a consumer may authorize another person, acting on the consumer's behalf, to opt out of the processing of the consumer's personal data . . . including through a technology indicating the consumer's intent to opt out such as a web link indicating a preference or browser setting, browser extension, or global device setting." See § 6-1-1306(a)(ii). The CPA then included a number of additional requirements of global privacy signals, including: the signal should not be sent by default but should reflect the user’s affirmative choice, it should be as consistent as possible with similar mechanisms in other states, and the user agent sending the signal should not “unfairly disadvantage” another data controller. | ||
|
|
||
| The Colorado Privacy Act also directed the state Attorney General to issue more detailed regulations, including specifically on the operation of global privacy signals. On March 2023, the Colorado Attorney General’s office published the initial [regulations](https://coag.gov/app/uploads/2023/03/FINAL-CLEAN-2023.03.15-Official-CPA-Rules.pdf) implementing the privacy law, including greater specificity on the operation of universal opt-out mechanisms (see Part 5, Universal Opt-Out Mechanism). These regulations provide clarity on a number of issues, including restrictions on data use by companies sending the signal. The regulations also clarify the rules on default settings, stating that general purpose, pre-installed browsers may not set universal opt-out signals by default, but if a product is marketed as exercising users’ privacy choices, it may send an opt-out signal to controllers without additional consent from the user. |
There was a problem hiding this comment.
state Attorney General -> Colorado Attorney General
"including restrictions on data use by companies sending the signal"
@j-br0, you mean companies receiving the signal, right?
There was a problem hiding this comment.
@j-br0, I included a few minor suggestions. But other than that, spec and explainer are good to go from my end!
| <a href="https://privacycg.github.io/gpc-spec/explainer" target="_blank">consult the explainer</a>. | ||
| </p> | ||
| <p> | ||
| For example, the use of the GPC signal by an individual will be intended to communicate the | ||
| individual's intention to invoke the following rights, as applicable: | ||
| </p> | ||
| <h3>Calfornia Consumer Privacy Act (CCPA)</h3> | ||
| <h3>United States Privacy Law</h3> |
There was a problem hiding this comment.
I suggest stopping here, as the following text still speculates on how states may interpret GPC signals, which fits better into the explainer document.
There was a problem hiding this comment.
I think there's some value in having some very basic bare bones information about legal consequences in the spec without forcing people to go hunt down another document. I think everything about US law is factual and non-controversial. The only thing vaguely speculative is that states without rulemaking could try to provide guidance in other ways. I don't feel strongly about keeping that, I was just trying to provide basic info to folks, and then if states DO provide that information guidance, that would be in the explainer.
The stuff later on about other jurisdictions is more speculative, I would be ok moving that to the explainer, or just stripping it down to say application elsewhere around the world isn't currently clear.
There was a problem hiding this comment.
I agree, so I'll review again once this is merged and may raise another PR to suggest follow up changes.
Pursuant to #73 I have shortened the legal discussion in the main spec and expanded it in the explainer document. Any feedback would be welcome.