Give UAs more help in establishing user intent

[jyasskin]

https://privacycg.github.io/gpc-spec/#user-interface-language currently says

User agents are expected, where required, to present all the appropriate notices to people to ensure that the rights they wish to avail themselves of are effectively binding.

As discussed when we talked about adopting GPC into the Privacy CG, UAs aren't sure how to do this so that the header stays legally enforceable and has the intended effect across many jurisdictions. UAs also want to make it clear to users what happens when they turn on the header, and we need guidance about how that depends on where the user is, where the target site is based, the user's history of moving around, etc.

As far as I can tell, none of the existing implementations at https://globalprivacycontrol.org/#download have tackled this problem. I believe all of them except for Firefox turn the setting on by default, on the assumption that users are installing them because they want to turn on every privacy setting that exists. Firefox does it through about:config instead of through general-purpose UI.

Although browsers are usually opposed to standardizing UI, I think the legal implications of this one will make us more amenable to at least getting some hints in this case. I would actually lean toward standardizing the exact string, in one or more languages, that invokes particular rights within particular laws, but others might prefer just having some examples.

[bvandersloot-mozilla]

I agree that setting a norm for a string, if not a requirement, would be useful given the legal implications.

I am working internally in Firefox to get language set now. One idea we have had that I am partial to is "Tell websites not to sell or share my data" with a link to learn more.

[arichiv]

"Tell websites not to sell or share my data" might be tailored to the scope of opt-outs for some laws, but not others that have broader opt-outs, for example. If the GPC field sticks to a boolean value, the language might need to clarify other ways it could be interpreted (in addition to the ‘learn more’ link with more complete information). We flag these questions to consider, as many actors in the ecosystem will be required to figure out how to parse and respond to these signals.

[j-br0]

I submitted PR #57 to try to provide more information about existing legal guidance on UI requirements. I do not think it is practical to get browsers to agree on specific disclosures since at least some user agents have stated an intent to continue to turn GPC on by default (which is allowable under certain conditions under at least both California and Colorado regulations). And even if W3C were to agree on consensus language, there is no certainty that regulators (who have the final say in their jurisdictions) would agree with our interpretation of what is or is not legally required. I think it is unlikely that regulators are going to require or even bless specific language formulations, though if any do we should certainly update our documentation to reflect that.

Because legal guidance will continue to evolve, I agree with the proposal from @AramZS to set up an explainer document with more detail about legal requirements that can be updated more regularly than this spec (see Issue #56).

[SebastianZimmeck]

We have a paper at the Privacy Enhancing Technologies Symposium next year that may be relevant,
Generalizable Active Privacy Choice: Designing a Graphical User Interface for Global Privacy Control.

The question we address is how GPC can be integrated into the browser without default settings, compliant with the law, and in a usable way. The main idea is to generalize settings, e.g., apply the GPC opt out on site towards all future sites people visit.

[AramZS]

@jyasskin Does the latest state of the explainer satisfy your questions here enough that we can close the issue?

[jyasskin]

Looking at https://github.com/privacycg/gpc-spec/blob/main/explainer.md#6-user-experience-considerations-and-recommendations, I don't see clear answers to the questions in my original post.

As discussed when we talked about adopting GPC into the Privacy CG, UAs aren't sure how to do this so that the header stays legally enforceable and has the intended effect across many jurisdictions. UAs also want to make it clear to users what happens when they turn on the header, and we need guidance about how that depends on where the user is, where the target site is based, the user's history of moving around, etc.

For example, if Chrome were to start sending the header by default, with no indication from the user that they intended to opt out of sale/sharing, would that remove sites' obligations in some jurisdictions to respect the header when it came from Chrome? And so is it something that the specification or explainer should tell Chrome not to do?

I also don't see anything in the explainer yet that covers the concern about how we make the effects clear to users. I see the link to Robin's speculation about the effects under the GDPR, but our legal folks aren't convinced he's right. This might be a task to leave to the WG.

[SebastianZimmeck]

I see the link to Robin's speculation about the effects under the GDPR, but our legal folks aren't convinced he's right.

I'd say @darobin's point is a bit more than speculation. Notably, the Landgericht Berlin required LinkedIn to honor DNT signals based on GDPR, Article 21(5) (in German).

[j-br0]

I created PR #99 to try to address this based on the conversation at the 3.20.25 Privacy Working Group meeting.

[michaelkleber]

Thank you Justin for starting on a PR to address our discussion from 2025-03-20, but I feel this went in a different direction from than that meeting.

There are three elements I was advocating for:

(a) The spec currently has several different points of view of what GPC is supposed to mean. That worries me: we surely don't want the spec to keep changing as a result of new regulator interpretations. I think that we should unify all the descriptions of GPC's intent. Personally, I'd opt to say clearly that it is meant to be a "Do Not Sell or Share" signal, in line with its CCPA roots.

(b) The Legal Effects section should explicitly recognize that laws are not uniform in that interpretation — and in particular that some jurisdictions have decided to also use it as a prohibition against cross-site targeted advertising, even when such advertising does not involve the selling or sharing of data. I really hope we can try to not sweep this under the rug. Let's be clear to regulators that the signal had a particular intent, whether or not they choose to expand on that in their rulemaking.

(c) Finally, the UI section. Of course we need to tread lightly here, because browsers get to make their own choices. But perhaps we could suggest that browser UI should acknowledge both the sell-or-share intent and the variation in interpretation.

Sorry for suggesting-bombing your PR; of course it would be more productive to have just offered up a separate PR along these lines. I'm about to be OOO for a bit, but I'll talk to @jyasskin about keeping on moving this forward while I'm away.

[j-br0]

The existing spec is quite clear that GPC is intended to invoke both rights to limit the sale of personal information as well as rights to limit cross-site targeting. This is not swept under the rug, the text is abundantly clear.

PR #102 would undo that and declare that GPC isn't meant to stop cross-site targeting. This would be an unacceptable outcome both for users who want to use GPC for its stated purpose as well as for regulators who have relied upon GPC as a way to offer easy-to-use tools to exercise their legal rights (every state that allows for a universal opt-out for sales also allows for universal opt-outs for cross-site targeting).

GPC is designed to be simple and universal. We do not need to make a different signal for every slightly different invocation of similar rights. As the spec is clear, GPC is not designed to invoke every privacy right (such as a right to delete data), but both opt-out of sale and opt-out of cross-site targeting are clearly within the scope of what GPC is designed to let users turn off.