├── .gitignore
├── .pr-preview.json
├── assets
│   └── images
│       ├── USPAPI.png
│       ├── OptMeowt_Popup.png
│       ├── OptMeowt_Domain_List.png
│       ├── OptMeowt_GPC_Response.png
│       ├── Firefox_Universal_Setting.png
│       └── OptMeowt_Universal_Setting.png
├── docs
│   ├── Do_Not_Sell_WPES_Final.pdf
│   └── CCPA_Compliance_Framework_US_Privacy_USER_SIGNAL_API_SPEC_IABTechLab_DRAFT_for_Public_Comment.pdf
├── w3c.json
├── LICENSE.md
├── CODE_OF_CONDUCT.md
├── .github
│   └── workflows
│       └── auto-publish.yml
├── README.md
├── CONTRIBUTING.md
├── explainer.md
└── index.html

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
# Local user files
.DS_Store

--------------------------------------------------------------------------------
/.pr-preview.json:
--------------------------------------------------------------------------------
{
  "src_file": "index.html",
  "type": "respec"
}

--------------------------------------------------------------------------------
/assets/images/USPAPI.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/darobin/gpc/main/assets/images/USPAPI.png

--------------------------------------------------------------------------------
/assets/images/OptMeowt_Popup.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/darobin/gpc/main/assets/images/OptMeowt_Popup.png

--------------------------------------------------------------------------------
/docs/Do_Not_Sell_WPES_Final.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/darobin/gpc/main/docs/Do_Not_Sell_WPES_Final.pdf

--------------------------------------------------------------------------------
/w3c.json:
--------------------------------------------------------------------------------
{
  "group": "wg/privacy",
  "contacts": ["tjwhalen"],
  "repo-type": "rec-track"
}

--------------------------------------------------------------------------------
/assets/images/OptMeowt_Domain_List.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/darobin/gpc/main/assets/images/OptMeowt_Domain_List.png

--------------------------------------------------------------------------------
/assets/images/OptMeowt_GPC_Response.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/darobin/gpc/main/assets/images/OptMeowt_GPC_Response.png

--------------------------------------------------------------------------------
/assets/images/Firefox_Universal_Setting.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/darobin/gpc/main/assets/images/Firefox_Universal_Setting.png

--------------------------------------------------------------------------------
/assets/images/OptMeowt_Universal_Setting.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/darobin/gpc/main/assets/images/OptMeowt_Universal_Setting.png

--------------------------------------------------------------------------------
/LICENSE.md:
--------------------------------------------------------------------------------
All documents in this Repository are licensed by contributors
under the
[W3C Software and Document License](https://www.w3.org/copyright/software-license/).

--------------------------------------------------------------------------------
/CODE_OF_CONDUCT.md:
--------------------------------------------------------------------------------
# Code of Conduct

All documentation, code and communication under this repository are covered by the [W3C Code of Conduct](https://www.w3.org/policies/code-of-conduct/).

--------------------------------------------------------------------------------
/docs/CCPA_Compliance_Framework_US_Privacy_USER_SIGNAL_API_SPEC_IABTechLab_DRAFT_for_Public_Comment.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/darobin/gpc/main/docs/CCPA_Compliance_Framework_US_Privacy_USER_SIGNAL_API_SPEC_IABTechLab_DRAFT_for_Public_Comment.pdf

--------------------------------------------------------------------------------
/.github/workflows/auto-publish.yml:
--------------------------------------------------------------------------------
# .github/workflows/pr-push.yml
name: CI
on:
  pull_request: {}
  push:
    branches: [main]
jobs:
  main:
    name: Build, Validate and Deploy
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: w3c/spec-prod@v2
        with:
          TOOLCHAIN: respec
          SOURCE: index.html
          W3C_ECHIDNA_TOKEN: ${{ secrets.GPC_W3C_TR_TOKEN }}
          W3C_WG_DECISION_URL: https://lists.w3.org/Archives/Public/public-privacy/2024OctDec/0020.html
          W3C_BUILD_OVERRIDE: |
            shortName: gpc
            specStatus: WD

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
[![][gpc-logo]][gpc-url]
[](https://twitter.com/intent/follow?screen_name=globalprivctrl)

# Global Privacy Control (GPC) Specification

This draft specification can be [viewed via GitHub Pages](https://w3c.github.io/gpc/).

## Getting Involved

This specification is a work item of the [Privacy Working Group](https://www.w3.org/groups/wg/privacy/).

## Resources
- Visit the [initiative site](https://globalprivacycontrol.org) to learn more about the proposed standard and who is involved
- Check out the [test site](https://global-privacy-control.glitch.me) to learn how to interact with the GPC signal

[gpc-url]: https://globalprivacycontrol.org/
[gpc-logo]: https://pbs.twimg.com/profile_banners/1311398695162703872/1601662219/1500x500

--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
# {{name}}

Contributions to this repository are intended to become part of Recommendation-track documents governed by the
[W3C Patent Policy](https://www.w3.org/Consortium/Patent-Policy/) and
[Software and Document License](https://www.w3.org/copyright/software-license/). To make substantive contributions to specifications, you must either participate
in the relevant W3C Working Group or make a non-member patent licensing commitment.

If you are not the sole contributor to a contribution (pull request), please identify all
contributors in the pull request comment.

To add a contributor (other than yourself, that's automatic), mark them one per line as follows:

```
+@github_username
```

If you added a contributor by mistake, you can remove them in a comment with:

```
-@github_username
```

If you are making a pull request on behalf of someone else but you had no part in designing the
feature, you can remove yourself with the above syntax.
--------------------------------------------------------------------------------
/explainer.md:
--------------------------------------------------------------------------------
# Global Privacy Control (GPC) Legal and Implementation Considerations Guide

Editors:
[Aram Zucker-Scharff](https://github.com/AramZS)
[Justin Brookman](https://github.com/j-br0)
[Sebastian Zimmeck](https://github.com/SebastianZimmeck)

## 0. tl;dr

Global Privacy Control (GPC) is a proposed specification designed to allow Internet users to notify businesses of their preference to not have their personal information sold or shared, or used for cross-context targeted advertising. It consists of a setting or extension in the user’s browser that sends the signal, together with a mechanism that websites can use to indicate they support the specification.

This Legal and Implementation Considerations Guide is designed to give an overview of how GPC operates as well as a summary of the legal effects GPC may have in different jurisdictions. However, this document is for reference purposes only --- it does not constitute legal advice.

- [Global Privacy Control (GPC) Legal and Implementation Considerations Guide](#global-privacy-control-gpc-legal-and-implementation-considerations-guide)
  - [0. tl;dr](#0-tldr)
  - [1. Draft Specification](#1-draft-specification)
  - [2. Background](#2-background)
  - [3. Solution](#3-solution)
    - [3.1 Header](#31-header)
    - [3.2 Navigator Object](#32-navigator-object)
    - [3.3 Signal Semantics](#33-signal-semantics)
    - [3.4 GPC Support Resource](#34-gpc-support-resource)
  - [4. Legal Effects](#4-legal-effects)
    - [4.1 GPC in the US](#41-gpc-in-the-us)
      - [4.1.1 The California Consumer Privacy Act](#411-the-california-consumer-privacy-act)
      - [4.1.2 The Colorado Privacy Act](#412-the-colorado-privacy-act)
      - [4.1.3 Other states that explicitly provide for universal opt-out mechanisms](#413-other-states-that-explicitly-provide-for-universal-opt-out-mechanisms)
      - [4.1.4 States that have privacy law that is silent on universal opt-out mechanisms](#414-states-that-have-privacy-law-that-is-silent-on-universal-opt-out-mechanisms)
      - [4.1.5 Federal law and states without dedicated privacy laws](#415-federal-law-and-states-without-dedicated-privacy-laws)
    - [4.2 GPC outside the US](#42-gpc-outside-the-us)
  - [5. User Experience Considerations and Recommendations](#5-user-experience-considerations-and-recommendations)
    - [5.1 Example Presentations of User-agent Level UI](#51-example-presentations-of-user-agent-level-ui)
    - [5.2 User-agents](#52-user-agents)
    - [5.3 Adopting on Your Website](#53-adopting-on-your-website)
    - [5.4 Consent to Disregard a Universal GPC Signal](#54-consent-to-disregard-a-universal-gpc-signal)
  - [6. Alternatives Considered](#6-alternatives-considered)

## 1. Draft Specification

You can find the draft specification [here](https://github.com/privacycg/gpc-spec).

## 2. Background

An increasing number of laws and regulatory environments require that sites respect people’s choices to not be tracked across different contexts. While these laws describe privacy choices in different ways, it is clear that they represent an interest in giving people the capability to exercise a right to privacy and that people have an interest in exercising that right.

Some laws establish a requirement for a universal control that can present this opt-out request at a user-agent level automatically, making it easier for people to exercise their rights without negotiating a site-level user interface.

With this in mind, the GPC specification proposes a way for user-agents to present people’s preferences to opt out to sites via both a header and a JavaScript object. The specification intends to capture the standard ways sites currently handle opt-out choices.

The motivation of GPC is to:

1. Make it easy for people to clearly and unambiguously present their privacy preference to a website and the various technologies it may run.
2. Allow website developers to incorporate people’s privacy choices with as little delay and complexity as possible.

The specification also provides an option for sites to provide a GPC Support Resource that allows sites to state that they are aware of and support the GPC specification. Some laws or regulatory environments may require GPC compliance. The goal of the GPC Support Resource is to allow sites to assert their support actively. This demonstration is useful to regulators, lawyers, and activists in determining the impact of people’s privacy choices as well as sites’ awareness. It is also useful in giving people a clear signal that their privacy choices are respected to the best of a site’s ability.

## 3. Solution

The GPC signal is either on or not present. If it is on, then an individual is expressing a privacy choice, for example, to opt out of the sale and data sharing per the California Consumer Privacy Act (CCPA). Sites may choose to support this request beyond what they are legally required to do, and their vendors may choose to do so as well.

If someone expresses a preference for their information to not be sold or shared, a device or browser that supports the feature will enable GPC signals. GPC is signaled with an HTTP header and a property that can be read by JavaScript. Sites can read either signal.

### 3.1 Header

When GPC is enabled, a browser includes the following header field in all requests that it makes:

```http-message
Sec-GPC: 1
```

This signal will be absent when no preference has been expressed or where GPC has been disabled.

### 3.2 Navigator Object

Browsers that support JavaScript will expose `navigator.globalPrivacyControl`. If `navigator.globalPrivacyControl` is `true`, then GPC has been enabled.

The `navigator.globalPrivacyControl` attribute will be present and have a value of `false` if the browser supports GPC but there has either been no preference expressed or GPC has been disabled. This attribute will be absent only if the browser does not support GPC.

### 3.3 Signal Semantics

When GPC is enabled, the browser is expressing a [do-not-sell-or-share preference](https://privacycg.github.io/gpc-spec/#dfn-preference). These signals are direct requests to sites to respect that preference.

The specification presents this design to ensure that there can be no mistake in understanding the intent or state of the signal. If the signal is active, it expresses an individual’s privacy choice.

### 3.4 GPC Support Resource

The GPC Support Resource should be at `https://{yourwebsite.com}/.well-known/gpc.json`. The GPC Support Resource should only be hosted by domains that are concerned with listening to the signal. If you develop technology to emit the signal, the GPC Support Resource is not intended to state anything about your technology.
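The signal states described in 3.1 to 3.3, read on both ends, as an added example that is not part of this guide or the spec repository; the function names and the sample headers and navigator objects are constructed here:

```javascript
// Added example (not from the GPC explainer or spec repo): reading the GPC
// signal on both ends. Sec-GPC carries the literal field value "1" when GPC
// is enabled and is absent otherwise; navigator.globalPrivacyControl is true,
// false (supported but off) or absent (browser does not implement GPC).

// Server side: interpret the Sec-GPC request header.
// Returns true only for the value "1". A missing header, an empty value or
// anything else ("0", "true", "yes") is treated as "no preference expressed";
// that conservative reading of unexpected values is this example's choice.
function gpcFromHeaders(headers) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === "sec-gpc");
  if (key === undefined) return false;
  const raw = headers[key];
  const value = Array.isArray(raw) ? raw[0] : raw; // some servers give arrays
  return typeof value === "string" && value.trim() === "1";
}

// Client side: distinguish the three states of navigator.globalPrivacyControl.
// `nav` is passed in so the function can be exercised outside a browser.
function gpcFromNavigator(nav) {
  if (nav === undefined || nav === null || !("globalPrivacyControl" in nav)) {
    return "unsupported"; // attribute absent: browser does not implement GPC
  }
  return nav.globalPrivacyControl === true ? "on" : "off";
}

// A site that checks both channels treats either "on" as the person's opt-out
// choice: the header is what the server sees, the attribute is what in-page
// scripts (tag managers, ad tags) see.
function optOutRequested(headers, nav) {
  return gpcFromHeaders(headers) || gpcFromNavigator(nav) === "on";
}

// Constructed sample inputs (not captured traffic).
const sampleRequests = {
  enabled: { host: "example.invalid", "sec-gpc": "1" },
  disabled: { host: "example.invalid" },
  malformed: { host: "example.invalid", "Sec-GPC": "yes" },
};
const sampleNavigators = {
  on: { globalPrivacyControl: true },
  off: { globalPrivacyControl: false },
  old: {}, // pre-GPC browser: attribute missing entirely
};
```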
A website that is intending to listen to and take action based on the GPC signal in any way should have an object of the following form in that JSON file:

```json
{ "gpc": true, "lastUpdate": "1997-03-10" }
```

The `lastUpdate` value is meant to reflect your understanding of the specification. If the specification changes in such a way as to not be backwards compatible, this value gives adopters the capacity to note that their understanding of the signal is based on the state of the GPC specification at the particular time they last updated the file.

Sites may respect GPC without the GPC Support Resource. Sites that do not respect GPC may indicate this either by setting `gpc` to `false` or by not providing the GPC Support Resource. User-agents may parse the GPC Support Resource and announce its presence, lack of presence, or values to people in a way that indicates their understanding of the domain’s support for GPC. Not all legal regimes may consider sites able to reject the GPC signal. Consult your lawyer if you intend to reject the GPC signal.

## 4. Legal Effects

Where laws arise to provide Internet privacy, GPC intends to have a very specific privacy purpose. **It asks domains not to share or sell people’s personal data, or to use personal data across different contexts, using similar definitions to CCPA and other U.S. state privacy laws.** Other nationalities or regions may choose to incorporate the signal directly or may find user-agents using it. While the legal or regulatory requirements to respect GPC vary, people’s intent in exactly what they are requesting should be considered consistently.

GPC is not necessarily intended to invoke every new privacy right in every jurisdiction. For example, GPC is not intended to globally invoke data deletion rights on every website people visit. GPC is also not intended to limit a first party’s use of personal information within the first-party context (such as a publisher targeting ads to an individual on its website based on that individual’s previous activity on that same site). For that reason, GPC should not be interpreted as exercising the CCPA’s right to limit the use of sensitive information in a first-party context.

### 4.1 GPC in the US

Since 2018, at least nineteen states have passed comprehensive state privacy laws that include, among other rights, the right to opt out of the sale or sharing of personal information and/or the right to opt out of cross-context targeted advertising. Many of these laws explicitly state that consumers may exercise these rights through a universal signal, including a signal sent through a browser or operating system. At least four states have declared that receipt of a Global Privacy Control signal is to be interpreted as a legally binding exercise of the opt-out right in that state.

#### 4.1.1 The California Consumer Privacy Act

In 2018, California passed the first comprehensive privacy law in the United States. In addition to transparency obligations, the right to access personal information, and the right to delete personal information held by businesses, the CCPA gave California residents for the first time the legal right to opt out of the sale of their personal information. The CCPA included text that a consumer could appoint another entity to exercise their rights on their behalf. In January 2021, the California Attorney General [issued guidance](https://digiday.com/media/why-a-tweet-from-californias-ag-about-a-global-privacy-tool-has-companies-scrambling/) to businesses that sending GPC signals is to be interpreted as a legally binding exercise of opt-out rights under California law.
Subsequently, the California Attorney General’s office updated its [Frequently Asked Questions page](https://oag.ca.gov/privacy/ccpa), which, in addition to other guidance, stated that GPC signals were a legally binding invocation of opt-out rights under California law.

Under the CCPA, the California Attorney General is empowered to issue regulations offering more clarity about specific portions of the text of the law. The [initial set of regulations](https://oag.ca.gov/privacy/ccpa/reg) provided more clarity on how global opt-out signals should be interpreted as opt-out requests under the law. See § 999.315, Requests to Opt-Out (though note that these regulations have since been superseded — see the following paragraphs).

In November 2020, California voters approved an update to the CCPA under the California Privacy Rights Act ballot initiative. The initiative expanded the CCPA in a number of ways, including through the creation of a new privacy regulator (the California Privacy Protection Agency) and through [increased specificity](https://thecpra.org/#1798.135(e)) on the legally binding nature of global privacy signals. Under the CPRA, the California Privacy Protection Agency was directed to expand on previously issued regulations.

In March 2023, the Agency issued [revised regulations](https://cppa.ca.gov/regulations/consumer_privacy_act.html), including provisions on the operation of "opt-out preference signals." See § 7025, Opt-out Preference Signals. The text includes detailed requirements around issues such as: the technical requirements for opt-out preference signals, when to apply browser-based opt-out preference signals to other consumer data, and when businesses can rely upon specific consent to disregard opt-out preference signals. The regulations include illustrative examples of how the rules should work in practice.

In August 2022, the California Attorney General issued its [first enforcement action](https://oag.ca.gov/news/press-releases/attorney-general-bonta-announces-settlement-sephora-part-ongoing-enforcement) under the CCPA, alleging that the makeup company Sephora adopted an unduly narrow definition of "sale" under the CCPA and failed to respond to GPC requests as legally valid opt-out requests. The company was required to pay a fine of $1.2 million and agree to substantial injunctive relief, including agreeing to treat GPC signals as requests to opt out of the sale of personal information.

#### 4.1.2 The Colorado Privacy Act

In July 2021, Colorado enacted the [Colorado Privacy Act (CPA)](https://coag.gov/resources/colorado-privacy-act/), which offered similar — though slightly different — protections to the California Consumer Privacy Act. One difference is that the CPA offers two different though related opt-out rights — the right to opt out of data sales and the right to opt out of cross-context targeted advertising.

The text of the CPA explicitly provides for global privacy signals, stating "a consumer may authorize another person, acting on the consumer's behalf, to opt out of the processing of the consumer's personal data . . . including through a technology indicating the consumer's intent to opt out such as a web link indicating a preference or browser setting, browser extension, or global device setting." See § 6-1-1306(a)(ii). The CPA then included a number of additional requirements for global privacy signals, including: the signal should not be sent by default but should reflect the user’s affirmative choice, it should be as consistent as possible with similar mechanisms in other states, and the user agent sending the signal should not "unfairly disadvantage" another data controller.

The Colorado Privacy Act also directed the Colorado Attorney General to issue more detailed regulations, including specifically on the operation of global privacy signals. In March 2023, the Colorado Attorney General’s office published the initial [regulations](https://coag.gov/app/uploads/2023/03/FINAL-CLEAN-2023.03.15-Official-CPA-Rules.pdf) implementing the privacy law, including greater specificity on the operation of universal opt-out mechanisms (see Part 5, Universal Opt-Out Mechanism). These regulations provide clarity on a number of issues, including restrictions on data use by companies receiving the signal. The regulations also clarify the rules on default settings, stating that general purpose, pre-installed browsers may not set universal opt-out signals by default, but if a product is marketed as exercising users’ privacy choices, it may send an opt-out signal to controllers without additional consent from the user.

The regulations also set up a "registry" of legally binding signals under the law to provide greater clarity to businesses as to which universal opt-out mechanisms must be treated as binding opt-out requests. In October 2023, the Colorado Attorney General’s office issued a call for proposals for signals that should be included in its registry. In February 2024, the office published the first [official registry](https://coag.gov/uoom/) of legally binding universal opt-out mechanisms. The only signal recognized as legally binding was the Global Privacy Control.

#### 4.1.3 Other states that explicitly provide for universal opt-out mechanisms

In addition to California and Colorado, at least ten other states have passed comprehensive privacy legislation that explicitly provides for the operation of global privacy signals that must be treated as legally binding opt-outs under the law.
Most of these state laws are broadly similar to the text of the Colorado Privacy Act, in that they apply to both sales and cross-context targeted advertising, and have similar provisions requiring, for example, that the signals reflect the intent of the user and that they not unfairly disadvantage other controllers.

However, they also differ in a number of key ways. As one example, states like Texas and Nebraska provide that specific global opt-out signals will be deemed valid if they are legally recognized in another state jurisdiction. Most of these states do not provide for rulemaking from the Attorney General to issue more clarity on the operation of the global opt-out provisions, though regulators may offer more informal guidance through FAQs (as California originally did) or may bring enforcement actions to clarify the boundaries of the law.

Two states --- [Connecticut](https://portal.ct.gov/ag/sections/privacy/the-connecticut-data-privacy-act) and [New Jersey](https://www.njconsumeraffairs.gov/ocp/Pages/NJ-Data-Privacy-Law-FAQ.aspx) --- have issued FAQs explicitly stating that GPC should be treated as a universal opt-out under their laws.

#### 4.1.4 States that have privacy law that is silent on universal opt-out mechanisms

Some U.S. states have passed comprehensive privacy laws that make no mention of universal opt-out mechanisms. It is not clear what legal effect — if any — global mechanisms like GPC would have in such states. Because those state laws give significant discretion to companies in how opt-out rights are offered to consumers, it may well be the case that universal opt-out signals would have no effect under those laws. However, the ultimate interpretation of those laws lies with local enforcement agencies and the courts.

#### 4.1.5 Federal law and states without dedicated privacy laws

The majority of U.S. states have not enacted comprehensive privacy legislation, and federally there is no privacy statute specifically covering commercial information. The Federal Trade Commission and state Attorneys General have enforced general purpose consumer protection law that prohibits unfair or deceptive practices against certain privacy behaviors, though none have made a specific claim about how GPC intersects with those laws. The FTC has proposed to issue regulations under its consumer protection statute governing "surveillance capitalism," and [some privacy advocacy groups have argued](https://advocacy.consumerreports.org/wp-content/uploads/2022/01/CR_Epic_FTCDataMinimization_012522_VF_.pdf) that failure to respond to universal opt-out requests could be treated as an unfair business practice under such a regulation.

### 4.2 GPC outside the US

The European Union and European Economic Area have the General Data Protection Regulation (GDPR). This law provides for a number of bases for data processing, including consent and the "legitimate interest" of the data controller. For processing pursuant to a company’s "legitimate interest," Article 21 of the GDPR offers people an ability to object to, or opt out of, such processing. As GPC is intended to convey a general request that data controllers limit the sale or sharing of the person's personal data to other data controllers, European regulators may deem GPC to constitute a legally binding invocation of Article 21 rights. To date, no European regulator has explicitly made this case, though some commentators have argued that [GPC has legal effect under the GDPR](https://berjon.com/gpc-under-the-gdpr/).

Mauritius, an African country, has the Data Protection Act (DPA). The DPA was inspired by the GDPR. The law provides for a number of bases for data processing, including consent and the "legitimate interest" of the data controller. For processing pursuant to a company's "legitimate interest," Article 24 of the DPA offers people an ability to opt out of such processing. As GPC is intended to convey a general request that data controllers limit the sale or sharing of the person's personal data to other data controllers, Mauritian regulators may deem GPC to constitute a legally binding invocation of Article 24 rights. That would be the case if people's GPC opt-out preferences are their only known opt-out preferences or their GPC opt-out preferences are in line with any other opt-out preferences they invoked. However, in case of conflicts there might be ambiguities, as there is no explicit mention of a global opt-out mechanism winning over a direct consent to a specific sharing request on a specific site.

The Privacy Commissioner of Bermuda has also [written](https://www.privacy.bm/post/global-privacy-control-interoperability-in-action) that GPC may ultimately be interpreted to exercise legal rights under its Personal Information and Privacy Act.

## 5. User Experience Considerations and Recommendations

It is not considered standard for W3C specifications to present user interface recommendations or restrictions. User interfaces are the domain of user-agents who, being closest to the user, best understand how their users interpret and react to the underlying functionality. For GPC, some user-agents may present themselves as privacy-focused technology, in which case it may make sense for the signal to be defaulted to on, which, for example, is supported in California and Colorado for privacy-focused technology. Some user-agents may be generic, with no expectation for people setting defaults. Some user-agents may present GPC in different formats and devices and necessitate unique user interface requirements.
This Guide presents examples of user-agent user interfaces for GPC as an aid to adopters who are interested in or required to implement GPC, showing how it can be presented.

### 5.1 Example Presentations of User-agent Level UI

The following examples come from the [OptMeowt browser extension](https://github.com/privacy-tech-lab/gpc-optmeowt), which is developed at the [privacy-tech-lab](https://privacytechlab.org/) at Wesleyan University. We also show how Mozilla surfaces the GPC setting in Firefox. These examples are shown to illustrate. They are not meant as a comprehensive set of UIs for GPC.

Whichever user interface applications are implemented, they are expected to meet accessibility standards.

User interfaces are further expected to have a clear visible switch for turning on the GPC signal that can clearly distinguish between active and inactive. **For GPC "active" always means an individual is exercising their choice to opt out of sharing and cross-site usage to the extent provided by the law.**

![The OptMeowt popup showing GPC details of the current site](assets/images/OptMeowt_Popup.png)
The OptMeowt popup showing GPC details of the current site.

User-agents may choose to allow people to manage the GPC signal for individual domains. Individual domains can be represented to the user as a list that clearly indicates their settings. In such a list people may be able to add individual domains, domains may be automatically added, and people may manage domains on which they have already made an active choice, or exclude domains from the GPC opt-out signal being active. When people choose a GPC setting for a site, it is expected that the user-agent retain that setting until they make an active choice to change it.

![The OptMeowt domain list for setting GPC on individual sites](assets/images/OptMeowt_Domain_List.png)
The OptMeowt domain list for setting GPC on individual sites.

It is expected that most people will choose whether they want to universally activate GPC across all domains and requests. Interfaces should reflect GPC’s intent to be as straightforward and simple as possible. People may also choose to disable GPC universally for their user-agent.

![The universal GPC setting of OptMeowt](assets/images/OptMeowt_Universal_Setting.png)
The universal GPC setting of OptMeowt.

![The universal setting of GPC in the Firefox browser settings](assets/images/Firefox_Universal_Setting.png)
The universal setting of GPC in the Firefox browser settings.

A user interface can show what response is at `https://{yourwebsite.com}/.well-known/gpc.json` and display that information to the users so they can understand what claims the website is making in terms of GPC compliance. This can be done regardless of the properties included in the JSON document; the main concern is the value of the `gpc` property, as seen here.

![An example of how GPC responses can be surfaced (OptMeowt)](assets/images/OptMeowt_GPC_Response.png)
An example of how GPC responses can be surfaced (OptMeowt).

### 5.2 User-agents

The above examples are from an extension in a web browser. User-agents should implement similar interface conventions. The authors of this document recommend that user-agents have some way to display to people the state of their GPC signal when it is on during the course of regular interaction with the site, instead of putting it behind a settings page.

A setting should be included to manage GPC. At the very least, a simple Boolean-value switch should be available to the user within settings to manage GPC universally for the user-agent.

If GPC is not turned on by default, there should be a control that is accessible to people to turn it on when interacting with an individual site.

If the user-agent makes the GPC setting visible when active, it should retain individuals’ privacy choices when they turn off GPC for a specific site.

User-agents should not challenge people with a request to set GPC in either mode beyond initial setup. Per-domain settings of GPC should be up to an individual to engage with, not pushed via a notification, modal, pop-up, or similar interactive element.
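For the `gpc.json` surfacing described in 5.1, as a user-agent following 5.2 might implement it: an added example that is not from this guide, OptMeowt or Firefox. It assumes the `{"gpc": boolean, "lastUpdate": "YYYY-MM-DD"}` shape from 3.4; the status labels, helper names and sample responses are this example's own.

```javascript
// Added example (not from the explainer or any user-agent's code): how a
// user-agent could interpret a domain's GPC Support Resource before showing
// it to the person. The status vocabulary ("supports", "rejects", "absent",
// "malformed", "unknown") is invented here for illustration.

// Strict YYYY-MM-DD check: must match the pattern and be a real calendar date
// (a rolled-over date such as 2024-02-30 is rejected).
function isValidLastUpdate(value) {
  if (typeof value !== "string" || !/^\d{4}-\d{2}-\d{2}$/.test(value)) return false;
  const parsed = new Date(`${value}T00:00:00Z`);
  return !Number.isNaN(parsed.getTime()) && parsed.toISOString().slice(0, 10) === value;
}

// `response` stands in for the result of fetching
// https://<domain>/.well-known/gpc.json: { status, body }, or null when the
// fetch itself failed. Nothing is fetched here; inputs are constructed below.
function classifyGpcSupportResource(response) {
  const result = (status, reason, gpc = null, lastUpdate = null) => ({ status, gpc, lastUpdate, reason });
  if (response === null) return result("unknown", "fetch failed");
  if (response.status === 404) return result("absent", "no resource");
  if (response.status !== 200) return result("unknown", `HTTP ${response.status}`);

  let doc;
  try {
    doc = JSON.parse(response.body);
  } catch (err) {
    return result("malformed", "body is not JSON");
  }
  if (doc === null || typeof doc !== "object" || Array.isArray(doc)) {
    return result("malformed", "top level is not an object");
  }
  // The only value that matters is a boolean `gpc`; a string "true" or a
  // missing key claims nothing, so it is never shown as support.
  if (typeof doc.gpc !== "boolean") return result("malformed", "gpc is not a boolean");
  // Extra properties are ignored; an unusable lastUpdate is reported but does
  // not invalidate the gpc claim.
  const lastUpdate = isValidLastUpdate(doc.lastUpdate) ? doc.lastUpdate : null;
  const reason = lastUpdate === null ? "lastUpdate missing or invalid" : "ok";
  return result(doc.gpc ? "supports" : "rejects", reason, doc.gpc, lastUpdate);
}

// One line of text a popup could show next to the domain.
function describeForPeople(domain, result) {
  switch (result.status) {
    case "supports":
      return `${domain} states that it honors GPC` + (result.lastUpdate ? ` (as of ${result.lastUpdate})` : "");
    case "rejects":
      return `${domain} states that it does not honor GPC`;
    case "absent":
      return `${domain} publishes no GPC Support Resource`;
    case "malformed":
      return `${domain} publishes an unreadable GPC Support Resource (${result.reason})`;
    default:
      return `${domain}: GPC Support Resource could not be checked (${result.reason})`;
  }
}

// Constructed responses (not captured from real sites).
const sampleResponses = {
  honoring: { status: 200, body: '{ "gpc": true, "lastUpdate": "1997-03-10", "contact": "privacy@example.invalid" }' },
  rejecting: { status: 200, body: '{ "gpc": false }' },
  missing: { status: 404, body: "Not Found" },
  stringy: { status: 200, body: '{ "gpc": "true", "lastUpdate": "2024-02-30" }' },
  html: { status: 200, body: "<html>oops</html>" },
};
```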
203 | 204 | Many user-agents offer a "private browsing" or "incognito" mode that provides heightened privacy protections when in use, such as not retaining local history or cookies at the end of a session. Depending upon how that private mode is described to users, the developers of the user-agent may deem it appropriate to send GPC to websites while this mode is activated as a means of offering additional privacy protection. While browser developers may decide that additional consent or user prompting is unnecessary before sending GPC in such cases, they should be transparent about the fact that in "private" or "incognito" mode, GPC will be sent. 205 | 206 | ### 5.3 Adopting on Your Website 207 | 208 | Given the complexities of existing privacy choice and consent frameworks, sites that implement GPC should disclose how they treat it in any jurisdiction for which they adopt it and how they deal with conflicts between a GPC signal and other specific privacy choices that an individual has already made directly with the site, including instances where third party sharing may be permitted, such as sharing to service providers/processors or at the direction of the individual. 209 | 210 | Where industry standards set specific strings or signals that are needed to communicate people’s privacy choices, sites should anticipate translating GPC into the downstream signal. A good example of such a setting is handling GPC to set California-based US Privacy Strings for advertising technology: 211 | 212 | ```javascript 213 | if ( 214 | navigator.globalPrivacyControl && 215 | identityObject.geoState === 'CA' 216 | ) { 217 | this.uspapi.uspStringSet = true; 218 | this.uspapi.setUSPString(`1YYY`); 219 | } // the original snippet continues with further branches that are omitted here 220 | ``` 221 | 222 | Setting the USPAPI for propagating GPC downstream. 223 | 224 | Generally website developers should consider GPC signals to be identical to a user flipping the opt out switch on their website and take action accordingly.
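A fuller version of the translation above, added here as an example and not taken from the explainer or from OptMeowt: it reads the navigator.globalPrivacyControl property the specification defines and derives the US Privacy String for a California visitor, also covering the no-GPC and out-of-state cases. The `identity` object with its geoState and lspaCovered fields, and the `uspapi` holder with a setUSPString method, are assumptions for this example.

```javascript
// Added example, not the explainer's or OptMeowt's code: translate the GPC
// signal into the IAB US Privacy String for a California visitor. The
// `identity` object (geoState, lspaCovered) and the `uspapi` holder with a
// setUSPString method are assumptions made for this example.

// Read the preference the way a page script would. A user agent that does not
// implement navigator.globalPrivacyControl leaves it undefined, which counts
// as "no preference expressed", exactly like false.
function readGPC(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// Build the four-character US Privacy String:
//   [spec version][explicit notice given][opt out of sale][LSPA covered]
// "1---" is the "not applicable" string used outside California.
function buildUSPString({ gpc, geoState, lspaCovered = false }) {
  if (geoState !== 'CA') return '1---';
  return `1Y${gpc ? 'Y' : 'N'}${lspaCovered ? 'Y' : 'N'}`;
}

// Treat the GPC signal exactly like the site's own opt-out switch: when set for
// a California visitor, the string carries "Y" in the opt-out-of-sale position.
function propagateGPC(nav, identity, uspapi) {
  const usp = buildUSPString({
    gpc: readGPC(nav),
    geoState: identity.geoState,
    lspaCovered: identity.lspaCovered,
  });
  uspapi.uspStringSet = usp !== '1---';
  uspapi.setUSPString(usp);
  return usp;
}
```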
225 | 226 | ### 5.4 Consent to Disregard a Universal GPC Signal 227 | 228 | A do-not-sell-or-share preference is when a person generally requests of all website publishers that their data "not be sold or shared." However, it is possible that a particular publisher would seek to enter into a separate agreement with a user permitting that publisher to sell or share the user’s data notwithstanding the general preference. The GPC spec does not provide for a mechanism or syntax to negotiate or indicate such an exception, so any user consent to tracking would be communicated apart from the GPC signal. 229 | 230 | When and how a separate agreement to disregard GPC requests overrides the legal status of the signal will be a matter of local law. Some jurisdictions that have explicitly endorsed GPC as a legally binding opt-out signal have also placed limitations on how companies can request permission to track despite the general signal. One rationale for such limitations is that without some restrictions, users with GPC enabled could be inundated with countless requests for exceptions to track as they browse the internet — undermining the fundamental purpose of offering a simple, binary universal opt-out tool. Both California and Colorado, for example, constrain how overrides for universal opt-out signals like GPC can be requested, including rules against retaliating against users for exercising privacy rights, conditions for valid consent, and limiting how frequently companies can ask consumers to reconsider opt-out requests. 231 | 232 | ## 6. Alternatives Considered 233 | 234 | The authors of GPC considered other options for how the signal would work. The current state of privacy controls across the world is varied. The authors have experience both working on and implementing these more complex controls and found that people generally consider them to be unnecessarily complex.
If people intend to make privacy choices, they almost always intend to exercise their rights broadly, e.g., opting out from all sites they visit, no matter how many individual controls exist. More recent laws have also adopted this understanding and moved towards requiring universal controls or significantly fewer degrees of control. GPC reflects this understanding of people’s privacy choices and, therefore, works in support of these laws. 235 | 236 | The signal has been through a few iterations with the specification before it was submitted to the W3C. More complex signals, more extensive data, and different delivery formats were all considered. Additional complexity in the signal creates fingerprinting risk. Delivering the signal for JavaScript-based consumers via a promise was considered as a more privacy-preserving option that would allow greater complexity, but was rejected in favor of performance and simplicity. 237 | 238 | Removal of the GPC Support Resource was considered, as well as further simplification of its contents. However, both the maintenance of the GPC Support Resource as an indicator of compliance and the presentation of the date were reinforced during consultation with lawyers as extremely useful for maintaining documented compliance and dealing with potential legal activity, especially in cases of specification updates. 239 | -------------------------------------------------------------------------------- /index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 |
4 | 5 | 6 |102 | This document defines a signal, transmitted over HTTP and through the DOM, that conveys a 103 | person's request to websites and services to not sell or share their personal information with 104 | third parties. This standard is intended to work with existing and upcoming legal frameworks 105 | that render such requests enforceable. 106 |
107 |112 | Building websites today often involves relying on services provided by businesses other than 113 | the one with which a person chooses to interact. This result is a consequence of the 114 | increasing complexity of Web technology and of the division of labor between different 115 | services. While this architecture can be used in the service of better Web experiences, 116 | it can also be abused to violate privacy ([[?privacy-principles]]). While data can be shared 117 | with service providers for limited operational purposes, it can also be shared or used for 118 | behavioral targeting in ways that many users find objectionable. 119 |
120 |121 | Several different legal frameworks have been proposed or enacted by jurisdictions around 122 | the world to address this concern. Some models rely upon user consent for tracking. Other 123 | models based on the principle of data minimization simply prohibit certain data sharing or 124 | data processing entirely. 125 |
126 |127 | Some laws and proposals grant users the right to request that their privacy be 128 | protected, including "opt out" requests that their data not be sold or shared beyond the 129 | business with which they intend to interact. Requiring that people manually express their 130 | rights for each and every site they visit is, however, impractical, and an imposition of 131 | "privacy labor" on people ([[?privacy-principles]]). 132 |
133 |134 | This specification is designed for this last category of laws and addresses the problem of the 135 | difficulty of scaling user choices by providing a way to universally signal to all website 136 | publishers, through an HTTP header 137 | or the DOM, a person's assertion of their applicable rights to prevent the sale of their data, 138 | the sharing of their data with third parties, and the use of their data for cross-context targeted 139 | advertising. This signal allows users to take advantage of specific provisions in some of these 140 | opt-out based laws, such as, for example, the provisions relating to "opt out preferences 141 | signals" in the California Consumer Privacy Act to stop the sale or sharing of personal information, 142 | [[?CCPA-REGULATIONS]], or similar provisions for "universal opt-out mechanisms" in laws in Colorado 143 | and other states to allow users to opt out of the sale of their information or its use for 144 | cross-organization targeted advertising. 145 |
146 |147 | However, while the Global Privacy Control is designed to allow users to express a preference to opt out 148 | of sharing and cross-context targeted advertising, the control is not intended to exercise every possible 149 | privacy right, nor even every right to opt out of advertising or ad targeting. GPC is not designed to 150 | exercise deletion rights, for example. GPC is also not designed to address [=same site=] data collection and 151 | [=same site=] ad targeting. For more details, see the 152 | Legal and Implementation Considerations Guide. 153 |
154 |155 | The specification should not be interpreted as an endorsement of the opt-out model of 156 | regulation — or of cross-context tracking more broadly — or a rejection of other models based on 157 | consent or data minimization. It is instead designed to make it possible to exercise the affirmative rights 158 | granted to users in certain jurisdictions. 159 |
160 |164 | A do-not-sell-or-share interaction is an interaction with a website in which the 165 | person is requesting that their data not be sold to or shared with any party other than the 166 | one the person intends to interact with, or to have their data used for cross-context ad targeting. 167 |
168 |169 | A do-not-sell-or-share preference is when a person requests 170 | that their data "not be sold or shared" for instance by activating a Global Privacy Control 171 | setting with their user agent or by using tools that default to such a setting (possibly 172 | because this setting matches the most common expectations of that tool's users). 173 | When set, this [=preference=] indicates that the person expects to browse the Web with 174 | [=do-not-sell-or-share interactions=]. 175 |
176 |182 | A Global Privacy Control [=preference=] should be conveyed for all HTTP requests (in the form 183 | of the HTTP header) and all websites (in the form of the Web API property). 184 |
185 |
186 | If set, this [=preference=] is expressed as a single value of 1 or equivalently
187 | true according to context.
188 |
190 | In the absence of regulatory, legal, or other requirements, websites MAY interpret an 191 | expressed Global Privacy Control [=preference=] as they find most appropriate for the given 192 | person, particularly as considered in light of the person's privacy expectations, context, and 193 | cultural circumstances. Likewise, websites might make use of other [=preference=] information 194 | outside the scope of this protocol, such as site-specific person [=preferences=] or third-party 195 | registration services, to inform or adjust their behavior when no explicit [=preference=] is 196 | expressed via this protocol. 197 |
198 |199 | User agents are expected to convey a person's [=preferences=] as accurately as they can. User 200 | agents SHOULD strive to represent what the user agent best believes to be the person's 201 | [=preference=] for the Global Privacy Control value. 202 |
203 |207 | The [=preference=] MUST be cached on each top-level navigation to ensure consistency in communication of 208 | the person's request that their data "not be sold or shared." This means that if the [=preference=] changes 209 | during or after a top-level navigation, it will not be reflected until the next navigation. 210 |
211 |
212 | A [=top-level browsing context=] has a gpcAtNavigation boolean.
213 | It is initially false.
214 |
216 | The value of [=gpcAtNavigation=] MUST reflect the [=preference=]
217 | of the person when the [=top-level browsing context=]'s [=navigable/active document=] began loading.
218 | It will be true if the person's [=preference=] was enabled, and false if
219 | the person's [=preference=] was disabled or had not been set.
220 |
222 | If [=preference=] is changed to be inconsistent with some gpcAtNavigation cached in a
223 | [=top-level browsing context=], the user agent SHOULD inform the user of any inconsistent tabs and provide
224 | the option to reload them, refreshing the cached gpcAtNavigation to reflect the current [=preference=].
225 |
Sec-GPC Header Field for HTTP Requests
230 | The Sec-GPC header field is a mechanism for expressing a person's
231 | general universal [=preference=] for a [=do-not-sell-or-share interaction=] in HTTP requests
232 | (for any request method). In some cases, a specific arrangement with that person may permit
233 | a website to ignore a generally applicable [=preference=] (see § 5.3 below and the
234 | Legal and Implementation
235 | Considerations Guide).
236 |
238 | The syntax ([[ABNF]]) of the field is: 239 |
240 |241 | Sec-GPC-field-name = "Sec-GPC" 242 | Sec-GPC-field-value = "1" 243 |244 |
245 | A user agent MUST NOT generate a [=Sec-GPC=] header field if [=top-level browsing context=]'s
246 | gpcAtNavigation is false.
247 |
249 | A user agent MUST generate a [=Sec-GPC=] header field with a field-value that
250 | is exactly the numeric character "1" if [=top-level browsing context=]'s
251 | gpcAtNavigation is true.
252 |
254 | A user agent MUST NOT generate more than one [=Sec-GPC=] in a given HTTP
255 | request and MUST NOT use a [=Sec-GPC=] field in an HTTP trailer.
256 |
258 | A server processing an HTTP request that contains a [=Sec-GPC=] header MUST
259 | ignore it and process the request as if that header had not been specified unless the
260 | field value is exactly the character "1". If there are multiple [=Sec-GPC=]
261 | headers and at least one has a field value of exactly "1" then the server MUST treat the
262 | request as if there were only one [=Sec-GPC=] header with a field value of
263 | "1"; and as if there were none otherwise.
264 |
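As an added example (not the specification's own code), the server-side processing rules above implemented over raw header name/value pairs, with a constructed sample request and a note on how Node's http module folds repeated headers.

```javascript
// Added example, not the specification's own code: server-side evaluation of
// the Sec-GPC request header following the processing rules above. It works on
// header name/value pairs, so it runs on the constructed sample below without
// a real HTTP server.

// True only if at least one Sec-GPC header carries the field value exactly "1".
// Any other value ("0", "true", "1;ext", "") is ignored as if that header were
// absent. Field names compare case-insensitively. The only normalisation of the
// value is stripping the optional whitespace around it, which an HTTP parser
// has usually done already; no other tolerance is applied.
function gpcRequested(headerPairs) {
  let requested = false;
  for (const [name, value] of headerPairs) {
    if (name.toLowerCase() !== 'sec-gpc') continue;
    if (value.trim() === '1') requested = true;
  }
  return requested;
}

// Node's http module keeps the unfolded list in req.rawHeaders, alternating
// name and value; this turns it into the pairs gpcRequested expects.
function pairsFromRawHeaders(rawHeaders) {
  const pairs = [];
  for (let i = 0; i + 1 < rawHeaders.length; i += 2) {
    pairs.push([rawHeaders[i], rawHeaders[i + 1]]);
  }
  return pairs;
}

// Caveat: req.headers folds repeated fields into one comma-joined string, so
// two headers "1" and "0" arrive as "1, 0" and cannot be told apart from a
// single malformed header "1,0". This variant honours the signal whenever any
// element is exactly "1", erring towards respecting the person's preference;
// use req.rawHeaders when the distinction matters.
function gpcRequestedFromFolded(folded) {
  if (folded === undefined) return false;
  return String(folded).split(',').some((v) => v.trim() === '1');
}

// Constructed sample request: two Sec-GPC headers, one of them exactly "1".
const SAMPLE_RAW_HEADERS = [
  'Host', 'example.com',
  'Sec-GPC', '0',
  'sec-gpc', '1',
  'Accept', '*/*',
];

// By the rules above this request is processed as if it carried a single
// "Sec-GPC: 1", so the site applies its opt-out handling.
function sampleDecision() {
  return gpcRequested(pairsFromRawHeaders(SAMPLE_RAW_HEADERS));
}
```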
266 | HTTP intermediaries MUST NOT remove a [=Sec-GPC=] header set to "1", but they
267 | MAY remove [=Sec-GPC=] headers that contain other values. Additionally, an
268 | HTTP intermediary that has reasons to believe the person originating a given HTTP
269 | request has a [=do-not-sell-or-share preference=], MAY insert a [=Sec-GPC=]
270 | header set to "1".
271 |
284 | The [=Sec-GPC=] is deliberately defined without an extension mechanism.
285 | Experience with previous similar headers shows that people tend to rely on string
286 | equality instead of parsing the value when testing for their presence, especially when
287 | extensions do not yet exist. Such checks would of course fail in the presence of
288 | extension content, which would in turn render the mechanism moot. Should extensions
289 | prove necessary to this standard, they will need to be implemented through other
290 | headers, which may in time supersede this one.
291 |
297 | The {{GlobalPrivacyControl/globalPrivacyControl}} property enables a client-side
298 | script to determine what [=Sec-GPC=] header field value was sent when
299 | loading the [=top-level browsing context=]'s [=navigable/active document=].
300 |
302 | interface mixin GlobalPrivacyControl {
303 | readonly attribute boolean globalPrivacyControl;
304 | };
305 | Navigator includes GlobalPrivacyControl;
306 | WorkerNavigator includes GlobalPrivacyControl;
307 |
308 |
309 | The value is false if no Sec-GPC header field would be sent;
310 | otherwise, the value is true.
311 |
313 | The value of {{GlobalPrivacyControl/globalPrivacyControl}} MUST be the
314 | [=top-level browsing context=]'s gpcAtNavigation.
315 |
317 | The {{GlobalPrivacyControl/globalPrivacyControl}} property is available on the
318 | navigator object in both regular and worker contexts, and so can be checked
319 | reading from navigator.globalPrivacyControl.
320 |
333 | A site MAY produce a resource at a .well-known URL in order for a site to represent the fact 334 | that it abides by GPC requests, at least where required to do so. The purpose of a GPC support 335 | resource is for a site to convey its awareness of and support for the Global Privacy Control. 336 | The support resource is not intended to convey whether the site abides by GPC requests from 337 | the user agent accessing the resource. By default, an origin's support is unknown. 338 |
339 |
340 | A GPC support resource has the well-known identifier /.well-known/gpc.json
341 | relative to the origin server's URL [[RFC8615]].
342 |
344 | An origin server that receives a valid GET request targeting its GPC support resource 345 | responds either with a successful response containing a machine-readable representation of 346 | the site-wide tracking status, as defined below, or a sequence of redirects that leads to 347 | such a representation (which MAY be provided by a server at another origin). 348 |
349 |
352 | The origin server MUST return the GPC support resource as a valid representation using the
353 | application/json media type [[RFC8259]], otherwise the origin's support is
354 | unknown.
355 |
357 | The GPC support representation MUST be a 358 | JSON object, otherwise the 359 | origin's support is unknown. Members of this JSON object not in the list below have no 360 | meaning in this specification and MUST be ignored. Members include: 361 |
gpc member. The value of the gpc member MUST be either
364 | true, to indicate that the server intends to abide by GPC requests at least
365 | to the extent it is legally obligated to do so, or false, to indicate that
366 | it does not. For any other value the origin's support is unknown.
367 | lastUpdate member. The value of the lastUpdate
370 | member MUST be an RFC3339 full-date (YYYY-MM-DD) or date-time
371 | (YYYY-MM-DDTHH:mm:ss.sssZ) [[RFC3339]]. This indicates the time at
372 | which the statement of support was made, such that later changes to the meaning of the
373 | GPC standard should not affect the interpretation of the resource for legal purposes.
374 | If the member is not in a valid RFC3339 format, the last update date and time is
375 | unknown.
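An added example, not from the specification or any site: a checker that interprets a GPC support resource by the rules above, treating the media type, the JSON shape, the gpc member and the lastUpdate format separately. The fetch wrapper and the sample bodies are assumptions constructed for it.

```javascript
// Added example, not the specification's or any site's code: interpret a
// fetched GPC support resource by the rules above. It takes the response
// media type and body text, so it also runs on a constructed sample.

const FULL_DATE = /^(\d{4})-(\d{2})-(\d{2})$/;
// RFC 3339 date-time: full-date "T" partial-time time-offset. This accepts
// the whole RFC 3339 grammar, a superset of the YYYY-MM-DDTHH:mm:ss.sssZ form
// named above (fractional seconds optional, numeric offsets allowed).
const DATE_TIME =
  /^(\d{4})-(\d{2})-(\d{2})[Tt](\d{2}):(\d{2}):(\d{2})(?:\.\d+)?(?:[Zz]|[+-]\d{2}:\d{2})$/;

// Days in a 1-based month; Date.UTC with day 0 yields the previous month's last day.
function daysInMonth(year, month) {
  return new Date(Date.UTC(year, month, 0)).getUTCDate();
}

// Returns the lastUpdate string when it is a calendar-valid RFC 3339 full-date
// or date-time, otherwise null, meaning the last update is unknown.
function parseLastUpdate(value) {
  if (typeof value !== 'string') return null;
  const m = FULL_DATE.exec(value) || DATE_TIME.exec(value);
  if (!m) return null;
  const [year, month, day] = [Number(m[1]), Number(m[2]), Number(m[3])];
  if (month < 1 || month > 12 || day < 1 || day > daysInMonth(year, month)) return null;
  if (m[4] !== undefined) {
    const [hour, minute, second] = [Number(m[4]), Number(m[5]), Number(m[6])];
    // RFC 3339 allows second 60 for leap seconds.
    if (hour > 23 || minute > 59 || second > 60) return null;
  }
  return value;
}

// Evaluates a support resource response. Result shape:
//   { support: true | false | 'unknown', lastUpdate: string | null }
function interpretSupportResource(mediaType, bodyText) {
  const unknown = { support: 'unknown', lastUpdate: null };
  // Media type parameters such as "; charset=utf-8" are fine; the type itself
  // must be application/json or the origin's support is unknown.
  const type = String(mediaType || '').split(';')[0].trim().toLowerCase();
  if (type !== 'application/json') return unknown;
  let doc;
  try {
    doc = JSON.parse(bodyText);
  } catch (e) {
    return unknown;
  }
  // The representation must be a JSON object; arrays and null also parse but do not qualify.
  if (doc === null || typeof doc !== 'object' || Array.isArray(doc)) return unknown;
  // Members other than gpc and lastUpdate have no meaning here and are ignored.
  const support = doc.gpc === true || doc.gpc === false ? doc.gpc : 'unknown';
  return { support, lastUpdate: parseLastUpdate(doc.lastUpdate) };
}

// Fetches /.well-known/gpc.json for an origin. fetch follows the redirect
// chain the section permits (possibly to another origin) by default; a
// non-successful final response leaves support unknown. Requires a runtime
// with global fetch (Node 18+ or a browser).
async function fetchSupportResource(origin) {
  const res = await fetch(new URL('/.well-known/gpc.json', origin), { redirect: 'follow' });
  if (!res.ok) return { support: 'unknown', lastUpdate: null };
  return interpretSupportResource(res.headers.get('content-type'), await res.text());
}
```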
376 | 399 | The GPC signal was designed to allow users to take advantage of legal rights to stop certain 400 | sharing or processing of their data. As such, the sending and receipt of a GPC signal may 401 | have legal effects, depending on factors such as the location of the individual sending the 402 | signal, the scope of the applicable law, as well as any separate agreement between the 403 | recipient of the signal and the individual. However, GPC is not necessarily intended to invoke 404 | every new privacy right in every jurisdiction. For additional details on legal effects, 405 | consult the Legal and 406 | Implementation Considerations Guide. 407 |
408 |409 | For example, the use of the GPC signal by an individual will be intended to communicate the 410 | individual's intention to invoke the following rights, as applicable: 411 |
412 |414 | GPC was originally created to take advantage of new opt-out privacy laws in the United States. 415 | Starting with the enactment of the California Consumer Privacy Act in 2018, several U.S. states 416 | have passed privacy laws that give consumers the legal right to opt out of the sale or share of 417 | their data, or the use of their data for cross-organization targeted advertising. Many of those state 418 | laws make explicit provision for the exercise of those rights through universal opt-out mechanisms 419 | such as the GPC. At least four states have specifically identified GPC as a valid means to exercise 420 | legal opt-out rights. A minority of states provide for rulemaking procedures to allow regulators 421 | to expand on the specifics of how universal opt-out requests should be honored; other states may 422 | rely upon informal guidance or enforcement actions to provide clarity on the scope of legal 423 | obligations around GPC signals. 424 |
425 |427 | GPC could potentially be used to indicate rights in other jurisdictions as well. For example, the 428 | GDPR potentially affords data subjects the right to limit the sharing of personal information under 429 | Articles 7 and 21. Many other countries around the world have adopted affirmative privacy 430 | legislation — often modeled on the GDPR; a regulator in one of those countries could determine that 431 | GPC invokes a legal right that requires some response from a recipient. 432 |
433 |434 | Other US state privacy laws, such as those in Virginia and Utah, give consumers new opt-out 435 | rights around data sales and cross-organization targeted advertising but are silent on the legal 436 | effect of global opt-out signals. Regulators enforcing those statutes may determine that a user 437 | activating a signal such as GPC may be sufficient to legally exercise opt-out rights in 438 | those jurisdictions. 439 |
440 |441 | However, GPC is not necessarily intended to invoke every new privacy right in every 442 | jurisdiction. For example, GPC is not intended to globally invoke data deletion rights on 443 | every website visited by the user. GPC is also not intended to limit a first party’s use of 444 | personal information within the first-party context (such as a publisher targeting ads to a 445 | user on its website based on that user’s previous activity on that same site). 446 |
447 |448 | Given the complexities of existing consent frameworks, publishers who accept the GPC signal 449 | should disclose how they treat the GPC signal in that jurisdiction and how they deal with 450 | conflicts between the signal and other specific privacy choices that the person has already 451 | made directly with the publisher, including instances where third party sharing may be 452 | permitted such as sharing to service providers/processors, sharing at law or at the 453 | direction of the individual. 454 |
455 |458 | This document does not specify what information must be presented to a user before activating 459 | GPC. When a user agent promotes a privacy feature or offers a privacy setting, it can make the 460 | determination of whether it is appropriate to send GPC based on what has been disclosed to the user. 461 | 462 | User agents SHOULD strive to represent what the user agent best believes to be the person's 463 | preference for the Global Privacy Control value. While studies have shown that most people do not 464 | want their data sold or shared, some jurisdictions have enacted "opt-out" legal frameworks 465 | where consumers have to take an affirmative action to express a [=preference=] to limit data 466 | sharing or the use of their data for targeted advertising. GPC is designed to let users easily 467 | take advantage of these laws. 468 |
469 |470 | Different jurisdictions have different prerequisites before a platform can enable a universal 471 | opt-out like GPC. Many US states say that a user agent may not send a universal opt-out signal by 472 | "default," though at least one state has said that selecting a privacy focused user agent is a 473 | sufficient indicator of user intent. 474 |
475 |476 | Different jurisdictions may also have different rules for when companies can override or disregard 477 | a universally applicable opt-out signal, 478 | for example because they have consent from the user to do so. 479 |
480 |481 | The legal landscape around global opt-outs is also changing. Several states have now passed 482 | laws that include requirements to honor global opt-outs, though some of those states’ provisions 483 | differ considerably. Additionally, states may revise their legal requirements, as California has 484 | already amended the original CCPA that was passed in 2018. 485 |
486 | In addition to the United States, other jurisdictions may recognize universal privacy signals 487 | and may impose their own requirements before such signals are deemed legally binding. 488 |
489 |490 | For more information on the latest legal requirements, please review the 491 | Legal and Implementation 492 | Considerations Guide which will provide more up-to-date information about the latest legal guidance 493 | around global opt-outs. 494 |
495 |496 | User agents are expected, where required, to present all the appropriate notices to people 497 | to ensure that the rights they wish to avail themselves of are effectively binding. 498 |
499 |504 | Exposing a user's preference (in the HTTP header field or {{Window/navigator}} object) 505 | potentially divides users into two groups in a way that might increase the information 506 | available for browser or device fingerprinting. This additional information is available 507 | unless the signal perfectly correlates with other signals or is turned on in a 508 | non-configurable setting. Thus, depending on the implementation, the GPC signal may impose 509 | a privacy cost, though, one intended to be justified by the privacy benefit of sending the 510 | signal. 511 |
512 |516 | There are no known security impacts of the features in this specification. 517 |
518 || HTTP Method | 529 |URI Template | 530 |
|---|---|
| POST | 533 |/session/{session id}/privacy | 534 |
The Set Global Privacy Control [=extension command=] modifies the 539 | [=do-not-sell-or-share preference=] for the current session. 540 | 541 |
The [=remote end steps=], given session, URL variables and 542 | parameters are: 543 | 544 |
Let |gpc| be the property `gpc` of |parameters|. 546 |
If |gpc| is undefined or is not a boolean, return error with error code invalid argument. 547 |
Record the user's [=preference=] for this |session| such that the browser will perform 548 | [=do-not-sell-or-share interaction|do-not-sell-or-share interactions=] if |gpc| is true and 549 | will not perform [=do-not-sell-or-share interaction|do-not-sell-or-share interactions=] if 550 | |gpc| is false. 551 |
Return [=success=] with data `null`. 552 |
| HTTP Method | 559 |URI Template | 560 |
|---|---|
| GET | 563 |/session/{session id}/privacy | 564 |
The Get Global Privacy Control [=extension command=] returns the 569 | [=do-not-sell-or-share preference=] for the current session. 570 | 571 |
The [=remote end steps=], given session, URL variables and 572 | parameters are: 573 | 574 |
If the user's [=preference=] for this |session| is such that the browser will 576 | perform [=do-not-sell-or-share interaction|do-not-sell-or-share interactions=], let 577 | |gpc| be true. 578 |
Otherwise, let |gpc| be false. 579 |
Let |result| be a JSON [=Object=] with property "gpc" set to |gpc|.
580 |
Return [=success=] with data `null`. 581 |
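An added example, not the specification's or any WebDriver implementation's code: an in-memory remote end for the two extension commands above, including the invalid argument check on the `gpc` parameter. The session store, the HTTP status mapping and the {value: ...} response shape are assumptions following WebDriver's usual conventions, and the Get command returns the |result| object built by its steps as the response data.

```javascript
// Added example, not the specification's or any driver's code: an in-memory
// remote end for the two extension commands above. The session store, the
// HTTP status mapping and the {value: ...} body shape follow WebDriver's usual
// conventions; they are assumptions here, not text from this section.

const sessions = new Map(); // session id -> { gpc: boolean }

// Opens a session whose preference starts out unset (no do-not-sell-or-share
// interactions), so a GET before any POST reports false.
function openSession(sessionId) {
  sessions.set(sessionId, { gpc: false });
}

const HTTP_STATUS = {
  'invalid argument': 400,
  'invalid session id': 404,
  'unknown command': 404,
  'unknown method': 405,
};

function webDriverError(code, message) {
  return { status: HTTP_STATUS[code], body: { value: { error: code, message } } };
}

// POST /session/{session id}/privacy
function setGlobalPrivacyControl(sessionId, parameters) {
  const session = sessions.get(sessionId);
  if (!session) return webDriverError('invalid session id', 'no such session');
  // Remote end step: gpc undefined or not a boolean -> invalid argument.
  // typeof rejects "true", 1 and null as well as a missing property.
  const gpc = parameters ? parameters.gpc : undefined;
  if (typeof gpc !== 'boolean') {
    return webDriverError('invalid argument', 'gpc must be a boolean');
  }
  session.gpc = gpc; // the browser performs do-not-sell-or-share interactions iff true
  return { status: 200, body: { value: null } };
}

// GET /session/{session id}/privacy
// Returns the |result| object built by the steps above ({"gpc": gpc}) as the
// response data, which is what a client needs in order to read the preference back.
function getGlobalPrivacyControl(sessionId) {
  const session = sessions.get(sessionId);
  if (!session) return webDriverError('invalid session id', 'no such session');
  return { status: 200, body: { value: { gpc: session.gpc === true } } };
}

// Minimal router for the URI template /session/{session id}/privacy.
function handle(method, path, parameters) {
  const m = /^\/session\/([^/]+)\/privacy$/.exec(path);
  if (!m) return webDriverError('unknown command', `${method} ${path}`);
  if (method === 'POST') return setGlobalPrivacyControl(m[1], parameters);
  if (method === 'GET') return getGlobalPrivacyControl(m[1]);
  return webDriverError('unknown method', `${method} not allowed for ${path}`);
}
```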
588 | It is worth considering that a GPC signal will be attached to every HTTP request made to a 589 | given site. Rendering a page on the Web often requires making dozens of such requests. As such 590 | it can prove impractical for GPC signals to trigger full-blown opt-out procedures with 591 | costly audit trails for every single GPC interaction, as that would cause a large amount of 592 | processing, including for resources served from a content delivery network (CDN) that must 593 | be executed as efficiently as possible. 594 |
595 |596 | Regulations that intend to support GPC are encouraged to consider such implementation 597 | difficulties. One way of addressing them is to differentiate between user interface 598 | affordances given to people for the purpose of requesting a [=do-not-sell-or-share 599 | interaction=] [=preference=] to persist on the site, and the provision of a 600 | [=do-not-sell-or-share interaction=] signal the state of which is maintained with the 601 | user agent. In the latter case, the interaction can be processed as if the person had 602 | previously requested such a [=do-not-sell-or-share interaction=] [=preference=] and were 603 | interacting with that [=preference=] already active. 604 |
605 |