Give UAs more help in establishing user intent

[jyasskin]

https://privacycg.github.io/gpc-spec/#user-interface-language currently says

User agents are expected, where required, to present all the appropriate notices to people to ensure that the rights they wish to avail themselves of are effectively binding.

As discussed when we talked about adopting GPC into the Privacy CG, UAs aren't sure how to do this so that the header stays legally enforceable and has the intended effect across many jurisdictions. UAs also want to make it clear to users what happens when they turn on the header, and we need guidance about how that depends on where the user is, where the target site is based, the user's history of moving around, etc.

As far as I can tell, none of the existing implementations at https://globalprivacycontrol.org/#download have tackled this problem. I believe all of them except for Firefox turn the setting on by default, on the assumption that users are installing them because they want to turn on every privacy setting that exists. Firefox does it through about:config instead of through general-purpose UI.

Although browsers are usually opposed to standardizing UI, I think the legal implications of this one will make us more amenable to at least getting some hints in this case. I would actually lean toward standardizing the exact string, in one or more languages, that invokes particular rights within particular laws, but others might prefer just having some examples.

[bvandersloot-mozilla]

I agree that setting a norm for a string, if not a requirement, would be useful given the legal implications.

I am working internally in Firefox to get language set now. One idea we have had that I am partial to is "Tell websites not to sell or share my data" with a link to learn more.

[arichiv]

"Tell websites not to sell or share my data" might be tailored to the scope of opt-outs for some laws, but not others that have broader opt-outs, for example. If the GPC field sticks to a boolean value, the language might need to clarify other ways it could be interpreted (in addition to the ‘learn more’ link with more complete information). We flag these questions to consider, as many actors in the ecosystem will be required to figure out how to parse and respond to these signals.

[j-br0]

I submitted PR #57 to try to provide more information about existing legal guidance on UI requirements. I do not think it is practical to get browsers to agree on specific disclosures since at least some user agents have stated an intent to continue to turn GPC on by default (which is allowable under certain conditions under at least both California and Colorado regulations). And even if W3C were to agree on consensus language, there is no certainty that regulators (who have the final say in their jurisdictions) would agree with our interpretation of what is or is not legally required. I think it is unlikely that regulators are going to require or even bless specific language formulations, though if any do we should certainly update our documentation to reflect that.

Because legal guidance will continue to evolve, I agree with the proposal from @AramZS to set up an explainer document with more detail about legal requirements that can be updated more regularly than this spec (see Issue #56).

[SebastianZimmeck]

We have a paper at the Privacy Enhancing Technologies Symposium next year that may be relevant,
Generalizable Active Privacy Choice: Designing a Graphical User Interface for Global Privacy Control.

The question we address is how GPC can be integrated into the browser without default settings, compliant with the law, and in a usable way. The main idea is to generalize settings, e.g., apply the GPC opt out on site towards all future sites people visit.

[AramZS]

@jyasskin Does the latest state of the explainer satisfy your questions here enough that we can close the issue?

[jyasskin]

Looking at https://github.com/privacycg/gpc-spec/blob/main/explainer.md#6-user-experience-considerations-and-recommendations, I don't see clear answers to the questions in my original post.

As discussed when we talked about adopting GPC into the Privacy CG, UAs aren't sure how to do this so that the header stays legally enforceable and has the intended effect across many jurisdictions. UAs also want to make it clear to users what happens when they turn on the header, and we need guidance about how that depends on where the user is, where the target site is based, the user's history of moving around, etc.

For example, if Chrome were to start sending the header by default, with no indication from the user that they intended to opt out of sale/sharing, would that remove sites' obligations in some jurisdictions to respect the header when it came from Chrome? And so is it something that the specification or explainer should tell Chrome not to do?

I also don't see anything in the explainer yet that covers the concern about how we make the effects clear to users. I see the link to Robin's speculation about the effects under the GDPR, but our legal folks aren't convinced he's right. This might be a task to leave to the WG.

[SebastianZimmeck]

I see the link to Robin's speculation about the effects under the GDPR, but our legal folks aren't convinced he's right.

I'd say @darobin's point is a bit more than speculation. Notably, the Landgericht Berlin required LinkedIn to honor DNT signals based on GDPR, Article 21(5) (in German).