explainer.md
10 additions & 17 deletions
@@ -7,9 +7,9 @@ Editors:
7
7
8
8
## 0. tl;dr
9
9
10
-
Global Privacy Control (GPC) is a proposed specification designed to allow Internet users to notify businesses of their preference to not have their personal information sold or shared, or used for targeted advertising. It consists of a setting or extension in the user’s browser that provides a mechanism that websites can use to indicate they support the specification.
10
+
Global Privacy Control (GPC) is a proposed specification designed to allow Internet users to notify businesses of their preference to not have their personal information sold or shared, or used for cross-context targeted advertising. It consists of a setting or extension in the user’s browser that provides a mechanism that websites can use to indicate they support the specification.
11
11
12
-
This Legal and Implementation Considerations Guide is designed to give an overview of how GPC operates as well a summary of the legal effects GPC may have in different jurisdictions. However, this document is for reference purposes only --- it does not constitute legal advice.
12
+
This Legal and Implementation Considerations Guide is designed to give an overview of how GPC operates as well as a summary of the legal effects GPC may have in different jurisdictions. However, this document is for reference purposes only --- it does not constitute legal advice.
13
13
14
14
-[1. Draft Specification](#1-draft-specification)
15
15
-[2. Background](#2-background)
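Review bot: in the tl;dr paragraph at line 10, the unchanged second sentence still says the browser setting or extension "provides a mechanism that websites can use to indicate they support the specification", which attributes the site-side mechanism to the user's browser. Since this paragraph is being edited anyway, consider separating the two parts: the setting or extension expresses the user's preference, and sites have their own mechanism to indicate support. The "as well as" correction at line 12 reads correctly.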
@@ -39,7 +39,7 @@ You can find the draft specification [here](https://github.com/privacycg/gpc-spe
39
39
40
40
## 2. Background
41
41
42
-
An increasing number of laws and regulatory environments require that sites respect people’s choices to not be tracked. While these laws describe privacy choices in different ways it is clear that they represent an interest in giving people the capability to exercise a right to privacy and that people have an interest in exercising that right.
42
+
An increasing number of laws and regulatory environments require that sites respect people’s choices to not be tracked across different contexts. While these laws describe privacy choices in different ways it is clear that they represent an interest in giving people the capability to exercise a right to privacy and that people have an interest in exercising that right.
43
43
44
44
Some laws establish a requirement for a universal control that can present this opt out request at a user-agent level automatically, making it easier for people to exercise their rights without negotiating a site-level user interface.
45
45
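Review bot: at line 42 the added qualifier gives "not be tracked across different contexts", while the tl;dr in this same commit uses "cross-context targeted advertising" and lists sale and sharing separately. "Tracked" is not defined anywhere in the visible text, so a reader cannot tell whether it is meant to cover all three. Suggest either reusing the tl;dr wording here or stating what "tracked" covers. The same sentence pair also needs a comma after "in different ways".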
@@ -50,7 +50,7 @@ The motivation of GPC is to:
50
50
1. Make it easy for people to clearly and unambiguously present their privacy preference to a website and the various technologies it may run.
51
51
2. Allow website developers to incorporate people’s privacy choices with as little delay and complexity as possible.
52
52
53
-
The specification also provides an option for sites to provide a GPC Support Resource that allows sites to state that they are aware of and support the GPC specification. Some laws or regulatory environments may require GPC compliance. The goal of the GPC Support Resource is to allow sites to demonstrate their support actively. This demonstration is useful to regulators, lawyers, and activists in determining the impact of people’s privacy choices as well as sites’ awareness. It is also useful in giving people a clear signal that their privacy choices are respected to the best of a site’s ability.
53
+
The specification also provides an option for sites to provide a GPC Support Resource that allows sites to state that they are aware of and support the GPC specification. Some laws or regulatory environments may require GPC compliance. The goal of the GPC Support Resource is to allow sites to assert their support actively. This demonstration is useful to regulators, lawyers, and activists in determining the impact of people’s privacy choices as well as sites’ awareness. It is also useful in giving people a clear signal that their privacy choices are respected to the best of a site’s ability.
54
54
55
55
## 3. Solution
56
56
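Review bot: line 53 changes "demonstrate their support actively" to "assert their support actively", but the next sentence still opens with "This demonstration is useful to regulators, lawyers, and activists", which now has no antecedent. Suggest changing it to "This assertion is useful to ..." so the two sentences agree, or reverting the verb if "demonstrate" was the intended claim.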
@@ -96,13 +96,13 @@ Sites may respect GPC without the GPC Support Resource. Sites that do not respec
96
96
97
97
## 4. Legal Effects
98
98
99
-
The specification is designed to express a generic preference to have their data not shared or sold, or used across different contexts for targeted advertising. The spec discusses a number of laws and regulations that may be implicated by declaring such a preference, though legal effects will ultimately be determined by local regulators. This list is intended to provide examples, not be complete. Website operators may also choose to respect GPC beyond the legal requirements.
99
+
Where laws arise to provide Internet privacy GPC intends to have a very specific privacy purpose. **It asks domains not to share or sell people’s personal data, or to use personal data across different contexts, using similar definitions to CCPA and other U.S. state privacy laws.** Other nationalities or regions may choose to incorporate the signal directly or may find user-agents using it. While the legal or regulatory requirements to respect GPC vary, people’s intent in exactly what they are requesting should be considered consistently.
100
100
101
-
There are situations where the design of GPC, by intent, matches specific legal or regulatory mechanisms. The intent is to connect GPC to specific laws and legally-understood requests by users to allow users to exercise privacy rights at scale.
101
+
GPC is not necessarily intended to invoke every new privacy right in every jurisdiction. For example, GPC is not intended to globally invoke data deletion rights on every website people visit. GPC is also not intended to limit a first party’s use of personal information within the first-party context (such as a publisher targeting ads to an individual on its website based on that individual’s previous activity on that same site). For that reason, GPC should not be interpreted as exercising the CCPA’s right to limit the use of sensitive information in a first-party context.
102
102
103
103
### 4.1 GPC in the US
104
104
105
-
Since 2018, at least nineteen states have passed comprehensive state privacy laws that include, among other rights, the right to opt out of the sale or sharing of personal information and/or the right to opt out of cross-context targeted advertising. Many of these laws explicitly state that consumers may exercise these rights through a universal signal, including a signal sent through a browser or operating system. At least two laws — those of California and Colorado — state that receipt of a Global Privacy Control signal is to be interpreted as a legally binding exercise of the opt-out right in that state.
105
+
Since 2018, at least nineteen states have passed comprehensive state privacy laws that include, among other rights, the right to opt out of the sale or sharing of personal information and/or the right to opt out of cross-context targeted advertising. Many of these laws explicitly state that consumers may exercise these rights through a universal signal, including a signal sent through a browser or operating system. At least four states have declared that receipt of a Global Privacy Control signal is to be interpreted as a legally binding exercise of the opt-out right in that state.
106
106
107
107
#### 4.1.1 The California Consumer Privacy Act
108
108
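Review bot: line 105 replaces "those of California and Colorado" with "At least four states have declared", and the states are no longer named, so the count cannot be checked against the subsections that follow. Suggest listing the four states or pointing to the subsections that cover them. Two smaller points in the new section intro at line 99: the replaced paragraph's caveats that "legal effects will ultimately be determined by local regulators" and that the list of laws is "not complete" are dropped without a replacement, and "Where laws arise to provide Internet privacy GPC intends" needs a comma after "privacy".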
@@ -133,9 +133,8 @@ In addition to California and Colorado, at least ten other states have passed co
133
133
However, they also differ in a number of key ways. As one example, states like Texas and Nebraska provide that specific global opt-out signals will be deemed valid if they are legally recognized in another state jurisdiction. Most of these states do not provide for rulemaking from the Attorney General to issue more clarity on the operation of the global opt-out provisions, though regulators may offer more informal guidance through FAQs (as California originally did) or may bring enforcement actions to clarify the boundaries of the law.
134
134
135
135
Two states --- [Connecticut](https://portal.ct.gov/ag/sections/privacy/the-connecticut-data-privacy-act) and
136
-
[New Jersey](https://www.njconsumeraffairs.gov/ocp/Pages/NJ-Data-Privacy-Law-FAQ.aspx) --- have issued FAQs explicity stating
137
-
that GPC should be treated as a univeral opt-out under their laws (New Jersey's universal opt-out provision goes into effect
138
-
on July 15, 2025).
136
+
[New Jersey](https://www.njconsumeraffairs.gov/ocp/Pages/NJ-Data-Privacy-Law-FAQ.aspx) --- have issued FAQs explicitly stating
137
+
that GPC should be treated as a universal opt-out under their laws.
139
138
140
139
#### 4.1.4 States that have privacy law that is silent on universal opt-out mechanisms
141
140
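Review bot: lines 136-137 drop the parenthetical giving the effective date of New Jersey's universal opt-out provision, so the sentence now states that both FAQs apply without any timing information. If the date is removed because it has passed, say so in the commit message; otherwise consider keeping it in past-tense form so readers can tell when the New Jersey obligation began. The spelling fixes ("explicitly", "universal") are correct.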
@@ -153,15 +152,9 @@ Mauritius, an African country, has the Data Protection Act (DPA). The DPA was in
153
152
154
153
The Privacy Commissioner of Bermuda has also [written](https://www.privacy.bm/post/global-privacy-control-interoperability-in-action) that GPC may ultimately be interpreted to exercise legal rights under its Personal Information and Privacy Act.
155
154
156
-
## 5. Additional Interpretation Options and Explanations
157
-
158
-
Where laws arise to provide Internet privacy GPC intends to have a very specific privacy purpose. **It asks domains not to share or sell people’s personal data, or to use personal data across different contexts, using similar definitions to CCPA and other U.S. state privacy laws.** Other nationalities or regions may choose to incorporate the signal directly or may find user-agents using it. While the legal or regulatory requirements to respect GPC vary, people’s intent in exactly what they are requesting should be considered consistently.
159
-
160
-
GPC is not necessarily intended to invoke every new privacy right in every jurisdiction. For example, GPC is not intended to globally invoke data deletion rights on every website people visit. GPC is also not intended to limit a first party’s use of personal information within the first-party context (such as a publisher targeting ads to an individual on its website based on that individual’s previous activity on that same site). For that reason, GPC should not be interpreted as exercising the CCPA’s right to limit the use of sensitive information in a first-party context.
161
-
162
155
## 6. User Experience Considerations and Recommendations
163
156
164
-
It is not considered standard for W3C specifications to present user interface recommendations or restrictions. User interfaces are the domain of user-agents who, being closest to the user, best understand how their users interpret and react to the underlying functionality. For GPC, some user-agents may present themselves as privacy-focused technology, in which case it may make sense for the signal to be defaulted to on at all times, which, for example, is supported in California and Colorado for privacy-focused technology. Some user-agents may be generic, with no expectation for people setting defaults. Some user-agents may present GPC in different formats and devices and necessitate unique user interface requirements.
157
+
It is not considered standard for W3C specifications to present user interface recommendations or restrictions. User interfaces are the domain of user-agents who, being closest to the user, best understand how their users interpret and react to the underlying functionality. For GPC, some user-agents may present themselves as privacy-focused technology, in which case it may make sense for the signal to be defaulted to on, which, for example, is supported in California and Colorado for privacy-focused technology. Some user-agents may be generic, with no expectation for people setting defaults. Some user-agents may present GPC in different formats and devices and necessitate unique user interface requirements.
165
158
166
159
This Guide presents examples of user-agent user interfaces for GPC as an aid to adopters who are interested in or required to implement GPC as to how it can be presented.
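Review bot: with section 5 deleted (old lines 156-160), the heading at new line 155 still reads "## 6. User Experience Considerations and Recommendations", so the numbering now jumps from 4 to 6. Suggest renumbering this heading and any later ones, and updating the table of contents near the top of the file, whose entries use numbered anchors such as "#2-background" and will break for any heading that is renumbered or removed.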