Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Clarify relationship to Global Privacy Control (GPC) in Centralized Consent API explainer #51

Open
SebastianZimmeck opened this issue Nov 14, 2020 · 2 comments
Open

Clarify relationship to Global Privacy Control (GPC) in Centralized Consent API explainer #51

SebastianZimmeck opened this issue Nov 14, 2020 · 2 comments
Assignees
@hober
Labels
consent api

Comments

@SebastianZimmeck
Copy link

SebastianZimmeck commented Nov 14, 2020
edited

Currently, the Centralized Consent API explainer reads:

GPC actively pushes the Sec-GPC value to all sites via HTTP header

While GPC can be applied to send signals to all sites users visit, they can select only individual sites as well. Also, in addition to the header, GPC defines a DOM property that can be used to indicate GPC preferences as well.

I am also not 100% sure if the following is really a difference as described in the Centralized Consent API explainer

The Centralized Consent API avoids adding a global fingerprinting bit by making per-site and global preferences indistinguishable

There should be only minor changes to clarify the relationship a bit. I can open a PR accordingly, but if anyone wants to weigh in ... .

(cc'ing GPC draft spec fellow co-authors @darobin, @asoltani, @dharb, @pes10k)
@SebastianZimmeck SebastianZimmeck added the text tracks TextTrackCue enhancements for programmatic subtitle and caption presentation label Nov 14, 2020
@pes10k
Copy link

pes10k commented Nov 17, 2020

Just to follow up on what @SebastianZimmeck is saying, theres nothing in the GPC spec requiring an implementation to have the same setting for all origins (or even to all parties on the page, an implementor could send a different signal to the 1p than to each different 3p, etc).

@SebastianZimmeck
Copy link
Author

My suggestion for the paragraph on the relationship between the Centralized Consent API and GPC would be:

Global Privacy Control (GPC) is a proposal to standardize 'Do Not Sell' and similar signals. This work has some overlap with our purpose, but differs in the following way.

  • GPC actively pushes the Sec-GPC value to a site via an HTTP header or a DOM property. It may be subject to legal enforcement under the CCPA, GDPR, and other laws. By contrast, the Centralized Consent API will rely on a site's incentive to create a better user experience and have more persistent storage for consent data. Though, just as GPC, it may use legal enforcement if applicable once a site obtains a user's preference.

The following could go under Make per-site and global preferences indistinguishable as I am not sure that there is a difference in terms of fingerprinting risks.

The Centralized Consent API avoids adding a global fingerprinting bit by making per-site and global preferences indistinguishable, and mitigates fingerprinting risks further by only revealing a user's preference in a first-party context with user interaction.

I am happy to discuss further or, given access, open a PR with the above changes.

@hober hober added consent api and removed text tracks TextTrackCue enhancements for programmatic subtitle and caption presentation labels Dec 11, 2020
@hober hober self-assigned this Aug 31, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@hober hober

Labels
consent api
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@hober @pes10k @eric-carlson @SebastianZimmeck