From 7e8457df628da36986b4bb9ee27ea275850096df Mon Sep 17 00:00:00 2001
From: SebastianZimmeck Legal Effects
For example, the use of the GPC signal by an individual will be intended to communicate the
individual's intention to invoke the following rights, as applicable:
- Under the CCPA, the GPC signal will be intended to communicate a Do Not Sell request - from a global privacy control, as per [[?CCPA-REGULATIONS]] §999.315 for that browser or - device, or, if known, the consumer. -
-- Where the GPC signal conflicts with the existing privacy settings a consumer has with - the business, the business shall respect the GPC signal but may notify the consumer of - the conflict and give the consumer an opportunity to confirm the business-specific - privacy setting or participation in the financial incentive program [[?CCPA-REGULATIONS]] - §999.315(c)(2). -
-- GPC could potentially be used to indicate rights in other jurisdictions as well. For example: + Under the CCPA, the GPC signal will be intended to communicate a Do Not Sell request + from a global privacy control, as per [[?CCPA-REGULATIONS]] §999.315 for that browser or + device, or, if known, the consumer. +
++ Where the GPC signal conflicts with the existing privacy settings a consumer has with + the business, the business shall respect the GPC signal but may notify the consumer of + the conflict and give the consumer an opportunity to confirm the business-specific + privacy setting or participation in the financial incentive program [[?CCPA-REGULATIONS]] + §999.315(c)(2). +
++ The CPA gives consumers the legal right to opt out of both the sale of their information + as well as the use of their data for cross-site targeted advertising, including through + the use of “universal opt-out mechanisms that clearly communicate a consumer’s affirmative, + freely given, and unambiguous choice to opt out.” Under the CPA, the GPC signal will be + intended to communicate a request to opt out of both the sale of their personal information + and the use of their personal information for targeted advertising. +
++ Similarly, the CDPA gives consumers separate opt-out rights for data sales and targeted + advertising, including through an “authorized agent by way of, among other things, a + technology, including, but not limited to, an Internet link or a browser setting, browser + extension or global device setting.” Under the CDPA, the GPC signal will be intended to + communicate a request to opt out of both the sale of their personal information and the + use of their personal information for targeted advertising. +
++ Under NRS 603A, a GPC signal will be intended to communicate a Do Not Sell My Personal + Information request [[?SB220]]. +
++ The GDPR requires that "Natural persons should have control of their own personal data" + ([[?GDPR]], Recital 7). The GPC signal is intended to convey a general request that data + controllers limit the sale or sharing of the person's personal data to other data + controllers ([[?GDPR]] Articles 7 & 21). This request is expressed with every + interaction that the user agent has with the server. +
++ Note that this request is not meant to withdraw a person's consent to local storage as per + the ePrivacy Directive ("cookie consent") ([[?EPRIVACY-DIRECTIVE]]) nor is it intended to + object to direct marketing under legitimate interest ([[?GDPR]]). +
++ GPC could potentially be used to indicate rights in other jurisdictions as well. +
++ Other US state privacy laws, such as those in Virginia and Utah, give consumers new opt-out + rights around data sales and targeted advertising but are silent on the legal effect of + global opt-out signals. Regulators enforcing those statutes may determine that a user + activating a signal such as GPC may be sufficient to legally exercise opt-out rights in + those jurisdictions.
-- Under NRS 603A, a GPC signal will be intended to communicate a Do Not Sell My Personal - Information request [[?SB220]]. -
-- The GDPR requires that "Natural persons should have control of their own personal data" - ([[?GDPR]], Recital 7). The GPC signal is intended to convey a general request that data - controllers limit the sale or sharing of the person's personal data to other data - controllers ([[?GDPR]] Articles 7 & 21). This request is expressed with every - interaction that the user agent has with the server. -
-- Note that this request is not meant to withdraw a person's consent to local storage as per - the ePrivacy Directive ("cookie consent") ([[?EPRIVACY-DIRECTIVE]]) nor is it intended to - object to direct marketing under legitimate interest ([[?GDPR]]). -
-
However, GPC is not necessarily intended to invoke every new privacy right in every
jurisdiction. For example, GPC is not intended to globally invoke data deletion rights on
From 862a36ed48ccc0c27a1bb05730744facd09d3268 Mon Sep 17 00:00:00 2001
From: SebastianZimmeck Nevada Revised Statutes Chapter 603A (NRS 603A)
Under NRS 603A, a GPC signal will be intended to communicate a Do Not Sell My Personal
Information request [[?SB220]].
The GDPR requires that "Natural persons should have control of their own personal data" ([[?GDPR]], Recital 7). The GPC signal is intended to convey a general request that data