From 7e8457df628da36986b4bb9ee27ea275850096df Mon Sep 17 00:00:00 2001
From: SebastianZimmeck <szimmeck@wesleyan.edu>
Date: Thu, 7 Mar 2024 17:50:59 -0500
Subject: [PATCH 1/2] Add section headers to identify laws and other editorial
 changes in this context

---
 index.html | 120 ++++++++++++++++++++++++++---------------------------
 1 file changed, 58 insertions(+), 62 deletions(-)

diff --git a/index.html b/index.html
index 2070180..6900e25 100644
--- a/index.html
+++ b/index.html
@@ -399,70 +399,66 @@ <h2>Legal Effects</h2>
         For example, the use of the GPC signal by an individual will be intended to communicate the
         individual's intention to invoke the following rights, as applicable:
       </p>
-      <ul>
-        <li>
-          <p>
-            Under the CCPA, the GPC signal will be intended to communicate a Do Not Sell request
-            from a global privacy control, as per [[?CCPA-REGULATIONS]] §999.315 for that browser or
-            device, or, if known, the consumer.
-          </p>
-          <p>
-            Where the GPC signal conflicts with the existing privacy settings a consumer has with
-            the business, the business shall respect the GPC signal but may notify the consumer of
-            the conflict and give the consumer an opportunity to confirm the business-specific
-            privacy setting or participation in the financial incentive program [[?CCPA-REGULATIONS]]
-            §999.315(c)(2).
-          </p>
-        </li>
-        <li>
-          The Colorado Privacy Act (CPA) gives consumers the legal right to opt out of both the sale
-          of their information as well as the use of their data for cross-site targeted advertising,
-          including through the use of “universal opt-out mechanisms that clearly communicate a
-          consumer’s affirmative, freely given, and unambiguous choice to opt out.” Under the CPA, the
-          GPC signal will be intended to communicate a request to opt out of both the sale of their
-          personal information and the use of their personal information for targeted advertising.
-        </li>
-        <li>
-          Similarly, the Connecticut Data Privacy Act (CDPA) gives consumers separate opt-out rights
-          for data sales and targeted advertising, including through an “authorized agent by way of,
-          among other things, a technology, including, but not limited to, an Internet link or a
-          browser setting, browser extension or global device setting.” Under the CDPA, the GPC signal
-          will be intended to communicate a request to opt out of both the sale of their personal
-          information and the use of their personal information for targeted advertising.
-        </li>
-      </ul>
+      <h3>Calfornia Consumer Privacy Act (CCPA)</h3>
       <p>
-        GPC could potentially be used to indicate rights in other jurisdictions as well. For example:
+        Under the CCPA, the GPC signal will be intended to communicate a Do Not Sell request
+        from a global privacy control, as per [[?CCPA-REGULATIONS]] §999.315 for that browser or
+        device, or, if known, the consumer.
+      </p>
+      <p>
+        Where the GPC signal conflicts with the existing privacy settings a consumer has with
+        the business, the business shall respect the GPC signal but may notify the consumer of
+        the conflict and give the consumer an opportunity to confirm the business-specific
+        privacy setting or participation in the financial incentive program [[?CCPA-REGULATIONS]]
+        §999.315(c)(2).
+      </p>
+      <h3>Colorado Privacy Act (CPA)</h3>
+      <p>
+        The CPA gives consumers the legal right to opt out of both the sale of their information 
+        as well as the use of their data for cross-site targeted advertising, including through 
+        the use of “universal opt-out mechanisms that clearly communicate a consumer’s affirmative, 
+        freely given, and unambiguous choice to opt out.” Under the CPA, the GPC signal will be 
+        intended to communicate a request to opt out of both the sale of their personal information
+        and the use of their personal information for targeted advertising.
+      </p>
+      <h3>Connecticut Data Privacy Act (CDPA)</h3>
+      <p>
+        Similarly, the CDPA gives consumers separate opt-out rights for data sales and targeted 
+        advertising, including through an “authorized agent by way of, among other things, a 
+        technology, including, but not limited to, an Internet link or a browser setting, browser 
+        extension or global device setting.” Under the CDPA, the GPC signal will be intended to 
+        communicate a request to opt out of both the sale of their personal information and the 
+        use of their personal information for targeted advertising.
+      </p>
+      <h3>Nevada Revised Statutes Chapter 603A (NRS 603A)</h3>
+      <p>
+        Under NRS 603A, a GPC signal will be intended to communicate a Do Not Sell My Personal
+        Information request [[?SB220]].
+      </p>
+      <h3>General Data Protection Regulation (GDPR)</h3>
+      <p>
+        The GDPR requires that "Natural persons should have control of their own personal data"
+        ([[?GDPR]], Recital 7). The GPC signal is intended to convey a general request that data
+        controllers limit the sale or sharing of the person's personal data to other data
+        controllers ([[?GDPR]] Articles 7 &amp; 21). This request is expressed with every
+        interaction that the user agent has with the server.
+      </p>
+      <p>
+        Note that this request is not meant to withdraw a person's consent to local storage as per
+        the ePrivacy Directive ("cookie consent") ([[?EPRIVACY-DIRECTIVE]]) nor is it intended to
+        object to direct marketing under legitimate interest ([[?GDPR]]).
+      </p>
+      <h3>Other Jurisdictions and Privacy Rights</h3>
+      <p>
+        GPC could potentially be used to indicate rights in other jurisdictions as well.
+      </p>
+      <p>
+        Other US state privacy laws, such as those in Virginia and Utah, give consumers new opt-out
+        rights around data sales and targeted advertising but are silent on the legal effect of
+        global opt-out signals. Regulators enforcing those statutes may determine that a user
+        activating a signal such as GPC may be sufficient to legally exercise opt-out rights in
+        those jurisdictions.
       </p>
-      <ul>
-        <li>
-          <p>
-            Under NRS 603A, a GPC signal will be intended to communicate a Do Not Sell My Personal
-            Information request [[?SB220]].
-          </p>
-        </li>
-        <li>
-          <p>
-            The GDPR requires that "Natural persons should have control of their own personal data"
-            ([[?GDPR]], Recital 7). The GPC signal is intended to convey a general request that data
-            controllers limit the sale or sharing of the person's personal data to other data
-            controllers ([[?GDPR]] Articles 7 &amp; 21). This request is expressed with every
-            interaction that the user agent has with the server.
-          </p>
-          <p>
-            Note that this request is not meant to withdraw a person's consent to local storage as per
-            the ePrivacy Directive ("cookie consent") ([[?EPRIVACY-DIRECTIVE]]) nor is it intended to
-            object to direct marketing under legitimate interest ([[?GDPR]]).
-          </p>
-        </li>
-        <li>
-          Other state privacy laws, such as those in Virginia and Utah, give consumers new opt-out
-          rights around data sales and targeted advertising but are silent on the legal effect of
-          global opt-out signals. Regulators enforcing those statutes may determine that a user
-          activating a signal such as GPC may be sufficient to legally exercise opt-out rights in
-          those jurisdictions.
-        </li>
-      </ul>
       <p>
         However, GPC is not necessarily intended to invoke every new privacy right in every
         jurisdiction. For example, GPC is not intended to globally invoke data deletion rights on

From 862a36ed48ccc0c27a1bb05730744facd09d3268 Mon Sep 17 00:00:00 2001
From: SebastianZimmeck <szimmeck@wesleyan.edu>
Date: Thu, 14 Mar 2024 14:33:47 -0400
Subject: [PATCH 2/2] Clarify that GDPR is an EU law in the heading (issue #69)

---
 index.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/index.html b/index.html
index 6900e25..3fa9595 100644
--- a/index.html
+++ b/index.html
@@ -435,7 +435,7 @@ <h3>Nevada Revised Statutes Chapter 603A (NRS 603A)</h3>
         Under NRS 603A, a GPC signal will be intended to communicate a Do Not Sell My Personal
         Information request [[?SB220]].
       </p>
-      <h3>General Data Protection Regulation (GDPR)</h3>
+      <h3>EU General Data Protection Regulation (GDPR)</h3>
       <p>
         The GDPR requires that "Natural persons should have control of their own personal data"
         ([[?GDPR]], Recital 7). The GPC signal is intended to convey a general request that data