Is the user's request actually "except as permitted by law"? #92

Open
jyasskin opened this issue Jan 16, 2025 · 7 comments

Comments

@jyasskin
Member

https://w3c.github.io/gpc/#dfn-do-not-sell-or-share-interaction has

A do-not-sell-or-share interaction is an interaction with a website in which the person is requesting that their data not be sold to or shared with any party other than the one the person intends to interact with, or to have their data used for cross-site ad targeting, except as permitted by law.

I think the person is just requesting that their data not be sold, etc., and probably wants to make that request whether or not it's legally binding.

The exception would also make the legal situation circular if law were governed by formal logic: if you assume that sharing is permitted by law, then the user isn't requesting it not be shared, so it's still permitted; and if you assume the opposite, you get that it's not permitted.

@coolharsh55

I think the likely intention of this statement could be to say the signal asks to stop all selling/sharing of data, except one where the org is legally obliged to do so. The phrasing to clarify this should be:

A do-not-sell-or-share interaction is an interaction with a website in which the person is requesting that their data not be sold to or shared with any party other than the one the person intends to interact with, or to have their data used for cross-site ad targeting, except as permitted where required as an obligation by law.

@jyasskin
Member Author

Saying "except when it's illegal to comply with the request" avoids causing logical problems, but it's still unnecessary words: this is just a request, so we wouldn't expect the target to comply in illegal cases. If there are cases where making the request itself is illegal, we might need to say something, but otherwise I'd just avoid mentioning the law in this definition.

@coolharsh55

I think it's useful to have this be part of the spec itself to avoid situations where someone may claim they cannot support gpc because there's a specific edge case where they are required to do stuff by law (they may have other cases where it's not legally required and gpc would be useful). The statement prevents this "loophole" by making it explicit that gpc isn't intended to interfere with legal obligations, so there's no excuse to not use it.

@mnot
Member

mnot commented Jan 21, 2025

@jyasskin I share your unease about the phrasing here, but we shouldn't guess at its legal effect -- that's likely to be as successful as it is when policymakers guess as to what the best technical solution to a problem is.

@bvandersloot-mozilla
Contributor

bvandersloot-mozilla commented Jan 21, 2025

Stepping back from circular logic concerns and how legal systems deal with that, this is a nice clarification on the semantics of the header. Perhaps an expansion over the current written text, but I would argue one that makes sense here.

@j-br0
Contributor

j-br0 commented Jan 24, 2025

I agree that GPC should be interpreted as a general preference not to have data shared or used for cross-context purposes --- I think we should just delete "except as permitted by law."

@coolharsh55

Or, separate that into different sentences. E.g.

A do-not-sell-or-share interaction is an interaction with a website in which the person is requesting that their data not be sold to or shared with any party other than the one the person intends to interact with, or to have their data used for cross-site ad targeting. By supporting GPC, the recipient site respects and fulfils this request, except where it may conflict with legal obligations (i.e. GPC is not intended to override any legal requirement).


5 participants