[low priority/informational] `usnat` and `usca` both have a field called SensitiveDataProcessing with overlapping "sub options", but some of the overlapping "sub options" are grouped differently

InteractiveAdvertisingBureau / Global-Privacy-Platform

IAB Tech Lab Global Privacy Platform specification

72 stars 36 forks source link

[low priority/informational] `usnat` and `usca` both have a field called SensitiveDataProcessing with overlapping "sub options", but some of the overlapping "sub options" are grouped differently #86

Open matt-martin opened 1 year ago

matt-martin commented 1 year ago

In the spec for the US National section, the SensitiveDataProcessing field has separate flags for:

(1) Consent to Process the Consumer’s Sensitive Data Consisting of Personal Data Revealing Racial or Ethnic Origin. ... (2) Consent to Process the Consumer’s Sensitive Data Consisting of Personal Data Revealing Religious or Philosophical Beliefs. ... (11) Consent to Process the Consumer’s Sensitive Data Consisting of Union Membership.

But in the spec for the California section, the SensitiveDataProcessing field combines all three of these into one:

(4) Opt-Out of the Use or Disclosure of the Consumer's Sensitive Personal Information Which Reveals a Consumer's Racial or Ethnic Origin, Religious or Philosophical Beliefs, or Union Membership.

It's not an issue for me personally (and maybe it isn't an issue for anybody else either), but I'm wondering why these are represented as three separate choices in usnat, but lumped together as one choice in theusca section?

matt-martin commented 1 year ago

Similarly confusing to me is the fact that the KnownChildSensitiveDataConsents field in the usnat section defines two flags:

(1) Consent to Process the Consumer’s Personal Data or Sensitive Data for Consumers from Age 13 to 16. ... (2) Consent to Process the Consumer’s Personal Data or Sensitive Data for Consumers Younger Than 13 Years of Age.

Whereas the field with the same name in the usca section defines two totally different flags:

(1) Consent to Sell the Personal Information of Consumers Less Than 16 years of Age ... (2) Consent to Share the Personal Information of Consumers Less Than 16 years of Age

It's entirely possible that I'm missing some obvious explanation for why these should be different, but at first glance these seem so different that I don't immediately know how to make sense of it. And more to the point, it makes me wonder if one (or both) are "incorrect" in some way I don't understand.

jaredmoscow commented 1 week ago

@matt-martin for SensitiveDataProcessing:

The usnat takes a highest bar approach across each state included in the GPP. Due to the definitions of individual state statutes, there is break out of the sensitive data categories/inputs.
In California, their structure matches the defintion in the state statute: https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.140. Cal Code defines the "(D) A consumer’s racial or ethnic origin, citizenship or immigration status, religious or philosophical beliefs, or union membership.", which is why the state section has this format specific for CA.

Similar application for the questions on known child sensitive data with the state vs. national section applicability.

HeinzBaumann commented 3 days ago

@lamrowena Perhaps something for your GPP working group to review.