Replace "consent" with "do not sell/share with Third Parties"

[coolharsh55]

Hi. Cool project : )

The GPC spec at https://globalprivacycontrol.github.io/gpc-spec/ states that the signal (only) "conveys a person's request to websites and services to not sell or share their personal information with third parties". This means that GPC should not be used to indicate 'consent', but only to indicate that the person has expressed they do not want their data shared with third parties. Expressing GPC as a consent on/off toggle is extremely misleading what it intends IMHO.

On a similar note, GPC only defines an on/set set, i.e. it is unary. For consent, we need at least a binary set given/refused or a tertiary if we include withdrawal as a separate set in given/refused/withdrawn. This means GPC on its own cannot be used to check if consent was given.

https://github.com/kasnder/gpc_android/blob/8dbb714bdabe53619a3df02fa45ab74b3a292534/Test_App/app/src/main/java/net/kollnig/consent/gpc_android/test/MainActivity.java#L38

Because the wording here is consent, it means consent = true has specific legal meaning, which is not supported by the GPC implementation. Instead, it would be better to check GPCset = true which has a clear definition in the spec. And GPCset = false does not lead to any loopholes or unknown interpretations i.e. consent is no assumed to be true.

[kasnder]

Thanks for the comment! I guess EU and California would need different wording. I've updated the README.md now to make clear that this proof of concept was trying to investigate technical feasibility rather than the exact legal wording.

[coolharsh55]

Hi. Thanks, but IMHO, it is still insufficient. I understand you want to focus on the technical capabilities but the root of the issue is that GPC does not define anything regarding giving consent. So at most, the EU terminology would be consent withdrawal rather than consent permission.

OR your goal is to create an app that also expresses a preference (not consent) regarding tracking - which would mean you're implementing DNT rather than GPC.

If it will help, I can draft some text and create a PR to clarify the wording implications.

[coolharsh55]

Or, on further thoughts, your goal is to investigate how signals can be developed for Android? In which case, the goal is to figure out how to transmit information from one app to another, and what can be transferred and how much usefulness it can provide?

[kasnder]

Sure, that'd be great!!

[coolharsh55]

Sure, that'd be great!!

Okay, will send something tomorrow. But what's your goal here? I see three possible approachew from above.

[kasnder]

Okay, will send something tomorrow. But what's your goal here? I see three possible approachew from above.

Since this is a proof of concept, anything that makes the most convincing case around introducing GPC on mobile would probably be good. I guess this would mean to align it more with the unitary approach and the wording within the CCPA / CPRA.

[coolharsh55]

Thanks. I'll work with the GPC spec wording for both CCPA and GDPR and you can review.