privacycg / gpc-spec

Global Privacy Control Specification
https://privacycg.github.io/gpc-spec/

DPA is Mauritius Data Protection Act which includes section 23 & 24 #68

Closed loganaden closed 6 months ago

loganaden commented 8 months ago

and includes provisions for signaling consent.

AramZS commented 7 months ago

Hi, after some review, we're concerned about the future of adding more laws into the body of the spec. Changes, once this spec continues along the document lifecycle, will enter a longer timeline of review and feedback, and we want the rapidly changing landscape of privacy to be quickly reflected to people who want to understand GPC. Since there are likely a lot of new privacy laws that are applicable coming in the future, we think the best place for them is in the explainer.

Would it be possible for you to put it into the explainer instead? https://github.com/privacycg/gpc-spec/blob/main/explainer.md or we can work on transforming it into there in this PR. Also, if you have any supporting documents or formal legal text that refers to privacy signals or GPC in particular, it would be useful to have it in the docs folder of this repository.

Thanks greatly for this contribution @loganaden - let us know what the best approach is to get it incorporated into the explainer!

martinthomson commented 7 months ago

On the general point of where to capture information about implementation in law, perhaps a separate document (or wiki page, if you were willing to tempt fate) is better. The section on laws is already fairly unwieldy and distracting. A separate document might lend itself to more structure, without distracting from the central message in the explainer.

jyasskin commented 7 months ago

Wherever this winds up, someone should check that the cited sections of the law actually address the effect of a GPC request. The text mentions Articles 23 and 24. Article 23 is

a controller shall not collect personal data unless (a) it is done for a lawful purpose connected with a function or activity of the controller; and (b) the collection of the data is necessary for that purpose.

(not about opt-outs)

the controller shall, at the time of collecting the personal data, ensure that the data subject concerned is informed of ...

(not about opt-outs)

Article 24 is

(1) The controller shall bear the burden of proof for establishing a data subject’s consent to the processing of his personal data for a specified purpose. (2) The data subject shall have the right to withdraw his consent at any time.

This is closer to being about opt-outs, but it doesn't say that a globally-configured opt-out wins over a direct consent to a specific sharing request on a specific site. Without that statement, a controller can pretty easily prove that the data subject consented to their particular processing even if they told their browser to object in general. ("We saw a Sec-GPC: 1 header, and then we asked if they wanted to override that for our site, and they said yes, and they never clicked this other button on our site withdrawing that consent.") At best, this winds up saying that if the user turns on GPC after some sites had gotten consent, those sites need to re-request consent. (Yay, more consent banners.)

I did snip some other bits of both articles that seemed unrelated to GPC, but if I snipped a critical one incorrectly, please paste it in here.
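As an added illustration of the scenario in the comment above (this is example code, not code from the gpc-spec project or any of the commenters), the following resolver shows the three readings of Article 24 that are in play when a request carries Sec-GPC: 1 and the controller also holds a site-specific consent record. Assumed for the example: a Node-style header object with lowercased field names, a constructed consent-record shape with grantedAt and withdrawnAt timestamps, and a gpcFirstSeenAt value meaning "when this site first observed the signal from this user" (the site cannot know when the browser setting was actually turned on). The precedence rule is deliberately a parameter, because the cited articles do not settle it.

```javascript
// Added example (not code from the gpc-spec project): a server-side resolver for the
// situation described in the comment above, where a request carries "Sec-GPC: 1" but
// the controller also holds a site-specific consent record for the same user.

// Which signal wins is a policy question the cited articles do not settle, so the
// precedence rule is an explicit parameter rather than something baked in.
const POLICY = Object.freeze({
  GLOBAL_WINS: 'global-wins',                         // Sec-GPC overrides any stored site consent
  SITE_CONSENT_WINS: 'site-consent-wins',             // an unwithdrawn site consent overrides Sec-GPC
  RECONSENT_ON_NEW_SIGNAL: 'reconsent-on-new-signal', // consent older than the signal must be re-asked
});

// Parse the Sec-GPC request header. The only value the spec defines is the string "1";
// this example treats any other value (absent, "0", "true", "1 " with whitespace) as no signal.
// Assumes a Node-style header object with lowercased field names.
function parseSecGpc(headers) {
  return headers['sec-gpc'] === '1';
}

// A consent record as this example models it (constructed shape, not from the spec):
//   { grantedAt: <epoch ms>, withdrawnAt: <epoch ms> | null }
function hasLiveConsent(consent) {
  return consent != null && Number.isFinite(consent.grantedAt) && consent.withdrawnAt == null;
}

// Decide whether the controller may rely on the stored consent for this request.
// gpcFirstSeenAt is an assumption: the site cannot know when the user enabled GPC in the
// browser, only when it first observed Sec-GPC: 1 from this user, so that is what is recorded.
function canRelyOnConsent({ headers, consent, policy, gpcFirstSeenAt = null }) {
  const gpc = parseSecGpc(headers);
  if (!hasLiveConsent(consent)) {
    return { rely: false, reason: 'no-unwithdrawn-consent' };
  }
  if (!gpc) {
    return { rely: true, reason: 'consent-on-record-no-gpc' };
  }
  switch (policy) {
    case POLICY.GLOBAL_WINS:
      return { rely: false, reason: 'gpc-overrides-site-consent' };
    case POLICY.SITE_CONSENT_WINS:
      // The reading the comment warns about: "we saw Sec-GPC: 1, asked, and they said yes."
      return { rely: true, reason: 'site-consent-overrides-gpc' };
    case POLICY.RECONSENT_ON_NEW_SIGNAL:
      // Consent granted before the global signal appeared is treated as stale and must be
      // re-requested; consent granted after it (the user overrode GPC for this site) stands.
      if (gpcFirstSeenAt != null && consent.grantedAt < gpcFirstSeenAt) {
        return { rely: false, reason: 'reconsent-required' };
      }
      return { rely: true, reason: 'site-consent-postdates-gpc' };
    default:
      throw new Error(`unknown policy: ${policy}`);
  }
}

// Constructed sample: consent collected at t=100, GPC first seen from this user at t=200.
const sample = {
  headers: { 'sec-gpc': '1', 'user-agent': 'example' },
  consent: { grantedAt: 100, withdrawnAt: null },
  gpcFirstSeenAt: 200,
};
for (const policy of Object.values(POLICY)) {
  console.log(policy, canRelyOnConsent({ ...sample, policy }));
}
```

Two details matter in practice: the header check is an exact string comparison, since a lenient parser that accepts "true" or "1 " would invent a signal the browser never sent; and the only thing that stops the "they said yes on our site" argument is a rule, recorded with timestamps, about which of the two signals takes precedence.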

loganaden commented 7 months ago

I'll rework it for the explainer instead.

SebastianZimmeck commented 6 months ago

> I'll rework it for the explainer instead.

Great, @loganaden! Here is the explainer that we are currently revising and in which we can include your language.

loganaden commented 6 months ago

@SebastianZimmeck I created a different PR: https://github.com/privacycg/gpc-spec/pull/71

SebastianZimmeck commented 6 months ago

I am closing this PR as it is superseded by #71.

@jyasskin, if you would like to continue discussing your point above, please feel free to open a new issue or comment on an existing issue if you think your point fits there.