Prefer "No Consent"/"Consent" to "Opted Out"/"Did Not Opt Out"? #95

Open
matt-martin opened this issue Sep 1, 2023 · 2 comments

Comments

@matt-martin

matt-martin commented Sep 1, 2023

In the specification, some fields define choices as:

0 Not Applicable

1 Opted Out

2 Did Not Opt Out

And in other places, the choices are defined as:

0 Not Applicable

1 No Consent

2 Consent 

The descriptions, "Opted Out" and "Did Not Opt Out", seem to make unnecessary assumptions about how the user expressed their consent or lack thereof (i.e. it seems to assume that the users are opted in by default and must explicitly opt out). This can get a bit confusing if another state passes a law in the future where this field is also applicable but all users are set to "No Consent" by default. Somebody casually reading through the spec may not realize that "Opted Out" is actually equivalent to "No Consent". I may be splitting hairs here, but it seems like it would be more consistent and less error-prone to always refer to "Consent"/"No Consent".

@jaredmoscow
Collaborator

@matt-martin Thanks for raising this.

For the state sections of GPP, the terminology is derived directly from the relevant state statutes, which are also referenced in each spec. For example, in the California section, terms in the ‘description’ field that are capitalized align with defined terms in Cal. Civ. Code 1798.140.

Sticking with California, the descriptions "Opted Out" and "Did Not Opt Out" are intentionally used to align with CCPA/CPRA, which is an opt-out privacy regime. This means that, by default, data processing is allowed unless the consumer explicitly opts out (except in specific cases, such as minors or sensitive data under CPRA).

On the other hand, "Consent/No Consent" language makes sense in jurisdictions with opt-in frameworks (such as GDPR), where data processing requires affirmative consent by default. The variation in terminology reflects these different legal jurisdictions and their regulations.

@matt-martin
Author

matt-martin commented Feb 20, 2025

Thanks for the reply @jaredmoscow. I guess I don't understand how the distinction matters for the consumer of this data. Isn't the ultimate use of all this data to determine what is allowed or not allowed for a user (and not whether that user lives in an opt-out or opt-in state)? If, hypothetically, a new state passes a law that's exactly the same as some other state, but with opt-in instead of opt-out, would a new section be required? From a purely technical perspective, maintaining this distinction seems unnecessarily complex.
