66 changes: 39 additions & 27 deletions index.html
Expand Up @@ -7,7 +7,6 @@
<script class="remove">
var respecConfig = {
specStatus: 'ED',
xref: ['html'],
editors: [
{
name: 'Sebastian Zimmeck',
Expand Down Expand Up @@ -40,8 +39,8 @@
formerEditors: [
{
name: 'Robin Berjon',
company: 'Protocol Labs',
companyURL: 'https://protocol.ai/',
company: 'Supramundane Agency',
companyURL: 'https://supramundane.agency/',
url: 'https://berjon.com/',
note: 'The New York Times until Sep 2022',
w3cid: 34327,
Expand All @@ -62,7 +61,7 @@
shortName: 'gpc',
group: "wg/privacy",
github: 'w3c/gpc',
xref: ['html', 'webdriver'],
xref: ['html', 'webdriver', 'privacy-principles'],
localBiblio: {
'CCPA-AG-FINAL-STATEMENT': {
title: 'California Attorney General CCPA Final Statement of Reasons',
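Review bot: With 'privacy-principles' now listed in `xref`, the definition links added later in this file could use the `[=term=]` shorthand, as the new `[=right to withdraw consent=]` text does, instead of hardcoded `<a data-link-type="dfn" href="https://www.w3.org/TR/privacy-principles/#dfn-…">` anchors. Hardcoded fragments such as `#dfn-first-party-0` are not resolved through xref and can go stale without any build error if the target document renames an id. Suggest choosing one linking style for the whole PR.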
Expand Down Expand Up @@ -113,22 +112,22 @@ <h2>Introduction</h2>
the one with which a person choses to interact. This result is a consequence of the
increasing complexity of Web technology and of the division of labor between different
services. While this architecture can be used in the service of better Web experiences,
it can also be abused to violate privacy ([[?privacy-principles]]). While data can be shared
with service providers for limited operational purposes, it can also be shared or used for
it can also be abused to violate <a data-link-type="dfn" href="https://www.w3.org/TR/privacy-principles/#dfn-privacy">privacy</a> ([[?privacy-principles]]). While data can be shared
with <a data-link-type="dfn" href="https://www.w3.org/TR/privacy-principles/#dfn-data-processor">service providers</a> for limited operational purposes, it can also be shared or used for
behavioral targeting in ways that many users find objectionable.
</p>
<p>
Several different legal frameworks have been proposed or enacted by jurisdictions around
the world to address this concern. Some models rely upon user consent for tracking. Other
models based on the principle of data minimization simply prohibit certain data sharing or
models based on the principle of data minimization simply prohibit certain data sharing or
data processing entirely.
</p>
<p>
Some laws and proposals grant users the right to request that their privacy be
protected, including "opt out" requests that their data not be sold or shared beyond the
protected, including "<a data-link-type="dfn" href="https://www.w3.org/TR/privacy-principles/#dfn-opt-out">opt out</a>" requests that their data not be sold or shared beyond the
business with which they intend to interact. Requiring that people manually express their
rights for each and every site they visit is, however, impractical, and an imposition of
"privacy labor" on people ([[?privacy-principles]]).
rights for each and every site they visit is, however, impractical, and an imposition of
"<a data-link-type="dfn" href="https://www.w3.org/TR/privacy-principles/#dfn-labor">privacy labor</a>" on people ([[?privacy-principles]]).
</p>
<p>
This specification is designed for this last category of laws and addresses the problem of the
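Review bot: In the first Introduction paragraph, the link text "service providers" points at `#dfn-data-processor`, so the reader clicks one term and lands on a definition with a different name. Confirm that the target definition lists "service provider" as a synonym, or link wording that matches it. Separately, the lines "models based on the principle of data minimization simply prohibit certain data sharing or" and "rights for each and every site they visit is, however, impractical, and an imposition of" are replaced by lines that read identically, which looks like whitespace-only churn; leaving them out would keep the diff to the link additions.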
Expand All @@ -137,7 +136,7 @@ <h2>Introduction</h2>
or the DOM, a person's assertion of their applicable rights to prevent the sale of their data,
the sharing of their data with third parties, and the use of their data for cross-context targeted
advertising. This signal allows users to take advantage of specific provisions in some of these
opt-out based laws, such as, for example, the provisions relating to "opt out preferences
<a data-link-type="dfn" href="https://www.w3.org/TR/privacy-principles/#dfn-global-opt-out">global opt-out</a> based laws, such as, for example, the provisions relating to "opt out preferences
signals" in the California Consumer Privacy Act to stop the sale of sharing of personal information,
[[?CCPA-REGULATIONS]], or similar provisions for "universal opt-out mechanisms" in laws in Colorado
and other states to allow users to opt out of the sale of their information or its use for
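Review bot: The replacement line changes the wording from "opt-out based laws" to "global opt-out based laws", not only the markup. "Some of these" refers back to the laws described earlier in the Introduction, where the text speaks of "opt out" requests, so adding "global" changes what the sentence says. If only a link is intended, keep the original words and link "opt-out"; if the new wording is intended, say so in the PR description.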
Expand All @@ -147,7 +146,9 @@ <h2>Introduction</h2>
The specification should not be interpreted as an endorsement of the opt-out model of
regulation — or of cross-context tracking more broadly — or a rejecion of other models based on
consent or data minimization. It is instead designed to make it possible to exercise the affirmative rights
granted to users in certain jurisdictions.
granted to users in certain jurisdictions and intended to work with different legal architectures,
including those that support a [=right to withdraw consent=] or [=right to object=] to data
processing.
</p>
</section>
<section>
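Review bot: The sentence ending "granted to users in certain jurisdictions" gains a clause saying the spec is "intended to work with different legal architectures, including those that support a [=right to withdraw consent=] or [=right to object=]". That is a new statement of scope rather than a link, and it deserves review on its own. Also check that both `[=...=]` terms resolve through the `privacy-principles` xref, since they are the only added links in the visible hunks that rely on it. The typo "rejecion" in the context line just above could be fixed while this paragraph is being edited.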
Expand All @@ -156,7 +157,12 @@ <h2>Definitions</h2>
A <dfn>do-not-sell-or-share interaction</dfn> is an interaction with a website in which the
person is requesting that their data not be sold to or shared with any party other than the
one the person intends to interact with, or to have their data used for cross-context ad targeting,
except as permitted by law.
except as permitted by law. In terms of the W3C's [[[privacy-principles]]], the person is at least
requesting that there be only one <a data-link-type="dfn" href="https://www.w3.org/TR/privacy-principles/#dfn-data-controller">data controller</a>
and that the data not be used for ad targeting in another
<a data-link-type="dfn" href="https://www.w3.org/TR/privacy-principles/#dfn-context">context</a>, even if
that <a data-link-type="dfn" href="https://www.w3.org/TR/privacy-principles/#dfn-context">context</a> is owned by
the same business.
</p>
<p>
A <dfn data-lt="preference">do-not-sell-or-share preference</dfn> is when a person requests
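Review bot: The sentence added after "except as permitted by law." restates the definition of a do-not-sell-or-share interaction in privacy-principles terms and introduces "only one data controller" and "even if that context is owned by the same business", neither of which the original wording spells out. Because this `<dfn>` is what the rest of the specification builds on, treat this as a definition change and review it as such, not as part of a linking pass.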
Expand All @@ -182,7 +188,7 @@ <h3>Expression Format</h3>
<p>
In the absence of regulatory, legal, or other requirements, websites MAY interpret an
expressed Global Privacy Control [=preference=] as they find most appropriate for the given
person, particularly as considered in light of the person's privacy expectations, context, and
person, particularly as considered in light of the person's privacy expectations, <a data-link-type="dfn" href="https://www.w3.org/TR/privacy-principles/#dfn-context">context</a>, and
cultural circumstances. Likewise, websites might make use of other [=preference=] information
outside the scope of this protocol, such as site-specific person [=preferences=] or third-party
registration services, to inform or adjust their behavior when no explicit [=preference=] is
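Review bot: In "privacy expectations, context, and cultural circumstances" the word "context" reads in its ordinary-language sense; linking it to `#dfn-context` turns it into the defined term and changes what a site is told it may take into account under this MAY. Suggest leaving this occurrence unlinked unless the defined meaning is what is intended.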
Expand Down Expand Up @@ -347,7 +353,7 @@ <h2>GPC Support Representation</h2>
unknown.
</p>
<p>
The GPC support representation MUST be an
The GPC support representation MUST be a
<a href="https://datatracker.ietf.org/doc/html/rfc8259#section-4">JSON object</a>, otherwise the
origin's support is unknown. Members of this JSON object not in the list below have no
meaning in this specification and MUST be ignored. Members include:
Expand Down Expand Up @@ -394,14 +400,20 @@ <h2>Legal Effects</h2>
have legal effects, depending on factors such as the location of the individual sending the
signal, the scope of the applicable law, as well as any separate agreement between the
recipient of the signal and the individual. However, GPC is not necessarily intended to invoke
every new privacy right in every jurisdiction. For additional details on legal effects,
every new privacy right in every jurisdiction. For additional details on legal effects,
<a href="https://w3c.github.io/gpc/explainer" target="_blank">consult the Legal and
Implementation Considerations Guide</a>.
</p>
<p>
For example, the use of the GPC signal by an individual will be intended to communicate the
individual's intention to invoke the following rights, as applicable:
</p>
<p>
Regulators and implementers seeking to understand the best way to apply the GPC signal in a
given jurisdiction are invited to consult the semantics of <a data-link-type="dfn" href="https://www.w3.org/TR/privacy-principles/#dfn-global-opt-out">global opt-out</a> mechanisms
detailed in the W3C's [[[privacy-principles]]] as the specifics may be unfamiliar to
people less familiar with expectations placed on user agents on the web.
</p>
<h3>United States Privacy Law</h3>
<p>
GPC was originally created to take advantage of new opt-out privacy laws in the United State.
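Review bot: The new paragraph beginning "Regulators and implementers seeking to understand" is inserted directly after the sentence ending "to invoke the following rights, as applicable:", so the colon now introduces this paragraph instead of the jurisdiction subsections that follow. Move the new paragraph above the "For example, ..." paragraph or after the subsections. The phrase "may be unfamiliar to people less familiar with" is circular and could be tightened. The line "every new privacy right in every jurisdiction. For additional details on legal effects," is also replaced by a line that reads the same.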
Expand All @@ -418,7 +430,7 @@ <h3>United States Privacy Law</h3>
<h3>Other Jurisdictions and Privacy Rights</h3>
<p>
GPC could potentially be used to indicate rights in other jurisdictions as well. For example, the
GDPR potentially affords data subjects the right to limit the sharing of personal information under
Member

Please don't mix semantic changes into a PR that mostly just adds links. It makes it hard to notice and vet the semantic changes.

Member Author

That's fair of course, but this isn't much of a semantic choice. "Potentially" is repeated two sentences in a row and the existence of this right isn't hypothetical by any measure. Happy to revert this change if you prefer but it's clear that this is a simple phrasing error.

GDPR affords data subjects the right to limit the sharing of personal information under
Articles 7 and 21. Many other countries around the world have adopted affirmative privacy
legislation — often modeled on the GDPR; a regulator in one of those countries could determine that
GPC invokes a legal right that requires some response from a recipient.
Expand All @@ -433,16 +445,16 @@ <h3>Other Jurisdictions and Privacy Rights</h3>
<p>
However, GPC is not necessarily intended to invoke every new privacy right in every
jurisdiction. For example, GPC is not intended to globally invoke data deletion rights on
every website visited by the user. GPC is also not intended to limit a first party’s use of
personal information within the first-party context (such as a publisher targeting ads to a
user on its website based on that user’s previous activity on that same site).
every website visited by the user. GPC is also not intended to limit a <a data-link-type="dfn" href="https://www.w3.org/TR/privacy-principles/#dfn-first-party-0">first party</a>’s use of
personal information within the same <a data-link-type="dfn" href="https://www.w3.org/TR/privacy-principles/#dfn-context">context</a> (such as a publisher targeting ads to a
user on its website based on that user’s previous activity in that same <a data-link-type="dfn" href="https://www.w3.org/TR/privacy-principles/#dfn-context">context</a>).
</p>
<p>
Given the complexities of existing consent frameworks, publishers who accept the GPC signal
should disclose how they treat the GPC signal in that jurisdiction and how they deal with
conflicts between the signal and other specific privacy choices that the person has already
made directly with the publisher, including instances where third party sharing may be
permitted such as sharing to service providers/processors, sharing at law or at the
made directly with the publisher, including instances where <a data-link-type="dfn" href="https://www.w3.org/TR/privacy-principles/#dfn-third-parties">third party</a> sharing may be
permitted such as sharing to <a data-link-type="dfn" href="https://www.w3.org/TR/privacy-principles/#dfn-data-processor">service providers</a>/processors, sharing at law or at the
direction of the individual.
</p>
<section>
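Review bot: Beyond adding links, the replacement lines change "within the first-party context" to "within the same context" and "on that same site" to "in that same context". Read together with the Definitions hunk, which says a context can differ "even if that context is owned by the same business", this changes the stated carve-out from a site to a context. That is a change in what GPC is said not to limit and should be explained in the PR description or split into its own PR. The `#dfn-first-party-0` fragment also looks like an auto-numbered id; confirm it is stable before hardcoding it.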
Expand All @@ -451,7 +463,7 @@ <h2>User Interface Language</h2>
This document does not specify what information must be presented to a user before activating
GPC. When a user agent promotes a privacy feature or offers a privacy setting, it can make the
determination if it is appropriate to send GPC based on what has been disclosed to the user.

User agents SHOULD strive to represent what the user agent best believes to be the person's
preference for the Global Privacy Control value. While studies have shown that most people do not
want their data sold or shared, some jurisdictions have enacted "opt-out" legal frameworks
Expand Down Expand Up @@ -496,10 +508,10 @@ <h2 id="privacy">Privacy Considerations</h2>
<p>
Exposing a user's preference (in the HTTP header field or {{Window/navigator}} object)
potentially divides users into two groups in a way that might increase the information
available for browser or device fingerprinting. This additional information is available
unless the signal perfectly correlates with other signals or is turned on in a
non-configurable setting. Thus, depending on the implementation, the GPC signal may impose
a privacy cost, though, one intended to be justified by the privacy benefit of sending the
available for browser or device fingerprinting. This additional information is available
unless the signal perfectly correlates with other signals or is turned on in a
non-configurable setting. Thus, depending on the implementation, the GPC signal may impose
a privacy cost, though, one intended to be justified by the privacy benefit of sending the
signal.
</p>
</section>
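Review bot: The four lines from "available for browser or device fingerprinting." through "a privacy cost, though, one intended to be justified by" are replaced by lines that read identically, so this hunk appears to change whitespace only. Drop it from this PR, or move whitespace cleanup to a separate commit, so reviewers can see the link additions without re-reading unchanged prose.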