@darobin
Member

@darobin darobin commented Sep 16, 2025

This is a small and simple PR that updates GPC to be more anchored in the Privacy Principles now that they have been ratified (along with a couple of typos). This helps ensure a coherent use of privacy across the platform, as intended by the TAG.

(This PR references concepts that were unfortunately not exported correctly; this should be fixed in a few hours as xref republishes. Otherwise, I will make another fix.)



index.html Outdated
person is requesting that their data not be sold to or shared with any party other than the
one the person intends to interact with, or to have their data used for cross-context ad targeting,
except as permitted by law.
except as permitted by law. In terms of the W3C's [[[privacy-principles]]], the person is
Contributor

Requesting a single controller is not all that the person may be requesting or that the law promises. (In many cases a single large controller can perpetrate more cross-context privacy harms than several small ones, and laws requiring OOPSes do put some obligations on large multi-context controllers)

Member Author

I made changes there to clarify, let me know if it works.

Contributor

New version looks much better, thank you

index.html Outdated
every website visited by the user. GPC is also not intended to limit a first party’s use of
personal information within the first-party context (such as a publisher targeting ads to a
every website visited by the user. GPC is also not intended to limit a <a data-link-type="dfn" href="https://www.w3.org/TR/privacy-principles/#dfn-first-party-0">first party</a>’s use of
personal information within the first-party <a data-link-type="dfn" href="https://www.w3.org/TR/privacy-principles/#dfn-context">context</a> (such as a publisher targeting ads to a
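
Review bot: the two links on the added lines hard-code `href` values into the published Privacy Principles, and the `#dfn-first-party-0` fragment carries a numeric suffix that looks generated rather than authored, so it may not survive a republish of that document. Since the PR description says the referenced concepts are waiting on an xref republish, consider switching these to the spec's cross-reference mechanism once that lands, instead of keeping literal URLs with `data-link-type="dfn"` attributes.
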
Contributor

Would "same context" be clearer than "first-party context"? So:

GPC is also not intended to limit a first party’s use of personal information within the same context

Member Author

You're right, same context is clearer. See update.

Contributor

LGTM, thank you

<h3>Other Jurisdictions and Privacy Rights</h3>
<p>
GPC could potentially be used to indicate rights in other jurisdictions as well. For example, the
GDPR potentially affords data subjects the right to limit the sharing of personal information under
Member

Please don't mix semantic changes into a PR that mostly just adds links. It makes it hard to notice and vet the semantic changes.

Member Author

That's fair of course, but this isn't much of a semantic choice. "Potentially" is repeated two sentences in a row and the existence of this right isn't hypothetical by any measure. Happy to revert this change if you prefer but it's clear that this is a simple phrasing error.

@michaelkleber

It seems like this PR undoes the impact of #109.

As discussed in PrivacyWG on 2025-09-04, we agreed to make clear that GPC's statements about "cross-context ad targeting" do not include same-site ad targeting. This PR rolls back that consensus clarity, again making the relevance to same-site ad targeting ambiguous.

@darobin
Member Author

darobin commented Dec 19, 2025

Well, this PR predates #109, so it's not so much that it undoes anything as that it was authored earlier. (I volunteer to clean up conflicts of course.)

That being said, as far as I can tell this PR aligns completely with #109 and in fact clarifies it. #109 says "GPC is also not intended to limit a first party’s use of personal information within the first-party context" (emphasis mine). This is the same thing that #108 says; #108 only clarifies that context needs to be understood as defined in the Privacy Principles. Crucially, context isn't defined by the PSL or business ownership. Accordingly, GPC would not apply to a news publisher with multiple sections but would apply when a company provides completely unrelated services under the same domain.

Doing this differently would put GPC at odds with the PP, which would be problematic. But I don't think we have a problem because #109 was careful to word this in a context-dependent manner.

@michaelkleber

michaelkleber commented Dec 19, 2025

I freely acknowledge that 108 is a number that comes before 109 :-). I still don't want to undo our consensus.

The GPC spec currently reads: "GPC is also not designed to address same site data collection and same site ad targeting."

That's clear, because we know what "same site" means. It also acknowledges the reality that GPC is designed to trigger certain legal protections, including some that specifically have opinions about same-site vs cross-site advertising. For example, Colorado's (25)(b)(II) says that "Targeted advertising" does not include "ADVERTISEMENTS BASED ON ACTIVITIES WITHIN A CONTROLLER'S OWN WEBSITES OR ONLINE APPLICATIONS". (Sorry to yell; I don't know why the Colorado law is all caps.) (edit: should've used Connecticut's which is lower-case!)

As you say, the Privacy Principles doc is focused on contexts, not sites: "A context is a physical or digital environment in which people interact with other actors, and which the people understand as distinct from other contexts." I don't personally know whether https://nytimes.com/ and https://www.nytimes.com/wirecutter/ should be considered the same context; this "the people understand" standard seems like it requires looking into the souls of NYT visitors to make that determination.

Are there any examples where the GPC triggers a privacy law that invokes a standard for which advertising is covered that is based on the personal beliefs of website visitors? If there are zero in the world, then please let's not change the GPC spec to imply the contrary.

@darobin
Member Author

darobin commented Dec 22, 2025

The PP is focused on contexts rather than sites because it's a boundary that aligns better with privacy. In some cases that means that we have to make imperfect trade-offs because it's hard to get computers to understand what context boundaries are in an automated fashion. Thankfully, GPC can apply to contexts without encountering that problem. Determining whether Wirecutter is distinct from the rest of NYT is the kind of judgement call that compliance or governance teams eat for breakfast. I know of people using guidance, criteria scoring, or user testing for this; peering into souls strikes me as somewhat unorthodox but maybe not out of line with industry standards.

I would point out that every privacy law in the world that I have ever looked at is based on the beliefs of visitors; that's specifically what things like notices and "reasonable expectations of privacy" are about. It's about as foundational as it gets.

At any rate, this is neither the place nor the time to revisit the PP. Centring on contexts was discussed extensively there. Relying on sites or on ownership are known to be inferior options, both because they don't correspond to privacy best practices but also because they give a bonus to concentration. Just because someone bought a lot of businesses and crammed them into the same domain doesn't mean that W3C should grant them a dispensation from the privacy rules that apply to similar services that happen not to be owned by the same entity. Choosing same site over same context would run afoul of the Vision for W3C prescription on avoiding centralisation, and we all know how central that document is to everything we do.

You are correct in pointing out that GPC talks interchangeably about sites and contexts as a result of #109, and that's clearly a bug. Those two notions overlap but aren't interchangeable. Thankfully, the insertion of "same site" is small. I've opened #127 to fix that and align GPC with what's expected of a W3C privacy-related spec.

@michaelkleber

I'm not going to object to the Principles document being aspirational. From a practical point of view, I don't know how you envision the focus on contexts-not-sites to work — browsers have a very large number of information-flow boundaries, and to the best of my knowledge, none of them reflect the distinction you're making, nor do I see any prospect for that changing.

But from a browser's point of view, we need to be realistic rather than aspirational about the information we present to users. The purpose of a system is what it does, and if GPC in practice has an effect on cross-site advertising, then I am not interested in misrepresenting it.

@darobin
Member Author

darobin commented Dec 22, 2025

The browser has no way to know whether a given website is complying with GPC provisions or not. The way in which you represent its effect faithfully has to reflect that, and can therefore take contexts into account.

If you wish to take that further, you could design a system for a website to convey its context boundaries. That would be an interesting project and one I would encourage you to pursue, but outside the bounds of GPC.
