Re: CCPA Do-Not-Sell

Excellent, I'd welcome this conversation as well.

--
Joey Salazar
Digital Sr. Programme Officer
ARTICLE 19
6E9C 95E5 5BED 9413 5D08 55D5 0A40 4136 0DF0 1A91

On 02-Apr-20 1:06 PM, Erik Anderson wrote:
>
> Hi everyone,
>
>  
>
> When you’re ready to discuss this in more detail, please file an issue
> in the Privacy CG meetings repo
> (https://github.com/privacycg/meetings) so that we can get it on the
> agenda for a future call to help gauge interest and potential next steps.
>
>  
>
> Thanks,
>
> Erik
>
>  
>
> *From:* Zucker-Scharff, Aram <Aram.Zucker-Scharff@washpost.com>
> *Sent:* Tuesday, March 31, 2020 6:30 AM
> *To:* Sam Tingleff <sam@iabtechlab.com>; Sebastian Zimmeck
> <szimmeck@wesleyan.edu>; David Dabbs <david.dabbs@epsilonconversant.com>
> *Cc:* public-privacycg@w3.org
> *Subject:* Re: CCPA Do-Not-Sell
>
>  
>
> Also, you may be thinking about the DAA solution, which is indeed
> dependent on 3p cookies to handle CCPA.
>
>  
>
> -- Aram Zucker-Scharff
>
> Ad Engineering Director, RED
>
> The Washington Post
>
> +1-703-829-0532
>
>  
>
>  
>
> *From:* Sam Tingleff <sam@iabtechlab.com>
> *Date:* Monday, March 30, 2020 at 3:02 PM
> *To:* Sebastian Zimmeck <szimmeck@wesleyan.edu>, David Dabbs
> <david.dabbs@epsilonconversant.com>, "Zucker-Scharff, Aram"
> <Aram.Zucker-Scharff@washpost.com>
> *Cc:* "public-privacycg@w3.org" <public-privacycg@w3.org>
> *Subject:* Re: CCPA Do-Not-Sell
>
>  
>
> Hello Sebastian,
>
> I’m not sure exactly which specification you are thinking of here. The
> TCF specification
> <https://iabtechlab.com/standards/gdpr-transparency-and-consent-framework/>
> for GDPR from IAB Europe / IAB Tech Lab does rely on cookies, however
> in practice most publishers seem to choose site-specific consent (not
> global) which relies only on a first party (publisher) cookie. The
> CCPA privacy string specification
> <https://github.com/InteractiveAdvertisingBureau/USPrivacy/blob/master/CCPA/Version%201.0/US%20Privacy%20String.md>
> does not dictate any particular storage mechanism, nor does the USP
> API
> <https://github.com/InteractiveAdvertisingBureau/USPrivacy/blob/master/CCPA/Version%201.0/USP%20API.md>
> (although this does have a recommendation to use a first party cookie,
> it does not dictate or require it).
>
>  
>
> Our expectation on the IAB Tech Lab side has been that first party
> publisher cookies are a long term viable storage mechanism for consent
> records... however the most recent ITP release seems to call that into
> question.
>
>  
>
> I too would welcome this conversation!
>
>  
>
> *From:* Sebastian Zimmeck <szimmeck@wesleyan.edu>
> *Date:* Saturday, March 28, 2020 at 11:28 AM
> *To:* David Dabbs <david.dabbs@epsilonconversant.com>,
> "Zucker-Scharff, Aram" <Aram.Zucker-Scharff@washpost.com>
> *Cc:* "public-privacycg@w3.org" <public-privacycg@w3.org>
> *Subject:* Re: CCPA Do-Not-Sell
> *Resent-From:* <public-privacycg@w3.org>
> *Resent-Date:* Saturday, March 28, 2020 at 11:28 AM
>
>  
>
> Thank you so much, David! It is great that the IAB is working on this
> standardization effort. What I especially like about the IAB approach
> is that it also covers mobile apps. Ideally, any opt out solution
> would cover both browsers as well as mobile apps. Maybe, even IoT
> devices and more. 
>
>  
>
> As I understand it, though, the IAB solution is HTTP cookie-based. I
> am not sure whether this is the best direction to move forward. There
> are the usual limitations of cookies: they work on a per-browser basis
> and require the user to have third party cookies enabled. Also, given
> that Google announced phasing out third party cookies
> <https://blog.chromium.org/2020/01/building-more-private-web-path-towards.html>
> and that Firefox is blocking third party cookies by default
> <https://blog.mozilla.org/blog/2019/09/03/todays-firefox-blocks-third-party-tracking-cookies-and-cryptomining-by-default/>
> there is a trend against using cookies. Instead, an HTTP header-based
> solution (similar to DNT) may be a better alternative, at least, in
> the browser environment. One could also think more broadly of a
> privacy registry, similar to the Do-Not-Call registry.
>
>  
>
> Good to be in touch as well, Aram! It would be great to learn more
> about your approach. We are in the process of assembling a group of
> academics, company representatives, activists, and everyone else who
> is interested in developing specifications for the CCPA, particularly,
> a Do-Not-Sell signal. I see the opportunity to come up with a good
> specification.
>
>  
>
> Best regards,
>
>  
>
> Sebastian
>
>  
>
> _______________________________________________
>
> Check out PrivacyFlash Pro
> <https://github.com/privacy-tech-lab/privacyflash-pro>
>
> Developed at the privacy-tech-lab
> <https://privacy-tech-lab.github.io/>,
> Wesleyan University
>
>  
>
>  
>
> On Fri, Mar 27, 2020 at 10:37 AM Zucker-Scharff, Aram
> <Aram.Zucker-Scharff@washpost.com> wrote:
>
>     Hi Sebastian,
>
>     We're very interested in the CCPA conversation and have been
>     pushing for a browser level signal that works with the IAB's
>     proposed approach, as the law calls for such a signal to be
>     supported. We'd be glad to talk about the concerns we're looking at and
>     what our proposed solutions are and why. I'm not sure there's
>     enough interest in this group for one of our spun out stand alone
>     calls on this topic, but I'd be glad to talk via phone one on one
>     if no one else is interested in joining.
>
>     -- Aram Zucker-Scharff
>     Ad Engineering Director, RED
>     The Washington Post
>     +1-703-829-0532
>
>
>     On 3/27/20, 4:22 AM, "David Dabbs"
>     <david.dabbs@epsilonconversant.com> wrote:
>
>         Hello Professor Zimmeck.
>
>         You should probably look into the signal specification created
>     by the IAB…
>
>         https://iabtechlab.com/standards/ccpa/
>
>         The TechLab's CCPA working group is currently working on a
>     signaling scheme for communicating "delete requests."
>
>
>         Best regards,
>
>         David
>
>
>
>         From: Sebastian Zimmeck <szimmeck@wesleyan.edu>
>         Sent: Thursday, March 26, 2020 11:54 AM
>         To: public-privacycg@w3.org
>         Subject: CCPA Do-Not-Sell
>
>         Hello,
>
>         I am an assistant professor of computer science at Wesleyan
>     University. I came across your
>     https://www.w3.org/community/privacycg/
>     as I am working with my students on software implementations for
>     the privacy rights in the California Consumer Privacy Act (CCPA).
>     In this context, we are particularly interested in protocols and
>     policies for standardizing the Do-Not-Sell signal. Is that an
>     issue of interest to your group as well?
>
>         Some background (that you already may be aware of): at the
>     beginning of this year the CCPA became effective. In addition to
>     the rights of data access and deletion, this new privacy law gives
>     consumers the right to opt out from the sale of personal
>     information. A "sale" is understood broadly and likely covers, for
>     example, a website or app disclosing location data or device
>     identifiers to an ad network for purposes of monetization. Now,
>     the most recent
>     https://www.oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-text-of-second-set-mod-031120.pdf?
>     published by the California Attorney General specify that
>     automatic signals communicating a user's decision to opt out must
>     be respected. Here is the relevant language:
>
>         "If a business collects personal information from consumers
>     online, the business shall treat user-enabled global privacy
>     controls, such as a browser plugin or privacy setting, device
>     setting, or other mechanism, that communicate or signal the
>     consumer’s choice to opt-out of the sale of their personal
>     information as a valid request ... ."
>
>         We think that it would be worthwhile to have a discussion of
>     these developments. In particular, the Do-Not-Sell signal could be
>     similar to a Do-Not-Track (DNT) signal. However, the difference is
>     that recipients of the DNT signal were not required to comply with
>     the signal. Rather, they only needed to say whether they would
>     comply; per the California Online Privacy Protection Act (CalOPPA).
>
>         Also, the CCPA may have substantial impact beyond California
>     as some companies, e.g., Microsoft, already said that they would
>     apply the CCPA to all consumers in the US.
>
>         Beyond solutions for the browser we are also thinking about
>     what could be done for mobile apps.
>
>         It would be great to get a discussion started ...
>
>         Best regards,
>
>         Sebastian

Received on Thursday, 2 April 2020 21:36:38 UTC