Re: CCPA Do-Not-Sell

This is a great discussion, indeed! I can open such an issue within the next
few days. It may be worthwhile to review all the current approaches to get
a lay of the land.

Best regards,

Sebastian

_______________________________________________
Check out PrivacyFlash Pro
<https://github.com/privacy-tech-lab/privacyflash-pro>
Developed at the privacy-tech-lab <https://privacy-tech-lab.github.io/>,
Wesleyan University


On Thu, Apr 2, 2020 at 5:12 PM Joey S <joeysalazar@article19.org> wrote:

> Excellent, I'd welcome this conversation as well.
>
> --
> Joey Salazar
> Digital Sr. Programme Officer
> ARTICLE 19
> 6E9C 95E5 5BED 9413 5D08 55D5 0A40 4136 0DF0 1A91
>
> On 02-Apr-20 1:06 PM, Erik Anderson wrote:
> >
> > Hi everyone,
> >
> >
> >
> > When you’re ready to discuss this in more detail, please file an issue
> > in the Privacy CG meetings repo
> > (https://github.com/privacycg/meetings) so that we can get it on the
> > agenda for a future call to help gauge interest and potential next steps.
> >
> >
> >
> > Thanks,
> >
> > Erik
> >
> >
> >
> > *From:* Zucker-Scharff, Aram <Aram.Zucker-Scharff@washpost.com>
> > *Sent:* Tuesday, March 31, 2020 6:30 AM
> > *To:* Sam Tingleff <sam@iabtechlab.com>; Sebastian Zimmeck
> > <szimmeck@wesleyan.edu>; David Dabbs <david.dabbs@epsilonconversant.com>
> > *Cc:* public-privacycg@w3.org
> > *Subject:* Re: CCPA Do-Not-Sell
> >
> >
> >
> > Also, you may be thinking about the DAA solution, which is indeed
> > dependent on 3p cookies to handle CCPA.
> >
> >
> >
> > -- Aram Zucker-Scharff
> >
> > Ad Engineering Director, RED
> >
> > The Washington Post
> >
> > +1-703-829-0532
> >
> >
> >
> >
> >
> > *From: *Sam Tingleff <sam@iabtechlab.com>
> > *Date: *Monday, March 30, 2020 at 3:02 PM
> > *To: *Sebastian Zimmeck <szimmeck@wesleyan.edu>, David Dabbs
> > <david.dabbs@epsilonconversant.com>, "Zucker-Scharff, Aram"
> > <Aram.Zucker-Scharff@washpost.com>
> > *Cc: *"public-privacycg@w3.org" <public-privacycg@w3.org>
> > *Subject: *Re: CCPA Do-Not-Sell
> >
> >
> >
> > Hello Sebastian,
> >
> > I’m not sure exactly which specification you are thinking of here. The
> > TCF specification
> > <https://iabtechlab.com/standards/gdpr-transparency-and-consent-framework/>
> > for GDPR from IAB Europe / IAB Tech Lab does rely on cookies, however
> > in practice most publishers seem to choose site-specific consent (not
> > global) which relies only on a first party (publisher) cookie. The
> > CCPA privacy string specification
> > <https://github.com/InteractiveAdvertisingBureau/USPrivacy/blob/master/CCPA/Version%201.0/US%20Privacy%20String.md>
> > does not dictate any particular storage mechanism, nor does the USP
> > API
> > <https://github.com/InteractiveAdvertisingBureau/USPrivacy/blob/master/CCPA/Version%201.0/USP%20API.md>
> > (although this does have a recommendation to use a first party cookie,
> > it does not dictate or require it).
> >
> >
> >
> > Our expectation on the IAB Tech Lab side has been that first party
> > publisher cookies are a long term viable storage mechanism for consent
> > records... however the most recent ITP release seems to call that into
> > question.
> >
> >
> >
> > I too would welcome this conversation!
> >
> >
> >
> > *From: *Sebastian Zimmeck <szimmeck@wesleyan.edu>
> > *Date: *Saturday, March 28, 2020 at 11:28 AM
> > *To: *David Dabbs <david.dabbs@epsilonconversant.com>, "Zucker-Scharff, Aram"
> > <Aram.Zucker-Scharff@washpost.com>
> > *Cc: *"public-privacycg@w3.org" <public-privacycg@w3.org>
> > *Subject: *Re: CCPA Do-Not-Sell
> > *Resent-From: *<public-privacycg@w3.org>
> > *Resent-Date: *Saturday, March 28, 2020 at 11:28 AM
> >
> >
> >
> > Thank you so much, David! It is great that the IAB is working on this
> > standardization effort. What I especially like about the IAB approach
> > is that it also covers mobile apps. Ideally, any opt out solution
> > would cover both browsers as well as mobile apps. Maybe, even IoT
> > devices and more.
> >
> >
> >
> > As I understand it, though, the IAB solution is HTTP cookie-based. I
> > am not sure whether this is the best direction to move forward. There
> > are the usual limitations of cookies: they work on a per-browser basis
> > and require the user to have third party cookies enabled. Also, given
> > that Google announced phasing out third party cookies
> > <https://blog.chromium.org/2020/01/building-more-private-web-path-towards.html>
> > and that Firefox is blocking third party cookies by default
> > <https://blog.mozilla.org/blog/2019/09/03/todays-firefox-blocks-third-party-tracking-cookies-and-cryptomining-by-default/>
> > there is a trend against using cookies. Instead, an HTTP header-based
> > solution (similar to DNT) may be a better alternative, at least, in
> > the browser environment. One could also think more broadly of a
> > privacy registry, similar to the Do-Not-Call registry.
> >
> >
> >
> > Good to be in touch as well, Aram! It would be great to learn more
> > about your approach. We are in the process of assembling a group of
> > academics, company representatives, activists, and everyone else who
> > is interested in developing specifications for the CCPA, particularly,
> > a Do-Not-Sell signal. I see the opportunity to come up with a good
> > specification.
> >
> >
> >
> > Best regards,
> >
> >
> >
> > Sebastian
> >
> >
> >
> > _______________________________________________
> >
> > Check out PrivacyFlash Pro
> > <https://github.com/privacy-tech-lab/privacyflash-pro>
> > Developed at the privacy-tech-lab <https://privacy-tech-lab.github.io/>,
> > Wesleyan University
> >
> >
> >
> >
> >
> > On Fri, Mar 27, 2020 at 10:37 AM Zucker-Scharff, Aram
> > <Aram.Zucker-Scharff@washpost.com> wrote:
> >
> >     Hi Sebastian,
> >
> >     We're very interested in the CCPA conversation and have been
> >     pushing for a browser level signal that works with the IAB's
> >     proposed approach, as the law calls for such a signal to be
> >     supported. We'd be glad to talk about the concerns we're looking at and
> >     what our proposed solutions are and why. I'm not sure there's
> >     enough interest in this group for one of our spun out stand alone
> >     calls on this topic, but I'd be glad to talk via phone one on one
> >     if no one else is interested in joining.
> >
> >     -- Aram Zucker-Scharff
> >     Ad Engineering Director, RED
> >     The Washington Post
> >     +1-703-829-0532
> >
> >
> >     On 3/27/20, 4:22 AM, "David Dabbs"
> >     <david.dabbs@epsilonconversant.com> wrote:
> >
> >
> >         Hello Professor Zimmeck.
> >
> >         You should probably look into the signal specification created
> >     by the IAB…
> >
> >
> >
> >         <https://iabtechlab.com/standards/ccpa/>
> >
> >
> >         The TechLab's CCPA working group is currently working on a
> >     signaling scheme for communicating "delete requests."
> >
> >
> >         Best regards,
> >
> >         David
> >
> >
> >
> >         From: Sebastian Zimmeck <szimmeck@wesleyan.edu>
> >         Sent: Thursday, March 26, 2020 11:54 AM
> >         To: public-privacycg@w3.org
> >         Subject: CCPA Do-Not-Sell
> >         Subject: CCPA Do-Not-Sell
> >
> >         Hello,
> >
> >         I am an assistant professor of computer science at Wesleyan
> >     University. I came across your
> >
> >     <https://www.w3.org/community/privacycg/>
> >
> >     as I am working with my students on software implementations for
> >     the privacy rights in the California Consumer Privacy Act (CCPA).
> >     In this context, we are particularly interested in protocols and
> >     policies for standardizing the Do-Not-Sell signal. Is that an
> >     issue of interest to your group as well?
> >
> >         Some background (that you already may be aware of): at the
> >     beginning of this year the CCPA became effective. In addition to
> >     the rights of data access and deletion, this new privacy law gives
> >     consumers the right to opt out from the sale of personal
> >     information. A "sale" is understood broadly and likely covers, for
> >     example, a website or app disclosing location data or device
> >     identifiers to an ad network for purposes of monetization. Now,
> >     the most recent
> >
> >     <https://www.oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-text-of-second-set-mod-031120.pdf?>
> >
> >     published by the California Attorney General specify that
> >     automatic signals communicating a user's decision to opt out must
> >     be respected. Here is the relevant language:
> >
> >         "If a business collects personal information from consumers
> >     online, the business shall treat user-enabled global privacy
> >     controls, such as a browser plugin or privacy setting, device
> >     setting, or other mechanism, that communicate or signal the
> >     consumer’s choice to opt-out of the sale of their personal
> >     information as a valid request ... ."
> >
> >         We think that it would be worthwhile to have a discussion of
> >     these developments. In particular, the Do-Not-Sell signal could be
> >     similar to a Do-Not-Track (DNT) signal. However, the difference is
> >     that recipients of the DNT signal were not required to comply with
> >     the signal. Rather, they only needed to say whether they would
> >     comply; per the California Online Privacy Protection Act (CalOPPA).
> >
> >         Also, the CCPA may have substantial impact beyond California
> >     as some companies, e.g., Microsoft, already said that they would
> >     apply the CCPA to all consumers in the US.
> >
> >         Beyond solutions for the browser we are also thinking about
> >     what could be done for mobile apps.
> >
> >         It would be great to get a discussion started ...
> >
> >         Best regards,
> >
> >         Sebastian
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
>
>
>

Received on Friday, 3 April 2020 01:52:54 UTC