CCPA Do-Not-Sell

Hello,

I am an assistant professor of computer science at Wesleyan University. I
came across your group <https://www.w3.org/community/privacycg/> as I am
working with my students on software implementations for the privacy rights
in the California Consumer Privacy Act (CCPA). In this context, we are
particularly interested in protocols and policies for standardizing the
Do-Not-Sell signal. Is that an issue of interest to your group as well?

Some background (that you already may be aware of): at the beginning of
this year the CCPA became effective. In addition to the rights of data
access and deletion, this new privacy law gives consumers the right to
opt out from the sale of personal information. A "sale" is understood
broadly and likely covers, for example, a website or app disclosing
location data or device identifiers to an ad network for purposes of
monetization. Now, the most recent regulations to the CCPA
<https://www.oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-text-of-second-set-mod-031120.pdf?>
published by the California Attorney General specify that automatic
signals communicating a user's decision to opt out must be respected. Here
is the relevant language:

"If a business collects personal information from consumers online, the
business shall treat user-enabled global privacy controls, such as a
browser plugin or privacy setting, device setting, or other mechanism, that
communicate or signal the consumer’s choice to opt-out of the sale of their
personal information as a valid request ... ."

We think that it would be worthwhile to have a discussion of these
developments. In particular, the Do-Not-Sell signal could be similar to a
Do-Not-Track (DNT) signal. However, the difference is that recipients of
the DNT signal were not required to comply with the signal. Rather, they
only needed to *say* whether they would comply, per the California Online
Privacy Protection Act (CalOPPA).

Also, the CCPA may have substantial impact beyond California as some
companies, e.g., Microsoft, already said that they would apply the CCPA to
all consumers in the US.

Beyond solutions for the browser we are also thinking about what could be
done for mobile apps.

It would be great to get a discussion started ...

Best regards,

Sebastian

_______________________________________________
Check out PrivacyFlash Pro
<https://github.com/privacy-tech-lab/privacyflash-pro>
Developed at the privacy-tech-lab <https://privacy-tech-lab.github.io/>,
Wesleyan University

Received on Friday, 27 March 2020 00:23:27 UTC