RE: CCPA Do-Not-Sell

Hello Professor Zimmeck.

You should probably look into the signal specification created by the IAB…

The TechLab's CCPA working group is currently working on a signaling scheme for communicating "delete requests."

Best regards,


From: Sebastian Zimmeck <>
Sent: Thursday, March 26, 2020 11:54 AM
Subject: CCPA Do-Not-Sell


I am an assistant professor of computer science at Wesleyan University. I came across your as I am working with my students on software implementations for the privacy rights in the California Consumer Privacy Act (CCPA). In this context, we are particularly interested in protocols and policies for standardizing the Do-Not-Sell signal. Is that an issue of interest to your group as well?

Some background (that you already may be aware of): at the beginning of this year the CCPA became effective. In addition to the rights of data access and deletion, this new privacy law gives consumers the right to opt out from the sale of personal information. A "sale" is understood broadly and likely covers, for example, a website or app disclosing location data or device identifiers to an ad network for purposes of monetization. Now, the most recent published by the California Attorney General specify that automatic signals communicating a user's decision to opt out must be respected. Here is the relevant language:

"If a business collects personal information from consumers online, the business shall treat user-enabled global privacy controls, such as a browser plugin or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information as a valid request ... ."

We think that it would be worthwhile to have a discussion of these developments. In particular, the Do-Not-Sell signal could be similar to a Do-Not-Track (DNT) signal. However, the difference is that recipients of the DNT signal were not required to comply with the signal. Rather, they only needed to say whether they would comply; per the California Online Privacy Protection Act (CalOPPA).

Also, the CCPA may have substantial impact beyond California as some companies, e.g., Microsoft, already said that they would apply the CCPA to all consumers in the US.

Beyond solutions for the browser we are also thinking about what could be done for mobile apps.

It would be great to get a discussion started ...

Best regards,


Disclaimer The information in this email and any attachments may contain proprietary and confidential information that is intended for the addressee(s) only. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, retention or use of the contents of this information is prohibited. When addressed to our clients or vendors, any information contained in this e-mail or any attachments is subject to the terms and conditions in any governing contract. If you have received this e-mail in error, please immediately contact the sender and delete the e-mail.

Received on Friday, 27 March 2020 08:21:35 UTC