Re: CCPA Do-Not-Sell from Zucker-Scharff, Aram on 2020-03-27 (public-privacycg@w3.org from March 2020)

From: Zucker-Scharff, Aram <Aram.Zucker-Scharff@washpost.com>
Date: Fri, 27 Mar 2020 14:37:23 +0000
To: David Dabbs <david.dabbs@epsilonconversant.com>, "public-privacycg@w3.org" <public-privacycg@w3.org>, Sebastian Zimmeck <szimmeck@wesleyan.edu>
Message-ID: <7477A757-DE31-43F2-82C6-7A60CB7B4ED1@washpost.com>
Hi Sebastian,

We're very interested in the CCPA conversation and have been pushing for a browser level signal that works with the IAB's proposed approach, as the law calls for such a signal to be supported. We'd be glad to about the concerns we're looking at and what our proposed solutions are and why. I'm not sure there's enough interest in this group for one of our spun out stand alone calls on this topic, but I'd be glad to talk via phone one on one if no one else is interested in joining. 

-- Aram Zucker-Scharff
Ad Engineering Director, RED
The Washington Post
+1-703-829-0532
 

On 3/27/20, 4:22 AM, "David Dabbs" <david.dabbs@epsilonconversant.com> wrote:

    CAUTION: EXTERNAL SENDER
    
    Hello Professor Zimmeck.
    
    You should probably look into the signal specification created by the IAB…
    
           https://urldefense.proofpoint.com/v2/url?u=https-3A__iabtechlab.com_standards_ccpa_&d=DwIGaQ&c=RAhzPLrCAq19eJdrcQiUVEwFYoMRqGDAXQ_puw5tYjg&r=4ydXbc7IBUz-Cc0XwXf-b8xnEAdZxMjj-0KISFR0cBw&m=6qbjQcgCoO1w5doFKczqF6IwUEZkqnl26ghgnkgOcAU&s=9WUzglVeY9rTvpHF0OkXkbiFklKS-c12YSRZcIefn5Y&e=

    
    The TechLab's CCPA working group is currently working on a signaling scheme for communicating "delete requests."
    
    
    Best regards,
    
    David
    
    
    
    From: Sebastian Zimmeck <szimmeck@wesleyan.edu>
    Sent: Thursday, March 26, 2020 11:54 AM
    To: public-privacycg@w3.org
    Subject: CCPA Do-Not-Sell
    
    Hello,
    
    I am an assistant professor of computer science at Wesleyan University. I came across your https://urldefense.proofpoint.com/v2/url?u=https-3A__www.w3.org_community_privacycg_&d=DwIGaQ&c=RAhzPLrCAq19eJdrcQiUVEwFYoMRqGDAXQ_puw5tYjg&r=4ydXbc7IBUz-Cc0XwXf-b8xnEAdZxMjj-0KISFR0cBw&m=6qbjQcgCoO1w5doFKczqF6IwUEZkqnl26ghgnkgOcAU&s=wWpxtuDWP2HVeWw8HXfc_qRC-q8irITxjTG_8yiZ1WQ&e=  as I am working with my students on software implementations for the privacy rights in the California Consumer Privacy Act (CCPA). In this context, we are particularly interested in protocols and policies for standardizing the Do-Not-Sell signal. Is that an issue of interest to your group as well?
    
    Some background (that you already may be aware of): at the beginning of this year the CCPA became effective. In addition to the rights of data access and deletion, this new privacy law gives consumers the right to opt out from the sale of personal information. A "sale" is understood broadly and likely covers, for example, a website or app disclosing location data or device identifiers to an ad network for purposes of monetization. Now, the most recent https://urldefense.proofpoint.com/v2/url?u=https-3A__www.oag.ca.gov_sites_all_files_agweb_pdfs_privacy_ccpa-2Dtext-2Dof-2Dsecond-2Dset-2Dmod-2D031120.pdf-3F&d=DwIGaQ&c=RAhzPLrCAq19eJdrcQiUVEwFYoMRqGDAXQ_puw5tYjg&r=4ydXbc7IBUz-Cc0XwXf-b8xnEAdZxMjj-0KISFR0cBw&m=6qbjQcgCoO1w5doFKczqF6IwUEZkqnl26ghgnkgOcAU&s=E9Rn89dzAxtR4eX9Jf2MPE-4y9waXtjkKIjLK4INp14&e=  published by the California Attorney General specify that automatic signals communicating a user's decision to opt out must be respected. Here is the relevant language:
    
    "If a business collects personal information from consumers online, the business shall treat user-enabled global privacy controls, such as a browser plugin or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information as a valid request ... ."
    
    We think that it would be worthwhile to have a discussion of these developments. In particular, the Do-Not-Sell signal could be similar to a Do-Not-Track (DNT) signal. However, the difference is that recipients of the DNT signal were not required to comply with the signal. Rather, they only needed to say whether they would comply; per the California Online Privacy Protection Act (CalOPPA).
    
    Also, the CCPA may have substantial impact beyond California as some companies, e.g., Microsoft, already said that they would apply the CCPA to all consumers in the US.
    
    Beyond solutions for the browser we are also thinking about what could be done for mobile apps.
    
    It would be great to get a discussion started ...
    
    Best regards,
    
    Sebastian
    
    
    
    
    
    
    
    ------------------------------------------------------------------------
    Disclaimer The information in this email and any attachments may contain proprietary and confidential information that is intended for the addressee(s) only. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, retention or use of the contents of this information is prohibited. When addressed to our clients or vendors, any information contained in this e-mail or any attachments is subject to the terms and conditions in any governing contract. If you have received this e-mail in error, please immediately contact the sender and delete the e-mail.
Received on Friday, 27 March 2020 14:37:42 UTC