Re: CCPA Do-Not-Sell from Sebastian Zimmeck on 2020-03-28 (public-privacycg@w3.org from March 2020)

From: Sebastian Zimmeck <szimmeck@wesleyan.edu>
Date: Sat, 28 Mar 2020 14:27:40 -0400
To: David Dabbs <david.dabbs@epsilonconversant.com>, "Zucker-Scharff, Aram" <Aram.Zucker-Scharff@washpost.com>
Cc: "public-privacycg@w3.org" <public-privacycg@w3.org>
Message-ID: <CAD-GkkWGWihU-+ApoA5Aw=VSgyt1+P7rPaSLE2vLpytD-i2KBg@mail.gmail.com>
Thank you so much, David! It is great that the IAB is working on this
standardization effort. What I especially like about the IAB approach is
that it also covers mobile apps. Ideally, any opt out solution would cover
both browsers as well as mobile apps. Maybe, even IoT devices and more.

As I understand it, though, the IAB solution is HTTP cookie-based. I am not
sure whether this is the best direction to move forward. There are the
usual limitations of cookies: they work on a per-browser basis and require
the user to have third party cookies enabled. Also, given that Google
announced phasing out third party cookies
<https://blog.chromium.org/2020/01/building-more-private-web-path-towards.html>
and
that Firefox is blocking third party cookies by default
<https://blog.mozilla.org/blog/2019/09/03/todays-firefox-blocks-third-party-tracking-cookies-and-cryptomining-by-default/>
there
is a trend against using cookies. Instead, an HTTP header-based solution
(similar to DNT) may be a better alternative, at least, in the browser
environment. One could also think more broadly of a privacy registry,
similar to the Do-Not-Call registry.

Good to be in touch as well, Aram! It would be great to learn more about
your approach. We are in the process of assembling a group of academics,
company representatives, activists, and everyone else who is interested in
developing specifications for the CCPA, particularly, a Do-Not-Sell signal.
I see the opportunity to come up with a good specification.

Best regards,

Sebastian

_______________________________________________
Check out PrivacyFlash Pro
<https://github.com/privacy-tech-lab/privacyflash-pro>
Developed at the privacy-tech-lab <https://privacy-tech-lab.github.io/>,
Wesleyan University


On Fri, Mar 27, 2020 at 10:37 AM Zucker-Scharff, Aram <
Aram.Zucker-Scharff@washpost.com> wrote:

> Hi Sebastian,
>
> We're very interested in the CCPA conversation and have been pushing for a
> browser level signal that works with the IAB's proposed approach, as the
> law calls for such a signal to be supported. We'd be glad to about the
> concerns we're looking at and what our proposed solutions are and why. I'm
> not sure there's enough interest in this group for one of our spun out
> stand alone calls on this topic, but I'd be glad to talk via phone one on
> one if no one else is interested in joining.
>
> -- Aram Zucker-Scharff
> Ad Engineering Director, RED
> The Washington Post
> +1-703-829-0532
>
>
> On 3/27/20, 4:22 AM, "David Dabbs" <david.dabbs@epsilonconversant.com>
> wrote:
>
>     CAUTION: EXTERNAL SENDER
>
>     Hello Professor Zimmeck.
>
>     You should probably look into the signal specification created by the
> IAB…
>
>
> https://urldefense.proofpoint.com/v2/url?u=https-3A__iabtechlab.com_standards_ccpa_&d=DwIGaQ&c=RAhzPLrCAq19eJdrcQiUVEwFYoMRqGDAXQ_puw5tYjg&r=4ydXbc7IBUz-Cc0XwXf-b8xnEAdZxMjj-0KISFR0cBw&m=6qbjQcgCoO1w5doFKczqF6IwUEZkqnl26ghgnkgOcAU&s=9WUzglVeY9rTvpHF0OkXkbiFklKS-c12YSRZcIefn5Y&e=
>
>     The TechLab's CCPA working group is currently working on a signaling
> scheme for communicating "delete requests."
>
>
>     Best regards,
>
>     David
>
>
>
>     From: Sebastian Zimmeck <szimmeck@wesleyan.edu>
>     Sent: Thursday, March 26, 2020 11:54 AM
>     To: public-privacycg@w3.org
>     Subject: CCPA Do-Not-Sell
>
>     Hello,
>
>     I am an assistant professor of computer science at Wesleyan
> University. I came across your
> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.w3.org_community_privacycg_&d=DwIGaQ&c=RAhzPLrCAq19eJdrcQiUVEwFYoMRqGDAXQ_puw5tYjg&r=4ydXbc7IBUz-Cc0XwXf-b8xnEAdZxMjj-0KISFR0cBw&m=6qbjQcgCoO1w5doFKczqF6IwUEZkqnl26ghgnkgOcAU&s=wWpxtuDWP2HVeWw8HXfc_qRC-q8irITxjTG_8yiZ1WQ&e=
> as I am working with my students on software implementations for the
> privacy rights in the California Consumer Privacy Act (CCPA). In this
> context, we are particularly interested in protocols and policies for
> standardizing the Do-Not-Sell signal. Is that an issue of interest to your
> group as well?
>
>     Some background (that you already may be aware of): at the beginning
> of this year the CCPA became effective. In addition to the rights of data
> access and deletion, this new privacy law gives consumers the right to opt
> out from the sale of personal information. A "sale" is understood broadly
> and likely covers, for example, a website or app disclosing location data
> or device identifiers to an ad network for purposes of monetization. Now,
> the most recent
> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.oag.ca.gov_sites_all_files_agweb_pdfs_privacy_ccpa-2Dtext-2Dof-2Dsecond-2Dset-2Dmod-2D031120.pdf-3F&d=DwIGaQ&c=RAhzPLrCAq19eJdrcQiUVEwFYoMRqGDAXQ_puw5tYjg&r=4ydXbc7IBUz-Cc0XwXf-b8xnEAdZxMjj-0KISFR0cBw&m=6qbjQcgCoO1w5doFKczqF6IwUEZkqnl26ghgnkgOcAU&s=E9Rn89dzAxtR4eX9Jf2MPE-4y9waXtjkKIjLK4INp14&e=
> published by the California Attorney General specify that automatic signals
> communicating a user's decision to opt out must be respected. Here is the
> relevant language:
>
>     "If a business collects personal information from consumers online,
> the business shall treat user-enabled global privacy controls, such as a
> browser plugin or privacy setting, device setting, or other mechanism, that
> communicate or signal the consumer’s choice to opt-out of the sale of their
> personal information as a valid request ... ."
>
>     We think that it would be worthwhile to have a discussion of these
> developments. In particular, the Do-Not-Sell signal could be similar to a
> Do-Not-Track (DNT) signal. However, the difference is that recipients of
> the DNT signal were not required to comply with the signal. Rather, they
> only needed to say whether they would comply; per the California Online
> Privacy Protection Act (CalOPPA).
>
>     Also, the CCPA may have substantial impact beyond California as some
> companies, e.g., Microsoft, already said that they would apply the CCPA to
> all consumers in the US.
>
>     Beyond solutions for the browser we are also thinking about what could
> be done for mobile apps.
>
>     It would be great to get a discussion started ...
>
>     Best regards,
>
>     Sebastian
>
>
>
>
>
>
>
>
> ------------------------------------------------------------------------
>     Disclaimer The information in this email and any attachments may
> contain proprietary and confidential information that is intended for the
> addressee(s) only. If you are not the intended recipient, you are hereby
> notified that any disclosure, copying, distribution, retention or use of
> the contents of this information is prohibited. When addressed to our
> clients or vendors, any information contained in this e-mail or any
> attachments is subject to the terms and conditions in any governing
> contract. If you have received this e-mail in error, please immediately
> contact the sender and delete the e-mail.
>
>
>
Received on Saturday, 28 March 2020 18:28:08 UTC