W3C home > Mailing lists > Public > public-privacycg@w3.org > March 2020

Re: CCPA Do-Not-Sell

From: Zucker-Scharff, Aram <Aram.Zucker-Scharff@washpost.com>
Date: Tue, 31 Mar 2020 13:30:04 +0000
To: Sam Tingleff <sam@iabtechlab.com>, Sebastian Zimmeck <szimmeck@wesleyan.edu>, David Dabbs <david.dabbs@epsilonconversant.com>
CC: "public-privacycg@w3.org" <public-privacycg@w3.org>
Message-ID: <47304B9F-2E11-43A9-B148-29293C5C7423@washpost.com>
Also, you may be thinking about the DAA solution, which is indeed dependent on 3p cookies to handle CCPA.

-- Aram Zucker-Scharff
Ad Engineering Director, RED
The Washington Post

From: Sam Tingleff <sam@iabtechlab.com>
Date: Monday, March 30, 2020 at 3:02 PM
To: Sebastian Zimmeck <szimmeck@wesleyan.edu>, David Dabbs <david.dabbs@epsilonconversant.com>, "Zucker-Scharff, Aram" <Aram.Zucker-Scharff@washpost.com>
Cc: "public-privacycg@w3.org" <public-privacycg@w3.org>
Subject: Re: CCPA Do-Not-Sell

Hello Sebastian,
I’m not sure exactly which specification you are thinking of here. The TCF specification [iabtechlab.com]<https://urldefense.proofpoint.com/v2/url?u=https-3A__iabtechlab.com_standards_gdpr-2Dtransparency-2Dand-2Dconsent-2Dframework_&d=DwMGaQ&c=RAhzPLrCAq19eJdrcQiUVEwFYoMRqGDAXQ_puw5tYjg&r=4ydXbc7IBUz-Cc0XwXf-b8xnEAdZxMjj-0KISFR0cBw&m=kTQtZYskGtLcXehuqOqy5QhH-Zt3gLYoVvF1u8Pl50k&s=5XPKY6dX3qCNzZXCQ5oQvyKeZtBY3xkPYH3BZFPFkgw&e=> for GDPR from IAB Europe / IAB Tech Lab does rely on cookies, however in practice most publishers seem to choose site-specific consent (not global) which relies only on a first party (publisher) cookie. The CCPA privacy string specification<https://github.com/InteractiveAdvertisingBureau/USPrivacy/blob/master/CCPA/Version%201.0/US%20Privacy%20String.md> does not dictate any particular storage mechanism, nor does the USP API<https://github.com/InteractiveAdvertisingBureau/USPrivacy/blob/master/CCPA/Version%201.0/USP%20API.md> (although this does have a recommendation to use a first party cookie, it does not dictate or require it).

Our expectation on the IAB Tech Lab side has been that first party publisher cookies are a long term viable storage mechanism for consent records... however the most recent ITP release seems to call that into question.

I too would welcome this conversation!

From: Sebastian Zimmeck <szimmeck@wesleyan.edu>
Date: Saturday, March 28, 2020 at 11:28 AM
To: David Dabbs <david.dabbs@epsilonconversant.com>, "Zucker-Scharff, Aram" <Aram.Zucker-Scharff@washpost.com>
Cc: "public-privacycg@w3.org" <public-privacycg@w3.org>
Subject: Re: CCPA Do-Not-Sell
Resent-From: <public-privacycg@w3.org>
Resent-Date: Saturday, March 28, 2020 at 11:28 AM

Thank you so much, David! It is great that the IAB is working on this standardization effort. What I especially like about the IAB approach is that it also covers mobile apps. Ideally, any opt out solution would cover both browsers as well as mobile apps. Maybe, even IoT devices and more.

As I understand it, though, the IAB solution is HTTP cookie-based. I am not sure whether this is the best direction to move forward. There are the usual limitations of cookies: they work on a per-browser basis and require the user to have third party cookies enabled. Also, given that Google announced phasing out third party cookies [blog.chromium.org]<https://urldefense.proofpoint.com/v2/url?u=https-3A__blog.chromium.org_2020_01_building-2Dmore-2Dprivate-2Dweb-2Dpath-2Dtowards.html&d=DwMGaQ&c=RAhzPLrCAq19eJdrcQiUVEwFYoMRqGDAXQ_puw5tYjg&r=4ydXbc7IBUz-Cc0XwXf-b8xnEAdZxMjj-0KISFR0cBw&m=kTQtZYskGtLcXehuqOqy5QhH-Zt3gLYoVvF1u8Pl50k&s=01kRGRDRL4VfHgvQrKOSWBmK38zw-M3pqzutQX2uTuA&e=> and that Firefox is blocking third party cookies by default [blog.mozilla.org]<https://urldefense.proofpoint.com/v2/url?u=https-3A__blog.mozilla.org_blog_2019_09_03_todays-2Dfirefox-2Dblocks-2Dthird-2Dparty-2Dtracking-2Dcookies-2Dand-2Dcryptomining-2Dby-2Ddefault_&d=DwMGaQ&c=RAhzPLrCAq19eJdrcQiUVEwFYoMRqGDAXQ_puw5tYjg&r=4ydXbc7IBUz-Cc0XwXf-b8xnEAdZxMjj-0KISFR0cBw&m=kTQtZYskGtLcXehuqOqy5QhH-Zt3gLYoVvF1u8Pl50k&s=hE9RN0Sf5SVOra4Marj_5bZzrywjyXl6AzKqxtotcVk&e=> there is a trend against using cookies. Instead, an HTTP header-based solution (similar to DNT) may be a better alternative, at least, in the browser environment. One could also think more broadly of a privacy registry, similar to the Do-Not-Call registry.

Good to be in touch as well, Aram! It would be great to learn more about your approach. We are in the process of assembling a group of academics, company representatives, activists, and everyone else who is interested in developing specifications for the CCPA, particularly, a Do-Not-Sell signal. I see the opportunity to come up with a good specification.

Best regards,


Check out PrivacyFlash Pro<https://github.com/privacy-tech-lab/privacyflash-pro>
Developed at the privacy-tech-lab [privacy-tech-lab.github.io]<https://urldefense.proofpoint.com/v2/url?u=https-3A__privacy-2Dtech-2Dlab.github.io_&d=DwMGaQ&c=RAhzPLrCAq19eJdrcQiUVEwFYoMRqGDAXQ_puw5tYjg&r=4ydXbc7IBUz-Cc0XwXf-b8xnEAdZxMjj-0KISFR0cBw&m=kTQtZYskGtLcXehuqOqy5QhH-Zt3gLYoVvF1u8Pl50k&s=xreKAwUbOTaCR35BxcAk8Vp4qyUAq4zt-YhZHUJXvNU&e=>, Wesleyan University

On Fri, Mar 27, 2020 at 10:37 AM Zucker-Scharff, Aram <Aram.Zucker-Scharff@washpost.com<mailto:Aram.Zucker-Scharff@washpost.com>> wrote:
Hi Sebastian,

We're very interested in the CCPA conversation and have been pushing for a browser level signal that works with the IAB's proposed approach, as the law calls for such a signal to be supported. We'd be glad to about the concerns we're looking at and what our proposed solutions are and why. I'm not sure there's enough interest in this group for one of our spun out stand alone calls on this topic, but I'd be glad to talk via phone one on one if no one else is interested in joining.

-- Aram Zucker-Scharff
Ad Engineering Director, RED
The Washington Post

On 3/27/20, 4:22 AM, "David Dabbs" <david.dabbs@epsilonconversant.com<mailto:david.dabbs@epsilonconversant.com>> wrote:


    Hello Professor Zimmeck.

    You should probably look into the signal specification created by the IAB…


    The TechLab's CCPA working group is currently working on a signaling scheme for communicating "delete requests."

    Best regards,


    From: Sebastian Zimmeck <szimmeck@wesleyan.edu<mailto:szimmeck@wesleyan.edu>>
    Sent: Thursday, March 26, 2020 11:54 AM
    To: public-privacycg@w3.org<mailto:public-privacycg@w3.org>
    Subject: CCPA Do-Not-Sell


    I am an assistant professor of computer science at Wesleyan University. I came across your https://urldefense.proofpoint.com/v2/url?u=https-3A__www.w3.org_community_privacycg_&d=DwIGaQ&c=RAhzPLrCAq19eJdrcQiUVEwFYoMRqGDAXQ_puw5tYjg&r=4ydXbc7IBUz-Cc0XwXf-b8xnEAdZxMjj-0KISFR0cBw&m=6qbjQcgCoO1w5doFKczqF6IwUEZkqnl26ghgnkgOcAU&s=wWpxtuDWP2HVeWw8HXfc_qRC-q8irITxjTG_8yiZ1WQ&e=  as I am working with my students on software implementations for the privacy rights in the California Consumer Privacy Act (CCPA). In this context, we are particularly interested in protocols and policies for standardizing the Do-Not-Sell signal. Is that an issue of interest to your group as well?

    Some background (that you already may be aware of): at the beginning of this year the CCPA became effective. In addition to the rights of data access and deletion, this new privacy law gives consumers the right to opt out from the sale of personal information. A "sale" is understood broadly and likely covers, for example, a website or app disclosing location data or device identifiers to an ad network for purposes of monetization. Now, the most recent https://urldefense.proofpoint.com/v2/url?u=https-3A__www.oag.ca.gov_sites_all_files_agweb_pdfs_privacy_ccpa-2Dtext-2Dof-2Dsecond-2Dset-2Dmod-2D031120.pdf-3F&d=DwIGaQ&c=RAhzPLrCAq19eJdrcQiUVEwFYoMRqGDAXQ_puw5tYjg&r=4ydXbc7IBUz-Cc0XwXf-b8xnEAdZxMjj-0KISFR0cBw&m=6qbjQcgCoO1w5doFKczqF6IwUEZkqnl26ghgnkgOcAU&s=E9Rn89dzAxtR4eX9Jf2MPE-4y9waXtjkKIjLK4INp14&e=  published by the California Attorney General specify that automatic signals communicating a user's decision to opt out must be respected. Here is the relevant language:

    "If a business collects personal information from consumers online, the business shall treat user-enabled global privacy controls, such as a browser plugin or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information as a valid request ... ."

    We think that it would be worthwhile to have a discussion of these developments. In particular, the Do-Not-Sell signal could be similar to a Do-Not-Track (DNT) signal. However, the difference is that recipients of the DNT signal were not required to comply with the signal. Rather, they only needed to say whether they would comply; per the California Online Privacy Protection Act (CalOPPA).

    Also, the CCPA may have substantial impact beyond California as some companies, e.g., Microsoft, already said that they would apply the CCPA to all consumers in the US.

    Beyond solutions for the browser we are also thinking about what could be done for mobile apps.

    It would be great to get a discussion started ...

    Best regards,


    Disclaimer The information in this email and any attachments may contain proprietary and confidential information that is intended for the addressee(s) only. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, retention or use of the contents of this information is prohibited. When addressed to our clients or vendors, any information contained in this e-mail or any attachments is subject to the terms and conditions in any governing contract. If you have received this e-mail in error, please immediately contact the sender and delete the e-mail.

Received on Tuesday, 31 March 2020 13:30:24 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 31 March 2020 13:30:25 UTC