RE: Proposed California Law affecting DNT

Para (6) is clearly meant to cover UIDs in cookies and para (7) any collected data which is combined with that, 

(6) Any other identifier that permits the physical or online contacting of a specific individual.

(7)  Information concerning a user that the Web site or online line service collects online from the user and maintains in personally identifiable form in combination with an identifier described in this subdivision. 


If you have a persistent cookie encoded ID it is trivially easy to connect that with other PII such as an email address. In fact it is widespread current practice. A unique ID stored in a user’s device, if it is persistent, can pinpoint an individual far more exactly than their name or many other widely recognised kinds of PII. IP addresses can also be reasonably specific (especially in IPv6) and, even when truncated to reduce entropy, are very often used in combination with cookie encoded UIDs in order to collect people’s online activity across multiple domains.


BTW this is why the current attempt by some to use the term “pseudonymous” to avoid explicit consent in the EU DPR  will not work. Not only that UIDs can be linked with other PII, but that this already occurs on a massive scale.



From: Ian Fette (イアンフェッティ) [] 
Sent: 29 March 2013 00:02
To: John Simpson
Cc: (
Subject: Re: Proposed California Law affecting DNT


Two thoughts,


1, it seems the language of the bill is a bit confused around who is doing what, specifically it talks about the first party honoring the request to not "track", with an added obligation to explicitly call out the special circumstance where the website somehow enforces restrictions on third parties (by technical or contractual means?!)


2, hey, it defines tracking! And the tracking seems to be defined as the collection of PII such as name, email, or social security number (specifically defined on page 3 line 19 forward).


On Thu, Mar 28, 2013 at 4:53 PM, John Simpson <> wrote:



The California Attorney General is sponsoring a bill that could be of interest to our working group. It is AB 370 introduced by Assemblyman Al Muratsuchi.  I've attached it as a PDF file.  I'm not sure that the current language exactly accomplishes what the AG's office tells me is their intent, but here is what I was told they want to do:


The bill would amend existing California law requiring privacy policies to require that a commercial website would have to include in its privacy policy whether or not it honors a Do-Not-Track message.  The intent, I was told, is to increase transparency and shift some of the responsibility for Do Not Track on to consumer-facing 1st party sites.


The idea is that a 1st party website could not claim it honored Do Not Track if it allowed or knew it had 3rd parties on its site that engaged in tracking.


The bill offers this definition of tracking:


"The term "online tracking" means the practice of collecting personally identifiable information about and individual consumer's online activities over time and across different Web sites and online services."


I thought you would be interested.


Best regards,





John M. Simpson

Privacy Project Director

Consumer Watchdog

2701 Ocean Park Blvd., Suite 112

Santa Monica, CA, 90405

Tel: 310-392-7041

Cell: 310-292-1902









Received on Friday, 29 March 2013 09:08:33 UTC