RE: CA AB375 from Mike O'Neill on 2018-06-30 (public-tracking@w3.org from June 2018)

From: Mike O'Neill <michael.oneill@baycloud.com>
Date: Sat, 30 Jun 2018 09:28:43 +0100
To: "'Aleecia M. McDonald'" <aleecia@aleecia.com>
Cc: <public-tracking@w3.org>, "'Thomas Roessler'" <roessler@does-not-exist.org>
Message-ID: <05ce01d4104c$5b8a5ba0$129f12e0$@baycloud.com>

Actually the UID cookie is unnecessary. The lobbyists will want verifiable request to be sending a copy of your birth certificate or something, but a header signal generated by your browser is a clear indication that it is you and you want (at last this) data deleted. A cookie would allow you to signal that data collected at other times should be deleted also, but if DNT is in every (HTPP) request data should always be immediately deleted.

If this interpretation became the norm it would avoid "administrative burden" and be consistent with ePrivacy/GDPR.


-----Original Message-----
From: Aleecia M. McDonald <aleecia@aleecia.com> 
Sent: 29 June 2018 00:04
To: Mike O'Neill <michael.oneill@baycloud.com>
Cc: public-tracking@w3.org (public-tracking@w3.org) (public-tracking@w3.org) <public-tracking@w3.org>; Thomas Roessler <roessler@does-not-exist.org>
Subject: Re: CA AB375 

I cannot speak for the drafters of the bill, but I expect they were uninterested in using DNT headers.

 Aleecia

> On Jun 28, 2018, at 3:56 PM, Mike O'Neill <michael.oneill@baycloud.com> wrote:
> 
> Great news!
> 
> One thought: if a "verifiable request" to delete personal data, in order to minimise the administrative burden, can be via a "password-protected account" i.e. the consumer can be identified via an authentication string in a cookie, then why not an HTTP request containing a UID cookies  along with DNT:1. 
> 
> -----Original Message-----
> From: Aleecia M. McDonald <aleecia@aleecia.com> 
> Sent: 28 June 2018 23:22
> To: public-tracking@w3.org
> Cc: Thomas Roessler <roessler@does-not-exist.org>
> Subject: CA AB375 
> 
> Today, after a colorful legislative history, California passed the California Consumer Privacy Act of 2018. The governor just signed it into law.  
> 
> I get no credit / blame for this one, but those reading the text will notice it looks familiar. No coincidence. Parts of DNT will live on in this legislation that covers 40 million people.
> 
> Unlike DNT, UI was not out of scope. Ah, I won’t spoil it, I’ll let you read the bill [1] yourselves. 
> 
> The law does not come into force until 2020. There will undoubtedly be a great deal of interest in “clean up” legislation. 
> 
> On Monday I join the faculty at Carnegie Mellon based at the Silicon Valley campus.
> 
> Be seeing you,
> 
>  Aleecia
> 
> [1] http://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201720180AB375
> 
> 
> 
> 
>

Received on Saturday, 30 June 2018 08:29:15 UTC