Re: CA AB375

[Moving Thomas to bcc]

The law distinguishes delete and opt out. 

IMHO, a header is a cleaner mechanism for on-going opt out, especially when the users who opt out are likely going to be the sort to block or clear cookies. But that is not the law that just passed.

That said… there were many things we could do with DNT as a voluntary standard that do not work with a state-wide law. For example, when Google pulled sending DNT headers from Chrome on iOS, stating it was not a policy decision but rather due to Apple’s technical changes, in DNT land that is a shrug and move on event. With a law, though, there is a problem. Is Apple compelled to weaken their security model to support Google sending a header? Is Google barred from offering Safari on iOS if they cannot send a header? These sorts of things become rather nasty questions of the sort we never had to deal with here in DNT land. 

Again, I did not draft the law. Those who did write it were certainly not ignorant of the existence of headers; DNT was a reference text. Choosing not to use headers was a deliberate decision. Beyond that I do not know.

 Aleecia

> On Jun 30, 2018, at 1:28 AM, Mike O'Neill <michael.oneill@baycloud.com> wrote:
> 
> Actually the UID cookie is unnecessary. The lobbyists will want verifiable request to be sending a copy of your birth certificate or something, but a header signal generated by your browser is a clear indication that it is you and you want (at least this) data deleted. A cookie would allow you to signal that data collected at other times should be deleted also, but if DNT is in every (HTTP) request data should always be immediately deleted.
> 
> If this interpretation became the norm it would avoid "administrative burden" and be consistent with ePrivacy/GDPR.
> 
> 
> -----Original Message-----
> From: Aleecia M. McDonald <aleecia@aleecia.com> 
> Sent: 29 June 2018 00:04
> To: Mike O'Neill <michael.oneill@baycloud.com>
> Cc: public-tracking@w3.org (public-tracking@w3.org) (public-tracking@w3.org) <public-tracking@w3.org>; Thomas Roessler <roessler@does-not-exist.org>
> Subject: Re: CA AB375 
> 
> I cannot speak for the drafters of the bill, but I expect they were uninterested in using DNT headers.
> 
>  Aleecia
> 
>> On Jun 28, 2018, at 3:56 PM, Mike O'Neill <michael.oneill@baycloud.com> wrote:
>> 
>> Great news!
>> 
>> One thought: if a "verifiable request" to delete personal data, in order to minimise the administrative burden, can be via a "password-protected account" i.e. the consumer can be identified via an authentication string in a cookie, then why not an HTTP request containing a UID cookie along with DNT:1.
>> 
>> -----Original Message-----
>> From: Aleecia M. McDonald <aleecia@aleecia.com> 
>> Sent: 28 June 2018 23:22
>> To: public-tracking@w3.org
>> Cc: Thomas Roessler <roessler@does-not-exist.org>
>> Subject: CA AB375 
>> 
>> Today, after a colorful legislative history, California passed the California Consumer Privacy Act of 2018. The governor just signed it into law.  
>> 
>> I get no credit / blame for this one, but those reading the text will notice it looks familiar. No coincidence. Parts of DNT will live on in this legislation that covers 40 million people.
>> 
>> Unlike DNT, UI was not out of scope. Ah, I won’t spoil it, I’ll let you read the bill [1] yourselves. 
>> 
>> The law does not come into force until 2020. There will undoubtedly be a great deal of interest in “clean up” legislation. 
>> 
>> On Monday I join the faculty at Carnegie Mellon based at the Silicon Valley campus.
>> 
>> Be seeing you,
>> 
>>  Aleecia
>> 
>> [1] http://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201720180AB375

Received on Saturday, 30 June 2018 19:54:00 UTC