[saag] CCPA Do-Not-Sell
Sebastian Zimmeck <szimmeck@wesleyan.edu> Thu, 26 March 2020 16:32 UTC
From: Sebastian Zimmeck <szimmeck@wesleyan.edu>
Date: Thu, 26 Mar 2020 12:31:55 -0400
To: saag@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/TgJbn2CQ4bQ0FZf3hu3kCaeiHlk>
List-Id: Security Area Advisory Group <saag.ietf.org>

At the beginning of this year the California Consumer Privacy Act (CCPA) became effective. In addition to the rights of data access and deletion, this new privacy law gives consumers the right to opt out from the sale of personal information. A "sale" is understood broadly and likely covers, for example, a website or app disclosing location data or device identifiers to an ad network for purposes of monetization.

Now, the most recent regulations to the CCPA <https://www.oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-text-of-second-set-mod-031120.pdf?> published by the California Attorney General specify that automatic signals communicating a user's decision to opt out must be respected. Here is the relevant language:

"If a business collects personal information from consumers online, the business shall treat user-enabled global privacy controls, such as a browser plugin or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information as a valid request ... ."

I am interested in setting up a working group on such device controls. The Do-Not-Sell signal could be similar to a Do-Not-Track (DNT) signal. However, the difference is that recipients of the DNT signal were not required to comply with the signal. Rather, they only needed to *say* whether they would comply; per the California Online Privacy Protection Act (CalOPPA). Also, the CCPA may have substantial impact beyond California as some companies, e.g., Microsoft, already made clear that they would apply the CCPA to all consumers in the US.

It would be great to get a discussion started ...

Best regards,

Sebastian

_______________________________________________
Check out PrivacyFlash Pro <https://github.com/privacy-tech-lab/privacyflash-pro>
Developed at the privacy-tech-lab <https://privacy-tech-lab.github.io/>, Wesleyan University