[Secdispatch] CCPA Do-Not-Sell
Sebastian Zimmeck <szimmeck@wesleyan.edu> Sun, 22 March 2020 00:08 UTC
Return-Path: <szimmeck@wesleyan.edu>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 652323A080A for <secdispatch@ietfa.amsl.com>; Sat, 21 Mar 2020 17:08:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=wesleyan.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Yv22GjqXmTdi for <secdispatch@ietfa.amsl.com>; Sat, 21 Mar 2020 17:08:52 -0700 (PDT)
Received: from mail-il1-x12b.google.com (mail-il1-x12b.google.com [IPv6:2607:f8b0:4864:20::12b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4AB603A0805 for <secdispatch@ietf.org>; Sat, 21 Mar 2020 17:08:52 -0700 (PDT)
Received: by mail-il1-x12b.google.com with SMTP id l14so9594437ilj.8 for <secdispatch@ietf.org>; Sat, 21 Mar 2020 17:08:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wesleyan.edu; s=wesgmail; h=mime-version:from:date:message-id:subject:to; bh=unw0pjq9vJp98bPU9TMXc8AfwLTBTe8VBRhSn2bw7aI=; b=g0go/C9/xOyMQmeL589IOk2MD+p7Sd4SNcXvCKdmhynAQilvN0Q94F2U1ng2BmftrV 0CWNTCIV5r7/aD53YlqY3YODVwzdXt3G56Mc7LxfAulRC+aPc2Q7Jz7J4Vf6IjaAAx2q Ve1k2VmfBiwXss+t56Q09oDCaiAPCiAI61ijw=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=unw0pjq9vJp98bPU9TMXc8AfwLTBTe8VBRhSn2bw7aI=; b=NmOltcOrW0464g8kVroqYHntEKnE6cpIbPSv+4sMhb1IgShHBTQ/NSjWjUYGE27VLH XXw86R3vwtZ7ml4fWY0aDfUueyu1oDM0x3alhnOKUE3iSY7jjOYcEwxtyVJCZgX06rzC iFjSkY5QK30LkmtOEyrltny2PU8JqFPKNHxoJbRiBgCwR6omOJJeRdX12w6hk5LmzymJ 2FAFTdZLl4zZKR+kZI4XaXeZxrk/3ZEgikNts78qw6bBaN4EGXoS/IVkC4jVCokfqf1z 1q/pAJHEFXbwvbyHpzBrOFrz5Kwn/uoLdcAjVWrbt85xkHWTOiYnZmbB5RmJwjjsQ4C0 TSBg==
X-Gm-Message-State: ANhLgQ12Kml6QPuIzxtJPIlB+E+QIDoR0iLjimTm+qCAI/NJjR7TlsQZ Ri5AlzhqzcXOyHZHxw5/geCeHhlsZqryXuaMLSpn/No8t7E=
X-Google-Smtp-Source: ADFU+vv760HOjnkzK2NyWIhe/T4n/OlW2FVJul5m+XBU0ZELo3DSP20SPGmOfDVmUCODo2ITB022zGRDEfFX0E4dEJU=
X-Received: by 2002:a92:6501:: with SMTP id z1mr15294249ilb.235.1584835730934; Sat, 21 Mar 2020 17:08:50 -0700 (PDT)
MIME-Version: 1.0
From: Sebastian Zimmeck <szimmeck@wesleyan.edu>
Date: Sat, 21 Mar 2020 20:08:40 -0400
Message-ID: <CAD-GkkVSkS63pvMG7g355xLX3MDO10Mg0nrVgj1dh33JNymvpw@mail.gmail.com>
To: secdispatch@ietf.org
Content-Type: multipart/alternative; boundary="000000000000c5485505a16652bf"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/ugnV1sFAMSdBHsd6OWssUu8XSCc>
Subject: [Secdispatch] CCPA Do-Not-Sell
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 22 Mar 2020 01:15:22 -0000
At the beginning of this year the California Consumer Privacy Act (CCPA) became effective. In addition to the rights of data access and deletion, this new privacy law gives consumers the right to opt out from the sale of personal information. A "sale" is understood broadly and likely covers, for example, a website or app disclosing location data or device identifiers to an ad network for purposes of monetization. Now, the most recent regulations to the CCPA <https://www.oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-text-of-second-set-mod-031120.pdf?> published by the California Attorney General specify that automatic signals communicating a user's decision to opt out must be respected. Here is the relevant language: "If a business collects personal information from consumers online, the business shall treat user-enabled global privacy controls, such as a browser plugin or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information as a valid request ... ." I am interested in setting up a working group on such device controls. The Do-Not-Sell signal could be similar to a Do-Not-Track (DNT) signal. However, the difference is that recipients of the DNT signal were not required to comply with the signal. Rather, they only needed to *say* whether they would comply; per the California Online Privacy Protection Act (CalOPPA). Also, the CCPA may have substantial impact beyond California as some companies, e.g., Microsoft, already made clear that they would apply the CCPA to all consumers in the US. It would be great to get a discussion started ... Best regards, Sebastian _______________________________________________ Check out PrivacyFlash Pro <https://github.com/privacy-tech-lab/privacyflash-pro> Developed at the privacy-tech-lab <https://privacy-tech-lab.github.io/>, Wesleyan University
- [Secdispatch] CCPA Do-Not-Sell Sebastian Zimmeck
- Re: [Secdispatch] CCPA Do-Not-Sell Benjamin Kaduk
- Re: [Secdispatch] CCPA Do-Not-Sell Sebastian Zimmeck