The California Consumer Privacy Act and Impact for Network Measurement and Research - PowerPoint PPT Presentation



SLIDE 1

The California Consumer Privacy Act and Impact for Network Measurement and Research

Scott Jordan, University of California, Irvine

SLIDE 2

Who has responsibilities?

CCPA (California):

  • “business”:
    - for profit
    - does business in California
    - collects personal information
    - determines the purposes and means of processing of personal information
    - is large: >$25M gross revenues, or buys or sells personal information for >50k consumers

GDPR (Europe):

  • “controller”:
    - determines the purposes and means of processing of personal information of consumers in Europe

CCPA & GDPR / Scott Jordan


SLIDE 3

What constitutes an identifier?

CCPA (California):

  • a persistent identifier that can be used to recognize
    - a consumer
    - a device that is linked to a consumer
  • includes
    - device identifier
    - IP address
    - cookie
    - ad identifier
    - customer number
    - telephone number
    - email address
  • also includes
    - a combination of personal data that probabilistically identifies an individual or device

GDPR (Europe):

  • (similar)


SLIDE 4

What constitutes personal information?

CCPA (California):

  • information that
    - is linked (via an identifier) with a particular consumer, or
    - is reasonably linkable (via a join with other data) with a particular consumer
  • includes:
    - identifiers themselves
    - Internet activity information: browsing history, search history, interaction with a website or app
    - geolocation
    - inferences to create a consumer profile

GDPR (Europe):

  • (similar)


SLIDE 5

Notice requirements

CCPA (California):

  • collection / use:
    - categories of personal information
    - purposes
    - categories of sources
  • sharing:
    - categories of personal information
    - purposes
    - categories of parties with whom shared

GDPR (Europe):

  • (similar)


SLIDE 6

Data minimization requirements

CCPA (California):

  • collection and use limited to that provided in notice

GDPR (Europe):

  • (similar), plus:
  • limited to what is necessary in relation to stated purposes


SLIDE 7

Consent requirements

CCPA (California):

  • No consent requirements for collection & use.
  • Consent requirements for sharing:
    - terms & conditions for business purposes, i.e. reasonably necessary and proportionate to achieve the operational purpose: transient use, auditing, customer service, billing, order fulfilment, …, security, debugging, internal R&D
    - opt-out consent for personal information of adults
    - opt-in consent for personal information of minors

GDPR (Europe):

  • Consent requirements for collection, use, & sharing:
    - terms & conditions for user-contracted services
    - opt-in consent for anything else


SLIDE 8

Deletion requirements

CCPA (California):

  • upon verifiable request, a business shall delete the consumer’s personal information and direct any service providers to similarly do so
  • Exceptions:
    - when needed to complete a transaction, provide service requested by consumer
    - security, debugging
    - free speech
    - research

GDPR (Europe):

  • erasure of personal data if no longer necessary for purpose collected or consent withdrawn


SLIDE 9

Who qualifies as a Researcher?

  • academic?
  • within a company?
  • for profit?


SLIDE 10

What qualifies as Research?

For what purpose?

  • network security?
  • networking?
  • R&D?
  • other?

CCPA:

  • scientific, systematic study and observation, including basic research or applied research that is in the public interest
  • compatible with the business purpose for which the personal information was collected
  • used solely for research purposes that are compatible with the context in which the personal information was collected
  • not be used for any commercial purpose

GDPR:

  • archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes


SLIDE 11

Protections: De-identified / Anonymous

CCPA (California):

  • De-identified if and only if:
    - not linked (via an identifier) with a particular consumer, and
    - not reasonably linkable (via a join with other data) with a particular consumer
  • research data must be “subsequently pseudonymized and deidentified, or deidentified and in the aggregate”

GDPR (Europe):

  • Pseudonymisation:
    - not linked
    - linkable, but requires additional safeguarded information


SLIDE 12

Protections: re-identification

Re-identification:

  • technical safeguards
  • protected from any reidentification attempts
  • business processes that specifically prohibit reidentification

Data security:

  • limit access to the research data
  • prevent inadvertent release

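Slides 11 and 12 draw the line between data that is merely pseudonymised (linkable, but only with additional safeguarded information) and data that is still reasonably linkable, and list the technical safeguards and access limits a researcher is expected to put around re-identification. The following Python is an added example, not part of Scott Jordan's slides: it pseudonymises client IP addresses in a constructed network-measurement log with a keyed HMAC, and includes a re-identification risk check showing why an unkeyed hash of an IPv4 address does not meet the "not reasonably linkable" test (the address space is small enough to enumerate). HMAC-SHA256 as the pseudonymisation primitive, the record format and all addresses are assumptions of this example.

```python
"""Pseudonymising IP addresses in a measurement log (added example).

Keyed tokens are deterministic, so flows from one client stay joinable within
the dataset, but reversing a token needs the key: that key is the "additional
safeguarded information" of GDPR pseudonymisation. Unkeyed hashes look similar
but remain reasonably linkable, as the check below demonstrates.
"""
import hashlib
import hmac
import ipaddress
import secrets
from typing import Callable, List, Optional

# Constructed sample records: "<timestamp> <client_ip> <queried_name> <bytes>"
SAMPLE_LOG = [
    "2023-05-01T10:00:00Z 198.51.100.17 example.org 1432",
    "2023-05-01T10:00:02Z 198.51.100.17 example.net 880",
    "2023-05-01T10:00:05Z 198.51.100.42 example.org 2201",
]


def generate_key() -> bytes:
    """Per-dataset key. Technical safeguard (slide 12): keep it outside the
    research data set, e.g. in a restricted secret store, and pair it with a
    business process that prohibits using it for re-identification."""
    return secrets.token_bytes(32)


def pseudonymise_ip(ip: str, key: bytes) -> str:
    """Keyed replacement: same IP -> same token, reversible only with the key."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:16]


def unkeyed_hash_ip(ip: str) -> str:
    """The tempting shortcut: a plain hash with no secret involved."""
    return hashlib.sha256(ip.encode()).hexdigest()[:16]


def pseudonymise_log(lines: List[str], key: bytes) -> List[str]:
    """Rewrite the client IP column of each record; other fields are kept."""
    out = []
    for line in lines:
        ts, ip, name, nbytes = line.split()
        out.append(f"{ts} {pseudonymise_ip(ip, key)} {name} {nbytes}")
    return out


def linkable_by_enumeration(token: str, network: str,
                            hasher: Callable[[str], str]) -> Optional[str]:
    """Re-identification risk check: can the token be matched by hashing every
    address of a candidate network with the given (key-less) hasher? If yes,
    the data is still reasonably linkable and fails the de-identified test."""
    for host in ipaddress.ip_network(network).hosts():
        if hasher(str(host)) == token:
            return str(host)
    return None


if __name__ == "__main__":
    key = generate_key()
    for rec in pseudonymise_log(SAMPLE_LOG, key):
        print(rec)
    # Unkeyed token: recovered by enumerating a /24 of candidate addresses.
    weak = unkeyed_hash_ip("198.51.100.17")
    print("unkeyed token maps back to:",
          linkable_by_enumeration(weak, "198.51.100.0/24", unkeyed_hash_ip))
    # Keyed token: the same enumeration without the key finds nothing.
    strong = pseudonymise_ip("198.51.100.17", key)
    other_key = generate_key()
    print("keyed token maps back to:",
          linkable_by_enumeration(strong, "198.51.100.0/24",
                                  lambda ip: pseudonymise_ip(ip, other_key)))
```

The check only covers one candidate network; a real risk assessment would also consider joins with other columns of the record (timestamps, queried names), which is exactly the "reasonably linkable via a join with other data" clause on slide 11. Deleting the key once the study ends moves the dataset from pseudonymised toward de-identified, which is the natural way to honour the deletion requirements of slide 8 for research data.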

SLIDE 13

Protections: IRB

CCPA:

  • adheres to all other applicable ethics laws

Current bills

  • IRB


SLIDE 14

Research exception (to what?)

CCPA (California):

  • Research exempt from deletion requirements
  • De-identified data exempt from collection, use, and consent requirements

GDPR (Europe):

  • Research exempt from deletion requirements
  • Non-PII exempt from all requirements?


SLIDE 15

WHOIS

GDPR:

  • ICANN and Registrars are likely joint controllers
  • Personal information includes information linked to consumers
  • Notice includes purposes
  • Consent from domain name holders required:
    - terms & conditions for user-contracted services, or
    - opt-in consent

ICANN response:

  • Trying to figure out the WHOIS purpose
  • Response to query will only contain:
    - sponsoring Registrar, status, and creation and expiration dates
    - no personal data
  • Registrars not required by ICANN to obtain consent
  • Pushes the issue down to Registrars:
    - Is the personal data required for the Registrar-provided service?


SLIDE 16

DNS

Comcast:

  • Privacy Policy:
    - Collection: network traffic data
    - Use: marketing and advertising
    - Sharing: opt-in consent required for sharing of personally identifiable web browsing information; no consent required for de-identified information
    - but de-identified not defined here …
  • Public Statement:
    - we do not track the websites you visit …

Mozilla:

  • DoH Resolver Policy:
    - Collection: resolver may collect identifiable user data
    - Use: only for the purpose of operating the resolver service; no combining of collected data with other data to identify users
    - Sharing: no sharing of personal information
