Me2B CCPA SIG, in formation.

Britt Blaser
Dec 18, 2019

Outrageous! The Me2B Alliance says that carbon-based persons matter more than corporate charter-based persons, a dubious heritage from 1886.

Me2B: Me-to-a-Business, inverting the tech industry’s dominance model:

1️⃣ B2B, Business-to-Business.
2️⃣ B2C, Business-to-Consumer.

Me2B has the resources and determination to elevate human rights above the “B2X” stack: that crippling assumption that a business should hold all the cards and deal from wherever in the deck it chooses to, literally Wrethinking the Internet.

The tireless Lisa LeVasseur has organized a Me2B webinar, CCPA Through a Me2B Lens; Thursday, Dec 19, 2019 8:30-9:30 AM Los Angeles (PST)

The California Consumer Privacy Act (“CCPA”) takes effect on January 1, 2020 — the first comprehensive consumer privacy law enacted in the United States. It creates new obligations for businesses and new rights for consumers.

But does it really get at the heart of the issues that consumers ought to be worried about when they share data with businesses and online services and platforms? This webinar will look at the key provisions of the CCPA from the perspective of the Me2B Alliance, asking what the law does — and doesn’t — do to advance consumer interests and agency in their online interactions with businesses.

Speaker: Christopher W. Savage, Partner, Davis Wright Tremaine LLP

Chris Savage, CIPP/US and CIPT/US, helps companies in communications and data-centric industries navigate legal and regulatory issues involving communications, privacy, and data security. For clients with immediate problems, when compromise is possible, he negotiates solutions that work. When it isn’t, he litigates — against the government or private parties, as needed. For clients who can take a longer view, Chris works with regulators and legislators to help build a legal ecosystem where clients can flourish.

Chris brings nearly four decades of diverse experience to every client problem. He has handled issues about competitors entering established markets; technical and economic aspects of network interconnection; deployment of new technology and infrastructure; data security and privacy; and complex issues of cost allocation, financial accounting, and contract interpretation.

Chris Savage is the authority on Managing the Ambient Trust Commons: The Economics of Online Consumer Information Privacy, Stanford Technical Law Review, so who better to advise us?

Chris & Me and the Bethesda Original Pancake House

Chris Savage is also the lawyer for the League of Technical Voters, which I chair, with Chris serving on the board along with Phil Windley and Doc Searls. From 2012 to 2018, Chris and I had breakfast about once a month, teasing out the question, “If we had a League of Technical Voters, what would it do?”

It took a lot of pancakes to find the answer, and it’s based on principles laid out by Clay Shirky in 2012: How the Internet will (one day) transform government, when he explained that lawmakers and codemakers do the same thing: draft, edit and manipulate blocks of arcane text which, when added to the existing code base, have real effects in the real world, usually unexpected. Shirky says legislators should use GitHub, which they don’t, mostly because:

Linus, we have a problem.

To apply this “Shirky Method”, technical voters need to influence legislative committees by connecting with the constituents of the members of those committees.

That’s what the GEOvoter API is for, 61 lines of code that verify 6–7 political jurisdictions for any U.S. lat-long. Phil Windley described it in Verifying Constituency, a Sovrin Use Case.

Chris Savage offices at 1919 Pennsylvania Avenue NW in Washington, DC, so he understands how his neighbors see the world. But a key difference is that he’s required to fix real problems for telecom clients whose businesses are driven by technology as much as regulation: they must constantly maintain their code base.

The Internet and everything that followed is based on the Internet Engineering Task Force mantra, “rough consensus and running code”. “Rough consensus” being an interest group’s broad strategic vision and “running code” the set of affordances that produce the desired results.

Important movements like Me2B start with broad conversations seeking consensus but rarely get around to the tactical legislative actions that deliver the results they seek, and that’s a problem because a non-lobbyist initiative rarely survives first contact with a legislature.

Me2B has the opportunity to be the leading architect driving updates to the CCPA, by thinking strategically AND acting tactically. If it does, Me2B can take a dramatically new, direct, and powerful role in crowdsourcing improvements to the CCPA.

As a direct result of all our breakfasts, the League of Technical Voters has slowly developed a reproducible set of methods applicable to the CCPA’s legislative context: mobilizing Californians who live in the few California Assembly districts whose representatives produced the CCPA.

On first hearing, the process sounds complex, arduous and too granular. But those are the things that the Internet is good at. It takes a single click for Amazon to send you a TV, and some day it will be as non-miraculous to order up new laws and policies. Like Amazon services, there are a lot of moving parts, but the good news is that OutreachCircle.com, a Los Altos company, is mastering the complexities of Peer-to-Peer (P2P) outreach so that Me2B members can identify and reach out to friends who are constituents of the Assembly committee members Me2B needs to influence.

The place to go to Crowdsource policy, in specific committees, on specific schedules

That’s a big deal. It means that Me2B can host a meaningful ecosystem to repeatedly update the CCPA, demonstrating to other states, and even DC, the only activism that matters:

Pass specific bills, in specific committees, on specific schedules.

CCPA History

The California Consumer Privacy Act was introduced on February 9th, 2017, and referred to two California State Assembly committees for drafting. Other committees were later involved, but they’re enough for today’s example:

• The 11-member California Committee on Privacy and Consumer Protection, chaired by Ed Chau, (916) 319–2049.
• The 13-member Committee on Communications and Conveyance, chaired by Miguel Santiago, (916) 319–2053.

Therefore, Me2B’s CCPA Special Interest Group needs only to mobilize voters in 23 of California’s 80 Assembly districts to start amending the CCPA. (Not 24, because Assemblymember Jay Obernolte serves on both committees.) Better yet, the powerful chairs of both committees serve two small districts, 49 & 53, a few blocks apart on I-10 in Los Angeles:

We’ll need F2F & dim sum to get to Me2B. The Luminarias Restaurant seems handy.

Here’s the full list of the current committee members:

The people who want to help Me2B crowdsource the CCPA

That’s great, but there’s nothing more important than building a rapport with the committees’ staffs:

Staff: Committee on Privacy and Consumer Protection

Chief Consultant: Ronak Daylami
Consultant: Nichole Rapier Rocha
Committee Secretary: Lorreen Pryor
916.319.2200 phone
916.319.3222 fax

Staff: Committee on Communications and Conveyance

Edmond Cheung, Chief Consultant
Kala Tailor, Committee Secretary
State Capitol, Room 6027
Sacramento, California 95814
916.319.2637 phone
916.319.3560 fax

GitHub’s Notice: conforming to the California Consumer Privacy Act

An Excellent Explainer from the GitHub blog

GitHub’s tl;dr for California’s new privacy law: Do not sell
Tyler Fuller, November 11, 2019

Developers know that guarding privacy is key to building trust. A positive development in privacy regulation is the California Consumer Privacy Act (CCPA), which goes into effect in January 2020. This law requires businesses to make tough choices about how they handle user information, including to publicly declare whether they sell users’ personal information. In line with our standing commitment to preserving user privacy, GitHub has chosen a clear pro-privacy path, and we encourage other internet platforms to follow in our footsteps for the benefit of users. GitHub does NOT sell our users’ personal information. While CCPA only covers California residents, GitHub will voluntarily extend its core rights for people to control their data to all of our users across the United States, not just those who live in California.

GitHub and the CCPA

Like the European Union’s landmark privacy law, the General Data Protection Regulation (GDPR), the CCPA gives users control of their personal information. The CCPA provides users with the right to access their personal information that a business collects, uses, or sells. It also provides users the rights to ask businesses to delete their personal information and protects users from discriminatory treatment if they exercise their CCPA rights. But unlike GDPR, this law only imposes requirements on businesses and only gives rights to California residents. Although that is the extent of the law, GitHub will voluntarily extend the core rights for people to control their data under CCPA when it takes effect to all of our users in the U.S., not just those who live in California.

The CCPA also requires businesses that sell user information to post a button or logo that says “Do Not Sell My Personal Information” clearly on their homepage as a way to allow users to opt out of the sale of their personal information. This law uses a broad definition of “sale” — the act of disclosing personal information “for monetary or other valuable consideration.” In other words, selling doesn’t require the exchange of money — anything of value counts under the CCPA. GitHub does not sell our users’ personal information, so you won’t see a “Do Not Sell” button on our website or any of our services.

Learn more from the CCPA page for California residents

What this means for developers

The CCPA goes into effect in January 2020. Businesses whose activity falls within the definition of “sale” either need to display a “Do Not Sell” button prominently on their website or change their business practices so they no longer fall within that definition.

The GDPR and CCPA aren’t the only data protection laws that developers shipping to a global audience will need to consider. At least 107 countries have data protection laws, with many expected to work on new or updated legislation in the coming year. The US Congress will likely consider federal legislation, which may or may not preempt state laws — and we’re looking forward to robust privacy protections it may establish for users. In addition, the US state of Washington’s legislature is considering a similar privacy act to the CCPA.

In order to determine what data protection laws are applicable and what specific actions are necessary for compliance, many developers will work with an in-house legal team or outside counsel. However, there are several general principles and practices that developers can keep in mind to help prepare for compliance with the CCPA or other new data protection laws, and more importantly, help protect the users of whatever developers are building. The following sections cover a few ways you can prepare.

Understand, map, and document data flows

Data inventory: To adequately protect your users’ data, you need to make sure you’re tracking data flows to know who has access to what data, where it goes, and where it’s stored.

Internal documentation: Make sure you have clear rules and explanations for anyone who handles or touches user data in any way.

External documentation: Revisit your privacy policy to see whether you need to update it, for example, with additional disclosures about when and with whom you share user information.

Track data so you can respond to user requests

Mapping your data flows isn’t only to help you better understand how you can protect it. It will also help you respond to requests from users to access their data, or, in some cases, delete it.

Keep in mind, the CCPA law uses a different framework along with different definitions and has a different scope than GDPR. This means that it’s not as simple as just doing whatever you’re already doing for GDPR compliance. For example, the CCPA law requires certain disclosures that GDPR doesn’t and it structures user information requests differently. You’ll need to alter your system for responding to those requests accordingly.

Make sure that businesses who have access to your users’ data protect it

Like GDPR, the CCPA requires you to disclose who you share information with. The CCPA also requires you to say what categories of data you share both at the time you collect it and in response to user requests. To make sure vendors or anyone else you share user information with is adequately protecting it, it’s a good idea to sign an agreement on data protection. Since we’re not your lawyers, that’s about as far as we’ll go — but it’s probably a good idea to get one to help you with that.

And that’s why the Me2B CCPA SIG is lucky to learn from Chris Savage tomorrow.

Written by Britt Blaser

Founder & CEO, NewGov.US. A public utility for managing politicians.
