[low priority/informational] usnat and usca both have a field called SensitiveDataProcessing with overlapping "sub options", but some of the overlapping "sub options" are grouped differently #86

Open
matt-martin opened this issue Jul 6, 2023 · 3 comments

Comments

@matt-martin

In the spec for the US National section, the SensitiveDataProcessing field has separate flags for:

(1) Consent to Process the Consumer’s Sensitive Data Consisting of Personal Data Revealing Racial or Ethnic Origin.
...
(2) Consent to Process the Consumer’s Sensitive Data Consisting of Personal Data Revealing Religious or Philosophical Beliefs.
...
(11) Consent to Process the Consumer’s Sensitive Data Consisting of Union Membership.

But in the spec for the California section, the SensitiveDataProcessing field combines all three of these into one:

(4) Opt-Out of the Use or Disclosure of the Consumer's Sensitive Personal Information Which Reveals a Consumer's Racial or Ethnic Origin, Religious or Philosophical Beliefs, or Union Membership.

It's not an issue for me personally (and maybe it isn't an issue for anybody else either), but I'm wondering why these are represented as three separate choices in usnat, but lumped together as one choice in the usca section?

@matt-martin
Author

matt-martin commented Jul 6, 2023

Similarly confusing to me is the fact that the KnownChildSensitiveDataConsents field in the usnat section defines two flags:

(1) Consent to Process the Consumer’s Personal Data or Sensitive Data for Consumers from Age 13 to 16.
...
(2) Consent to Process the Consumer’s Personal Data or Sensitive Data for Consumers Younger Than 13 Years of Age.

Whereas the field with the same name in the usca section defines two totally different flags:

(1) Consent to Sell the Personal Information of Consumers Less Than 16 years of Age
...
(2) Consent to Share the Personal Information of Consumers Less Than 16 years of Age

It's entirely possible that I'm missing some obvious explanation for why these should be different, but at first glance these seem so different that I don't immediately know how to make sense of it. And more to the point, it makes me wonder if one (or both) are "incorrect" in some way I don't understand.

@jaredmoscow
Collaborator

@matt-martin for SensitiveDataProcessing:

  1. The usnat takes a highest bar approach across each state included in the GPP. Due to the definitions of individual state statutes, there is a breakout of the sensitive data categories/inputs.
  2. In California, their structure matches the definition in the state statute: https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.140. Cal Code defines the "(D) A consumer’s racial or ethnic origin, citizenship or immigration status, religious or philosophical beliefs, or union membership.", which is why the state section has this format specific for CA.

Similar application for the questions on known child sensitive data with the state vs. national section applicability.

@HeinzBaumann
Collaborator

@lamrowena Perhaps something for your GPP working group to review.
