Data Deletion Request Handling spec #6
if(typeof (json) === 'object' && json !== null && '__uspapiCall' in json) | ||
{ | ||
var i = json.__uspapiCall; | ||
window.__uspapi(i.command, i.version, function (retValue, success) |
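Review bot: `i.command` and `i.version` are forwarded to `window.__uspapi` without any check on their types; the only validation is that the message data is a non-null object carrying `__uspapiCall`. Reject the message unless `i.command` is a string and `i.version` a number, and, given the question below about the `identifiers` parameter, forward `i.identifiers` as the fourth argument here too so calls relayed over postMessage reach `performDeletion` with the same data as direct callers.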
Does this need the extra optional parameter ('identifiers') used in non-web contexts as a placeholder?
yes, probably
can you show exactly where that would go?
It's already there I think. I may have missed it in my original comment or it may have been added (not honestly sure which). It's on line 229 below.
Co-authored-by: lon-pilot-mpf <36295845+lon-pilot-mpf@users.noreply.github.com>
Co-authored-by: Andrea Giannangelo <facens@gmail.com>
@Facens and @lon-pilot-mpf there are two more questions on the code example that I myself cannot resolve. Ideally we could publish this this week (as I'm already a week behind my artificial deadline). How do you suggest we resolve? If we did resolve those questions would you both give an official approval? Would like to have two from the group here!
@alextcone I don't have the competence to respond. I think you should loop in Jan or someone else who's savvy on the JS side.
the part from `// find the __uspapi frame` until the end of the script needs to be wrapped into a

```js
if(!('__uspapi' in window))
{
    ....
}
```
|
||
``` | ||
// find the __uspapi frame | ||
if(!('__uspapi' in window)){ |
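Review bot: the `if(!('__uspapi' in window)){` guard opens a block that has to be closed at the very end of the script; with the anonymous wrapper suggested below, the closing order is the guard's `}` followed by `}(window, document));`. The wrapper also keeps the `var` declarations in the frame-finding code from becoming globals on the publisher page.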
@janwinkler did I do this correctly?
It looks correct to me, though I think best practice would wrap the whole thing in an anonymous script block.
So at the top you put:

```js
(function(window, document) {
```

And at the end of the file add this:

```js
}(window, document));
```
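Added example, not the spec's sample code nor any reviewer's: the anonymous wrapper and the `'__uspapi' in window` guard from the comments above, combined with the postMessage bridge from the diff, written so the bridge validates the `__uspapiCall` envelope before forwarding it. `win` stands in for `window` so the functions can be exercised outside a browser; the `callId` and `identifiers` fields and the `__uspapiReturn` reply envelope are assumptions, not fields this spec defines.

```javascript
// Added example (not the spec's sample code): the anonymous wrapper and the
// `'__uspapi' in window` guard from the review, with the postMessage bridge
// validating the __uspapiCall envelope before forwarding. `win` stands in for
// window; callId, identifiers and the __uspapiReturn reply are assumptions.
function installUspapiStub(win) {
  if ('__uspapi' in win) { return false; }  // real API or stub already present
  var queue = [];
  win.__uspapi = function (command, version, callback, identifiers) {
    // Stub behaviour: queue the call until the real implementation drains it.
    queue.push({ command: command, version: version,
                 callback: callback, identifiers: identifiers });
  };
  win.__uspapi.queue = queue;
  return true;
}

// Accept only a well-formed envelope: command must be a string, version a
// number and identifiers, when present, an array of platform/app/user items.
function isValidUspapiCall(json) {
  if (typeof json !== 'object' || json === null || !('__uspapiCall' in json)) { return false; }
  var i = json.__uspapiCall;
  return typeof i === 'object' && i !== null &&
    typeof i.command === 'string' && typeof i.version === 'number' &&
    (i.identifiers === undefined || Array.isArray(i.identifiers));
}

// Handler for calls that arrive from a child frame via postMessage.
// Returns true when the call was forwarded and false when it was rejected.
function handleUspapiMessage(win, event) {
  var json = event.data;
  if (typeof json === 'string') {
    try { json = JSON.parse(json); } catch (e) { return false; }
  }
  if (!isValidUspapiCall(json)) { return false; }
  var i = json.__uspapiCall;
  win.__uspapi(i.command, i.version, function (retValue, success) {
    // Reply to the sender only, targeting its origin rather than '*'.
    if (event.source && typeof event.source.postMessage === 'function') {
      event.source.postMessage({ __uspapiReturn: { returnValue: retValue,
        success: success, callId: i.callId } }, event.origin);
    }
  }, i.identifiers);
  return true;
}
// Page wiring, in the anonymous block the review suggests:
// (function (window, document) {
//   if (installUspapiStub(window)) {
//     window.addEventListener('message', function (e) { handleUspapiMessage(window, e); });
//   }
// }(window, document));
```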
Publishers working with any services provided by these vendors consume the exposed JavaScript and embed it on their properties where consumers can request deletion of their personal data. If data deletion is requested, all vendor javascript on the publisher property is notified. Vendors then respond by deleting the relevant personal data and signaling any affected vendors downstream. | ||
|
||
|
||
### Multiple Services |
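Review bot: "all vendor javascript on the publisher property is notified" names no mechanism; state that the notification is the `performDeletion` command issued through `__uspapi`, and whether each vendor must report back through the callback, otherwise a publisher cannot distinguish a completed request from one that no vendor handled.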
From the blurb above in the CCPA Regulation:

> direct any service providers to delete the consumer's personal information from their records

The relationship is consumer to service provider not consumer to service. So, therefore, no matter how many services a Vendor provides, there is only one request to be made to that Vendor and therefore no need to support multiple services. There is nothing prohibiting a Vendor from doing this either, but it shouldn't be specified in this document.
The technical solution detailed in this specification provides the means to signal consumer requests for data deletion. Companies supporting the US Privacy Framework (i.e., service providers) will respond to the signals by deleting the consumer's relevant personal data to the extent required by CCPA. The process for deletion depends on the company's technology and operational practices in place. _How_ a vendor deletes a consumer's personal data is out of scope for this specification. | ||
|
||
|
||
### Non-web Environments |
"In-App" is the correct term here. "In-App" was created specifically for this use case. I understand it has a Mobile-only feel but that's only because Mobile is the biggest use case. If a clarifying statement is needed then add that.
My problem with Non-web is that it then proceeds to tell us to use a web page in the non-web environment. It sounds like there is no Internet connection or something.
|
||
When operating in a non-web environment, data deletion requests are handled by sending the user to a web page where they can complete the request to have their data deleted. Vendors need certain information to correctly identify the data to delete: the platform name, the unique app identifier used in the app store, and the device identifier for that platform / store. | ||
|
||
The `performDeletion` command includes a parameter for identifiers. Using the `identifiers` parameter, publishers can pass multiple items, each with the required fields: `platform`, `app_identifier`, and `user_identifier`. These details should be passed from the app context to the delete webpage and then along with the request from the page. Below are a few examples of that information: |
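Review bot: the text says the identifiers are "passed from the app context to the delete webpage and then along with the request from the page" but not how. Device and app identifiers carried in a URL query string end up in server access logs and leak through the Referer header, so specify the transport (for example the URL fragment or a POST body) and state that the page forwards them only to the vendors answering `performDeletion`.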
I don't think it is ever possible to have more than one `platform`, `app_identifier`, or `user_identifier` in a single app.
You may need to pass the deletion for multiple apps at the same time?
@Facens this software only runs in one App at a time
``` | ||
|
||
``` | ||
Note: For purposes of this explanation, a "bundle id" is used for (iOS) and a "package" for (Android). |
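Review bot: the note says a bundle id or package is "used" but not for which field; state that `app_identifier` carries the iOS bundle id or the Android package name (the answer given in the thread) so implementers do not have to infer it from the examples.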
for which property?
app_identifier I believe @chrispaterson
|
||
### Common Platform / Stores identifiers | ||
|
||
These identifiers can be used for the "platform" field where applicable. Otherwise, the platform field can include an arbitrary value. |
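Review bot: allowing "an arbitrary value" in `platform` means a vendor that receives an unrecognised value has no way to map `user_identifier` to its records, as raised in the thread. Either require a value from the list, define how new platforms get added to it, or state explicitly that vendors may disregard requests whose `platform` they do not recognise, so that the failure mode is specified rather than left to each implementation.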
How can `platform` contain an arbitrary value? If a Vendor is meant to interpret this information to be able to identify a user, this cannot be arbitrary.
We've decided to keep it open in order to support additional platforms that aren't listed (knowing that we can't possibly list them all)
@Facens if it's arbitrary it's not usable because this information enables a Vendor script to interpret the other two values. For example: If I'm a Vendor and I receive a `platform` value of `"foo-bar-23"` and it's not a platform I recognize, what do I do? It won't match any user identifier information I have on record and I cannot delete the relevant data.
Publisher site setup: | ||
|
||
``` | ||
<html> |
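Review bot: a full `<html>` publisher page repeats the `__uspapiLocator` frame and stub setup that the existing US Privacy specification already defines, as noted in the thread; reference that document and show only the deletion-specific additions, which also keeps the two copies from drifting apart as the base spec changes.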
This whole section is WAY too much. There is already a specification that defines how to set up the `__uspapiLocator` frame and stub. There is too much repeated information and it's too easy to get lost in all of this.
Looks closer!
* Readability / simplification changes
* fix typo
  Co-authored-by: lon-pilot-mpf <36295845+lon-pilot-mpf@users.noreply.github.com>
* linting sample code
* Adding italics to CCPA Section quote
* removing sampleCode.js
* fixing italics

Co-authored-by: Alex <alextcone@gmail.com>
Co-authored-by: lon-pilot-mpf <36295845+lon-pilot-mpf@users.noreply.github.com>
For CCPA/US Privacy Technical Working Group approval before merge