> Whenever we share data with our partners, we put a lot of work into making sure that the data that we share is stripped of potentially identifying information, or shared only in the aggregate, or is put through our privacy preserving technologies (like OHTTP).
But if the data was fully stripped of potentially identifying information, then it should not count as "personal information" under the California Consumer Privacy Act, therefore it should not trigger the "sale of personal information" requirement, regardless of how it's transmitted or what kind of compensation is involved.
The CCPA defines "personal information" as follows:
> “Personal information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
(It also includes a list of examples [1], but the examples are conditional on the same "linked, directly or indirectly, with a particular consumer or household" requirement.)
So, which is it? Is the data deidentified or is it not?
Is Mozilla just trying to reduce risk in case someone argues their deidentification isn't good enough? If so, I'd call that a cowardly move.
How about don't send ANYONE's personal information, anonymized or not, to anyone including themselves? I think that's what people want. But that will never happen because you can't make money from it.
This is about Mozilla's Terms of Use for Firefox, not Firefox Sync and Mozilla VPN. Those services need their own Terms of Use that doesn't apply to using Firefox without using those add-on services.
Legal is there to advise you. Sometimes what legal tells you is not in the best interests of your company. A good legal team will work with you to identify when maximal risk-averseness is not the right strategy.
Yes, so you claim you can do whatever you want with everything you can get your hands on and then social media blows up because it's batshit insane, but don't worry because you're _legally in the clear_.
You're acting like they didn't have the 2nd option of just not selling the data so the current wording is accurate...
[1] https://leginfo.legislature.ca.gov/faces/billTextClient.xhtm...