[License-discuss] GDPR/CCPA and CAL

Ben Tilly btilly at gmail.com
Tue Feb 18 20:04:03 UTC 2020


I have a similar question.

The Constitution gives regulation of interstate commerce to Congress, not
the states.  Suppose that I am a Delaware company that does business in
California but is headquartered in New Jersey.  If I sell personal data to
a New York company where some of the IP addresses and cookies are
associated with Californians, what gives California authority to regulate
that commercial transaction?

I am not a lawyer, but this sure feels like overreach.

On Sun, Feb 16, 2020 at 6:59 PM Lawrence Rosen <lrosen at rosenlaw.com> wrote:

> I would appreciate a more complete answer to Brian’s question. GDPR and
> CCPA deal with “personal information” under statutory authority in various
> jurisdictions. Neither relies on copyright law to control access to or use
> of personal information. So is CAL relying only on contractual law stated
> in the license agreement to provide restrictions on the use or distribution
> of such data? Where is the constitutional or statutory authority to control
> *data* used by a copyrighted or patented work of software? Is this in
> principle like the attempt of software licenses to control the uses of
> APIs? Both may be an overreach. Strong wishes and heartfelt goals may not
> be sufficient authority to do something with intellectual “property,” if
> property it actually is short of trade secrets or personal information.
>
>
>
> This reveals how little I understand about this topic and about CAL.
>
>
>
> /Larry
>
>
>
> *From:* License-review <license-review-bounces at lists.opensource.org> *On
> Behalf Of *VanL
> *Sent:* Thursday, February 13, 2020 12:03 PM
> *To:* License submissions for OSI review <
> license-review at lists.opensource.org>
> *Subject:* Re: [License-review] For approval: The Cryptographic Autonomy
> License (Beta 4)
>
>
>
> Hi Brian,
>
>
>
> On Thu, Feb 13, 2020 at 1:56 PM Brian Behlendorf <brian at behlendorf.com>
> wrote:
>
>
> Has anyone considered the PII and GDPR/CCPA/etc implications of the CAL?
> Could there be scenarios where the CAL requires behavior that the GDPR
> prevents?
>
>
>
> The CAL was written with particular care to be compatible with the GDPR
> and CCPA, and carefully use similar language. In fact, the first version
> had a interpretive aid specifying that complying with specific paragraphs
> of the GDPR would also result in a compliant delivery of user data under
> the CAL. That paragraph was removed due to misunderstandings about its
> effects, but it is still true.
>
>
>
> Thanks,
> Van
>
>
>
>
>
>
>
>
>
>
> _______________________________________________
> License-discuss mailing list
> License-discuss at lists.opensource.org
>
> http://lists.opensource.org/mailman/listinfo/license-discuss_lists.opensource.org
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensource.org/pipermail/license-discuss_lists.opensource.org/attachments/20200218/978266aa/attachment.html>


More information about the License-discuss mailing list