As already said, this is purely about personal data processing, so the relevant regulation applies. I don't see a need for the Root Programs to deal with this, as compliance with privacy regulations is already a requisite for WebTrust and other audits.
In countries affected by GDPR, which is the one I'm more familiar with, incorporating the email address in a DB and using it for unsolicited email wouldn't be permitted. This would be OK only if the contact comes from a web form where the sender can see the privacy notice and explicitly accepts being contacted for marketing purposes. Implicit consent is not allowed anymore.