- Businesses must disclose what information they collect, what business purpose they do so for and any third parties they share that data with.
- Businesses would be required to comply with official consumer requests to delete that data.
- Consumers can opt out of their data being sold, and businesses can’t retaliate by changing the price or level of service.
- Businesses can, however, offer “financial incentives” for being allowed to collect data.
- California authorities are empowered to fine companies for violations.
I totally understand that this will impact a lot of tech companies' profits...but that's to be expected if you're making money selling people's data to third parties without their permission.
> - Consumers can opt out of their data being sold, and businesses can’t retaliate by changing the price or level of service.
This is something I object to. It's just fundamentally stupid and doesn't make sense. The entire premise of free exchange is that I give you my services in exchange for something of value of yours. Making it illegal to withhold services if you don't give up your data is crazy. The only reason those services are being provided at all is to get that data. That's effectively a requirement that people provide services for free.
EDIT: I'll also add that it strongly favors incumbent tech companies, by explicitly carving out "selling to third parties" as a disfavored tactic. Google can monetize your data internally. Your average startup may not be able to. Specifically carving out "selling to third parties" favors large, incumbent players over small startups. But then, regulation always does.
I think the idea is that regulation always has unexpected side effects, some of which can be abused to actually do the perverse inverse of what they're intended to protect against.
This is intuitive because regulation + law can really put a competitive barrier for established incumbents who (and arguably, they would be the target for lawsuits here) have resources to implement and comply with these regulations.
The law does sound great as a consumer, but I think the question is still up in the air about how will it be enforced and what will be the unexpected side effects?
Definitely something to watch for.
P.S. We've been working on a developer-friendly SaaS that helps companies automatically comply with jurisdictional controls + data security / privacy controls. Feel free to email me: mahmoud - @ - https://verygoodsecurity.com and I can dive deeper to answer any questions.
I've commented in the past that the privacy community is diverse. I divide the community into (at least) two major groups:
- People who believe that privacy means being able to anonymously use services.
- People who believe that privacy means being able to control what other people do with data about you.
These are not compatible views, and they often conflict with each other -- both philosophically and practically.
If you believe you should be able to compel a business to delete data you gave them, then necessarily there needs to be a way for that business to confirm your identity and link you to that data. You become more concerned with this idea of "owning" information about yourself.
If you believe you should be able to do everything anonymously, then it becomes much harder to control information after it's been leaked. You can't implement things like geo-locking users because what you do with the information doesn't matter -- just collecting it is a problem.
If you're in the "everything should be anonymous" crowd, you're also less likely to agree with efforts like Right to Be Forgotten; you may even reject the idea of data ownership entirely. For someone in the "I control my own data" crowd, the Right to Be Forgotten is absolutely critical -- it's one of the most important safeguards we have against a future where everything is permanently indexed forever.
I'm oversimplifying, but at the moment, the majority of pure-tech solutions for privacy are on the "everything should be anonymous" side, and (at least for the moment) most legislative solutions are falling into the "you should control your own data" side. That leads to conflict. Not always, but sometimes.
It's important to keep in mind that even though the privacy movement is aligned on many issues, there is no binary "pro" or "anti" privacy, because there's disagreement from privacy advocates on both where we're going and how to get there. In this case, California's law is very much a "control my data" law. Points like, "Businesses would be required to comply with official consumer requests to delete that data" conflict with the way that "be anonymous" privacy advocates see the world.
I don't think lawmakers have thought through the ramifications. Here are a few:
Way too hard to enforce, the definition of 'customer data' is going to be a constantly moving target. Does every click count? How about aggregated clicks important for general product optimization?
What constitutes 'selling' user data? Very few companies actually sell your data, instead they place ads based on your data. Will that be banned as well? Many companies, including Google would have to significantly change their pricing model if so.. yet that is apparently illegal.
They’re not bad for the consumer. They’re just hard to implement in practice. I’m going through this right now at a well known tech co. Nobody, including the lawyers on both sides of the table, knows exactly what to do to be compliant because a lot of the bill is pretty vague on details.
And for some companies doing shit like selling customer data is the only reason they’re in business. Good riddance to them though.
I think there are a lot of people here whose employment depends on being able to sell and buy people's data freely.
Many of the people here who work for these companies truly and honestly believe the online services they are offering are/will change the world for the better.
As such, they view hindrances to this as threatening to the progress they are trying to help bring about.
Personally, I support this privacy initiative and think SV companies are many times viewed through rose tinted glasses by their employees, but that's just my perspective.
I can totally see how viewed through the lens of a hindrance to progress, some people would feel very strongly that I'm wrong in supporting such legislation.
- How do you identify what is customer data? There may be information stored in logs somewhere. Do you now have to write log parsers to extract personal data for everything that previously you just stored for general debugging and security purposes? How do you even know all the permutations of personal data that can be stored in the logs? There are possibly infinite possible ways personal information can manifest in logs. How do you ensure compliance with something when you don't fully understand what can come out of it? Any engineers now must fully understand the consequences of anything they log and design delete mechanisms for it. This extends to any 3rd party software you use that generates logs. You must now fully and deterministically understand your entire system just to comply with this law. Such a request is essentially NP-complete.
- How do you prune said data from logs?
- How do you delete data that are archived in write only media formats and/or that are in cold storage somewhere? You'd have to physically destroy the media and make a copy of everything minus the part you want to exclude. This dramatically increases archive storage complexity and cost.
Regulations that don’t achieve anything create a massive drag on innovation and commerce. Every regulation is a compliance check that needs to be paid for, a lawyer that needs to be hired, etc. which advantages incumbents.
It’s like lines of code in a program — each one makes the application worse, so each one should have a purpose that it achieves.
It makes it extremely difficult to legally be a tech firm unless you're already a tech giant, just like the FDA's procedures make it impossible to invent a new drug unless you're already an established, giant pharma company.
None of the big names in tech will have any trouble at all complying with this; I'd be very surprised if any at all are not already compliant today.
At the same time, the percentage of tech startups that are already compliant with this law is likely around zero, and few will ever become so. Unless this is precisely what your startup is about, small firms, especially with venture funding, can't afford to invest anything at all into privacy beyond the surface. If your startup fails because it gets sued into oblivion, that's no worse (and way less likely) than it failing because nobody actually wanted a chat app for dogs.
Good way to make sure all companies support scrubbing of evidence of crimes so WikiLeaks or government investigators can't get at the evidence.
Basically Hillary's private email server getting bleachbitted, but for everyone now. Makes running an organized crime gang, political corruption graft ring or Chinese espionage ring much easier. Same with banning facial recognition. Makes getting away with crime a lot easier than it would otherwise be. If you are a corrupt politician, this is really important stuff.
These laws may be targeted at companies that deal in advertising data relating to consumers, but the laws as written affect all of us.
Are these the right laws to regulate SaaS companies that build business software? Should a consumer be allowed to request that data about them be deleted if that data are records of legitimate business transactions? If you buy a car from a dealership, do you "own" the data in their systems about your transaction and should you be able to request its deletion?
> I totally understand that this will impact a lot of tech companies' profits...but that's to be expected if you're making money selling people's data to third parties without their permission.
Yes, it is also subsidizing what would normally be paid services. Before online advertising, people would pay for services like email. Sure, $5 / month is cheap for us, but what about the developing world and the lower class?
> - Consumers can opt out of their data being sold, and businesses can’t retaliate by changing the price or level of service.
If the price of the service is based on the ability to sell data, how is it reasonable to disallow the business from changing the price of the service for those who opt out?
Also, how can you reconcile this with being allowed to offer financial incentives for being allowed to collect it?
If you favor an idea that a private company should be compelled to provide a service for free, even if you don't share your data, would you also agree to the idea that a private company should be compelled to respect freedom of speech on their platform even if they don't benefit from it?
It's pretty presumptuous of people to assume that when they visit a website that it's just "their" data. The website receives the user, just as much as the user comes to the website. The data of visiting a website belongs to both the company and the user. To simply assume that it entirely belongs to the user is just wrong.
Lots of (mis)information floating around regarding CCPA. I recommend taking the time to read the actual text[1]. The text is not particularly long or dense. There has been a lot of speculation about complex compliance procedures, but the main thrust of the bill is to provide users with information about how their data is collected, who it is shared with, and the rights to prevent certain types of selling or sharing of said data. The leginfo site also includes non-partisan analysis (under the "Bill Analysis" tab) of the bill and amendments as it moves through the legislature, which is useful for getting an understanding of how specific issues are being considered and addressed. Something to consider is that bills change substantially through the amendment process, so often critiques you read are based off old versions of the text that have already been addressed.
> (4) Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.
Well, thanks for the link. For example, informing people that a user is located in a dormitory in The Netherlands sounds like free speech to me. So is location tracking information exempt from deletion?
Yep. This law is nothing like the draconian extremes of GDPR. One can even say it's good because it weeds out the really shady businesses but allows the ad ecosystem to work.
We need to have a conversation about jurisdictions in the digital age. The way governments have decided that having a website accessible in a country makes you liable to respect the law of this country is a convoluted and hacky notion that has been accepted way too fast.
The physical establishment rule was the only sound approach. The fact that some countries started to lose shouldn't have allowed them to rewrite the rules (especially in such a hacky manner).
Can you imagine owning a grocery store and having to ask every customer their nationality to check which law you must follow to do business with them? Then multiply this hell by 10 and soon 1000 considering new laws created left and right and you have the environment these dishonest politicians have created.
So the author would rather see each state/country implement its own laws so that a small startup needs to ensure they comply with hundreds of regulatory jurisdictions... awesome.
Each state can choose to be as restrictive as they like in their laws, and each startup can choose to invest in compliance on a wide scale or in the narrow scale as they'd like.
It'd be nice if this was unified but it ain't because:
1. Tech companies lobby like hell at a national level
2. The national government is sort of broken right now
so that's how the cookie crumbles. The fact that a number of companies have skirted local regulations and abused data usage so much is why this is happening, so don't blame the victims of this activity that want sane privacy laws - blame the bad actors that have forced this issue to need to be dealt with.
It’s jarring to see such headlines on TechCrunch. They fed the valley by giving every little news a place and are one of the original hype masters for startups. They profit off the area by hosting the disrupt conference as well, which is again a huge pat each other on the back event. So now they turn around and post a headline like that is just somehow ugly to me. It’s absolutely in their right obviously.
I'm pretty concerned about it, and we are a tiny political digital agency. My reading is that basically any small sized email list, website, service etc that 'receives for the business’ commercial purposes' data on more than 50k 'devices' or 'consumers' must be compliant which is a very low bar. Like small business email lists would hit this, though maybe burden falls onto Mailchimp for most.
It should be fairly easy to add a contact us address for delete and info requests to the bottom of websites. A lot harder and would take development time to automate a UI for a person to see all data associated automatically (e.g. lots of separate analytics; would have to build api to lookup ip/device/user data match across tables/dbs, and then how do I verify a user is requesting their data and not someone else's). Also harder to 'block' new data collection of device/consumer post delete request.
What I'm less sure about is 'inform consumers before the point of collection.'
Does a privacy policy link in footer count? If not what is required for compliance? What about advertising?
Another big concern for me is that this is going to be weaponized in my industry (politics). I think a political campaign won't fit the bill's definition of 'business' (profit seeking for shareholders) but I think it will still be weaponized by opposition campaigns and service providers.
Does anyone know the real implications of the CCPA for things like Sift Science, Google's Recaptcha, and maybe even Cloudflare?
All of these are based on many companies contributing information about users to create profiles which curb abuse. And Sift/Google/etc. get commercial benefit from this data sharing, which might trigger the CCPA. But you can't give bad actors the ability to opt out of this kind of data sharing without crippling them.
I think these kind of companies are really important to a functioning internet. I hope there are carve outs of some sort, but seems like they're living on the edge right now.
How is this not a violation to the first amendment? Does the first amendment not extend as follows: (?)
As a citizen don't I have the right to create a business and privately take notes on whatever I'd like to about my customers? If I run a dry cleaners and take notes about my customers, should I be obligated to disclose these notes or even the existence of these notes to my customers? I don't see why extending the dry cleaning business to a mobile app or website affects anything. What about journalists, are they required to disclose what data they're collecting about people as they do their job?
I feel like the state constitution granted right to privacy does not supersede the federally mandated right to freedom of speech both the right to take internal notes and documentation and the violation of one's speech rights by forcing this disclosure.
However, IANAL and I don't live in California. Could someone share some insights onto the first amendment side of this?
Many comments here make the false dichotomy of paying for a service with money vs paying with your data. That ship has sailed. In the current market selling user data will win every time. Only laws can make sure that a company you pay for “premium service” or “no ads” won't turn around and sell your data anyway.
As much as most browsers have implemented a standardised payment API, a generic, browser-level Privacy related GUI would be helpful. By that I mean something less repetitive than the multitude of consent screens people have to deal with (not to mention dark UX patterns in the existing solutions).
People keep comparing this to the GDPR. I have lived in the UK pre and post GDPR and the US. I like the GDPR a lot. It isn’t just internet businesses either. Because it was such a crazy bogeyman, plenty of brick and mortar businesses have paid a bit more attention to their data security. I like being told what’s gonna happen with my PII, and having the right to control my data. Most people seem to like the effects of the GDPR in my (anecdotal) experience. Yeah you have people using it as some bizarre bogeyman to stop you doing normal things, but it makes you think about it. From a business perspective, the ICO provides great advice to people and companies when they need it. It’s not as though what you need to do is a secret. You just need to do business in accordance with peoples’ rights.
This just seems like poorly written legislation with the purpose of pandering to the populist public. I guess if it makes you all at least feel better.
> Since the law passed, tech giants have pulled out their last card: pushing for an overarching federal bill.
> In doing so, the companies would be able to control their messaging through their extensive lobbying efforts, allowing them to push for a weaker statute that would nullify some of the provisions in California’s new privacy law. In doing so, companies wouldn’t have to spend a ton on more resources to ensure their compliance with a variety of statutes in multiple states.
Is it really that much easier to control a federal vs. state legislator?
I wonder if the idea might actually be to prevent the likely future scenario in which 50+ different privacy regulations need compliance. Setting a national standard could prevent such an outcome.
Privacy advocates should favor the state-by-state solution, though. The more difficult it is to comply with regulations, the more expensive it becomes to collect the data in the first place.
As the cost of compliance increases, the alternative of simply not collecting the data in the first place becomes more attractive.
But that itself can lead to unintended consequences. It would mean that only the biggest companies could afford the regulatory burden of collecting the data. And these are the very companies that have received the most negative attention.
All of which makes me wonder whether at some point we could see a private data settlement along the lines of the tobacco settlement:
> The bill would authorize businesses to offer financial incentives for collection of personal information.
Means it's nothing like the GDPR. This might actually be a sane law. And it doesn't implement punitive fines if you get hacked. Nor does it bring about a massive cookie alert insanity.
The right to delete may work in Europe, but I think in the US it is going to clash with free speech laws. So it might not work at all.
This law is a step in the right direction, although in its current form it's toothless and uses disgustingly submissive language (e.g. the user may opt out or the user needs to be informed about how their data is going to be abused). The final goal of such laws should be to poison user data: so that collecting it and storing would open all sorts of legal and criminal troubles and that no company would want to touch user data with even 10 foot pole. This will open more ethical business opportunities that currently can't compete with data mining model. An analogy in real world. If theft and robbery was legal, no other business model could exist: if you sell gas for 3 bucks a gallon and your neighbor sells it for a negative price, but sells user address to theft agencies, you'd be out of business long before everybody realises the true cost of that "free" gas.
I can't help but view it with disgust just at the headline of having the wrong kind of mentality. It is a spiteful logical fallacy of the worst kind. "Soviets terrified of plan to nuclear first strike whole world - good!" Just because even the vilest foe dislikes it doesn't mean it is a good idea.
The whole article seems to be about shutting down thinking and manipulation via playing with emotions.
I am probably an outlier but I view that as an active sign that is terrible because otherwise they would lead on better points. The article made me /less/ supportive of it. It is perhaps unduly harsh but I would call it an outright propaganda piece not because of the message but how it was delivered.
While I think CCPA is a step in the right direction from the status quo, which is basically a free-for-all, it's still a mediocre privacy law. GDPR remains the gold standard because it's opt-in, CCPA is opt-out.
The only reason it was even passed was because some guy was going to force the issue with a ballot initiative so lawmakers scrambled to do something. If not for that, California would be the last state to pass meaningful privacy regulation.
In short: laws against things that never should have been.
One can only hope they make sure it hits big actors more than any other ones, because they are what makes this kind of data collection dangerous for societies.
LMAO, Google should just make itself unavailable in California due to 'involuntary violation' of this law to see it repealed real quick. Those who complain can use bing.
[+] [-] nabnob|6 years ago|reply
[+] [-] darawk|6 years ago|reply
[+] [-] mahmoudimus|6 years ago|reply
[+] [-] danShumway|6 years ago|reply
[+] [-] jakelazaroff|6 years ago|reply
> - Consumers can opt out of their data being sold, and businesses can’t retaliate by changing the price or level of service.
> - Businesses can, however, offer “financial incentives” for being allowed to collect data.
Seems to me that it’s a distinction without a difference. Is there something I’m missing?
[+] [-] aeternum|6 years ago|reply
[+] [-] briffle|6 years ago|reply
Jeff Hammerbacher: ‘The best minds of my generation are thinking about how to make people click ads… That sucks.’
Those best minds are now having to change the way they generate revenue..
[+] [-] rco8786|6 years ago|reply
[+] [-] 4ntonius8lock|6 years ago|reply
[+] [-] bcheung|6 years ago|reply
[+] [-] paggle|6 years ago|reply
[+] [-] tylerl|6 years ago|reply
[+] [-] chooseaname|6 years ago|reply
If you're ad dependent, would this basically mean you have to give your service to this user for free after this?
[+] [-] narrator|6 years ago|reply
Basically Hillary's private email server getting bleachbitted, but for everyone now. Makes running an organized crime gang, political corruption graft ring or Chinese espionage ring much easier. Same with banning facial recognition. Makes getting away with crime a lot easier than it would otherwise be. If you are a corrupt politician, this is really important stuff.
[+] [-] andrewmutz|6 years ago|reply
Are these the right laws to regulate SaaS companies that build business software? Should a consumer be allowed to request that data about them be deleted if that data are records of legitimate business transactions? If you buy a car from a dealership, do you "own" the data in their systems about your transaction and should you be able to request its deletion?
[+] [-] chaostheory|6 years ago|reply
Yes, it is also subsidizing what would normally be paid services. Before online advertising, people would pay for services like email. Sure, $5 / month is cheap for us, but what about the developing world and the lower class?
[+] [-] the_watcher|6 years ago|reply
If the price of the service is based on the ability to sell data, how is it reasonable to disallow the business from changing the price of the service for those who opt out?
Also, how can you reconcile this with being allowed to offer financial incentives for being allowed to collect it?
[+] [-] hkai|6 years ago|reply
[+] [-] thorwasdfasdf|6 years ago|reply
[+] [-] domnomnom|6 years ago|reply
[+] [-] rodgerd|6 years ago|reply
“It is difficult to get a man to understand something, when his salary depends on his not understanding it.”
[+] [-] morganherlocker|6 years ago|reply
[1] https://leginfo.legislature.ca.gov/faces/billTextClient.xhtm...
[+] [-] notfromhere|6 years ago|reply
source: CCPA and its potential compliance has been a big PITA
[+] [-] SamReidHughes|6 years ago|reply
Well, thanks for the link. For example, informing people that a user is located in a dormitory in The Netherlands sounds like free speech to me. So is location tracking information exempt from deletion?
[+] [-] buboard|6 years ago|reply
[+] [-] throawayuk55po|6 years ago|reply
The physical establishment rule was the only sound approach. The fact that some countries started to lose shouldn't have allowed them to rewrite the rules (especially in such a hacky manner).
Can you imagine owning a grocery store and having to ask every customer their nationality to check which law you must follow to do business with them? Then multiply this hell by 10 and soon 1000 considering new laws created left and right and you have the environment these dishonest politicians have created.
[+] [-] rdlecler1|6 years ago|reply
[+] [-] munk-a|6 years ago|reply
It'd be nice if this was unified but it ain't because:
1. Tech companies lobby like hell at a national level
2. The national government is sort of broken right now
so that's how the cookie crumbles. The fact that a number of companies have skirted local regulations and abused data usage so much is why this is happening, so don't blame the victims of this activity that want sane privacy laws - blame the bad actors that have forced this issue to need to be dealt with.
[+] [-] mitchdoogle|6 years ago|reply
[+] [-] katabatic|6 years ago|reply
As for every country making their own laws - well, yeah? That's what sovereignty is all about?
[+] [-] badrequest|6 years ago|reply
[+] [-] TazeTSchnitzel|6 years ago|reply
[+] [-] yalogin|6 years ago|reply
[+] [-] dillondoyle|6 years ago|reply
It should be fairly easy to add a contact us address for delete and info requests to the bottom of websites. A lot harder and would take development time to automate a UI for a person to see all data associated automatically (e.g. lots of separate analytics; would have to build api to lookup ip/device/user data match across tables/dbs, and then how do I verify a user is requesting their data and not someone else's). Also harder to 'block' new data collection of device/consumer post delete request.
What I'm less sure about is 'inform consumers before the point of collection.'
Does a privacy policy link in footer count? If not what is required for compliance? What about advertising?
Another big concern for me is that this is going to be weaponized in my industry (politics). I think a political campaign won't fit the bill's definition of 'business' (profit seeking for shareholders) but I think it will still be weaponized by opposition campaigns and service providers.
[+] [-] milesskorpen|6 years ago|reply
All of these are based on many companies contributing information about users to create profiles which curb abuse. And Sift/Google/etc. get commercial benefit from this data sharing, which might trigger the CCPA. But you can't give bad actors the ability to opt out of this kind of data sharing without crippling them.
I think these kinds of companies are really important to a functioning internet. I hope there are carve outs of some sort, but seems like they're living on the edge right now.
[+] [-] calithrowaway|6 years ago|reply
As a citizen don't I have the right to create a business and privately take notes on whatever I'd like to about my customers? If I run a dry cleaners and take notes about my customers, should I be obligated to disclose these notes or even the existence of these notes to my customers? I don't see why extending the dry cleaning business to a mobile app or website affects anything. What about journalists, are they required to disclose what data they're collecting about people as they do their job?
I feel like the state constitution granted right to privacy does not supersede the federally mandated right to freedom of speech, both the right to take internal notes and documentation and the violation of one's speech rights by forcing this disclosure.
However, IANAL and I don't live in California. Could someone share some insights into the first amendment side of this?
[+] [-] tempodox|6 years ago|reply
[+] [-] tspike|6 years ago|reply
[+] [-] rpastuszak|6 years ago|reply
[+] [-] noodlesUK|6 years ago|reply
[+] [-] codesushi42|6 years ago|reply
This just seems like poorly written legislation with the purpose of pandering to the populist public. I guess if it makes you all at least feel better.
[+] [-] aazaa|6 years ago|reply
>In doing so, the companies would be able to control their messaging through their extensive lobbying efforts, allowing them to push for a weaker statute that would nullify some of the provisions in California’s new privacy law. In doing so, companies wouldn’t have to spend a ton on more resources to ensure their compliance with a variety of statutes in multiple states.
Is it really that much easier to control a federal vs. state legislator?
I wonder if the idea might actually be to prevent the likely future scenario in which 50+ different privacy regulations need compliance. Setting a national standard could prevent such an outcome.
Privacy advocates should favor the state-by-state solution, though. The more difficult it is to comply with regulations, the more expensive it becomes to collect the data in the first place.
As the cost of compliance increases, the alternative of simply not collecting the data in the first place becomes more attractive.
But that itself can lead to unintended consequences. It would mean that only the biggest companies could afford the regulatory burden of collecting the data. And these are the very companies that have received the most negative attention.
All of which makes me wonder whether at some point we could see a private data settlement along the lines of the tobacco settlement:
https://en.wikipedia.org/wiki/Tobacco_Master_Settlement_Agre...
[+] [-] buboard|6 years ago|reply
> The bill would authorize businesses to offer financial incentives for collection of personal information.
Means it's nothing like the GDPR. This might actually be a sane law. And it doesn't implement punitive fines if you get hacked. Nor does it bring about a massive cookie alert insanity.
The right to delete may work in Europe, but I think in the US it is going to clash with free speech laws. So it might not work at all.
[+] [-] jkp56|6 years ago|reply
[+] [-] Nasrudith|6 years ago|reply
The whole article seems to be about shutting down thinking and manipulation via playing with emotions.
I am probably an outlier but I view that as an active sign that is terrible because otherwise they would lead on better points. The article made me /less/ supportive of it. It is perhaps unduly harsh but I would call it an outright propaganda piece not because of the message but how it was delivered.
[+] [-] Despegar|6 years ago|reply
The only reason it was even passed was because some guy was going to force the issue with a ballot initiative so lawmakers scrambled to do something. If not for that, California would be the last state to pass meaningful privacy regulation.
[+] [-] atoav|6 years ago|reply
One can only hope they make sure it hits big actors more than any other ones, because they are what makes this kind of data collection dangerous for societies.
[+] [-] Aperocky|6 years ago|reply