
The Delete Act

211 points| weaksauce | 2 months ago |privacy.ca.gov

88 comments


DrewADesign|2 months ago

Maybe there should be some kind of annual ISO privacy certification for companies that resell any customer data in any form. Then make data customers (e.g. marketing agencies, major retailers) and data collectors (e.g. those that collect telemetry data from libraries included in their app, auto manufacturers, wireless providers) civilly liable for any privacy violations dealing with uncertified brokers, making sure there’s an uncapped modifier based on the company’s annual revenue. That seems like it puts the bulk of the compliance responsibility on the parties that can do the most wide-scale damage with unethical and dodgy practices, while leaving some out there for others that need incentive to not ignore the rules.

Haven’t really thought this through and I’m not a policy wonk… just spitballin’.

dredmorbius|2 months ago

Bonding and/or insurance.

Make this cost and practices will change.

sigwinch|1 month ago

I would hope for something stronger. Put a currency value on some kinds of info. To store my SSN and full name and military ID totals 20 units. Maybe a full name and home address is 15 units. If I agree to give you my info, you agree that I can keep the CEO's home address, stored as safely and hygienically as I can. Part of our contract mandates when we mutually delete. Because of course we trust each other.

JumpCrisscross|2 months ago

> Maybe there should be some kind of annual ISO privacy certification for companies that resell any customer data in any form

Why is this better than requiring deletion?

varenc|2 months ago

Excited to see this! Because completing the CCPA "delete my data" process for 300+ data brokers just isn't feasible.

Though I wonder what the second order effects of this might be. Imagine a service that vets tenants for landlords. If I've had all my data deleted, might I start failing background checks because the sketchy data brokers have no records of me? I fear a future where the complete absence of my data leads to bad side effects.

satvikpendem|2 months ago

It's the same as credit checks, I know people with no credit (because they don't own a credit card) get denied housing for rent.

arpinum|2 months ago

Not all data brokers are sketchy, some are very good. Data brokers help assess who is creditworthy and lower rates for more trustworthy people, and allow the creation of more specialty lending products.

cormorant|1 month ago

> Before submitting a deletion request, you will be required to verify you are a California “resident,” as defined in section 17014 of Title 18 of the California Code of Regulations as that section read on September 1, 2017. Verification is made with assistance from state contracted third-party vendors, including Socure and Login.gov, through the California Identity Gateway.

-- https://consumer.drop.privacy.ca.gov/

MetaWhirledPeas|1 month ago

Wow this is a huge negative. I wonder if this was necessary to make it workable, or if this was done to placate corporations.

WD-42|2 months ago

There’s a link to submit a DROP request at the bottom of the page. Is this live? I want to sign up.

Unfortunately following the link results in an infinite redirect.

varenc|2 months ago

Per the timeline, the DROP service is supposed to be live by August 1, 2026.

wdr1|1 month ago

Does this apply to political lists too? I know political calls/text are excluded from Do Not Call and hence I get a crap ton of political spam texts (most recently from "Adam Miller for Congress OH-15", despite never living in Ohio). I'd really, really like to remove myself from all these political lists.

amanaplanacanal|1 month ago

I've had that, though it was from a different state. Also recently started getting texts from some MAGA related organization, though I'm about as far from MAGA as it's possible to be. How does my number get on these lists, anyway?

tylerchilds|2 months ago

This is a great first step, but I’m actually interested in

1. Getting a list of everyone that bought my records from data brokers
2. Reverse record linking to know who joined me, when, where, and how

Just deleting myself from 500 of these databases is a good start that’s decades overdue.

Time to flip the scripts.

firesteelrain|2 months ago

Sounds an awful lot like The Right to be Forgotten under GDPR Article 17

scsh|2 months ago

Absolutely. What sounds pretty cool, and different, here is that CalPrivacy would be required to build a request mechanism that's one request sent to every data broker.

JumpCrisscross|2 months ago

> Sounds an awful lot like The Right to be Forgotten under GDPR Article 17

Does DROP let you censor search records?

I’d encourage anyone in Europe to compare California’s CCPA to the EU’s GDPR. It was inspired by the latter, and fixes a lot of its problems. (The Swiss referendum system was based on learning from and improving on California’s.)

userbinator|2 months ago

More like The Right to Rewrite History

doodlebugging|2 months ago

According to that page Texas also requires data brokers to register. As a Texan it seems unlikely that they do this to protect consumers. It feels more like they want to know who their market is as they surveil their citizens and rake in as much moola as possible. Identifying which broker will pay the highest premiums for real-time information about Texans' travel from license plate and traffic cameras, which businesses they visit, etc will allow them to get sweet kickbacks from the industry lobbyists who can openly pass around envelopes of cash on the floor of the legislature.

ProllyInfamous|2 months ago

> information about Texans' travel from license plate and traffic cameras, which businesses they visit

Texas is already doing this to track women seeking out-of-state healthcare. Whatever "side" you're on (for that argument): THIS. IS. WRONG.

In addition to ditching your cell phone, consider ditching Texas, too (as a Native™, I did so almost a decade ago). Still toying with the idea of expatriation, but honestly I feel too old for that, now =P

----

We seem to have a lot in common, fellow retired Xeon user. My PO Box is in my profile.

vorpalhex|2 months ago

Texas has robust laws against facial recognition (and biometrics in general), including winning a major lawsuit against Facebook. Texas also has pretty good privacy laws in general. Right now, flock cameras are still permitted - but there's been talk about cracking down on them. There are also a first set of restrictions on ALPRs - not as restrictive as I would like, but generally data can only be retained for people suspected of committing a crime.

If you are a Texas resident, you also have a right to request data deletion (or correction) from brokers or other sellers of data, and permanently opt out of personal data profiling for a wide swath of industries including insurance and finance purposes.

Texas is one of the best states for privacy laws, even though we can obviously do better. I'd still like to see a general prohibition on things like flock and more restrictions on ALPRs, but much better than most states.

Antwan|2 months ago

Data brokers made in California can now wreck all the world but California.

nrhrjrjrjtntbt|2 months ago

< Red Hot Chili Peppers Song >

Yes only CA residents can use this.

weaksauce|2 months ago

I wonder how well this will work without the other states being in on it, and what other unintended consequences this may bring. Sounds like a good start though.

RiverCrochet|2 months ago

If a data-collecting company doesn't do business in California, that tells me a lot.

ofalkaed|2 months ago

One of the ways federal legislation gets passed is by states passing their own laws; eventually industry gets fed up with having to comply with a dozen or more variations of the same law and starts harassing Congress to take care of it.

Swizec|2 months ago

> without the other states being in on it

California represents 12% of USA population, 14% of US GDP. Effectively that means CA can throw its weight around and companies are forced to at least pretend to comply. Whether they actually comply depends on enforcement.

Now if Delaware were to adopt such a law for every company “headquartered” there …

userbinator|2 months ago

> what other unintended consequences this may bring.

A "right to rewrite history" that will distort reality for historians in the future.

How did HN become effectively pro-DRM?

blobbers|1 month ago

Went through all the rigamarole of texts and verifications and backup codes and was met with a:

This auth.cdt.ca.gov page can’t be found

-- blank page from Chrome.

Imagine that, a government website that's broken. Wait, and I just put in all my personally identifiable info. Grrrrrreat.

guessmyname|2 months ago

hmm (thinking) infinite loop, eh?

  $ curl -i -A - 'https://consumer.drop.privacy.ca.gov/maintenance.html'
  HTTP/2 307
  content-type: text/html
  location: https://consumer.drop.privacy.ca.gov/coming-soon.html
  date: Thu, 01 Jan 2026 02:22:37 GMT
  […]

  $ curl -i -A - 'https://consumer.drop.privacy.ca.gov/coming-soon.html'
  HTTP/2 307
  content-type: text/html
  location: https://consumer.drop.privacy.ca.gov/maintenance.html
  date: Thu, 01 Jan 2026 02:22:46 GMT
  […]

petesergeant|2 months ago

> one of four states (also Oregon, *Texas*, and Vermont) who require data broker registration.

This does feel like an area where there could be useful bipartisan agreement if packaged properly.

nineteen999|2 months ago

Can only hope this spreads like wildfire throughout the world.

smurda|2 months ago

When the CCPA launched in 2018 companies had to comply when a consumer requested a Data Subject Access Request (DSAR). Because the consumer had to request a DSAR not all companies felt this compliance pain acutely (e.g. it was mostly big companies with A LOT of users that got more DSARs, so they adopted workflows and tools to alleviate the pain).

The Delete Act has more teeth. Independent compliance audits begin in 2028 with penalties of $200 per day for failing to register or for each consumer deletion request that is not honored. GDPR spurred organizations to compliance, partly because of the steep penalty (up to €20 million or 4% of revenue, whichever is higher); maybe The Delete Act (and its much smaller penalty) will also spark organizations to comply.

metabagel|2 months ago

Is Facebook a data broker? Reddit? Google?

Aurornis|2 months ago

They define data broker as someone who collects and sells your data. Companies like Facebook and Google do not sell data they collect, contrary to what a lot of people assume.

The page refers to 500 data brokers, but I’d like to find the complete list they use.

amelius|2 months ago

It would be unexpected if signing the form meant that your Gmail is deleted and your Facebook account is closed.

throwup238|2 months ago

> 1798.99.80. (c) “Data broker” means a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship. [1]

If you want to be both obtuse and pedantic about it, the answer is yes to all three.

[1] https://legiscan.com/CA/text/SB362/id/2845350

sonu27|2 months ago

Sounds similar to GDPR here in Europe.

oaiey|2 months ago

They adopted GDPR some years ago. This goes further and creates infrastructure to delete records at scale.

I hope this is good and turns global. We need this, because consent banners do not work.

Dwedit|1 month ago

Saw the domain "ca.gov" and mistook it for Canada. Then wondered why it started mentioning California a lot.

socalgal2|2 months ago

Only tangentially related but I thought the EU required that you can delete selective data. Example: Being able to delete a single email vs having to delete all emails.

And yet, Gemini does not seem to let me delete queries. This is unusual for Google, who provides ways to delete pretty much all data on a selective basis. Maybe I just can't find the option. Or maybe this option only exists if I'm in the EU.

scsh|2 months ago

The gist of the GDPR in that respect is it allows someone to request a record of what data a particular business has gathered about them as well as request deletion of that data. It also introduced a lot of restrictions around what can be done with a particular subject's data, like sharing with third parties.

nee1r|2 months ago

Glad the timelines are short and hope it's user friendly.

UpstairsEmpire|2 months ago

This is the kind of thing the federal government would be doing if it gave a shit about its people.

iwontberude|2 months ago

California is a real country, United States is a joke

Meneth|2 months ago

I suppose that these records of personal data do not constitute "speech" in a First Amendment context?

sigwinch|1 month ago

That’s right, and haven’t for a long time.

EGreg|2 months ago

I don't know why this is downvoted, it's a great question.

1st Amendment: Congress shall make No Law

14th Amendment: Due process... incorporate the Bill of Rights against the states

I often wondered whether the next case after McDonald vs Chicago and Heller would do the same for the 2nd amendment, i.e. wipe away the ability of cities to require gun licensing and registration.

diogenescynic|2 months ago

It seems anti-free speech. If the same thing were done via physical media, would we still support this? I am definitely no fan of data brokers, but I also am no fan of suppressing speech. This seems like the equivalent of banning old phone books before the internet.

owisd|1 month ago

The equivalent is that you could ask to be removed from the phone book.