Good to hear! Glad to see that some state is going to stand up for consumer protections.
> Facebook initially supported the opposition initiative, but pulled out publicly in April, a month after news broke that a political consulting firm called Cambridge Analytica amassed data on tens of millions of American Facebook users for political purposes without their knowledge.
Hilarious.
> [] lobbyists affiliated with the group TechNet were working behind the scenes to change crucial parts of the bill, as well, including the stipulation that businesses include a clear button on their websites giving people the ability to opt out of data collection.
> The law goes into effect on January 1, 2020. The Internet Association has already hinted at efforts to modify the legislation before implementation.
A year and a half before it goes live; the fight's not over yet. Gotta make sure they don't completely gut it before then, like the net neutrality bill.
Idiocy. The motive is to hamstring some of our most innovative companies which by itself is baffling and of course the collateral damage is the extra overhead and lawyers inflicted on all businesses big and small.
The desire to imitate the euros in their efforts in making it as hard as possible for our companies to operate there is beyond stupid.
California ballot initiatives like all referendums must be eradicated and the fact that a california real estate developer (the source of all that is wrong in the state) straight after killing recent zoning reform is using a ballot initiative to blackmail the assembly into passing this law makes it worse.
The abuse goes much further than merely serving people ads.
Harassment, intimidation, stalking, identity theft, profiling, targeting based on political opinions or interests, blackmail, evisceration of privacy, and subversion of democracy are all enabled by such "innovation".
As more people become victims of these, and such abuses are publicized, the opposition to such surveillance will grow.
I find in myself a very human desire to not have every private action subject to registration & scrutiny by unknown entities. No further justification is needed.
I think quite a bit further justification is needed. That's why I asked the question. You're proposing companies have their rights circumscribed. You need to justify that.
All justifications must ultimately rest on some axiom or set of axioms. You want to recurse down some more levels, that's fine. I don't feel the need. My answer satisfies in itself. It is an answer which recognizes human dignity.
You believe it's axiomatic that you are entitled to the services of Google and Facebook and they are not entitled to save the information that you willingly send them during the use of their services?
Even if we assume that everyone involved in processing your data is trustworthy (and that’s a very big if), there’s always the risk of an accidental data breach.
If you think Equifax was bad enough, think for a second what would be the consequences of a breach at Google or Facebook who literally have your entire online history, private messages (Facebook Messenger, Google Hangouts, etc) and a good overview of your offline life (Google Calendar, emails, Android device location history, etc).
Because I'm not naive. The purpose of business is to manipulate and monetize me. Wring every cent from me that they can. I don't mind, this is called capitalism. But I don't want to be a powerless victim. I have my own interests after all.
You're a 'powerless victim' here? It seems to me that you could just not use these services. You could use alternative services. But you don't want to, and apparently not wanting to is worth more to you than your privacy.
The problem with not using the services is that stalking becomes ubiquitous.
You can choose to not use Facebook, but when every single company starts stalking you (like your mobile carrier) you no longer have a way out. This is why we need regulations to make sure this doesn’t spread even more.
That would be true. Except that if people cared enough about it, it would be a competitive advantage to not do this. In some contexts, people do care, for instance. Companies like DuckDuckGo and Apple make privacy a selling point.
Telecoms are a bit of a special case, since they're a regulated monopoly. I'm all in favor of them being forced to respect privacy, since consumers don't have choice there. But in the case of internet giants like Google/FB, i'm much less on board.
How do they define what "selling personal data" means? Does that mean the the law affects equifax and not facebook for example? and what if a company which collects data is sold to another company or its assets were sold during bankruptcy does that count as selling personal data?
I don't know why this dissenting opinion is being downvoted into oblivion.
I have no reason to trust the government or its judgement. So I don't know why people think this is necessarily great news. Now we'll have to get more green lights from .gov. And that is costly. And that is why business are tempted to leave CA.
> Most important part of the tldr; is this law does not take effect until 2020. Lots of time to be amended before then.
Yeah, and it looks like the process has already started:
> And yet, a report by The Intercept revealed that lobbyists affiliated with the group TechNet were working behind the scenes to change crucial parts of the bill, as well, including a stipulation that businesses must include a clear button on their websites giving people the ability to opt out of data collection.
Only seems to apply to companies with 50k+ California-resident users, or $25mm+ in revenue. So there's likely much less of a chilling effect on small businesses than GDPR. (IANAL, though, and with the speed this was pushed through, lawyers should take a much closer look in the coming days before anyone jumps to conclusions.)
Watered down useless bill as a ballot initative would have given stronger protection vs the $750 fine limit with this bill. As usual big tech purchased the politicians, the last minute negotiations were about their price.
It's better than nothing. Until personal information is the property of the individual, and not resold/shared without permission, the "genie" is out of the "bottle;" lists and databases of personal information will continue to be trafficked by corporations of all sorts.
That’s one of the most valid ideas I’ve heard - define private data as personal property.
When one looks deeper into laws like GDPR and this one, at the heart of it lies the fact that a company cannot do as it pleases with an individual’s data without said individuals consent. But given the nature of the legislation, it is not too hard for a company to simply bypass it in ways that adhere to the letter of the law but not the spirit.
If instead there were laws that defined private data as the personal property of the respective individual, the need for all this convoluted legislation would be rendered moot, since such a law would open the grounds for a variety of class action lawsuits against companies perceived to be egregiously abusive. The case law itself would set numerous precedents and eliminate the need for varied “interpretations” of one piece of legislation. IMO, this is what we should be pushing for, not more GDPR-clones which can be watered down by lobbyists.
I'd love to see private data as personal property, but in practice that's likely to run into a lot of contradictions.
The biggest problem is that most of the interesting private data is actually about relationships between multiple private individuals. If you're having a conversation with a friend on Whatsapp, is that conversation property of you, your friend, or do you each own your own messages? If it's a group conversation, is the whole conversation owned by all of the participants, or only parts of it? What if some people in the group chat aren't actually participating, but are just lurking? If you mention a company's product, does that mention belong to the company or the person mentioning it? What if instead of a product, you mention another person? What if you're quoting gossip they told you in person?
This is why Hacker News doesn't let you delete or edit posts after 2 hours, BTW. Once people have read them and replied and referenced them elsewhere, it's not really fair to other participants in the conversation to remove the words they were replying to.
Other social networks have run into real problems where people have edited their posts after many replies have been added to take the replies out of context and make them mean something totally the opposite of what their authors intended. If you own your own words, this is your right, but it's also a dickish and disruptive thing to do.
The same applies to many other types of personal data. A credit report is a list of transactions between you and various creditors. The credit bureau didn't just snoop on everything you do, that information was reported to them by the other party of the transaction. If they own the data about them, this is within their rights, but it certainly doesn't feel about it when it's used to deny the borrower further credit.
I think the current situation, where data is owned by the company or individual that collects it, is the most absurd alternative possible. But that's because our legal system is poorly structured to handle property rights where the "property" is owned by multiple firms, can be transferred easily (and surreptitiously) without the original owner losing rights, and may eventually come to harm one of the original owners.
> The biggest problem is that most of the interesting private data is actually about relationships between multiple private individuals. If you're having a conversation with a friend on Whatsapp, is that conversation property of you, your friend, or do you each own your own messages? If it's a group conversation, is the whole conversation owned by all of the participants, or only parts of it?
To me, not addressing this one of the biggest flaws of the GDPR.
As a practical example: I've talked to numerous other banks, and with regards to data portability (article 20 GDPR), there is nothing even close to a consensus as to what you are allowed to give the customer with regards to his own transactions, because there are numerous parties involved.
It gets even worse: the text of the "right of access" (article 15 GDPR), in a wide interpretation, grants access to far more information than the data subject would otherwise have access to.
If person A and person B confidentially process data of C, is it really the intention of the GDPR to grant person C access to this confidential processing?
There's two ways to look at compromised legislation:
1. It doesn't go far enough, and sells-out to the opposition.
2. It's better than nothing, and future legislation can address it.
Holding out exclusively for 1. or settling for 2. are bad strategies. There's nothing wrong with trying to get as much in a bill as possible, but the damn corporations push back on everything for the people.
Until, as Larry Lessig / Aaron Schwartz noticed, either the political OS gets changed (unlikely) or it crashes and burns.
AFAICT, the opt-out stuff only applies to selling data, and not using it internally for ads or whatever. Seems like this won’t hit Google or FB very hard.
The disaster is going to be when/as every state adopts unique privacy legislation.
It's going to be necessary for the US Congress to override these state-based rules using the Commerce Clause, FCC, and FTC, to takeover responsibility for legislating all digital privacy matters on the basis of its impact on interstate commerce and the FCC's overarching control of nearly anything involving electronic communication.
It won't be practical or reasonable to track users across every state and their movements at all times. People that happen to cross a state line and the need to somehow magically identify their location of origin, and all the blah blah shit that goes with that nightmare. California (or any given state) will probably claim their law applies to California residents at all times, and states will claim their laws apply if you're in their state at any point, enter the conflicting nightmare.
Here's also where GDPR's global enforcement proponents should get pretty excited: being consistent with that premise, now all of the EU has to comply with all privacy laws of all 50 US states, to the extent that they have users from the states. So EU companies will have to implement and maintain dozens of privacy schemes to fit all of the US states (as they each roll out unique privacy legislation). That glorious global enforcement. The world must now adopt all US policies. That's how it works according to GDPR proponents, right?
Instead of the Web of insanity that that 50 state disaster will spin, the Feds will ideally smother all state attempts at establishing their own privacy frameworks, establish Federal regulations on the matter and overrule the states aggressively.
That's how car emissions are and the world isn't collapsing. Auto manufacturers know if they want access to California they're going to have to deal with the toughest pollution regulations.
> It’s similar to the General Data Protection Regulation that went into effect in the European Union last month, but adds to it in crucial ways. Under the GDPR, businesses are required to get users' permission before collecting and storing their data. But the way most companies have designed those opt-in pop-ups, "you really don't have a choice," says Ashkan Soltani
Those opt-in dialogs that don't actually leave you a choice are not legal under the GDPR. So, you cannot add to the GDPR in crucial ways and somehow make these more illegal.
In fact, the GDPR even requires that revoking once given consent is just as easy as giving it. So, companies that have no problem interpreting a single click as consent for something that you need a team of lawyers and tech experts to actually understand the implications of, will have to also somehow present users with a one-click process for revoking this consent.
Companies like Google and Facebook just don't adhere to the GDPR and there's no reason to assume that they will adhere to this new law either. They've placed these clearly illegal dialogs and are now waiting for lawsuits to follow through, requiring them to actually adhere to the law then. They're gambling for the punishment to not be as high as the profit that they'll turn in the time that the lawsuit is not yet settled.
53 comments
[ 3.0 ms ] story [ 111 ms ] thread> Facebook initially supported the opposition initiative, but pulled out publicly in April, a month after news broke that a political consulting firm called Cambridge Analytica amassed data on tens of millions of American Facebook users for political purposes without their knowledge.
Hilarious.
> [] lobbyists affiliated with the group TechNet were working behind the scenes to change crucial parts of the bill, as well, including the stipulation that businesses include a clear button on their websites giving people the ability to opt out of data collection.
> The law goes into effect on January 1, 2020. The Internet Association has already hinted at efforts to modify the legislation before implementation.
A year and a half before it goes live; the fight's not over yet. Gotta make sure they don't completely gut it before then, like the net neutrality bill.
The desire to imitate the euros in their efforts in making it as hard as possible for our companies to operate there is beyond stupid.
California ballot initiatives like all referendums must be eradicated and the fact that a california real estate developer (the source of all that is wrong in the state) straight after killing recent zoning reform is using a ballot initiative to blackmail the assembly into passing this law makes it worse.
If that innovation is about stalking people online & offline to serve them ads then no thanks.
Not saying I’m happy with that (I wish I could just pay Google a fair price and trust them not to stalk me) but I don’t have much choice I’m afraid.
Harassment, intimidation, stalking, identity theft, profiling, targeting based on political opinions or interests, blackmail, evisceration of privacy, and subversion of democracy are all enabled by such "innovation".
As more people become victims of these, and such abuses are publicized, the opposition to such surveillance will grow.
If you think Equifax was bad enough, think for a second what would be the consequences of a breach at Google or Facebook who literally have your entire online history, private messages (Facebook Messenger, Google Hangouts, etc) and a good overview of your offline life (Google Calendar, emails, Android device location history, etc).
You can choose to not use Facebook, but when every single company starts stalking you (like your mobile carrier) you no longer have a way out. This is why we need regulations to make sure this doesn’t spread even more.
Telecoms are a bit of a special case, since they're a regulated monopoly. I'm all in favor of them being forced to respect privacy, since consumers don't have choice there. But in the case of internet giants like Google/FB, i'm much less on board.
tip: company has to either
(1) make more than $25m/year, or
(2) buy or sell personal information of 50k+ consumers/devices;
(3) make 50% of rev from selling personal data
to be subject.
ps -- passing laws popular with constituents is not exactly a reasonable definition of "blackmail."
https://leginfo.legislature.ca.gov/faces/billTextClient.xhtm...
What's innovative about sucking up user data and selling it to advertisers?
Wouldn't it be far more innovative to come up with something new, something that respects user privacy?
Both medicinal and recreational marijuana were passed via ballot initiative.
I have no reason to trust the government or its judgement. So I don't know why people think this is necessarily great news. Now we'll have to get more green lights from .gov. And that is costly. And that is why business are tempted to leave CA.
Anyone have a link to the actual legislature?
Yeah, and it looks like the process has already started:
> And yet, a report by The Intercept revealed that lobbyists affiliated with the group TechNet were working behind the scenes to change crucial parts of the bill, as well, including a stipulation that businesses must include a clear button on their websites giving people the ability to opt out of data collection.
Only seems to apply to companies with 50k+ California-resident users, or $25mm+ in revenue. So there's likely much less of a chilling effect on small businesses than GDPR. (IANAL, though, and with the speed this was pushed through, lawyers should take a much closer look in the coming days before anyone jumps to conclusions.)
When one looks deeper into laws like GDPR and this one, at the heart of it lies the fact that a company cannot do as it pleases with an individual’s data without said individuals consent. But given the nature of the legislation, it is not too hard for a company to simply bypass it in ways that adhere to the letter of the law but not the spirit.
If instead there were laws that defined private data as the personal property of the respective individual, the need for all this convoluted legislation would be rendered moot, since such a law would open the grounds for a variety of class action lawsuits against companies perceived to be egregiously abusive. The case law itself would set numerous precedents and eliminate the need for varied “interpretations” of one piece of legislation. IMO, this is what we should be pushing for, not more GDPR-clones which can be watered down by lobbyists.
The biggest problem is that most of the interesting private data is actually about relationships between multiple private individuals. If you're having a conversation with a friend on Whatsapp, is that conversation property of you, your friend, or do you each own your own messages? If it's a group conversation, is the whole conversation owned by all of the participants, or only parts of it? What if some people in the group chat aren't actually participating, but are just lurking? If you mention a company's product, does that mention belong to the company or the person mentioning it? What if instead of a product, you mention another person? What if you're quoting gossip they told you in person?
This is why Hacker News doesn't let you delete or edit posts after 2 hours, BTW. Once people have read them and replied and referenced them elsewhere, it's not really fair to other participants in the conversation to remove the words they were replying to.
Other social networks have run into real problems where people have edited their posts after many replies have been added to take the replies out of context and make them mean something totally the opposite of what their authors intended. If you own your own words, this is your right, but it's also a dickish and disruptive thing to do.
The same applies to many other types of personal data. A credit report is a list of transactions between you and various creditors. The credit bureau didn't just snoop on everything you do, that information was reported to them by the other party of the transaction. If they own the data about them, this is within their rights, but it certainly doesn't feel about it when it's used to deny the borrower further credit.
I think the current situation, where data is owned by the company or individual that collects it, is the most absurd alternative possible. But that's because our legal system is poorly structured to handle property rights where the "property" is owned by multiple firms, can be transferred easily (and surreptitiously) without the original owner losing rights, and may eventually come to harm one of the original owners.
To me, not addressing this one of the biggest flaws of the GDPR.
As a practical example: I've talked to numerous other banks, and with regards to data portability (article 20 GDPR), there is nothing even close to a consensus as to what you are allowed to give the customer with regards to his own transactions, because there are numerous parties involved.
It gets even worse: the text of the "right of access" (article 15 GDPR), in a wide interpretation, grants access to far more information than the data subject would otherwise have access to.
If person A and person B confidentially process data of C, is it really the intention of the GDPR to grant person C access to this confidential processing?
1. It doesn't go far enough, and sells-out to the opposition.
2. It's better than nothing, and future legislation can address it.
Holding out exclusively for 1. or settling for 2. are bad strategies. There's nothing wrong with trying to get as much in a bill as possible, but the damn corporations push back on everything for the people.
Until, as Larry Lessig / Aaron Schwartz noticed, either the political OS gets changed (unlikely) or it crashes and burns.
It's going to be necessary for the US Congress to override these state-based rules using the Commerce Clause, FCC, and FTC, to takeover responsibility for legislating all digital privacy matters on the basis of its impact on interstate commerce and the FCC's overarching control of nearly anything involving electronic communication.
It won't be practical or reasonable to track users across every state and their movements at all times. People that happen to cross a state line and the need to somehow magically identify their location of origin, and all the blah blah shit that goes with that nightmare. California (or any given state) will probably claim their law applies to California residents at all times, and states will claim their laws apply if you're in their state at any point, enter the conflicting nightmare.
Here's also where GDPR's global enforcement proponents should get pretty excited: being consistent with that premise, now all of the EU has to comply with all privacy laws of all 50 US states, to the extent that they have users from the states. So EU companies will have to implement and maintain dozens of privacy schemes to fit all of the US states (as they each roll out unique privacy legislation). That glorious global enforcement. The world must now adopt all US policies. That's how it works according to GDPR proponents, right?
Instead of the Web of insanity that that 50 state disaster will spin, the Feds will ideally smother all state attempts at establishing their own privacy frameworks, establish Federal regulations on the matter and overrule the states aggressively.
Those opt-in dialogs that don't actually leave you a choice are not legal under the GDPR. So, you cannot add to the GDPR in crucial ways and somehow make these more illegal.
In fact, the GDPR even requires that revoking once given consent is just as easy as giving it. So, companies that have no problem interpreting a single click as consent for something that you need a team of lawyers and tech experts to actually understand the implications of, will have to also somehow present users with a one-click process for revoking this consent.
Companies like Google and Facebook just don't adhere to the GDPR and there's no reason to assume that they will adhere to this new law either. They've placed these clearly illegal dialogs and are now waiting for lawsuits to follow through, requiring them to actually adhere to the law then. They're gambling for the punishment to not be as high as the profit that they'll turn in the time that the lawsuit is not yet settled.