This is good and all States should adopt some. Eventually I’d like to see one at the federal level that supersedes state level ones so that we don’t have to deal the the mess that is taxation across 50 states. A nice uniform privacy bill at the Fed level would be nice.
No, we specifically DO NOT want uniformity. We want a minimum that states can go beyond.
In the current environment, tech companies have to bribe 50 states plus the federal legislature in order to block privacy bills. If you have federal preemption, then you just have to bribe Congress, because states can't pass ANY privacy laws whatsoever. And we already know the feds do not want a privacy law: the entire legality of the federal surveillance apparatus hinges on the fact that buying your data from third parties does not trip constitutional scrutiny. Preemption freezes the requirements in time so they will always be a few steps behind the TLAs[0].
The ideal is that every sovereign entity passes their own privacy law that applies to their territory, with a private right of action, and adtech companies are forced to adopt a "50 states legal" posture. This is, deliberately, a ratchet: it's easy for any state to require a higher standard but hard to get every state to reduce it, so privacy laws cannot be walked back in secret.
> The ideal is that every sovereign entity passes their own privacy law that applies to their territory, with a private right of action, and adtech companies are forced to adopt a "50 states legal" posture. This is, deliberately, a ratchet: it's easy for any state to require a higher standard but hard to get every state to reduce it, so privacy laws cannot be walked back in secret.
You put this so well it kind of dislodged where I was coming from on my other comment you had responded to. I don't want to be disheartened and cynical. It's just hard to have seen this privacy issue openly festering for over two decades now, and think that things are ever going to change.
I think a private right of action with a two year delay would be great. And perhaps county DA's should be able to bring actions as well as the AG (legal policy adjacent actions aren't really in their wheelhouse, but it could help nudge the AG into action). I think the time period is a balance between giving the AG enough time to act (or be pressured into action), versus not making it too long so that illegal businesses can simply lobby to neuter the whole law before it actually goes into effect.
I can imagine loopholes to this... nothing stops facebook/google from buying this data from companies not in Massachusetts? and facebook/google don't have to give advertisers the location information but can still use that information when determining the advertisement to return, right? In theory the big silicon valley "targets" of this bill don't actually have a huge incentive to give this data away, do they? They just need to be able to read/access it, which I don't think this law stops? Assuming the data broker is not doing business in Massachusetts itself
The intent of the law is probably to prevent the data from being sold*, so if the big Silicon Valley ad companies aren’t selling it, they are already complying with the law, right? The goal isn’t to destroy companies that are already not doing the thing.
* to the extent to which MA can do that… I mean it’s one state, so we should judge it’s accomplishments by that standard. One possibility could be that the rest of them get their act together, or at least, every state that engineers are willing to live in does.
A good first step, but the harm is already done when the data is gathered. Stalking should be illegal even if you don't sell the information you gathered, I don't want Toyota or GM or Google knowing where I've been either, not just their "partners", and it's long past the time the EULA loophole was closed. Contracts exist to serve society, not the other way around.
Feels like the word 'sale' may actually turn into a loophole. It should have probably been worded to use 'exchange' or 'transfer' instead. But this is progress.
SECTION 1. The General Laws are hereby amended by inserting after chapter 93L the following chapter:-
Chapter 93M. Massachusetts Data Privacy Act
Section 1. As used in this chapter, the following words shall have the following meanings unless the context otherwise requires:
...
“Sale of personal data”, the transfer of personal data in exchange for monetary or other valuable consideration by the controller to a third party; provided, however, that “sale of personal data” shall not include: (i) the disclosure of personal data to a processor that processes the personal data on behalf of the controller if limited to the purposes of the processing; (ii) the disclosure of personal data to a third party for purposes of providing a product or service affirmatively requested by the consumer; (iii) the disclosure or transfer of personal data to an affiliate of the controller; (iv) the disclosure of personal data with the consumer’s affirmative consent, where the consumer affirmatively directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party; (v) the disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy or other transaction or a proposed merger, acquisition, bankruptcy or other transaction, in which the third party assumes control of all or part of the controller’s assets; or (vi) the disclosure of personal data that the consumer: (A) intentionally made available to the general public via a channel of mass media; and (B) did not restrict to a specific audience.
More importantly, many companies will follow California rules even outside California. My car was built to California emissions spec at a time when very few states had stricter rules.
(The one major exception seems to be the "sell my data" opt-out and such privacy rules, that industry is sleazy enough that they'll go through extra trouble to keep screwing over non-CA residents.)
The FTC settlement with GM allows GM to sell precise location as long as it's anonymized by attaching it to anonymous identifiers rather than personal info. It also allows non-precise location (e.g. zipcode/census-block) attached to identifying information.
Apparently no one at the FTC is smart enough to realize if Bob and anonid both move through the same sequence of approximate locations that the anonid is Bob. Or maybe they aren't that ignorant and just wanted to look like they were doing their job while protecting the surveillance status quo.
What prevents law enforcement from collecting this data/other signals and anonymizing it and then running models against it? Are there any laws against this?
27 comments
[ 3.0 ms ] story [ 61.4 ms ] threadIn the current environment, tech companies have to bribe 50 states plus the federal legislature in order to block privacy bills. If you have federal preemption, then you just have to bribe Congress, because states can't pass ANY privacy laws whatsoever. And we already know the feds do not want a privacy law: the entire legality of the federal surveillance apparatus hinges on the fact that buying your data from third parties does not trip constitutional scrutiny. Preemption freezes the requirements in time so they will always be a few steps behind the TLAs[0].
The ideal is that every sovereign entity passes their own privacy law that applies to their territory, with a private right of action, and adtech companies are forced to adopt a "50 states legal" posture. This is, deliberately, a ratchet: it's easy for any state to require a higher standard but hard to get every state to reduce it, so privacy laws cannot be walked back in secret.
[0] Three Letter Agencies: CIA, FBI, NSA
You put this so well it kind of dislodged where I was coming from on my other comment you had responded to. I don't want to be disheartened and cynical. It's just hard to have seen this privacy issue openly festering for over two decades now, and think that things are ever going to change.
I think a private right of action with a two year delay would be great. And perhaps county DA's should be able to bring actions as well as the AG (legal policy adjacent actions aren't really in their wheelhouse, but it could help nudge the AG into action). I think the time period is a balance between giving the AG enough time to act (or be pressured into action), versus not making it too long so that illegal businesses can simply lobby to neuter the whole law before it actually goes into effect.
I can imagine loopholes to this... nothing stops facebook/google from buying this data from companies not in Massachusetts? and facebook/google don't have to give advertisers the location information but can still use that information when determining the advertisement to return, right? In theory the big silicon valley "targets" of this bill don't actually have a huge incentive to give this data away, do they? They just need to be able to read/access it, which I don't think this law stops? Assuming the data broker is not doing business in Massachusetts itself
* to the extent to which MA can do that… I mean it’s one state, so we should judge it’s accomplishments by that standard. One possibility could be that the rest of them get their act together, or at least, every state that engineers are willing to live in does.
SECTION 1. The General Laws are hereby amended by inserting after chapter 93L the following chapter:-
Chapter 93M. Massachusetts Data Privacy Act
Section 1. As used in this chapter, the following words shall have the following meanings unless the context otherwise requires:
...
“Sale of personal data”, the transfer of personal data in exchange for monetary or other valuable consideration by the controller to a third party; provided, however, that “sale of personal data” shall not include: (i) the disclosure of personal data to a processor that processes the personal data on behalf of the controller if limited to the purposes of the processing; (ii) the disclosure of personal data to a third party for purposes of providing a product or service affirmatively requested by the consumer; (iii) the disclosure or transfer of personal data to an affiliate of the controller; (iv) the disclosure of personal data with the consumer’s affirmative consent, where the consumer affirmatively directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party; (v) the disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy or other transaction or a proposed merger, acquisition, bankruptcy or other transaction, in which the third party assumes control of all or part of the controller’s assets; or (vi) the disclosure of personal data that the consumer: (A) intentionally made available to the general public via a channel of mass media; and (B) did not restrict to a specific audience.
Related, General Motors got hit with a $12.75M fine for reselling OnStar location data last month: https://ccpa.world/enforcement/gm-onstar-smart-driver
More importantly, many companies will follow California rules even outside California. My car was built to California emissions spec at a time when very few states had stricter rules.
(The one major exception seems to be the "sell my data" opt-out and such privacy rules, that industry is sleazy enough that they'll go through extra trouble to keep screwing over non-CA residents.)
Apparently no one at the FTC is smart enough to realize if Bob and anonid both move through the same sequence of approximate locations that the anonid is Bob. Or maybe they aren't that ignorant and just wanted to look like they were doing their job while protecting the surveillance status quo.
(https://epic.org/press-release-massachusetts-senate-unanimou...)
In which case "precise location data" is moot.
important because "sharing" is much more prevalent than "selling" data.
that said, I wonder how "precise location", and statistics/algorithms will combine?
for example, what if someone moves from zipcode 1 to zipcode 2? would that work out to a more precise position?