I see a lot of comments deriding this law, can someone explain to me why these are bad things? Quoting from this article - <a href="https://techcrunch.com/2018/06/28/landmark-california-privacy-bill-heads-to-governors-desk/" rel="nofollow">https://techcrunch.com/2018/06/28/landmark-california-privac...</a><p>- Businesses must disclose what information they collect, what business purpose they do so for and any third parties they share that data with.<p>- Businesses would be required to comply with official consumer requests to delete that data.<p>- Consumers can opt out of their data being sold, and businesses can’t retaliate by changing the price or level of service.<p>- Businesses can, however, offer “financial incentives” for being allowed to collect data.<p>- California authorities are empowered to fine companies for violations.<p>I totally understand that this will impact a lot of tech companies' profits...but that's to be expected if you're making money selling people's data to third parties without their permission.
Lots of (mis)information floating around regarding CCPA. I recommend taking the time to read the actual text[1]. The text is not particularly long or dense. There has been a lot of speculation about complex compliance procedures, but the main thrust of the bill is to provide users with information about how their data is collected, who it is shared with, and the rights to prevent certain types of selling or sharing of said data. The leginfo site also includes non-partisan analysis (under the "Bill Analysis" tab) of the bill and amendments as it moves through the legislature, which is useful for getting an understanding of how specific issues are being considered and addressed. Something to consider is that bills change substantially through the amendment process, so often critiques you read are based off old versions of the text that have already been addressed.<p>[1] <a href="https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375" rel="nofollow">https://leginfo.legislature.ca.gov/faces/billTextClient.xhtm...</a>
We need to have a conversation about jurisdictions in the digital age. The way governments have decided that having a website accessible in a country makes you liable to respect the law of this country is a convoluted and hacky notion that has been accepted way too fast.<p>The physical establishment rule was the only sound approach. The fact that some countries started to lose shouldn't have allowed them to rewrite the rules (especially in such a hacky manner).<p>Can you imagine owning a grocery store and having to ask every customer their nationality to check which law you must follow to do business with them? Then multiply this hell by 10 and soon 1000 considering new laws created left and right and you have the environment these dishonest politicians have created.
So the author would rather see each state/country implement its own laws so that a small startup needs to ensure they comply with hundreds of regulatory jurisdictions... awesome.
It’s jarring to see such headlines on TechCrunch. They fed the valley by giving every little news a place and are one of the original hype masters for startups. They profit off the area by hosting the disrupt conference as well, which is again a huge pat each other on the back event. So now they turn around and post a headline like that is just somehow ugly to me. It’s absolutely in their right obviously.
I'm pretty concerned about it, and we are a tiny political digital agency. My reading is that basically any small sized email list, website, service etc that 'receives for the business’ commercial purposes' data on more than 50k 'devices' or 'consumers' must be compliant which is a very low bar. Like small business email lists would hit this, though maybe burden falls onto Mailchimp for most.<p>It should be fairly easy to add a contact us address for delete and info requests to the bottom of websites. A lot harder and would take development time to automate a UI for a person to see all data associated automatically (e.g. lots of separate analytics; would have to build API to lookup ip/device/user data match across tables/dbs, and then how do I verify a user is requesting their data and not someone else's). Also harder to 'block' new data collection of device/consumer post delete request.<p>What I'm less sure about is 'inform consumers before the point of collection.'<p>Does a privacy policy link in footer count? If not what is required for compliance? What about advertising?<p>Another big concern for me is that this is going to be weaponized in my industry (politics). I think a political campaign won't fit the bill's definition of 'business' (profit seeking for shareholders) but I think it will still be weaponized by opposition campaigns and service providers.
Does anyone know the real implications of the CCPA for things like Sift Science, Google's Recaptcha, and maybe even Cloudflare?<p>All of these are based on many companies contributing information about users to create profiles which curb abuse. And Sift/Google/etc. get commercial benefit from this data sharing, which might trigger the CCPA. But you can't give bad actors the ability to opt out of this kind of data sharing without crippling them.<p>I think these kind of companies are really important to a functioning internet. I hope there are carve outs of some sort, but seems like they're living on the edge right now.
How is this not a violation of the first amendment? Does the first amendment not extend as follows: (?)<p>As a citizen don't I have the right to create a business and privately take notes on whatever I'd like to about my customers? If I run a dry cleaners and take notes about my customers, should I be obligated to disclose these notes or even the existence of these notes to my customers? I don't see why extending the dry cleaning business to a mobile app or website affects anything. What about journalists, are they required to disclose what data they're collecting about people as they do their job?<p>I feel like the state constitution granted right to privacy does not supersede the federally mandated right to freedom of speech both the right to take internal notes and documentation and the violation of one's speech rights by forcing this disclosure.<p>However, IANAL and I don't live in California. Could someone share some insights onto the first amendment side of this?
Many comments here make the false dichotomy of paying for a service with money vs paying with your data. That ship has sailed. In the current market selling user data will win every time. Only laws can make sure that a company you pay for “premium service” or “no ads” won't turn around and sell your data anyway.
As much as most browsers have implemented a standardised payment API, a generic, browser-level Privacy related GUI would be helpful. By that I mean something less repetitive than the multitude of consent screens people have to deal with (not to mention dark UX patterns in the existing solutions).
People keep comparing this to the GDPR. I have lived in the UK pre and post GDPR and the US. I like the GDPR a lot. It isn’t just internet businesses either. Because it was such a crazy bogeyman, plenty of brick and mortar businesses have paid a bit more attention to their data security. I like being told what’s gonna happen with my PII, and having the right to control my data. Most people seem to like the effects of the GDPR in my (anecdotal) experience. Yeah you have people using it as some bizarre bogeyman to stop you doing normal things, but it makes you think about it. From a business perspective, the ICO provides great advice to people and companies when they need it. It’s not as though what you need to do is a secret. You just need to do business in accordance with people’s rights.
What will these laws accomplish in real terms?<p>This just seems like poorly written legislation with the purpose of pandering to the populist public. I guess if it makes you all at least feel better.
> Since the law passed, tech giants have pulled out their last card: pushing for an overarching federal bill.<p>>In doing so, the companies would be able to control their messaging through their extensive lobbying efforts, allowing them to push for a weaker statute that would nullify some of the provisions in California’s new privacy law. In doing so, companies wouldn’t have to spend a ton on more resources to ensure their compliance with a variety of statutes in multiple states.<p>Is it really that much easier to control a federal vs. state legislator?<p>I wonder if the idea might actually be to prevent the likely future scenario in which 50+ different privacy regulations need compliance. Setting a national standard could prevent such an outcome.<p>Privacy advocates should favor the state-by-state solution, though. The more difficult it is to comply with regulations, the more expensive it becomes to collect the data in the first place.<p>As the cost of compliance increases, the alternative of simply not collecting the data in the first place becomes more attractive.<p>But that itself can lead to unintended consequences. It would mean that only the biggest companies could afford the regulatory burden of collecting the data. And these are the very companies that have received the most negative attention.<p>All of which makes me wonder whether at some point we could see a private data settlement along the lines of the tobacco settlement:<p><a href="https://en.wikipedia.org/wiki/Tobacco_Master_Settlement_Agreement" rel="nofollow">https://en.wikipedia.org/wiki/Tobacco_Master_Settlement_Agre...</a>
This:<p>> The bill would authorize businesses to offer financial incentives for collection of personal information.<p>Means it's nothing like the GDPR. This might actually be a sane law. And it doesn't implement punitive fines if you get hacked. Nor does it bring about a massive cookie alert insanity.<p>The right to delete may work in Europe, but I think in the US it is going to clash with free speech laws. So it might not work at all.
This law is a step in the right direction, although in its current form it's toothless and uses disgustingly submissive language (e.g. the user may opt out or the user needs to be informed about how their data is going to be abused). The final goal of such laws should be to poison user data: so that collecting it and storing would open all sorts of legal and criminal troubles and that no company would want to touch user data with even a 10 foot pole. This will open more ethical business opportunities that currently can't compete with data mining model. An analogy in real world. If theft and robbery were legal, no other business model could exist: if you sell gas for 3 bucks a gallon and your neighbor sells it for a negative price, but sells user address to theft agencies, you'd be out of business long before everybody realises the true cost of that "free" gas.
I can't help but view it with disgust just at the headline of having the wrong kind of mentality. It is a spiteful logical fallacy of the worst kind. "Soviets terrified of plan to nuclear first strike whole world - good!" Just because even the vilest foe dislikes it doesn't mean it is a good idea.<p>The whole article seems to be about shutting down thinking and manipulation via playing with emotions.<p>I am probably an outlier but I view that as an active sign that is terrible because otherwise they would lead on better points. The article made me /less/ supportive of it. It is perhaps unduly harsh but I would call it an outright propaganda piece not because of the message but how it was delivered.
While I think CCPA is a step in the right direction from the status quo, which is basically a free-for-all, it's still a mediocre privacy law. GDPR remains the gold standard because it's opt-in, CCPA is opt-out.<p>The only reason it was even passed was because some guy was going to force the issue with a ballot initiative so lawmakers scrambled to do something. If not for that, California would be the last state to pass meaningful privacy regulation.
In short: laws against things that never should have been.<p>One can only hope they make sure it hits big actors more than any other ones, because they are what makes this kind of data collection dangerous for societies.
LMAO, Google should just make itself unavailable in California due to 'involuntary violation' of this law to see it repealed real quick. Those who complain can use Bing.
Besides the tremendous onus laws like this may place on small startups and side projects:<p>Does anyone know how companies are supposed to comply if “user data” literally cannot be deleted? I’m thinking in the case of blockchain type applications, where one user’s actions feed into another user’s actions, and you can’t delete user A’s actions without deleting potentially tons of other stuff and destroying the application.<p>Like does this law basically ban GitHub and code collaboration too?
The whole system is rotten to the core. Allowing companies to portray themselves in a positive light on privacy<p>> “The time to act is now,”<p>While pushing a federal law geared towards undermining privacy rights?<p>Doublespeak anyone?
If the Environmental <i>Protection</i> Agency can hold a straight face while revoking California's ability to protect its own environment with higher standards, I'll hold off on getting excited about privacy laws until we see the FTC/FCC/etc.'s response.
Project Gutenberg currently blocks users from Europe to avoid having to comply with GDPR. Logically the next step would be to block users from California as well.
So many NYC-based journalists who love to spit all over "Silicon Valley".<p>Is there room for a TechCrunch-like publication with a more Silicon Valley-influenced editorial bent? (There's already a massive surplus of sneering Brooklyn-based scolds in "tech media".)