How Tech Companies Could Skirt California's Strict New Privacy Law (nbclosangeles.com) 33
Forty million Californians "will soon have sweeping digital-privacy rights stronger than any seen before in the U.S.," reports the Associated Press, saying the new law taking effect Wednesday "might end up serving as a de facto national standard."
"Early signs of compliance have already started cropping up in the form of 'Don't sell my personal information' links at the bottom of many corporate websites..." But there are catches galore. The law -- formally known as the California Consumer Privacy Act, or CCPA -- seems likely to draw legal challenges, some of which could raise constitutional objections over its broad scope. It's also filled with exceptions that could turn some seemingly broad protections into coarse sieves, and affects only information collected by business, not government. For instance, if you're alarmed after examining the data that Lyft holds on you, you can ask the company to delete it. Which it will legally have to do -- unless it claims some information meets one of the law's many exceptions, among them provisions that allow companies to continue holding information needed to finish a transaction or to keep it in a way you'd "reasonably expect" them to. "It's more of a 'right to request and hope for deletion,'" says Joseph Jerome, a policy director at privacy group Common Sense Media/Kids Action.
A more fundamental issue, though, is that Californians are largely on their own in figuring out how to make use of their new rights. To make the law effective, they'll need to take the initiative to opt out of data sales, request their own information, and file for damages in the case of data breaches... State residents who do make that effort, but find that companies reject their requests or offer only halting and incomplete responses, have no immediate legal recourse. The CCPA defers enforcement action to the state attorney general, who won't be empowered to act until six months after the law takes effect.
When the state does take action, though, it can fine businesses up to $7,500 for each violation of the law -- charges that could quickly add up depending on how many people are affected...
Among other limitations, the law doesn't really stop companies from collecting personal information or limit how they store it. If you ask a company to delete your data, it can start collecting it again next time you do business with it.
The article also provides another example of "unintended consequences and even corporate attempts to discourage people from using the law.
"The job-search site Indeed.com, for instance, now explains that when anyone opts out of data sales under CCPA, it will also ask them to delete their associated accounts and all personal information."
"Early signs of compliance have already started cropping up in the form of 'Don't sell my personal information' links at the bottom of many corporate websites..." But there are catches galore. The law -- formally known as the California Consumer Privacy Act, or CCPA -- seems likely to draw legal challenges, some of which could raise constitutional objections over its broad scope. It's also filled with exceptions that could turn some seemingly broad protections into coarse sieves, and affects only information collected by business, not government. For instance, if you're alarmed after examining the data that Lyft holds on you, you can ask the company to delete it. Which it will legally have to do -- unless it claims some information meets one of the law's many exceptions, among them provisions that allow companies to continue holding information needed to finish a transaction or to keep it in a way you'd "reasonably expect" them to. "It's more of a 'right to request and hope for deletion,'" says Joseph Jerome, a policy director at privacy group Common Sense Media/Kids Action.
A more fundamental issue, though, is that Californians are largely on their own in figuring out how to make use of their new rights. To make the law effective, they'll need to take the initiative to opt out of data sales, request their own information, and file for damages in the case of data breaches... State residents who do make that effort, but find that companies reject their requests or offer only halting and incomplete responses, have no immediate legal recourse. The CCPA defers enforcement action to the state attorney general, who won't be empowered to act until six months after the law takes effect.
When the state does take action, though, it can fine businesses up to $7,500 for each violation of the law -- charges that could quickly add up depending on how many people are affected...
Among other limitations, the law doesn't really stop companies from collecting personal information or limit how they store it. If you ask a company to delete your data, it can start collecting it again next time you do business with it.
The article also provides another example of "unintended consequences and even corporate attempts to discourage people from using the law.
"The job-search site Indeed.com, for instance, now explains that when anyone opts out of data sales under CCPA, it will also ask them to delete their associated accounts and all personal information."
Wait! (Score:2)
should be
"How Tech Companies Will Skirt California's Strict New Privacy Law"
Just my 2 cents
Re: (Score:3)
While better than the other states, and certainly better than the Feds, I reluctantly admit California's privacy protection act has more holes in it than the Albert Hall.
Although not perfect either, Europe does a better job at this than California or the US, with both their GDPR (General Data Protection Regulatio
Re: Governments need to stay out of this (Score:1)
Nah. But I agree, this clicky-click "opt in" bullshit isn't desirable.
Instead what's needed is a hard ban on the collection and hording of personal data by corporations. It's a big problem, the malefactors are remorseless and getting worse - so it needs a draconian law to stop it. Ideally a super-draconian law that would put Faceboot, Big Brother Google, and a couple thousand Surveillance Valley evilcorps out of business overnight.
Re: No scamming. (Score:1)
Preach, Comrade Wang, preach!
Re: Is there a way to monetize violations? (Score:2)
Someone making a living off of enforcement fines is also providing a valuable service to the rest of us by keeping violations expensive.
Re: (Score:3)
So Indeed.com (Score:4, Funny)
When 20 states follow suit will you still be telling people to 'go take a hike' if you can't sell their data?
Actually, it is worse than that. Indeed operates in the UK which follows the GDPR.
If you can work fine there then why not in California eh?
I'm waiting.....
Well done California.
Re: (Score:2)
The real question is what kind of data. There are really two kinds of data related to a person as an individual, broadly speaking, public data and private data. That is what really needs to be delineated, what is public data and what is private data. Consider news services and that data they keep about individuals, what is private data for a criminal and the criminal act they carried out and what is private data for that criminal, obviously the public needs to be fully aware of the crime and the perpetrator
Why is 'skirting' laws not a crime, in general? (Score:2)
If a place and its people have decided (â¦I know, hahaha. But just let's assumeâ¦) that something is forbidden because it harms them,
and the intention of the law is obvious, as it is in this and most cases,
why is there not a principle that by deliberately circumventing the legal rule, to break that intention, and do wjat is harming and forbidden anyway, ... ... that you then not only broke that law, but did therby show that you did it knowingly and with intent. Doubling the pubishment.
Wh
P.S.: I am sorry for the typos. (Score:2)
I had to write this on a fuckin touch screen. And sadly, /. also doesn't support the ellipsis, which I am used to typing, as my layout supports it. (No Apple, no autocorrect or any of that cancer. I really type â, âoe, â(TM), â¦, Ã--, Ã, and various dashes and spaces by hand.)
Re: Why is 'skirting' laws not a crime, in general (Score:2)
Re: (Score:2)
Because if you don't limit the law to what the law says, then you quickly have people expanding the law when it suits them.
Re: (Score:2)
...deliberately circumventing the legal rule ... knowingly and with intent. Doubling the pubishment.
You might google the difference between manslaughter vs involuntary manslaughter or between murder vs premeditated murder. This is the primary way by which the law takes intent into account. Then after a declaration of guilt there is another opportunity in the sentencing phase. This is where the judge has the leeway to "let them off easy" or "throw the book at them", base on witness impact statements, defendant's attitude and remorsefulness.
Re: Why is 'skirting' laws not a crime, in general (Score:1)
Silly pleb, laws are for little people. Everyone knows the Owners are above the law.
Comment removed (Score:4, Insightful)
Re: (Score:1)
Re: (Score:3)
Under the GDPR regime, privacy paranoids have in a sense become a protected class. In effect, it is explicitly forbidden to deny someone normal service just because they exercise their privacy rights under the new law.
That position does have risks of its own, because it potentially destroys business models that rely on that data processing for their revenue generation. If too many people choose to exercise their rights, businesses that do provide some genuine value but have until recently paid for it throug
Fines should go to the people affected (Score:5, Interesting)
I think these laws should be written such that the fines are paid to the individual rather than the state (or at least split 50/50). People would be much more motivated and vigilant about enforcing their rights... (wishful thinking I know)
However, California has a ballot initiative process that gives California citizens a way to propose laws and constitutional amendments without the support of the Governor or the Legislature, so maybe the law could be amended through that process.
Re: (Score:2)
Just like telephone scammers (Score:2)
Moved overseas so will the Internet "scammers"....
Could skirt? (Score:2)
I reckon legally enshrining the hoovering up as much personal data as one can was the sole and primary aim of this legislation.
People will just click a warning anyway... (Score:2)
That's exactly what we want, delete all our data forever when we demand it, and if your business model requires you to spread data all over the place, or even out of your dentist's office to third-party CRM and accounting cloud software, robodialers, and billing companies, you better well disclose it before we give you that data!