
California Eyes Data Privacy Measure - joubert
https://www.npr.org/sections/alltechconsidered/2018/05/28/614419275/do-not-sell-my-personal-information-california-eyes-data-privacy-measure
======
spodek
> _" Every industry sector [that] has looked at this initiative considers it a
> very serious threat to the ability to do business in California," says
> Robert Callahan, vice president of state government affairs for the Internet
> Association. The group represents major tech companies, including Google,
> Facebook and Netflix._

It's not hard if you don't base your businesses doing what many people
consider creepy.

Maybe they should have thought of that before doing so.

~~~
matte_black
Stop using subjective terms like “creepy” and define exactly what you mean.

~~~
slg
The subjective nature of the term creepy is exactly what is important here
because it all depends on context. Most people would consider it creepy when
Target knows their daughter is pregnant before they do. [1] I would also bet
most people would be perfectly happy if Target figures out they have a new
puppy and starts sending coupons for dog food. Those things are fundamentally
the same when it comes to what data is collected and what process predicted
it. However the human element of privacy makes those two situations worlds
apart. That human context is what is important and why it is so hard to come
up with universal algorithms or rules that can adequately handle any privacy
situation.

[1] - [https://consumerist.com/2012/02/17/target-figures-out-
teen-g...](https://consumerist.com/2012/02/17/target-figures-out-teen-girl-is-
pregnant-before-her-father-does-sends-helpful-coupons/)

~~~
nneonneo
Somewhat unrelated, but is anyone else having trouble loading that consumerist
page? It keeps redirecting me off to [https://consumerist.com/remote-
login.php?login=...](https://consumerist.com/remote-login.php?login=...).
which 404s. Looks like a WordPress plugin (WPRemoteLogin) gone amok.

EDIT: looks like this is because I'm logged into my own Wordpress blog. Weird
that that should have any bearing on my ability to load this blog.

------
kinsomo
> But Callahan [VP of a tech industry group] doesn't think a privacy law
> should be written by advocates like Mactaggart and put on the ballot.

> "Without any sort of process ... the proponents came up with this law,"
> Callahan says. "[Mactaggart is] suggesting [this] should be the law of the
> land without any sort of public vetting or scrutiny and we think that's
> irresponsible and dangerous."

Isn't the ballot initiative process the "public vetting or scrutiny" this guy
is talking about? Seems like he's unhappy his group didn't get a chance to
water down or kill the measure behind the scenes.

~~~
Arainach
The public aren't lawyers. One of the points of representative democracy is
supposed to be that legislators are more experienced with the practice of
writing effective laws - laws that will have their intended effect and stand
up in court. With the initiative process, it's easy to find text that sounds
nice when you describe it in 30 seconds to people on the street but is either
ineffective or has awful unexpected consequences.

That's not to say that there's no place for the initiative process, but it's
not without its problems.

~~~
tunareter
If laws can't be easily written and understood, that's a problem with the
legal system (and the media explaining said laws and initiatives).

The CA implementation seems terrible, but in general direct democracies end up
with better laws, and the populace in such democracies ends up being better
than a bunch of self selected politicians (who happen to not be experts
anyway). US and UK lawmaking processes are a perfect example of why you need
to give citizens more control (but you still want legislative bodies to do the
grunt work).

~~~
duxup
"but in general direct democracies end up with better laws"

Is there something that indicates that?

------
ryanworl
This law seems much more reasonable compared to GDPR.

"(b) "Business" means: (1) a sole-proprietorship, partnership, limited-
liability company, corporation, association, or other legal entity that is
organized or operated for the profit or financial benefit of its shareholders
or other owners, that collects consumers' personal information, that does
business in the State of California, and that satisfies one or more of the
following thresholds: (A) has annual gross revenues in excess of $50,000,000,
as adjusted pursuant to paragraph (5) of subdivision (a) of section 1798.115;
or (B) annually sells, alone or in combination, the personal information of
100,000 or more consumers or devices; or (C) derives 50 percent or more of its
annual revenues from selling consumers' personal information; ..."

And the definition of "selling" is also clearly defined.

" (q)(l) "Sell," "selling," "sale," or "sold," means: (A) selling, renting,
releasing, disclosing, disseminating, making available, transferring, or
otherwise communicating orally, in writing, or by electronic or other means, a
consumer's personal information by the business to a third party for valuable
consideration; or (B) sharing orally, in writing, or by electronic or other
means, a consumer's personal information with a third party, whether for
valuable consideration or for no consideration, for the third party's
commercial purposes."

[[https://oag.ca.gov/system/files/initiatives/pdfs/17-0039%20%...](https://oag.ca.gov/system/files/initiatives/pdfs/17-0039%20%28Consumer%20Privacy%20V2%29.pdf)]

~~~
blub
It looks like it was designed to be useless, since neither Google nor Facebook
sell info under the definition of selling you posted.

~~~
ryanworl
There are many business that “sell” data under the second clause TO both
Facebook and Google which could be impacted.

The Facebook Pixel is definitely disclosing data to Facebook, even if they
aren’t being paid for it. And they probably use data from the Facebook Pixel
across many advertisers for Facebook’s own business purposes.

~~~
mtgx
It's not about Facebook Pixel, but the fact that ad companies usually don't
"sell the data". They _share_ the data with third-parties, and they can also
_give access to their advertising platforms_ (where the third-parties don't
have direct access to the data).

~~~
ryanworl
Sharing the data is explicitly in the definition of selling I listed so long
as the entity receiving the data uses it additionally for their own purposes.
If Facebook uses it to provide more accurate targeting to a _different_
advertiser, that sounds like using it for their own purposes to me.

Edit: to be clear, the Facebook Pixel is basically fine under this law so long
as Facebook only uses the data for facilitating ads for the company the data
was collected from in the first place.

------
xg15
Ironically, this article is not available without opting in to their tracking.
Could someone post the plaintext link?

~~~
Smaug123
You just need to decline to be tracked, and then follow the appropriate link
on the text-only home page.

[https://text.npr.org/s.php?sId=614419275](https://text.npr.org/s.php?sId=614419275)

~~~
xg15
Ah, didn't see the link was still under "Top news stories". Thanks.

~~~
IshKebab
Well it isn't always. If it isn't you have to copy the article ID from the
URL. Also you don't get pictures. This clearly isn't GDPR-compliant.

------
yuhong
"He asked a Google engineer at a cocktail party whether he should be worried
about his privacy."

Something similar is what led me to write my essay on ad tracking and Google
that tried to trace it back to Larry and Sergey:

[http://yuhongbao.blogspot.ca/2018/04/google-doubleclick-
mozi...](http://yuhongbao.blogspot.ca/2018/04/google-doubleclick-mozilla-
essay-final.html)

Also see:

[https://twitter.com/berendjanwever/status/775366191078641664](https://twitter.com/berendjanwever/status/775366191078641664)

~~~
woolvalley
Your essay is a bit of a wall of text, I would suggest adding headers and
cutting up the paragraphs into smaller chunks to make it easier to read.

Also I feel like the general essay format that is taught to you in grade
school is actually a bad format. Grade school project style reports are
usually easier to read and easier to write.

Essays contorts most people's writing into a very awkward form. If people were
allowed write without the restrictions of essays, they would usually be more
clear.

Better yet, try the typical medium or journalistic article format to get
better reading comprehension.

~~~
jacquesm
And maybe have it proofread by someone? I always do this and still end up with
typos and grammar errors but a proofreading session will usually get rid of
90% or more of those.

~~~
yuhong
Yea, the essay has other problems I want to fix too. What I am interested in
most is the points about Larry/Sergey BTW.

------
dawhizkid
Data privacy is great and all, but I just want one-click unsubscribe from paid
subscriptions.

I’m a practicalist.

~~~
Someone1234
I'd love a law that says [paraphrasing] "You must allow unsubscription via the
same medium as subscription." Problem is there are far too many loopholes and
potential issues, there's no way you could make the text of the law both exact
enough but vague enough to work in most circumstances.

It would be better to just have a consumer watchdog that had the power to ask
companies to change anti-consumer practices and use a jury to determine if
something is anti-consumer (like dark patterns).

~~~
dawhizkid
Yes I’ve thought about this too - especially with cell
phone/internet/cable/magazines - silly how you can subscribe online or in-
store but need to call to cancel. With digital subscriptions it should be as
easy as unsubscribing from an email list.

~~~
Silhouette
It's a tough issue to get right, because unfortunately some customers are
clueless and some customers can be abusive.

I have some experience running online subscriptions, and my policy has always
been that you can unsubscribe straightforwardly. Typically it takes a couple
of clicks clicks, one to start and one to confirm, and the whole process is
immediate and fully automated. In some cases, maybe there's also a brief and
optional exit survey, but never anything deceptive or that significantly
obstructs someone who wants to cancel. Like not using some conversion
optimisation techniques that cross a line into invading privacy, I just see
this as treating our customers how we'd like to be treated ourselves.

Many people have used these facilities with no trouble and those services have
generally received few complaints, but you do still get the special people who
instead of taking ten seconds to do that would rather send a page-long email
about how they demand that we cancel their subscription right now and if we
charge them again they'll dispute it, and they'll literally send that email 5
minutes before their next renewal fee goes through.

When you're dealing with that kind of person, you want it to be stated very
clearly and in writing that their subscription continues until cancelled in
the proper way, that merely emailing is not sufficient to cancel and may not
take effect immediately even if we do honour the request, etc. Of course, that
doesn't stop us from being friendly and helpful if someone sends a polite
cancellation request by email, even though it's an irritating waste of time to
deal with those requests manually, but you can't be too casual about
cancellations or, sadly, some people will exploit that.

------
jadedhacker
The is great and all, but it requires individual action on the part of the
consumer. I'd like to see a US version of GDPR and soon.

------
newman8r
this is their homepage
[https://www.caprivacy.org/about](https://www.caprivacy.org/about) \- they
should at least implement the conspicuous "Do not sell my personal
information" link on their own website. Just to get an idea about the extra
work that they're asking millions of people to do.

*Edit: under the proposed law, websites like this wouldn't actually be required to post the 'Do not Sell' link

~~~
majewsky
Their privacy policy states that they do not sell personal data at all. So
what benefit would that button have?

Source: [https://www.caprivacy.org/privacy-
policy](https://www.caprivacy.org/privacy-policy)

~~~
newman8r
Upon closer inspection, it seems like this law would only apply to large
business or businesses that actually sell personal information. If that's the
case then it's more reasonable than I initially thought.

I was concerned that every blog and startup might need to implement the
functionality, but it seems like that might not be the case.

~~~
simion314
But what if the personal information is not sold but shared for free, will
this law apply? I can see the big comnpanies finding so many loopholes in
this.

~~~
jkaplowitz
If I'm reading the quoted portion correctly, it'd apply to large companies
whether or not they sell personal information.

~~~
woolvalley
But if the large company doesn't sell, then it would be a blank page for the
most part?

~~~
jkaplowitz
I'd have to read more of the law than was quoted on HN to know for sure, but I
suspect there would at least be rights to learn what data they have on you and
rectify inaccurate data.

Maybe some deletion right too but the above is the part commonly found in
other privacy laws, such as in Canada where I now live.

None of this depends on whether they share your data, let alone share in
exchange for compensation.

------
csours
> If voters approve the measure, businesses will be required to have a "clear
> and conspicuous link" on their website's homepage titled "Do Not Sell My
> Personal Information." The link would take users to a page where they can
> opt out of having their data sold or shared.

Ugh but why though? Why not just have a law that says you cannot sell or trade
personal information.

~~~
lisper
Because some people might believe that allowing companies to sell their
personal information could provide them with some benefits that outweigh the
costs and risks. Not everyone attaches the same value to privacy.

~~~
simion314
But why not force all sites to give you clear information so you are informed.
So when I follow some link and land on a "intresting" site I should be
informed that continuing navigating means I agree that Google,Facebook, other
20 companies will be informed about me opening this link. If I do not agree I
will be forced to leave.

The only work the site owners needs to do is to have a list of all the
companies they sell the data too, show that list to you, and save your
acceptance in a cookie.

For more complex apps like Facebook that sell more data or mine your private
messages/emails,purchases, music and movies you watch they should also display
the exact thing they sell or share for free.

My point, the companies would have just to inform, would not be forced to give
you access.

~~~
TeMPOraL
You're basically reinventing European cookie law. I'm pointing it out for two
reasons - one, for those wondering how this "stupid law" was created, this is
how. Two, we ended up needing the GDPR anyway, since just informing is not
enough.

~~~
simion314
The cookie law did not forced the sites to tell you exactly what data they
sell/share and to what companies.

The way it was implemented was "This site uses cookies to store your
preferences and it can't work without this essential technology".

I suggested this because I see some people here don't want to stop selling the
data, at least have this selling transparent to the user. Maybe we get the ad
blockers, containers in browser and other related technology adoption rise
faster(it won't solve all the problems but would stop tracking at least)

~~~
TeMPOraL
Yes and no. If all you wanted to say was:

> _" This site uses cookies to store your preferences and it can't work
> without this essential technology"._

... then you didn't need to display anything at all. You only needed a cookie
warning if you were doing tracking and other data collection that was not a
technical requirement of the site (and "supporting the business model of
selling user data" is not a technical requirement of a site).

Alas, the law was broken enough that everyone could get away with defaulting
to show a vague "this site uses cookies for your own good" message.

Where it applies, GDPR doesn't disallow selling data. It just ensures the user
_explicitly opts into_ that scheme. That creates extra burden for those who
don't mind their data being resold, but that's like a small percentage of
users. The ones who desperately don't want to be tracked are another small
percentage. The vast majority of users are people who don't know any better
and don't even understand the topic, so they will go along with whatever is
presented.

------
yuhong
The fact that they require the name "Do Not Sell My Personal Information" is
part of what I don't like in the bill.

~~~
freehunter
And the fact that selling personal information isn't the only concern with
personal information. I'm pretty sure that Facebook and Google don't sell my
personal information to third party entities, but I still don't want them to
have it unless I give it to them by choice.

------
hedora
This is broken in so many ways, it's ridiculous. There needs to be a
programmatic opt out (at least something a browser extension can do on each
page visit), or, better, a manual opt-in.

Also, opting out won't actually prevent any of the big data abuses people are
actually concerned about...

------
dmode
Although I agree with the sentiment that we need more privacy protections, I
don't believe that a ballot measure is the right way to do this. There have
been several poorly written ballot intiatives that have led to various
unintended consequences.

------
newman8r
The article fails to mention that the proposed law doesn't actually impact the
majority of startups and small businesses, so calling it 'sweeping' might be a
bit much.

------
_o_
I think that the basic issue here regarding privacy is that only the ones
breaking it are writting. There are literally millions that wont give upvote
but want it.

Google and Facebook already launched their lobbyists there and are trying to
undermine it, I wonder what they will do to Japan.

------
jacquesm
Excellent news. Next step: reciprocal enforcement.

