
California Unanimously Passes Historic Privacy Bill - ax00x
https://www.wired.com/story/california-unanimously-passes-historic-privacy-bill
======
PlanarFreak
Good to hear! Glad to see that some state is going to stand up for consumer
protections.

> Facebook initially supported the opposition initiative, but pulled out
> publicly in April, a month after news broke that a political consulting firm
> called Cambridge Analytica amassed data on tens of millions of American
> Facebook users for political purposes without their knowledge.

Hilarious.

> [...] lobbyists affiliated with the group TechNet were working behind the
> scenes to change crucial parts of the bill, as well, including the
> stipulation that businesses include a clear button on their websites giving
> people the ability to opt out of data collection.

> The law goes into effect on January 1, 2020. The Internet Association has
> already hinted at efforts to modify the legislation before implementation.

A year and a half before it goes live; the fight's not over yet. Gotta make
sure they don't completely gut it before then, like the net neutrality bill.

------
btown
Text of the bill:
[https://leginfo.legislature.ca.gov/faces/billTextClient.xhtm...](https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375)

Only seems to apply to companies with 50k+ California-resident users, or
$25mm+ in revenue. So there's likely much less of a chilling effect on small
businesses than GDPR. (IANAL, though, and with the speed this was pushed
through, lawyers should take a much closer look in the coming days before
anyone jumps to conclusions.)

~~~
yuhong
I really dislike the “Do Not Sell My Personal Information” part.

~~~
fcarraldo
Okay. Why?

~~~
yuhong
I am talking about the part where the link has to be named that way.

------
Sylos
> It’s similar to the General Data Protection Regulation that went into effect
> in the European Union last month, but adds to it in crucial ways. Under the
> GDPR, businesses are required to get users' permission before collecting and
> storing their data. But the way most companies have designed those opt-in
> pop-ups, "you really don't have a choice," says Ashkan Soltani

Those opt-in dialogs that don't actually leave you a choice are _not legal_
under the GDPR. So, you cannot add to the GDPR in crucial ways and somehow
make these more illegal.

In fact, the GDPR even requires that revoking once given consent is just as
easy as giving it. So, companies that have no problem interpreting a single
click as consent for something that you need a team of lawyers and tech
experts to actually understand the implications of, will have to also somehow
present users with a one-click process for revoking this consent.

Companies like Google and Facebook just don't adhere to the GDPR and there's
no reason to assume that they will adhere to this new law either. They've
placed these clearly illegal dialogs and are now waiting for lawsuits to
follow through, requiring them to actually adhere to the law then. They're
gambling for the punishment to not be as high as the profit that they'll turn
in the time that the lawsuit is not yet settled.

------
adventured
The disaster is going to be when/as every state adopts unique privacy
legislation.

It's going to be necessary for the US Congress to override these state-based
rules using the Commerce Clause, FCC, and FTC, to take over responsibility for
legislating all digital privacy matters on the basis of its impact on
interstate commerce and the FCC's overarching control of nearly anything
involving electronic communication.

It won't be practical or reasonable to track users across every state and
their movements at all times. People that happen to cross a state line and the
need to somehow magically identify their location of origin, and all the blah
blah shit that goes with that nightmare. California (or any given state) will
probably claim their law applies to California residents at all times, and
states will claim their laws apply if you're in their state at any point,
enter the conflicting nightmare.

Here's also where GDPR's global enforcement proponents should get pretty
excited: being consistent with that premise, now all of the EU has to comply
with all privacy laws of all 50 US states, to the extent that they have users
from the states. So EU companies will have to implement and maintain dozens of
privacy schemes to fit all of the US states (as they each roll out unique
privacy legislation). That glorious global enforcement. The world must now
adopt all US policies. That's how it works according to GDPR proponents,
right?

Instead of the Web of insanity that that 50 state disaster will spin, the Feds
will ideally smother all state attempts at establishing their own privacy
frameworks, establish Federal regulations on the matter and overrule the
states aggressively.

~~~
casefields
That's how car emissions are and the world isn't collapsing. Auto
manufacturers know if they want access to California they're going to have to
deal with the toughest pollution regulations.

------
jackfoxy
Most important part of the tldr; is this law does not take effect until 2020.
Lots of time to be amended before then.

~~~
394549
> Most important part of the tldr; is this law does not take effect until
> 2020. Lots of time to be amended before then.

Yeah, and it looks like the process has already started:

> And yet, a report by The Intercept revealed that lobbyists affiliated with
> the group TechNet were working behind the scenes to change crucial parts of
> the bill, as well, including a stipulation that businesses must include a
> clear button on their websites giving people the ability to opt out of data
> collection.

------
Gaelan
AFAICT, the opt-out stuff only applies to selling data, and not using it
internally for ads or whatever. Seems like this won’t hit Google or FB very
hard.

------
burntrelish1273
It's better than nothing. Until personal information is the property of the
individual, and not resold/shared without permission, the "genie" is out of
the "bottle;" lists and databases of personal information will continue to be
trafficked by corporations of all sorts.

~~~
alfredallan1
That’s one of the most valid ideas I’ve heard - define private data as
personal property.

When one looks deeper into laws like GDPR and this one, at the heart of it
lies the fact that a company cannot do as it pleases with an individual’s data
without said individual’s consent. But given the nature of the legislation, it
is not too hard for a company to simply bypass it in ways that adhere to the
letter of the law but not the spirit.

If instead there were laws that defined private data as the personal property
of the respective individual, the need for all this convoluted legislation
would be rendered moot, since such a law would open the grounds for a variety
of class action lawsuits against companies perceived to be egregiously
abusive. The case law itself would set numerous precedents and eliminate the
need for varied “interpretations” of one piece of legislation. IMO, this is
what we should be pushing for, not more GDPR-clones which can be watered down
by lobbyists.

~~~
nostrademons
I'd love to see private data as personal property, but in practice that's
likely to run into a lot of contradictions.

The biggest problem is that most of the interesting private data is actually
about _relationships_ between multiple private individuals. If you're having a
conversation with a friend on Whatsapp, is that conversation property of you,
your friend, or do you each own your own messages? If it's a group
conversation, is the whole conversation owned by all of the participants, or
only parts of it? What if some people in the group chat aren't actually
participating, but are just lurking? If you mention a company's product, does
that mention belong to the company or the person mentioning it? What if
instead of a product, you mention another person? What if you're quoting
gossip they told you in person?

This is why Hacker News doesn't let you delete or edit posts after 2 hours,
BTW. Once people have read them and replied and referenced them elsewhere,
it's not really fair to other participants in the conversation to remove the
words they were replying to.

Other social networks have run into real problems where people have edited
their posts after many replies have been added to take the replies out of
context and make them mean something totally the opposite of what their
authors intended. If you own your own words, this is your right, but it's also
a dickish and disruptive thing to do.

The same applies to many other types of personal data. A credit report is a
list of transactions _between_ you and various creditors. The credit bureau
didn't just snoop on everything you do, that information was reported to them
_by the other party of the transaction_. If they own the data about them, this
is within their rights, but it certainly doesn't feel about it when it's used
to deny the borrower further credit.

I think the current situation, where data is owned by the company or
individual that collects it, is the most absurd alternative possible. But
that's because our legal system is poorly structured to handle property rights
where the "property" is owned by multiple firms, can be transferred easily
(and surreptitiously) without the original owner losing rights, and may
eventually come to harm one of the original owners.

~~~
ckastner
> _The biggest problem is that most of the interesting private data is
> actually about relationships between multiple private individuals. If you're
> having a conversation with a friend on Whatsapp, is that conversation
> property of you, your friend, or do you each own your own messages? If it's
> a group conversation, is the whole conversation owned by all of the
> participants, or only parts of it?_

To me, not addressing this is one of the biggest flaws of the GDPR.

As a practical example: I've talked to numerous other banks, and with regards
to data portability (article 20 GDPR), there is nothing even close to a
consensus as to what you are _allowed_ to give the customer with regards to
his own transactions, because there are numerous parties involved.

It gets even worse: the text of the "right of access" (article 15 GDPR), in a
wide interpretation, grants access to far more information than the data
subject would otherwise have access to.

If person A and person B confidentially process data of C, is it really the
intention of the GDPR to grant person C access to this confidential
processing?

~~~
burntrelish1273
There's two ways to look at compromised legislation:

1\. It doesn't go far enough, and sells-out to the opposition.

2\. It's better than nothing, and future legislation can address it.

Holding out exclusively for 1. or settling for 2. are bad strategies. There's
nothing wrong with trying to get as much in a bill as possible, but the damn
corporations push back on everything for the people.

Until, as Larry Lessig / Aaron Swartz noticed, either the political OS gets
changed (unlikely) or it crashes and burns.

------
sqdbps
Idiocy. The motive is to hamstring some of our most innovative companies which
by itself is baffling and of course the collateral damage is the extra
overhead and lawyers inflicted on all businesses big and small.

The desire to imitate the euros in their efforts in making it as hard as
possible for our companies to operate there is beyond stupid.

California ballot initiatives like all referendums must be eradicated and the
fact that a California real estate developer (the source of all that is wrong
in the state) straight after killing recent zoning reform is using a ballot
initiative to blackmail the assembly into passing this law makes it worse.

~~~
Rjevski
> most innovative companies

If that innovation is about stalking people online & offline to serve them ads
then no thanks.

~~~
darawk
I hear this sentiment expressed a lot, but I rarely see anyone actually
articulate their rationale. What do you think the downsides of that are?

~~~
ahelwer
I find in myself a very human desire to not have every private action subject
to registration & scrutiny by unknown entities. No further justification is
needed.

~~~
darawk
I think quite a bit further justification is needed. That's why I asked the
question. You're proposing companies have their rights circumscribed. You need
to justify that.

~~~
ahelwer
All justifications must ultimately rest on some axiom or set of axioms. You
want to recurse down some more levels, that's fine. I don't feel the need. My
answer satisfies in itself. It is an answer which recognizes human dignity.

~~~
darawk
You believe it's axiomatic that you are entitled to the services of Google and
Facebook and they are not entitled to save the information that you willingly
send them during the use of their services?

