
Silicon Valley is terrified of California’s privacy law - ssklash
https://techcrunch.com/2019/09/19/silicon-valley-terrified-california-privacy-law/
======
nabnob
I see a lot of comments deriding this law, can someone explain to me why these
are bad things? Quoting from this article -
[https://techcrunch.com/2018/06/28/landmark-california-
privac...](https://techcrunch.com/2018/06/28/landmark-california-privacy-bill-
heads-to-governors-desk/)

\- Businesses must disclose what information they collect, what business
purpose they do so for and any third parties they share that data with.

\- Businesses would be required to comply with official consumer requests to
delete that data.

\- Consumers can opt out of their data being sold, and businesses can’t
retaliate by changing the price or level of service.

\- Businesses can, however, offer “financial incentives” for being allowed to
collect data.

\- California authorities are empowered to fine companies for violations.

I totally understand that this will impact a lot of tech companies'
profits...but that's to be expected if you're making money selling people's
data to third parties without their permission.

~~~
darawk
> \- Consumers can opt out of their data being sold, and businesses can’t
> retaliate by changing the price or level of service.

This is something I object to. It's just fundamentally stupid and doesn't make
sense. The entire premise of free exchange is that I give you my services in
exchange for something of value of yours. Making it illegal to withhold
services if you don't give up your data is crazy. The only reason those
services are being provided at all is to get that data. That's effectively a
requirement that people provide services _for free_.

EDIT: I'll also add that it strongly favors incumbent tech companies, by
explicitly carving out "selling to third parties" as a disfavored tactic.
Google can monetize your data internally. Your average startup may not be able
to. Specifically carving out "selling to third parties" favors large,
incumbent players over small startups. But then, regulation always does.

~~~
joshklein
Charging different customers a different price for the same product is illegal
under US law, and California laws don’t change that.

EDIT: Several comments below point out the innumerable businesses operating in
such a way as to make mine an impossible claim.

Enumerating the established methods to avoid meeting the legal parameters of
price discrimination is not the same as price discrimination being legal.

My bar for following just laws is higher than the minimum required to avoid
being prosecuted. I’m sure experts can help work around any future privacy
laws too, so why even worry?

Surveillance already creates a different product one can charge more for,
though your lawyer might advise you call it “personalization” in memos.

~~~
reaperducer
_Charging different customers a different price for the same product is
illegal under US law_

Demonstrably untrue.

It is illegal to charge a different price based on a protected class like race
or gender. But travel sites, for example, are notorious for charging different
people different prices based on their GeoIP, whether they're on mobile or
desktop, or Windows vs Macintosh.

~~~
lightedman
"Demonstrably untrue."

Robinson-Patman Act says "Please read me, and understand me and the Clayton
Anti-Trust Act which I amend."

------
morganherlocker
Lot's of (mis)information floating around regarding CCPA. I recommend taking
the time to read the actual text[1]. The text is not particularly long or
dense. There has been a lot of speculation about complex compliance
procedures, but the main thrust of the bill is to provide users with
information about how their data is collected, who it is shared with, and the
rights to prevent certain types of selling or sharing of said data. The
leginfo site also includes non-partisan analysis (under the "Bill Analysis"
tab) of the bill and amendments as it moves through the legislature, which is
useful for getting an understanding of how specific issues are being
considered and addressed. Something to consider is that bills change
substantially through the amendment process, so often critiques you read are
based off old versions of the text that have already been addressed.

[1]
[https://leginfo.legislature.ca.gov/faces/billTextClient.xhtm...](https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375)

~~~
notfromhere
The main problem is that the bill is rushed and the legal bits have a lot of
ambiguity.

source: CCPA and its potential compliance has been a big PITA

~~~
morganherlocker
No argument there; just pointing out that many of the common complaints around
ambiguity are explicitly addressed in the text of the bill already.

~~~
notfromhere
They're really not - the definition of using California household vs resident
creates a huge unenforceable gray area for compliance

~~~
morganherlocker
Agree to disagree on this example I guess. "household" is referred to in the
bill when defining re-identification, and this is an important improvement
over the language in GDPR, especially when it comes to geolocation data, which
is often sold at the household level (ie: Experian sells household level
market segmentation profiles that tell you a lot about a person's behavior
without directly linking to an individual).

The only other place households are referred to is in the section defining
which companies the rules apply to, which is also pretty straightforward in a
plain reading. If a company's number of consumers, households, _or_ devices
exceeds 50k, they qualify.

> (B) Alone or in combination, annually buys, receives for the business’
> commercial purposes, sells, or shares for commercial purposes, alone or in
> combination, the personal information of 50,000 or more consumers,
> households, or devices.

------
throawayuk55po
We need to have a conversation about jurisdictions in the digital age. The way
governments have decided that having a website accessible in a country makes
you liable to respect the law of this country is a convulted and hacky notion
that has been accepted way too fast.

The physical establishment rule was the only sound approach. The fact that
some countries started to lose shouldn't have allowed them to rewrite the
rules (especially in such a hacky manner).

Can you imagine owning a grocery store and having to ask every customer their
nationality to check which law you must follow to do business with them? Then
multiply this hell by 10 and soon 1000 considering new laws created left and
right and you have the environment these dishonest politicians have created.

~~~
FussyZeus
> We need to have a conversation about jurisdictions in the digital age. The
> way governments have decided that having a website accessible in a country
> makes you liable to respect the law of this country is a convulted and hacky
> notion that has been accepted way too fast.

You know if you turn that around and say "How come we have to respect the laws
of every country we do business in?" it sounds a lot more self serving.

Nobody said your website had to serve Californians. Nobody said your iPhone
game has to be accessible in North Korea. Nobody said your movie has to be
viewable in China.

If you're intending to serve any product to an entire planet composed of
nations, states, societies all pulling from different experiences, different
cultural attitudes, I think expecting a completely friction-free experience in
doing so is more than a little unreasonable.

And more to the point that this particular discussion is about, these are
principles that pretty much every society could reasonably get behind. Sorry
that means mining data isn't a solid business model anymore, but I'm also not
even remotely sorry. Adtech should die. It's a blight on our society.

~~~
fennecfoxen
> Nobody said your movie has to be viewable in China.

You will of course forgive me if I do not find economic favoritism that
benefits politically connected industrialists, the restriction of freedom of
thought by oppressive governments, and the general Balkanization of the
Internet, to be things that we ought to celebrate.

Once upon a time the memes of Internet culture would suggest that "information
wants to be free!" Oh, sweet halcyon days of yore!

~~~
jakelazaroff
_> Once upon a time the memes of Internet culture would suggest that
"information wants to be free!" Oh, sweet halcyon days of yore!_

Turns out it’s _not_ free — it’s actually _very valuable_ , and the cost is
borne by society writ large.

~~~
alanbernstein
Information does want to be libre.

Information is not gratis.

------
rdlecler1
So the author would rather see each state/country implement it’s own laws so
that a small startup needs to ensure they comply with hundreds of regulatory
jurisdictions... awesome.

~~~
mitchdoogle
The gist of these laws are all the same. Just respect ALL users' data from the
start, and you shouldn't have any difficulty with compliance.

~~~
bcheung
Many companies have to RADICALLY change their architectures just to support
these laws. And often the costs will be enormous. How do you scan all the logs
that might somehow have an association with the requesting user that are in
cold storage and alter data on write only archived optical media? You have to
make an entire copy of it with those data removed. It's not about just
treating customers better. It's government dictating the technical
architecture.

~~~
scottlocklin
>Many companies have to RADICALLY change their architectures just to support
these laws. And often the costs will be enormous.

Bummer dude. As an engineer type, I say, bring it on. Hard for me to have much
sympathy ZuckerBrin can't afford another island or whatever because they made
unethical decisions in the past. And if companies blow up because of it: good,
that's the idea. There needs to be consequences.

~~~
tick_tock_tick
Facebook will be just fine and probably come out ahead. Same with google. They
have the money and resource to comply. These kind of regulation that don't
take reality into account when written are a god send to large corps.

------
yalogin
It’s jarring to see such headlines on TechCrunch. They fed the valley by
giving every little news a place and are ne of the original hype masters for
startups. They profit off the area by hosting the disrupt conference as well,
which is again a huge pat each other on the back event. So now they turn
around and post a headline like that is just somehow ugly to me. It’s
absolutely in their right obviously.

~~~
degenerate
Pet peeve: when editors/authors throw their opinions on the end of headlines.
[ _and why it 's a good thing / and why you should care / and why it's
dangerous / etc_]

Just give me the facts and let me decide on my own after reading the facts. I
don't need your opinion up front.

------
dillondoyle
I'm pretty concerned about it, and we are a tiny political digital agency. My
reading is that basically any small sized email list, website, service etc
that 'receives for the business’ commercial purposes' data on more than 50k
'devices' or 'consumers' must be compliant which is a very low bar. Like small
business email lists would hit this, though maybe burden falls onto Mailchimp
for most.

It should be fairly easy to add a contact us address for delete and info
requests to the bottom of websites. A lot harder and would take development
time to automate a UI for a person to see all data associated automatically
(e.g. lots of separate analytics; would have to build api to lookup
ip/device/user data match across tables/dbs, and then how do I verify a user
is requesting their data and not someone else's). Also harder to 'block' new
data collection of device/consumer post delete request.

What I'm less sure about is 'inform consumers before the point of collection.'

Does a privacy policy link in footer count? If not what is required for
compliance? What about advertising?

Another big concern for me is that this is going to be weaponized in my
industry (politics). I think a political campaign wont fit the bill's
definition of 'business' (profit seeking for shareholders) but I think it will
still be weaponized by opposition campaigns and service providers.

~~~
Sephr
Sounds like you need a Data Privacy Infrastructure provider so you don't have
to worry about the implementation details. The startup I'm working at,
[https://transcend.io](https://transcend.io), offers that.

------
milesskorpen
Does anyone know the real implications of the CCPA for things like Sift
Science, Google's Recaptcha, and maybe even Cloudflare?

All of these are based on many companies contributing information about users
to create profiles which curb abuse. And Sift/Google/etc. get commercial
benefit from this data sharing, which might trigger the CCPA. But you can't
give bad actors the ability to opt out of this kind of data sharing without
crippling them.

I think these kind of companies are really important to a functioning
internet. I hope there are carve outs of some sort, but seems like they're
living on the edge right now.

~~~
matty22
If Recaptcha gets the ax due to CCPA, the internet will be better off for it.

~~~
milesskorpen
There needs to be some way to identify non-humans and/or malicious actors.

~~~
0xffff2
Malicious actors? Yes. Non-humans? No. If my bot is playing by the same rules
a human would, what do you care as a website operator?

------
calithrowaway
How is this not a violation to the first amendment? Does the first amendment
not extend as follows: (?)

As a citizen don't I have the right to create a business and privately take
notes on whatever I'd like to about my customers? If i run a dry cleaners and
take notes about my customers, should I be obligated to disclose these notes
or even the existence of these notes to my customers? I don't see why
extending the dry cleaning business to a mobile app or website effects
anything. What about journalists, are they required to disclose what data
they're collecting about people as they do their job?

I feel like the state constitution granted right to privacy does not supersede
the federally mandated right to freedom of speech both the right to take
internal notes and documentation and the violation of one's speech rights by
forcing this disclosure.

however IANAL and I don't live in California. Could someone share some
insights onto the first amendment side of this?

~~~
krapp
>I feel like the state constitution granted right to privacy does not
supersede the federally mandated right to freedom of speech

Gonna have to stop you there.

The First Amendment doesn't mandate a right to free speech. It only prevents
Congress from passing laws abridging that right.

There's nothing, Constitutionally speaking, preventing _states_ from doing so.

Edit: nope, Apparently I'm wrong on this one.

~~~
mdavidn
That's not the case. The Bill of Rights now does largely apply to the states.

[https://en.wikipedia.org/wiki/Incorporation_of_the_Bill_of_R...](https://en.wikipedia.org/wiki/Incorporation_of_the_Bill_of_Rights)

------
tempodox
Many comments here make the false dichotomy of paying for a service with money
vs paying with your data. That ship has sailed. In the current market selling
user data will win every time. Only laws can make sure that a company you pay
for “premium service” or “no ads” won't turn around and sell your data anyway.

------
tspike
A significant part of the fear comes from how poorly worded it is.

~~~
TazeTSchnitzel
Broad wording means companies have to be conservative (collect less data) and
less loopholes. That's a win for the ordinary person.

~~~
tick_tock_tick
Or realistically it means they will collect the same and wait for
clarification. Since it's worded so poorly they won't be punished for it or
going by past examples in California the fine will be so small it was worth
it.

~~~
TazeTSchnitzel
The US has a common law system. What is not specified in the statute will be
slowly clarified by the courts.

------
rpastuszak
As much as most browsers have implemented a standardised payment API, a
generic, browser-level Privacy related GUI would be helpful. By that I mean
something less repetitive than the multitude of consent screens people have to
deal with (not to mention dark UX patterns in the existing solutions).

~~~
ptest1
Yes, please!!

------
noodlesUK
People keep comparing this to the GDPR. I have lived in the UK pre and post
GDPR and the US. I like the GDPR a lot. It isn’t just internet businesses
either. Because it was such a crazy bogeyman, plenty of brick and mortar
businesses have paid a bit more attention to their data security. I like being
told what’s gonna happen with my PII, and having the right to control my data.
Most people seem to like the effects of the GDPR in my (anecdotal) experience.
Yeah you have people using it as some bizarre bogeyman to stop you doing
normal things, but it makes you think about it. From a business perspective,
the ICO provides great advice to people and companies when they need it. It’s
not as though what you need to do is a secret. You just need to do business in
accordance with peoples’ rights.

------
codesushi42
What will these laws accomplish in real terms?

This just seems like poorly written legislation with the purpose of pandering
to the populist public. I guess if it makes you all at least feel better.

~~~
simplecomplex
Nothing, except soon there will be annoying legalese on every website form.
Just like the GDPR. Large businesses will benefit at the expense of smaller
ones. Lawyers will make more money selling these legalese templates, and
sometimes when a big company doesn’t pay the right bean counter they’ll end up
being investigated by regulators, and paying the state money to continue doing
the same thing.

But it will be celebrated as a heroic victory because “privacy good. Business
bad. I want a banana.”

~~~
bengale
The GDPR does a lot to protect user data. As someone that’s implemented stuff
at a huge company for GDPR and at my startup, it was waaaay harder at the
larger company. The ICO has been beyond helpful with the few questions I’ve
had recently and implementation for my startup has been fairly
straightforward.

~~~
simplecomplex
“The GDPR does a lot to protect user data”

As you proceed to state absolutely nothing. Before GDPR my information was in
a bunch of databases managed by other people. After GDPR my information is in
the same databases managed by the same people. Except now they have legalese
stating this totally fucking obvious fact.

Before GDPR if my information was hacked and used to hurt me, the business was
not liable. After GDPR they still are not liable. Oh and if they violate the
GDPR the state gets money, but the victims don’t. Such amazing protection of
consumer data...

~~~
chobeat
Dude, GDPR's effects just began. Give it time. A sudden enforcement of GDPR
would destroy too many business and so it's being enforced gradually. Still,
there are beginning to discuss the complete outlaw of the real time bidding in
adtech because completely incompatible with the GDPR. That means destroying
bilions of dollars of businesses, so they go slow until there's enough
political consensus to do so without fear of retaliative lobbying. This is not
something that is done overnight.

~~~
DanBC
You know that GDPR is just a refinement of ideas that began over 20 years ago,
right?

The EU really isn't engaged in a three decade campaign to destroy American
companies.

Two nice timelines:

[https://edps.europa.eu/data-protection/data-
protection/legis...](https://edps.europa.eu/data-protection/data-
protection/legislation/history-general-data-protection-regulation_en)

[https://iapp.org/resources/article/a-brief-history-of-the-
ge...](https://iapp.org/resources/article/a-brief-history-of-the-general-data-
protection-regulation/)

~~~
chobeat
Sure I do know, but these processes take time. And don't frame EU as a
singular entity, there are many interestes involved.

------
aazaa
> Since the law passed, tech giants have pulled out their last card: pushing
> for an overarching federal bill.

>In doing so, the companies would be able to control their messaging through
their extensive lobbying efforts, allowing them to push for a weaker statute
that would nullify some of the provisions in California’s new privacy law. In
doing so, companies wouldn’t have to spend a ton on more resources to ensure
their compliance with a variety of statutes in multiple states.

Is it really that much easier to control a federal vs. state legislator?

I wonder if the idea might actually be to prevent the likely future scenario
in which 50+ different privacy regulations need compliance. Setting a national
standard could prevent such an outcome.

Privacy advocates should favor the state-by-state solution, though. The more
difficult it is to comply with regulations, the more expensive it becomes to
collect the data in the first place.

As the cost of compliance increases, the alternative of simply not collecting
the data in the first place becomes more attractive.

But that itself can lead to unintended consequences. It would mean that only
the biggest companies could afford the regulatory burden of collecting the
data. And these are the very companies that have received the most negative
attention.

All of which makes me wonder whether at some point we could see a private data
settlement along the lines of the tobacco settlement:

[https://en.wikipedia.org/wiki/Tobacco_Master_Settlement_Agre...](https://en.wikipedia.org/wiki/Tobacco_Master_Settlement_Agreement)

------
buboard
This:

> The bill would authorize businesses to offer financial incentives for
> collection of personal information.

Means it's nothing like the GDPR. This might actually be a sane law. And it
doesnt implement punitive fines if you get hacked. Nor does it bring about a
massive cookie alert insanity.

The right to delete may work in europe , but i think in the US it is going to
clash with free speech laws. So it might not work at all.

------
jkp56
This law is a step in the right direction, although in its current form it's
toothless and uses disgustingly submissive language (e.g. the user may not out
or the user needs to be informed about how theur data is going to be abused).
The final goal of such laws should be to poison user data: so that collecting
it and storing would open all sorts of legal and criminal troubles and that no
company would want to touch user data with even 10 foot pole. This will open
more ethical business opportunities that currently can't compete with data
mining model. An analogy in real world. If theft and robberry was legal, no
other business model could exist: if you sell gas for 3 bucks a gallon and
your neighbor sells it for a negative price, but sells user address to theft
agencies, you'd be out of business long before everybody realises the true
cost of that "free" gas.

------
Nasrudith
I can't help but view it with disgust just at the headline of having the wrong
kind of mentality. It is a spiteful logical fallacy of the worst kind.
"Soviets terrified of plan to nuclear first strike whole world - good!" Just
because even the vilest foe dislikes it doesn't mean it is a good idea.

The whole article seems to be about shutting down thinking and manipulation
via playing with emotions.

I am probably an outlier but I view that as an active sign that is terrible
because otherwise they would lead on better points. The article made me /less/
supportive of it. It is perhaps unduly harsh but I would call it an outright
propaganda piece not because of the message but how it was delivered.

~~~
notTyler
"Shutting down thinking." Reporting on transgressions and laws designed to
hold parties accountable is designed to shut down thinking now, and how those
who would be affected by it are literally trying to kill the bill is
considered "shutting down thinking." This is literally what you just said.

~~~
Nasrudith
You proved my point ironically. It is all about "punishing the bad ones for
their past sins" as opposed to going forward the impact of the law - the part
to actually think about. Instead straight to emotionally knee jerk driven
narratives of "they are bad and must be punished" instead of what the law is
actually about. See emotions come out and the thinking on the topic like
"would it actually help with Cambridge Analytica 2.0" go kaput.

It is an old trick narrative for pushing terrible "tough on crime" laws for
advancement. If you point out that it isn't a well thought out idea you
support bad people!

------
Despegar
While I think CCPA is a step in the right direction from the status quo, which
is basically a free-for-all, it's still a mediocre privacy law. GDPR remains
the gold standard because it's opt-in, CCPA is opt-out.

The only reason it was even passed was because some guy was going to force the
issue with a ballot initiative so lawmakers scrambled to do something. If not
for that, California would be the last state to pass meaningful privacy
regulation.

------
atoav
In short: laws against things that never sbould have been.

One can only hope they make sure it hits big actors more than any other ones,
because they are what makes this kind of data collection dangerous for
societies.

------
Aperocky
LMAO, Google should just make itself unavailable in California due to
'involuntary violation' of this law to see it repealed real quick. Those who
complain can use bing.

------
ptest1
Besides the tremendous onus laws like this may place on small startups and
side projects:

Does anyone know how companies are supposed to comply if “user data” literally
cannot be deleted? I’m thinking in the case of blockchain type applications,
where one users’ actions feed into another users’ actions, and you can’t
deleted user A’s actions without deleting potentially tons of other stuff and
destroying the application.

Like does this law basically ban GitHub and code collaboration too?

~~~
chobeat
For the 1) you just don't commit data in the blockchain itself. You can commit
an ID that points to external data and drop these external data if requested.
This clearly looks like an anti-pattern but putting personal data in an
immutable data structure is an anti-pattern too, since those data don't belong
to you.

What if a bank put the gold of their customers in a concrete pillar instead of
a vault? Fuck the back, I guess. I don't see why not.

~~~
ptest1
Again, the GitHub example is a good one. I have some commits in Django core
from years ago. What if I “request” my data be deleted from GitHub? What are
they supposed to do? If they rewrite the history it will destroy the project;
and if anyone can rewrite the history in the future it leaves projects open to
hostile actions.

I suppose the argument would have to be made that it’s not personal data; it’s
an act of public publishing or something. So in this case it’s akin to me
publishing a blog and other people quoting it years later. I can delete the
original blog but not the reprints in newspapers or quotes.

Or that it stops becoming “your” data and becomes instead “the other user’s”
once eg the Django project accepts the PR. So you can delete user A’s PR but
not the Django project’s now-integrated copy. I think this rationale makes the
most sense. After all, someone could still have the repository on their
computer and push it back to GitHub again.

I realize this is an edge case that doesn’t apply to 99.9999% of companies,
but as an engineer I find it interesting!

Edit: after thinking this through more, I suspect that e.g. GitHub could argue
they comply as long as they delete User A’s repo. Subsequently integrated PRs,
etc wouldn’t have to be deleted because they could argue they’re no longer
User A’s.

I kinda feel like if language to allow this was added to the law explicitly it
would be open to abuse, so I suppose this kind of thing has to remain vague
and open to interpretation in e.g. the courts if someone is being nasty.

------
mychael
Is this an opinion article or a legit journalism? The article clearly has a
slant, but TechCrunch didn't classify it as Opinion.

------
Havoc
The whole system is rotten to the core. Allowing companies to portray
themselves in a positive light on privacy

> “The time to act is now,”

While pushing a federal law geared towards undermining privacy rights?

Doublespeak anyone?

------
xhruso00
Instead of complying with the law they are wasting time lobbying. If they
don't comply on 1st of JAN what excuse are they going to have?

------
systematical
I wish I lived in California. I'd be requesting the deletion of my data ALL
OVER the internet.

------
mehrdadn
If the Environmental _Protection_ Agency can hold a straight face while
revoking California's ability to protect its own environment with higher
standards, I'll hold off on getting excited about privacy laws until we see
the FTC/FCC/etc.'s response.

------
nicky19890202
I think everyone's data must belong to their own.

------
EGreg
Can someone who has actually READ this law summarize the main provisions from
it?

------
classified
Project Gutenberg currently blocks users from Europe to avoid having to comply
with GDPR. Logically the next step would be to block users from California as
well.

------
gojomo
Anyone remember when TechCrunch actually took the side of "Silicon Valley"?

------
gojomo
So many NYC-based journalists who love to spit all over "Silicon Valley".

Is there room for a TechCrunch-like publication with a more Silicon Valley-
influenced editorial bent? (There's already a massive surplus of sneering
Brooklyn-based scolds in "tech media".)

~~~
Barrin92
>Is there room for a TechCrunch-like publication with a more Silicon Valley-
influenced editorial bent?

are you actually asking for someone to purposefully preach to the quire? The
function of journalism is to speak truth to power, you think facebook et al
need any further help? I think they actually paid the telegraph for a series
of agitprop articles, you might want to check those out.

~~~
corebit
"are you actually asking for someone to purposefully preach to the quire?"

He's both rightfully pointing out that TechCrunch is preaching to one minority
choir and asking for another publication to preach to a different choir.
Ironically the publication he's asking for was TechCrunch before it was bought
by AOL and ruined.

