
Comparison of California Consumer Privacy Act (CCPA) and GDPR [pdf] - ed
https://www.bakerlaw.com/webfiles/Privacy/2018/Articles/CCPA-GDPR-Chart.pdf
======
lacker
This law frequently refers to "selling consumers' personal information". But
hardly any company actually sells personal information. Google doesn't sell
your personal information, Facebook doesn't sell your personal information.
Companies use your personal information to match you to advertising, not to
sell the information directly. So laws forbidding the sale of personal
information are sort of pointless.

At first I thought that this PDF was just describing the proposed law in an
inaccurate manner. But no, the CCPA really does talk a lot about "selling your
personal information".
[https://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-p...](https://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-proposed-regs.pdf)

~~~
chipotle_coyote
This is a great point that often gets glossed over in these discussions.
Facebook and Google primarily get value from your personal information by
hoarding it and treating both it and the data they derive from it as
proprietary.

~~~
gorgoiler
The last time I used Google Takeout to download my data I got all my emails,
custom maps, YouTube uploads etc., as one might expect, but what I couldn’t
find were:

* all the URLs I’ve visited with my Google cookie loaded

* all the searches I’ve ever done

* all the ads I’ve clicked on.

I know ad tech mechanics can be counterintuitive but I’m surprised they don’t
have that information for me to download, especially when ads and search are
the primary Google functions.

Maybe these logs are pseudonymized in such a way that Google can’t tie them to
my identity?

~~~
judge2020
They're technically not linked to your Google account I believe,
[https://policies.google.com/technologies/anonymization?hl=en](https://policies.google.com/technologies/anonymization?hl=en)
(although we've seen how anonymized data can still be de-anonymized
[https://news.ycombinator.com/item?id=20513521](https://news.ycombinator.com/item?id=20513521))

~~~
gorgoiler
Thanks, that’s useful and interesting. Good on Google for keeping the two
activities (and cookies) separate.

[Edit: oof, I found my search history after all so most of this is moot. It’s
under “Other Google Activity” ... “Web & App Activity”. I guess it would be
nice to see the words “Search Activity” a little more prominently, but still,
my bad.]

I can’t help but feel that both cookies (and their associated histories)
count equally as personal data.

Anyone who gets hold of my devices can use the cookies to get my history. _I_
can use the cookies to get some of my history in some form or other (I can’t
get my own search history, but I can see it partially in typeaheads on the
desktop site.)

It feels half-hearted that I can’t pull up the entire dataset, but then I
would surely be grateful that no one else can do the same thing if they steal
my login.

(I also accept that some of this is just me arrogantly pushing back on being
told “no!” by Auntie Google, when I feel entitled to a yes.)

------
ed
I thought CCPA was California's GDPR, but it seems to offer consumers very
little protection.

CCPA does not restrict the collection or processing of personal data for
marketing purposes. You can't even opt-out. Companies like BounceX will still
be able to deanonymize 40% of consumer web visitors for direct marketing. You
can only opt-out from your data being sold. And how are you supposed to know
when a company is selling your data? The company is not required to tell you –
you have to ask.

GDPR on the other hand is entirely opt-in. Companies cannot collect or process
personal information unless given explicit consent. And that's a big deal –
the rate of consent is so low that many marketing projects have a negative ROI
and companies stop working on them.

Enforcement will likely be weak. CCPA introduces civil penalties so consumers
can sue companies, or join class action suits, but it will be difficult for a
consumer to know when a business is violating CCPA, so this will be rare.
California's AG can bring action, but there isn't a very strong incentive for
them to do so with the exception of high-profile, politicized cases.

~~~
l4u532
GDPR is NOT entirely opt-in. For reasons of ‘legitimate interest’ a
consent-less collection is warranted (i.e. to perform the service). Yes, this does
usually exclude data collection for marketing purposes. But it’s important to
state that it’s not Entirely opt-in.

~~~
ed
If the collection is truly necessary to provide a service, and the consumer
has decided (opted in) to use that service, it seems pretty reasonable.

------
hiei
CCPA is certainly a headache at work and brought in consulting to assist but I
hope it spreads beyond California and more! As a consumer I want to be able to
opt out of any/all data collection related to my personal details. Fully
support it regardless of the "costs" it brings to the company. Data should
have been regulated from the get go.

~~~
toomuchtodo
Microsoft has stated they will honor CCPA nationwide. I would expect other
tech companies to follow until national regulation catches up.

~~~
willy_ph
Many companies have adopted a one-size-fits-all approach, whereby the most
restrictive legislation applies, regardless of jurisdiction where they do
business. This reduces costs by minimizing duplication where possible. I
suspect Microsoft's approach was likely driven in part by the additional costs
needed to support two compliance regimes for their various products.

------
mgoblu3
I’m still struggling to find out what exactly is required for mobile apps in
particular. Our legal team (very big company) told us we have to add a link to
our Privacy Policy on every screen of our app, so hundreds. Where can I find
things like requirements on those, or is it just really vague?

~~~
kitotik
That sounds like overkill but IANAL. You should only need to post the
disclosures _before_ the info is collected, _where_ the info is collected.

Shameless plug: we put together a more readable version of the CCPA with all
the amendments incorporated here [1] and an outline of the _proposed_
enforcement regulations here [2]

[1] [https://hq.services/blog/ccpa-full-text-with-amendments/](https://hq.services/blog/ccpa-full-text-with-amendments/)

[2] [https://hq.services/blog/ccpa-proposed-regulations/](https://hq.services/blog/ccpa-proposed-regulations/)

