
CCPA goes into effect January 1, but nobody’s sure how the new rules work - rschnalzer
https://www.latimes.com/business/technology/story/2019-12-26/california-internet-data-privacy-law
======
ailideex
I'm not confident that this is a good thing after the mess that resulted in me
having to navigate dozens of cookie popups on most days.

~~~
dependenttypes
Never understood the cookie popups mess. I remember back in the ages of
Internet Explorer it showed a popup when a site tried to use cookies, why do
the sites need to implement the cookie popups rather than let the users
configure it in their browsers?

~~~
oneplane
Because browsers make it an all or nothing setting (all, 1st party, none) and
there are many more combinations. On top of that, the laws are there to
prevent companies from tracking people at will, and the DNT header that was
supposed to make that an easy browser setting completely failed.

~~~
dependenttypes
> Because browsers make it an all or nothing setting (all, 1st party, none)

At least for Firefox this is not the case. Anyway, extensions like uMatrix
exist.

> the DNT header

The DNT header is yet another way for sites to track you. I am glad it failed.

~~~
ailideex
> The DNT header is yet another way for sites to track you. I am glad it
> failed.

And clicking decline on cookie banners or your unique combination on the
multiple choice cookie disclaimers won't allow sites to track you?

~~~
dependenttypes
Certainly it will, but I said already that I am against cookie banners.

~~~
oneplane
Keep in mind that cookie banners are an implementation choice of the website.

------
gojomo
Which will win the crown for destroying more Californian livelihoods & wasting
more citizen time in 2020, CCPA or AB5?

(AB5 is the anti-freelancing bill whose intended targets, Uber & Lyft, may
escape its application, while many other California freelancers have their
traditional contract work patterns made illegal.)

------
unstatusthequo
Some people understand it. We have dug in deep because companies are turning
to us to interpret it. Here’s our resource to learn in case anyone is
interested.

[https://www.globalprivacywatch.com/tag/ccpa/](https://www.globalprivacywatch.com/tag/ccpa/)

Note since these were originally published, the big thing that changed is that
employees and employees of clients and vendors are now generally exempt from
the CCPA. There is still a general notice obligation (think short privacy
policy) for your employees, but that is about it. They also tightened up the
FCRA and GLB exceptions, but those are not generally relied on by the majority
of businesses out there.

------
naringas
so that's why I have been getting so many privacy policy updates

------
theshadowknows
This is going to make a lot of class action lawyers even more rich than they
already are. Just like TCPA is doing.

------
vjktyu
In its current form, CCPA is useless. The companies will just demand all
personal data for any purpose or deny access.

~~~
joblessjunkie
Under CCPA, businesses do not "demand" data because there is no restriction on
its collection. Businesses simply need to provide _notice_ of what they
collect.

Consumers cannot opt out of this collection.

Consumers do have the option to opt out of having their personal information
_resold_ to third parties. The CCPA then specifically restricts businesses
from withholding services or providing you with reduced services as penalty
for this opt-out.

CCPA may not be perfect or even well-explained, but it's a first step in a
positive direction within the United States. I think it's unfair to call it
"useless".

------
neonate
[http://archive.md/B9061](http://archive.md/B9061)

------
EGreg
Where is a good overview of these laws?

~~~
CharlesW
I searched for "CCPA FAQ", and here are two I read that were useful:

[https://docs.microsoft.com/en-us/microsoft-365/compliance/cc...](https://docs.microsoft.com/en-us/microsoft-365/compliance/ccpa-faq)

[https://www.adweek.com/programmatic/everything-you-need-to-k...](https://www.adweek.com/programmatic/everything-you-need-to-know-about-the-california-consumer-privacy-act/)

------
alkonaut
Regarding the GDPR:

> 95% of users choose to be tracked in exchange for access to websites and
> services

The GDPR explicitly disallows the practice of conditioning access to a site or
service on acceptance. Without that it would be rather useless. Once that bit
is also enforced (current fines for violation sadly were focused on poor data
safety measures and similar) I think the online ad landscape actually may
start to change.

~~~
SpicyLemonZest
I dunno, man. As you mentioned, all of the people who implement or enforce
GDPR compliance seem to think that "our business model relies on ads" is a
sufficient reason to require tracking. Maybe the regulators are just biding
their time before pouncing, but I'm not sure why they'd want to do that or
what they're waiting for after a year and a half. It seems more likely that
GDPR as an ad industry killer was just a piece of HN lore that didn't end up
panning out.

~~~
alkonaut
The wording was very clearly made to avoid any doubt about “we need to track
people to survive on ads”. As I said I think it’s sad that so far the fines
have been for data security and not yet for tracking-ads-without-opt-in.

I really do hope regulators will take a few high profile sites and make an
example with a massive fine for blatant violations.

The rule is: if I visit a site then tracking is OFF until I switch it on.
Seeing the content can’t be conditioned on accepting, and the default “ok
close the popup and show me the article” should always result in the _minimum_
cookies allowed - that is, typically no ad networks at all.

~~~
SpicyLemonZest
The basis in GDPR I've seen people use for your position is that consent must
be "freely given", and consent isn't freely given if my other option is not
using the site. The line of argument seems pretty sketchy on its face; can it
really be true that my consent to an employment contract isn't "freely given"
because my other option is not taking the job? It's certainly not clearly made
to avoid doubt.

~~~
Thiez
There are plenty of things that you cannot consent to under various
circumstances. As an extreme example you cannot freely give consent to become
a slave no matter how much you would like to (except by going to prison in a
certain well known country north of Mexico, I suppose). In many cases you
cannot consent to intimate acts with authority figures (e.g. boss, teacher,
prison guards). I think in the case of the GDPR the desire was for consumers
to be able to make a choice about their data, but such a choice would be
meaningless if websites were allowed to make a "click here to consent, or here
to close this browser tab" popup, and the "cookie law" shows that this is likely
the approach that 95%+ of websites would have taken. The cookie popups have
shown quite clearly the balance of power between consumers and websites:
website owners know consumers will get the exact same deal (accept or fuck
off) everywhere else, so the consumers have no real power in this
"negotiation". The definition of "freely given" consent in the context of the
GDPR was probably written the way it is to correct for this power imbalance.

------
xenospn
This article makes it sound like this entire industry wasn’t deliberately set
up and developed by corporations for years. They know exactly what they’re
doing and they know exactly how to turn the whole thing off.

~~~
manigandham
What entire industry? The internet affects everyone.

~~~
xenospn
The industry that sells your info to the highest bidder.

~~~
manigandham
That would be the credit reporting agencies. Either way, cookies and PII are
far more involved than just a single industry.

------
rudedogg
> The CCPA only applies to companies with more than $25 million in revenue or
> access to the personal information of more than 50,000 people.

This is refreshing, I wish GDPR had a revenue threshold like this.

~~~
dependenttypes
Why is that? Surely if X is bad it should be bad for everyone rather than only
for big companies.

~~~
helen___keller
Policy trade-off. Small businesses can only do limited damage from a consumer
privacy perspective. Navigating policy for small businesses can be toxic as
they don't have teams of high powered lawyers, and considering California's
startup industry the last thing policymakers want is to hurt small businesses.
This is a compromise.

------
riffic
Why use an abbreviation in the title when it wasn't used in the latimes.com
headline? 'CA' on its own is ambiguous.

~~~
anonymfus
Because titles here are limited in length to 80 characters.

~~~
anonymfus
I would just remove the articles. So my version: "California is rewriting
rules of internet. Businesses are scrambling to keep up". Does it look better
or worse?

------
thescriptkiddie
Good.

~~~
derision
It's good that one state can force its hand over the other 49?

~~~
epc
It's good that each state can determine the laws applicable in its
jurisdiction. If you don't want to comply, don't do business in California.

~~~
judge2020
Of course the question when you want to block California or run different code
for users in California is "how do you legally and reliably tell if a user is
in California"; e.g. if they're using a VPN to New York could they sue you/file
a complaint and win? What if Maxmind's IP database is outdated and you miss a
bunch of California users?

~~~
r00fus
Could this be handled with a single checkbox stating that you are either in CA
or a CA resident/etc?

~~~
judge2020
I suppose so, but it's a similar situation as GDPR/cookie consent when you
need to perform 0-interaction data collection like running ads for incognito
users or creating a session that might also be used to track you on other
websites. Maybe these use cases will just fall out of play as compliance when
using them gets harder (which would not be a bad thing).

~~~
bobthepanda
If we weren't collecting personally identifying information with paper ads, no
reason to just allow it just because technology lets you.

------
username90
How are these different from GDPR? Most global companies should already have
most of this in place, so it will just hurt the small businesses which have yet
to expand outside the states. Is there some limit to company size here to
avoid that?

~~~
esotericn
You mean like all of the US news sites that just firewall off EU citizens at
the moment?

~~~
BrandoElFollito
I do not understand why they do that.

If a US news outlet has no presence in the EU there is nothing which can be
done if they do not follow EU rules.

~~~
moomin
It’s just a passive-aggressive hissy fit. The cost of writing the middleware
to write out your angsty nonsense is higher than the cost of writing the
middleware to just remove all cookies from every request. The EU detection
logic is the same in both cases.

~~~
erik_seaberg
GDPR has a lot of burdensome requirements, like hiring a commissar and
multi-month government review periods before feature launches. _Do not_ bet
21M USD that merely deleting cookies and logs will get you anywhere near
compliance.

~~~
moomin
I'm not sure how serving up a custom page to EU addresses solves that problem
either, though, so we come back to equivalence.

~~~
erik_seaberg
The theory is that Article 3 stops the EU from coming after you (however they
might try) if you don't offer goods or services to EU data subjects or monitor
their behavior. The GDPR is roughly the size of a _novel_, and proving you're
doing everything it requires is a hell of a lot more work than proving you're
out of scope entirely.

------
RiOuseR
Sounds like typical California legislation to me.