
Senate takes another stab at privacy law with proposed COPRA bill - troydavis
https://arstechnica.com/tech-policy/2019/11/senate-takes-another-stab-at-privacy-law-with-proposed-copra-bill/
======
Thriptic
Once again we continue to look at data privacy and identity theft in the wrong
way in my opinion. To me the solution is very simple. If you are reselling my
data, allowing access to my data, or deriving data / services from my data
that identifies me in any way and then selling that to a third party for a
profit or giving it to them as part of a license so that they can generate
profit from it (including ad targeting or analytics) then when I visit your
site or use your service there should be a big box in simple to understand
English, not legalese or a lengthy EULA, that says "we [do one of the things
listed above], are you ok with that?" If I say "no", then you cannot
discriminate against me and you cannot do those things. You still have to let
me use your site or service; you still have to provide me with identical
services; etc. You can still show me ads (non-personalized), charge me a bit
more money commensurate with the value of my data, or introduce a different
monetization method, but you can't deny me service altogether.

Further, if you collect my data, YOU are liable for it. Breaches should not be
the user's problem. Meaning, if someone walks off with the contents of your
database containing my PII using anything less than a crazy number of zero
days, you are liable for a set financial penalty per user's info lost (in the
way HIPAA does it) and / or you are liable in perpetuity for protecting
against identity theft with an insurance policy. I don't need to prove
attribution. If I ever have a problem that could plausibly be linked back to
the data exposure, you are liable for damages.

Finally, it should not be the user's problem to clean up identity theft, ever.
If a bank opens an account in my name without properly authenticating me, that
is the bank's problem, not mine. It should be up to them to conclusively prove
it was me that did it, not up to me to prove that I didn't. Does this mean it
will be more complicated to open up various accounts and credit? Yes. Does it
mean that there will be lost business for these institutions? Yup. Tough luck;
that is the price we have to pay.

The entire point of this should be to heavily disincentivize collection of PII
unless absolutely necessary for core business function.

~~~
greggman2
So it sounds like you're okay with Google collecting all your data because
your description doesn't cover them

> If you are reselling my data

Google doesn't resell data

> allowing access to my data,

Google doesn't allow access to user data

> or deriving data / services from my data that identifies me in any way

Google doesn't let people be identified from the data they collect.

> and then selling that to a third party for a profit or giving it to them as
> part of a license so that they can generate profit from it

Google doesn't sell data to a third party for profit.

I'm 100% for a law that gets the scammier companies who do all the things
above to stop doing those things. Just pointing out this doesn't cover HN's
most hated company.

~~~
chipperyman573
I would argue that makes what they're doing ok. I know this is a really
unpopular opinion on HN but I think google is actually a really good example
of ethical data collection. Sure they scrape up just about everything they can
get, but they hold onto it themselves and have repeatedly demonstrated that
(unlike facebook etc) they try hard to protect it and won't let an arbitrary
3rd party access it. They just let advertisers target demographics, so long as
you don't actually click an ad your data is never accessible to advertisers.

Someone has to pay the devs to make their services, someone has to pay for the
server farms (and the electricity to run them), someone has to pay for their
open-source efforts, etc. They have to make their money _somehow_ and people
have demonstrated over and over again that they're unwilling to pay for
services like gmail (remember when hotmail used to charge a monthly fee for
email service if you wanted more than like, 500mb or something?)

(I don't and have never worked at google)

~~~
blub
There is no such thing as ethical data collection, as long as that data
contains personal information about individuals. The very act of collecting
data is problematic because, as history has shown us, data troves cannot be
protected long-term and that eventually the company and others will abuse that
data.

This already happened to Google. Not only did they get hacked, but various
governments successfully get access to all that data both by asking and by
taking.

------
troydavis
Summary:
[https://www.cantwell.senate.gov/imo/media/doc/COPRA%20One-Pa...](https://www.cantwell.senate.gov/imo/media/doc/COPRA%20One-Pager.pdf)

Press release, including endorsements by EPIC, law school professors, Consumer
Reports, Georgetown Center on Privacy & Technology, and others:
[https://www.cantwell.senate.gov/news/press-releases/cantwell...](https://www.cantwell.senate.gov/news/press-releases/cantwell-senate-democrats-unveil-strong-online-privacy-rights)

Bill text:
[https://www.cantwell.senate.gov/imo/media/doc/COPRA%20Bill%2...](https://www.cantwell.senate.gov/imo/media/doc/COPRA%20Bill%20Text.pdf)

------
kelnos
Looks like it was written/sponsored by four Senate Democrats. In other words,
no chance this is even going to get to a vote, unless/until the balance of
power in the Senate changes.

~~~
bluejekyll
The article agrees with you.

I do wonder if this could be a bipartisan issue, as it really does concern a
lot of people online. It could easily become a wedge issue, “protect your
children from the evil internet corporations—look the other side is doing
nothing about it!”

~~~
henryfjordan
Can anything be bipartisan right now?

~~~
vharuck
Plenty of things, we just don't often hear about them because that'd be boring
news.

~~~
jrockway
The Hong Kong Human Rights and Democracy Act has been all over the news and
passed with only one vote against it in the House.

The DMCA was also bipartisan, which has made me very skeptical anytime that
word comes up.

------
erentz
Is this law only applicable to some definition of “online” companies? Why not
a generic privacy law that applies to all?

------
lupire
Title is misleading, as usual for Ars Technica on politics.

> group of Senate Democrats

Not "Senate".

Minority parties don't get partisan bills passed into law.

~~~
munk-a
> Minority parties don't get partisan bills passed into law.

I don't really see this bill as partisan in nature, though it only currently
has Dem support, consumer protections are something both parties should be able
to get behind.

~~~
rndgermandude
It is partisan at the moment because, while it is neutral in nature, it only
has support of the one party. They may get (enough) Republicans on board, but
given the current political climate, I'd guess it's rather unlikely, unless
Trump decides this is a good way to fuck with his nemeses i.e. FAA(N)G.

------
downerending
That's a truly awful acronym.

~~~
keitmo
Maybe they'll trim it down and call it COPRA LITE.

~~~
aasasd
I vaguely felt that with the meh name the bill's not gonna pass. But now,
seeing as I'm not a native speaker of English, I have a definite need for
someone to explain the pun.

~~~
cwkoss
Coprolite is the name for fossilized poop

Copro- is a suffix that generally applies to poop-related things.

------
aasasd
> _COPRA also seems to take the challenges the EU and consumers have faced
> since the GDPR went into effect into account, as it specifically tasks the
> FTC with making sure those rules not only require "clear and conspicuous"
> notices to opt in or opt out of data collection and transfers but also "to
> minimize the number of opt-out designations of a similar type that a
> consumer must make" (such as an "accept cookies" warning on every single
> website one visits)._

I think I need a cigarette after going through the dependencies and embeddings
in this sentence.

------
musicale
I assume the privacy law they're trying to stab is CCPA?

