
U.S. retailers rush to comply with CCPA - sxp
https://www.reuters.com/article/us-usa-retail-privacy/do-not-sell-my-info-u-s-retailers-rush-to-comply-with-californias-new-privacy-law-idUSKBN1YY0RK
======
Despegar
> There is also lack of clarity on what constitutes “sale” of information,
> retail lobbyists and attorneys advising retailers said.

It's embarrassing that the law isn't more explicit that this also covers
"sharing" where money doesn't change hands, but I wouldn't expect any more
from California's legislators where my default assumption is that they'll be
captured by the industry in their backyard.

I guess it will be up to courts to decide if sharing data counts as payment-
in-kind.

~~~
geocar
Your particular concern seems to be addressed:

https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.140

(t) (1) “Sell,” “selling,” “sale,” or “sold,” means selling, renting,
releasing, disclosing, disseminating, making available, transferring, or
otherwise communicating orally, in writing, or by electronic or other means, a
consumer’s personal information by the business to another business or a third
party for monetary or other valuable consideration.

https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.120

Even if Google doesn't pay you for your data, you still have the right (as a
resident of California) to prevent Google from selling on your data directly,
or in using your data as part of a sale (e.g. targeted advertising).

My experience is the "confusion" is in what constitutes "other valuable
consideration:" Can a company offer a personal data marketplace using credits
that can only be used to obtain other personal data, and can only be
_obtained_ by sharing personal data? (e.g. the old data.com connect model).
The code suggests _maybe_, but I suspect the Attorney General will take as
broad a view as possible, so I'd steer clear from any startups that think this
is a good idea.

~~~
d1zzy
> Even if Google doesn't pay you for your data, you still have the right (as a
> resident of California) to prevent Google from selling on your data
> directly, or in using your data as part of a sale (e.g. targeted
> advertising).

Except the definition you quoted doesn't say anything about "using" the
information to provide a product (i.e. targeted advertising), it only talks
about actually transferring that information to "another business or third
party for monetary or other valuable consideration". So if the information
doesn't leave Google's servers then it seems like it doesn't apply to Google.

~~~
geocar
It does leave Google's servers in several ways.

1. The ad tag Google delivers to publishers captures personal data like IP
addresses and cookies, non-personal but potentially privacy-leaking data such
as the URL the user is visiting, and somewhere in-between marketing segments
that the user may belong to, and delivers that information (usually in JSON)
to hundreds or even thousands of different advertisers using a protocol called
OpenRTB.

2. The ad tag being served can also include an impression tracker. This is
usually a pixel (literally an <img tag!) that refers to the advertisers'
server where they record counts, sometimes media spend, and because it's a
third-party server, that advertiser will receive (automatically) the IP
addresses and cookies, the URL the user is visiting, and so on.

3. One of Google's products includes custom segments which contain IP
addresses and cookies for one or more ad exchanges. This is actually delivered
in a flat file to buyers, and while Google themselves do not offer this
service publicly (so conceivably the contracts could be updated to be CCPA-
compliant), other exchanges that are like Google in other ways certainly do
not.

It is entirely possible your point is accurate for someone who doesn't provide
ad exchange services or impression trackers or custom segments (such as
Facebook), but it is also likely that some party selling a product that is
derived from the use of this data will be considered in-scope. I would steer
clear of companies that favor an alternate interpretation until the Attorney
General has had a say.
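
Added example, not part of geocar's comment: the impression tracker in item 2, seen from the auditing side. The script lists the third-party hosts that a page's markup makes the browser contact and flags 1x1 images; the sample HTML, the host names and the two-label `site_of` shortcut are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: host names are placeholders, not real trackers.
SAMPLE_HTML = """
<html><body>
<img src="/static/logo.png" width="120" height="40">
<img src="https://ads.advertiser.example/imp?cb=123" width="1" height="1">
<script src="https://exchange.example/tag.js"></script>
<iframe src="https://www.publisher.example/widget"></iframe>
</body></html>
"""

def site_of(host):
    # Assumption: the last two labels stand in for the registrable domain.
    return ".".join(host.lower().split(".")[-2:])

class ThirdPartyAudit(HTMLParser):
    """Collect resources the browser fetches automatically from other sites."""
    FETCHING_TAGS = {"img", "script", "iframe"}

    def __init__(self, page_url):
        super().__init__()
        self.first_party = site_of(urlparse(page_url).hostname)
        self.findings = []  # (tag, host, is_pixel)

    def handle_starttag(self, tag, attrs):
        if tag not in self.FETCHING_TAGS:
            return
        a = dict(attrs)
        host = urlparse(a.get("src") or "").hostname
        if host is None or site_of(host) == self.first_party:
            return  # relative URL or same site: no third party is contacted
        # Each remaining fetch hands that host the visitor's IP address,
        # its own cookies and (by default) the referring page URL.
        is_pixel = tag == "img" and a.get("width") == "1" and a.get("height") == "1"
        self.findings.append((tag, host, is_pixel))

def audit(page_url, html):
    parser = ThirdPartyAudit(page_url)
    parser.feed(html)
    return parser.findings

if __name__ == "__main__":
    for tag, host, is_pixel in audit("https://www.publisher.example/article", SAMPLE_HTML):
        note = "1x1 impression pixel" if is_pixel else "third-party resource"
        print(f"<{tag}> -> {host}: {note}")
```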

------
Orangeair
I think this should say [2019]

It feels a bit pedantic to say that about a post from a week ago, but the
whole point of the article was that they had until January 1st to comply,
which has now passed. When I first saw the article title, I assumed it would
be an article about how companies were out of compliance already since the
date had passed, but it's not.

~~~
lmkg
Well, kind of. The law technically goes into effect on Jan 1, but the CA
Attorney General is not allowed to enforce it until July 1. This was part of a
compromise brokered around the fact that it's taken a long while to nail down
the final wording of the law. While some companies are already compliant,
others are taking this as a grace period to get their act together. Which is
necessary because of the short timeline.

As far as I'm aware, the actual text of the regulation _is still not
finalized_. The most recent update to the text was in October, but the AG
office was gathering public feedback in early December. They still haven't
released their findings from the feedback. The October version was more a
Release Candidate, if you will.

~~~
Wowfunhappy
How can a law be simultaneously in effect but also not finalized? What rule is
anyone supposed to follow?

(I realize the fact it's not being enforced makes this moot, but...)

------
Trias11
I want to explicitly opt-in, not to go through hassle to opt-out at every
shitty website of every vendor.

You want to sell my purchase/demographics data? No problem. Just let me know
how much or what I'll get for it and I'll decide if it's worth it to opt in.

By default - no one should be able to share my data with anyone.

~~~
ApolloFortyNine
> You want to sell my purchase/demographics data? No problem. Just let me know
> how much or what I'll get for it and I'll decide if it's worth it to opt in.

It should be allowed to be the cost of admission to the site. If you don't
like that the advertising and your own metadata allows you to view the site
for free, you could just not visit (or when you click no to consent, they
would block you).

Websites shouldn't be required to provide you content for free.

~~~
ppseafield
Maybe for some or even most sites this makes sense. But Walmart, Home Depot,
etc., from the article are businesses open to the public, and as such operate
under laws governing public businesses. Few would put up with Walmart making
them sign a contract letting them sell their personal demographic information
in order to enter a public store (except if every public business did this,
removing the choice - currently how most of the internet works). Why should
websites for public businesses be different?

You may say that credit and debit cards do this already (and they do), but you
can still pay cash in public stores. Of course they can track you with your
phone's bluetooth identifiers, facial recognition, etc., but why as a society
should we allow public businesses to require this? Once we permit one place to
do it, others will follow.

~~~
fastest963
> Few would put up with Walmart making them sign a contract letting them sell
> their personal demographic information in order to enter a public store

What about Costco, BJ's, etc., who require a membership to enter the store and
(probably) are selling the data they get from your membership?

~~~
blackearl
You don't need a membership to enter. Specifically, the Costco near me has a
liquor store inside but can't legally have it be part of the store. It's a
separate store within Costco, and they won't stop you from walking in, buying
liquor, and leaving. You can even grab a cheap hot dog on the way.

~~~
ab_testing
Costco does not do that because of the goodness of their heart. They do that
because state laws mandate liquor stores to allow anyone to buy liquor without
being part of a club or membership. You can thank your state's liquor lobby
for that.

~~~
blackearl
I can still go enter without a membership. Liquor store or not.

------
shadowgovt
> A Walmart source with knowledge of the matter told Reuters the company is
> “working through a lot of ambiguities in the law, for example, the language
> around loyalty programs and if retail companies can offer them going forward.”

If loyalty programs run afoul of the law, it'll be interesting to see if this
creates a plane of competition between companies that kick out or forego
loyalty programs in states outside of CA as well as inside CA and companies
that continue to offer loyalty programs in states outside CA.

Loyalty programs seem a mixed bag for consumers; some are actually into them,
some hate them (seeing them as inefficiency that pushes labor onto the
consumer).

~~~
zAy0LfpBZLC8mAC
Except there is absolutely no problem with loyalty programs. There is only a
problem with collecting data for loyalty programs. Loyalty programs used to be
done with stamps on paper cards, if you had a card full of stamps, you could
get a rebate or whatever.

Also, I don't hate them (the ones that collect data, that is) because they
push inefficiency onto the customer, but because I have to pay more so other
people get paid for helping corporations manipulate me more effectively.

~~~
shadowgovt
Stamps on paper cards are more prone to fraud, require more physical product
be printed, and are less convenient for users than online solutions.

I don't anticipate most stores going back to them (or staying that way as they
grow; small stores will always do whatever).

~~~
zAy0LfpBZLC8mAC
> Stamps on paper cards are more prone to fraud

Given how much fraud is happening with customer data (that is: it being
acquired under a pretense and then used for a different purpose), I very much
doubt it.

> require more physical product be printed, and are less convenient for users
> than online solutions.

Except that's kinda orthogonal. The paper solution is easier to demonstrate to
be free of back doors, but there is no reason why you couldn't build an
"online solution" that doesn't do any tracking. You could just hand out random
tokens without ever associating them with a transaction, and then accept sets
of ten of those to redeem for a rebate, say.
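
Added example, not part of the comment above: one way the random-token scheme could work, with single-use redemption so that a copied token counts only once. The class and method names are hypothetical, and the design assumes the shop keeps no issuance log beside the token store.

```python
import hashlib
import secrets

class TokenLoyalty:
    """Loyalty scheme that stores no customer or transaction data (hypothetical design)."""
    TOKENS_PER_REWARD = 10

    def __init__(self):
        # Only hashes of unspent tokens are kept: no timestamp, basket or customer ID,
        # and a leak of this set does not yield redeemable tokens.
        self._unspent = set()

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self):
        """Hand out one random token at checkout; nothing links it to the purchase."""
        token = secrets.token_urlsafe(16)  # 128 random bits, not guessable
        self._unspent.add(self._digest(token))
        return token

    def redeem(self, tokens):
        """Accept ten distinct, unspent tokens; spend all of them or none."""
        digests = {self._digest(t) for t in tokens}
        if len(digests) != self.TOKENS_PER_REWARD:
            return False  # too few, too many, or the same token submitted twice
        if not digests <= self._unspent:
            return False  # forged or already redeemed
        self._unspent -= digests
        return True

if __name__ == "__main__":
    shop = TokenLoyalty()
    card = [shop.issue() for _ in range(10)]
    print(shop.redeem(card))            # first redemption of ten fresh tokens
    print(shop.redeem(card))            # replay of the same ten tokens
    print(shop.redeem([card[0]] * 10))  # one token copied ten times
```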

~~~
shadowgovt
> Given how much fraud is happening with customer data (that is: it being
> acquired under a pretense and then used for a different purpose), I very
> much doubt it.

Sorry; I was unclear. More prone to fraud against the loyalty program, i.e.
customers buying the appropriate stamp and photocopying a dozen instances of
the card to make "every 10th visit" into "every visit."

------
guelo
The privacy violation that infuriates me the most is that Visa and Mastercard
sell your purchase data, and I don't believe CCPA applies to them. Like cell
phone companies selling tower-based location data, the credit card's sale of
data is unavoidable and completely hidden from consumers.

~~~
JadeNB
While cell-phone companies could function without keeping records of my
location, credit cards couldn't function without keeping records of my
purchases—at least until the next billing cycle. Somehow this makes their
abuse of that information less surprising to me—which doesn't mean I like it
any better!

~~~
zAy0LfpBZLC8mAC
That isn't actually true. It would be perfectly possible to build a payment
system where the participants by default don't know the identity of most other
parties.

Like, it would be perfectly possible for a merchant to encrypt the transaction
description with a public key of the customer, and their bank only submitting
the encrypted record with the amount and the account to debit to the card
issuer, who would debit the account and pass on the encrypted record to their
customer.

That's just a random idea, but the point is that you could achieve much the
same result with a lot less data collection if you actually cared to.

~~~
reaperducer
_It would be perfectly possible to build a payment system where the
participants by default don't know the identity of most other parties._

It's been done.

Cash. Checks. Travelers checks. Money orders. Cashiers checks. Gift cards.
Pre-paid debit cards.

------
nesky
I often think these efforts will just continue to empower the larger players
and frustrate the user. No one is going to go to all these
companies/websites/apps and ask them to delete their data and then do it again
tomorrow, next week, next month, next year...when they collect more data. We
need a mechanism that just creates so much data both legitimate and artificial
that these systems prove worthless.

Edit: Curious the effectiveness of browser extensions like AdNauseam. I've
used it on & off and became amused with how much I 'cost' the ad-companies but
for all I know it just proves another data point that my machine clicks every
ad that comes across it.

------
dlahoda
In jetdotcom, part of Walmart, we successfully rushed to be CCPA compliant.

------
fbonetti
By the year 2030, the amount of fine print and opt-ins at the top of each
website - in order to comply with every state and country's bespoke data
regulations - will be larger than the warnings on cigarette packs.

~~~
ginko
Or you know, websites could just stop collecting unnecessary amounts of data
by default.

~~~
CWuestefeld
There would still need to be a link to a page that says that.

~~~
remus
Sorry if you're being sarcastic and it's totally gone over my head, but if
you're not processing personal data you don't need to explain all the ways you
don't process personal data. Otherwise you might as well explain all the other
ways you're not breaking the law (which is going to be a long list).

~~~
SpicyLemonZest
It's impossible to build a website that doesn't process personal information
at all, because the California law explicitly defines your IP address as
personal information.

~~~
paulmd
assuming it works like GDPR, that is presumptively acceptable on multiple
grounds: (a) it is necessary to provide you business services (serving you the
website) and (b) you are not retaining/logging it.

california didn't outlaw the internet guys, you're just being hysterical
because you're going to have to ease back on your data collection a bit

~~~
SpicyLemonZest
It's presumptively acceptable, yes. But the comment I responded to was saying
that you don't have to even explain it, and I don't think that's true; the law
makes it pretty clear you do.

------
cbsmith
I so want to walk into a 7-11 and say, "delete my data".

