Comparison of California Consumer Privacy Act (CCPA) and GDPR [pdf] (bakerlaw.com)
96 points by ed 22 days ago | 37 comments

This law frequently refers to "selling consumers' personal information". But hardly any company actually sells personal information. Google doesn't sell your personal information, Facebook doesn't sell your personal information. Companies use your personal information to match you to advertising, not to sell the information directly. So laws forbidding the sale of personal information are sort of pointless.

At first I thought that this PDF was just describing the proposed law in an inaccurate manner. But no, the CCPA really does talk a lot about "selling your personal information". https://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-p...

This point is incorrect. There are unfortunately many companies that sell consumers' information directly [1][2]. I understand people have hatred for big companies collecting advertising-related information. Nevertheless, it's misguided to pretend the industry of directly collecting and selling private information doesn't exist. Your ISPs can and do collect much worse data about us. The potential damage is much worse. I'm more worried about the lack of oversight on that industry.

[1] https://arstechnica.com/tech-policy/2019/01/t-mobile-sprint-...

[2] https://www.forbes.com/sites/metabrown/2015/09/30/when-and-w...

This is a great point that often gets glossed over in these discussions. Facebook and Google primarily get value from your personal information by hoarding it and treating both it and the data they derive from it as proprietary.

The last time I used Google Takeout to download my data I got all my emails, custom maps, YouTube uploads etc., as one might expect, but what I couldn’t find were:

* all the URLs I’ve visited with my Google cookie loaded

* all the searches I’ve ever done

* all the ads I’ve clicked on.

I know ad tech mechanics can be counterintuitive but I’m surprised they don’t have that information for me to download, especially when ads and search are the primary Google functions.

Maybe these logs are pseudonymized in such a way that Google can’t tie them to my identity?

They're technically not linked to your Google account I believe, https://policies.google.com/technologies/anonymization?hl=en (although we've seen how anonymized data can still be de-anonymized https://news.ycombinator.com/item?id=20513521 )

Thanks, that’s useful and interesting. Good on Google for keeping the two activities (and cookies) separate.

[Edit: oof, I found my search history after all so most of this is moot. It’s under “Other Google Activity” ... “Web & App Activity”. I guess it would be nice to see the words “Search Activity” a little more prominently, but still, my bad.]

I can’t help but feel that both cookies (and their associated histories) count equally as personal data.

Anyone who gets hold of my devices can use the cookies to get my history. I can use the cookies to get some of my history in some form or other (I can’t get my own search history, but I can see it partially in typeaheads on the desktop site.)

It feels half-hearted that I can’t pull up the entire dataset, but then I would surely be grateful that no one else can do the same thing if they steal my login.

(I also accept that some of this is just me arrogantly pushing back on being told “no!” by Auntie Google, when I feel entitled to a yes.)

Correct, Google keeps two separate cookies: one for ads and one for everything else. This was part of the agreement with the FTC when they bought DoubleClick. They are prohibited from joining those two cookies by that agreement.

CCPA states that data is valuable and specifically calls out trading for "other valuable consideration" as part of selling.

Therefore (in my read) if your business is "giving away" data, it would inherently be for "other valuable consideration".

Especially since the law calls out 4 cases where sharing data is NOT a sale or valuable consideration:

1) When a consumer is sharing data with your business so that you can help them interact with a 3rd party business

2) Your business is sharing data to tell 3rd parties a consumer now wants to opt-out

3) Your business transfers data to a 3rd party to get a service from a service provider (and the data stops there, it can't be sold on)

4) Your business is acquired

Edit: typo, confusing sentence

IIRC Google et al. never share your data with third parties. Instead, they use it to target ads from third parties.

This is a critical point, but the definition of “sell” is fairly broad:

““Sell,” “selling,” “sale,” or “sold,” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”

So targeting ads based on personal information that you've collected is still OK, as long as you don't share the data?

It appears so.

There is a possible argument that selling an ad that will use PII to target consumers to a 3rd party advertiser constitutes a “sale” however.

The cynical side in me is now saying “of course! California’s government is not gonna shit where they eat.”

We should not ever expect the government of the place where Google and Facebook are headquartered to do anything meaningful to protect privacy. To do so would destroy the business model of these companies. Why would they ever want to do that?

And what does GDPR say?

IIRC, it refers primarily to collecting and processing consumer information.

I thought CCPA was California's GDPR, but it seems to offer consumers very little protection.

CCPA does not restrict the collection or processing of personal data for marketing purposes. You can't even opt-out. Companies like BounceX will still be able to deanonymize 40% of consumer web visitors for direct marketing. You can only opt-out from your data being sold. And how are you supposed to know when a company is selling your data? The company is not required to tell you – you have to ask.

GDPR, on the other hand, is entirely opt-in. Companies cannot collect or process personal information unless given explicit consent. And that's a big deal – the rate of consent is so low that many marketing projects have a negative ROI and companies stop working on them.

Enforcement will likely be weak. CCPA introduces civil penalties so consumers can sue companies, or join class action suits, but it will be difficult for a consumer to know when a business is violating CCPA, so this will be rare. California's AG can bring action, but there isn't a very strong incentive for them to do so with the exception of high-profile, politicized cases.

CCPA has enough common elements with GDPR that companies are likely to look for a set of practices that meets both in as many cases as possible. I'm hopeful that while the CCPA may lack the full width of GDPR's effect, it will push companies that were special-casing the EU to apply GDPR practices to the US as a whole as well or the entire world.

Very few companies are going to want to maintain a separate GDPR strategy, a separate CCPA strategy, and an unregulated strategy, and then selectively apply each to various users. As more jurisdictions jump on board with privacy requirements, hopefully globally consumers will get the benefits of the strongest passed regulation in each category.

But there is no CCPA strategy. CCPA is so weak that compliance is easy: offer data exports and stop selling data on behalf of the handful of people who request it. No need to encrypt stored data, or restrict what you collect, or how you collect it.

Yeah, I've heard similar at the Fortune 10 where I work. We could barely get our legal/compliance/privacy team to meet with us on it. They said our approach is wait and see, that based on the verbiage they see basically no risk of any real litigation resulting from it in the current form and from a business standpoint not to waste time with it.

ICO was not established by GDPR. It has been around since 1984, and was also the agency responsible for enforcing GDPR's predecessors.

I agree that a regulatory agency specialized to these issues would increase their importance, but it's not the whole solution. ICO already existed, it just didn't have teeth.

I think that the enforcement part is key, I’m very skeptical.

It likely won’t start until July 2020, and it’s hard to imagine the state AG prioritizing this except for cases you mention - very high profile/political.

Current estimates are that out of roughly 500,000 businesses in scope, only 2% will be in compliance by January 1st. Though to be fair, GDPR numbers were fairly similar at the onset.

Regardless of my skepticism, I can’t help but feel this is better than nothing, and likely better than an even more diluted federal regulation that all the big corps are lobbying for.

BounceX probably counts as a data sale, and CCPA allows you to restrict data sales via a required link labeled "Do Not Sell My Personal Information" (hereafter DNSMPI) that must be present on the home page and on pages where PI is collected.

It remains to be seen how many companies comply, but the law certainly does have some restrictions.

Furthermore, there is a CCPAv2 in progress for a proposition on the next ballot.

I am sure I can opt out of BounceX if I know BounceX exists.

But am I really supposed to fill out a DNSMPI form every time I interact with any business? How many new businesses do you think you interact with on a given day? I suspect it is a lot.

Opting out is an unreasonable burden and there's a reason why almost no one does it. And yet we know consumers want privacy, so there is clearly a larger structural problem here.

We already know the solution! Make data collection opt-in.

You can fill out DNSMPI once for a business and it applies for at minimum the next 365 days. You do not need to specifically enumerate systems; it is a blanket prohibition.

Right, once per business per year. Just remember to go back and renew next year!

And perhaps reconsider doing business with companies whose business practices you find objectionable.

No, they can't sue the company. America has invented the concept of binding arbitration, that effectively allows the company to opt out from laws, as funny as it sounds. Your ISP contract, your bank account contract, your insurance contract all likely contain the binding arbitration clause. Coincidentally, these are the companies that get the most accurate and valuable information on you.

GDPR is NOT entirely opt-in. For reasons of ‘legitimate interest’ a consent-less collection is warranted (i.e. to perform the service). Yes, this does usually exclude data collection for marketing purposes. But it’s important to state that it’s not entirely opt-in.

If the collection is truly necessary to provide a service, and the consumer has decided (opted in) to use that service, it seems pretty reasonable.

However, data collected for that "legitimate interest" may only be used for that specific legitimate interest. They can't turn around and use it to end-run the consent requirement.

Also, the "legitimate interest" of the business is required to be weighed against the interests of the data subject, so it isn't a blank check.

> GDPR, on the other hand, is entirely opt-in.

As a European I don't feel like it's opt-in.

Last I've heard Google is still tracking me left and right.

The GDPR adds a regulatory hurdle to jump over that is hard for small businesses to do properly, and affordable for Google to do right and have a similar status quo.

I think most startup people would have no problem with the GDPR if it included the minimum limits that the CCPA has.

CCPA is certainly a headache at work and brought in consulting to assist but I hope it spreads beyond California and more! As a consumer I want to be able to opt out of any/all data collection related to my personal details. Fully support it regardless of the "costs" it brings to the company. Data should have been regulated from the get go.

Microsoft has stated they will honor CCPA nationwide. I would expect other tech companies to follow until national regulation catches up.

Many companies have adopted a one-size-fits-all approach, whereby the most restrictive legislation applies, regardless of jurisdiction where they do business. This reduces costs by minimizing duplication where possible. I suspect Microsoft's approach was likely driven in part by the additional costs needed to support two compliance regimes for their various products.

I’m still struggling to find out what exactly is required for mobile apps in particular. Our legal team (very big company) told us we have to add a link to our Privacy Policy on every screen of our app, so hundreds. Where can I find things like requirements on those, or is it just really vague?

That sounds like overkill but IANAL. You should only need to post the disclosures before the info is collected, where the info is collected.

Shameless plug: we put together a more readable version of the CCPA with all the amendments incorporated here [1] and an outline of the proposed enforcement regulations here [2]

[1] https://hq.services/blog/ccpa-full-text-with-amendments/

[2] https://hq.services/blog/ccpa-proposed-regulations/
