At first I thought that this PDF was just describing the proposed law in an inaccurate manner. But no, the CCPA really does talk a lot about "selling your personal information". https://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-p...
* all the URLs I’ve visited with my Google cookie loaded
* all the searches I’ve ever done
* all the ads I’ve clicked on.
I know ad tech mechanics can be counterintuitive but I’m surprised they don’t have that information for me to download, especially when ads and search are the primary Google functions.
Maybe these logs are pseudonymized in such a way that Google can’t tie them to my identity?
[Edit: oof, I found my search history after all so most of this is moot. It’s under “Other Google Activity” ... “Web & App Activity”. I guess it would be nice to see the words “Search Activity” a little more prominently, but still, my bad.]
I can’t help but feel that both cookies (and their associated histories) count equally as personal data.
Anyone who gets hold of my devices can use the cookies to get my history. I can use the cookies to get some of my history in some form or other (I can’t get my own search history, but I can see it partially in typeaheads on the desktop site.)
It feels half-hearted that I can’t pull up the entire dataset, but then I would surely be grateful that no one else can do the same thing if they steal my login.
(I also accept that some of this is just me arrogantly pushing back on being told “no!” by Auntie Google, when I feel entitled to a yes.)
Therefore (in my read) if your business is "giving away" data, it would inherently be for "other valuable consideration".
Especially since the law calls out 4 cases where sharing data is NOT a sale or valuable consideration:
1) When a consumer is sharing data with your business so that you can help them interact with a 3rd party business
2) Your business is sharing data to tell 3rd parties a consumer now wants to opt out
3) Your business transfers data to a 3rd party to get a service from a service provider (and the data stops there, it can't be sold on)
4) Your business is acquired
Edit: typo, confusing sentence
““Sell,” “selling,” “sale,” or “sold,” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”
There is a possible argument that selling an ad that will use PII to target consumers to a 3rd party advertiser constitutes a “sale”, however.
We should not ever expect the government of the place where Google and Facebook are headquartered to do anything meaningful to protect privacy. To do so would destroy the business model of these companies. Why would they ever want to do that?
CCPA does not restrict the collection or processing of personal data for marketing purposes. You can't even opt out. Companies like BounceX will still be able to deanonymize 40% of consumer web visitors for direct marketing. You can only opt out from your data being sold. And how are you supposed to know when a company is selling your data? The company is not required to tell you – you have to ask.
GDPR, on the other hand, is entirely opt-in. Companies cannot collect or process personal information unless given explicit consent. And that's a big deal – the rate of consent is so low that many marketing projects have a negative ROI and companies stop working on them.
Enforcement will likely be weak. CCPA introduces civil penalties so consumers can sue companies, or join class action suits, but it will be difficult for a consumer to know when a business is violating CCPA, so this will be rare. California's AG can bring action, but there isn't a very strong incentive for them to do so with the exception of high-profile, politicized cases.
Very few companies are going to want to maintain a separate GDPR strategy, a separate CCPA strategy, and an unregulated strategy, and then selectively apply each to various users. As more jurisdictions jump on board with privacy requirements, hopefully globally consumers will get the benefits of the strongest passed regulation in each category.
I agree that a regulatory agency specialized to these issues would increase their importance, but it's not the whole solution. ICO already existed, it just didn't have teeth.
It likely won’t start until July 2020, and it’s hard to imagine the state AG prioritizing this except for cases you mention - very high profile/political.
Current estimates are that out of roughly 500,000 businesses in scope, only 2% will be in compliance by January 1st. Though to be fair, GDPR numbers were fairly similar at the onset.
Regardless of my skepticism, I can’t help but feel this is better than nothing, and likely better than an even more diluted federal regulation that all the big corps are lobbying for.
It remains to be seen how many companies comply, but the law certainly does have some restrictions.
Furthermore, there is a CCPAv2 in progress for a proposition on the next ballot.
But am I really supposed to fill out a DNSMPI form every time I interact with any business? How many new businesses do you think you interact with on a given day? I suspect it is a lot.
Opting out is an unreasonable burden and there's a reason why almost no one does it. And yet we know consumers want privacy, so there is clearly a larger structural problem here.
We already know the solution! Make data collection opt-in.
Also, the "legitimate interest" of the business is required to be weighed against the interests of the data subject, so it isn't a blank check.
As a European I don't feel like it's opt-in.
Last I've heard Google is still tracking me left and right.
I think most startup people would have no problem with the GDPR if it included the minimum limits that the CCPA has.
Shameless plug: we put together a more readable version of the CCPA with all the amendments incorporated here and an outline of the proposed enforcement regulations here