Silicon Valley is terrified of California’s privacy law (techcrunch.com)
566 points by ssklash on Sept 19, 2019 | 534 comments



I see a lot of comments deriding this law, can someone explain to me why these are bad things? Quoting from this article - https://techcrunch.com/2018/06/28/landmark-california-privac...

- Businesses must disclose what information they collect, what business purpose they do so for and any third parties they share that data with.

- Businesses would be required to comply with official consumer requests to delete that data.

- Consumers can opt out of their data being sold, and businesses can’t retaliate by changing the price or level of service.

- Businesses can, however, offer “financial incentives” for being allowed to collect data.

- California authorities are empowered to fine companies for violations.

I totally understand that this will impact a lot of tech companies' profits...but that's to be expected if you're making money selling people's data to third parties without their permission.


> - Consumers can opt out of their data being sold, and businesses can’t retaliate by changing the price or level of service.

This is something I object to. It's just fundamentally stupid and doesn't make sense. The entire premise of free exchange is that I give you my services in exchange for something of value of yours. Making it illegal to withhold services if you don't give up your data is crazy. The only reason those services are being provided at all is to get that data. That's effectively a requirement that people provide services for free.

EDIT: I'll also add that it strongly favors incumbent tech companies, by explicitly carving out "selling to third parties" as a disfavored tactic. Google can monetize your data internally. Your average startup may not be able to. Specifically carving out "selling to third parties" favors large, incumbent players over small startups. But then, regulation always does.


You just have to change the onboarding process to include a fee, and offer an incentive/rebate of the subscription price to match the cost to basically make it free. That way if they decide to change their mind and not give their data, you're still in the clear by removing the incentive and either charge their payment method or disable their service until they do (or reenable data sharing).

That way it feels more transparent to the end-user, and they have to make the conscious choice of either giving a bit of their data in exchange for a free service or being prepared to pay to keep their data private.


>You just have to change the onboarding process to include a fee, and offer an incentive/rebate of the subscription price to match the cost to basically make it free. That way if they decide to change their mind and not give their data, you're still in the clear by removing the incentive and either charge their payment method or disable their service until they do.

What's the practical difference between these two scenarios?

1) I offer a free service if you let me collect your data, but charge you $3/mo if you refuse to let me collect it.

2) I offer a $3/mo service, but give you $3/mo back if you let me collect your data.

Option #1 is explicitly illegal under the new California law. If option #2 is legal, then what is the law supposed to ban?


The second one has a much higher barrier for users, as they now need to hand over their credit card information.


Only if that's how you design your onboarding flow. It's for your company's convenience to do it that way, though, not necessarily the user's.


The difference is mostly to do with user experience. It also has to do with the requirements of how you bill the customer. It means you can't give them a "free" sign up and then charge them a fee after they click the data selling opt-out button.

What's meant by saying you can offer incentives is that you must present all information at the same time and that users are considered as opt-out by default.

Basically, the user must go through a sign up page that has a box that says "You may sell my data in exchange for a $3 discount" and it cannot be selected by default. You also cannot have a sign up page that has a box that must be selected to opt-out whether the box is selected by default or not.

The no-retaliation clause also has additional requirements that are not related to money. For example, you cannot refuse to allow a user to access your site because they didn't allow their data to be sold. You also couldn't impose access limitations like slowing the rate of page response or increasing the number of advertisements on the page, or send spam only to users that opt out.

The difference isn't really about charging a fee to users that won't let you sell their data. It's more about not allowing websites to harass users with increased advertising on behalf of whoever they wanted to sell your data to. It's only illegal for them to sell the data, internal use is still legal, so they're preventing a loophole.


One difference, it seems, is that under the proposed law you couldn’t advertise your $3 service as “free”, maybe?

Either way though, I’d be happy if it were just required that there BE an opt out even with a price tag. Google can then finally tell me how much money they want for their services.


I wonder if that will have unintended consequences.

It might inadvertently assign a price to the data collected.

It also shows a direct discrimination against poor and/or young people who might not be able to afford the service.


> It also shows a direct discrimination against poor and/or young people who might not be able to afford the service.

As opposed to what, treating everybody badly? McDonald's discriminates between people who can afford a Big Mac and people who can't, and that's not a problem.


Poor people can get other services at a discount, for instance electricity, internet or cable service.


The internet is not the same as a food place. People expect and have gotten used to services for free. If you put a price tag on a software library, you obviously discriminate against students and poor people.


Actually, it kinda is the same.

If you don't have the money to buy a Big Mac, you either eat a cheeseburger on the dollar menu or go home and cook a burger yourself.

If you don't have the money for the software library, you either choose a lesser library, or go write your own.

A larger problem however is many are considering the internet a fundamental human right, which it isn't. Might be nice to have, but a fundamental right it is not.


There is already a price in the data collected (for FB I think $120 / year). I think making it public is a good thing. I think the law will also force Facebook to offer ad-free subscription plans, something people have been asking for. My bet is nobody is going to use them though.


I didn't believe that number but it seems like it's true if you restrict it to just North America monthly active users: https://thespring.io/investing/facebook-makes-more-revenue-p...

Average revenue per user is around $25 for global users.

This brings up a related issue that not all users are equal. Even in non-data mining business models, you still have some segment of the users subsidizing another.


You need parental permission to collect data from young people in the US anyway (see COPPA). But an age gate and asking for a credit card number are very different levels of sign up friction for a young person to try to get around.


For a short time AT&T GigaFiber was charging $30/month to opt out of surveillance and I thought they can't possibly be selling my data for that much. I wonder if this new law will also lead to some unrealistically high prices.


> You just have to change the onboarding process to include a fee, and offer an incentive/rebate of the subscription price to match the cost to basically make it free. That way if they decide to change their mind and not give their data, you're still in the clear by removing the incentive and either charge their payment method or disable their service until they do (or reenable data sharing).

The problem is that then you cannot effectively offer a service level that is ad based. Say I want to offer some web services. I provide a free tier with ads (information gathering and selling) and a paid tier with no ads. This law says that I cannot charge more for the non-ads version. OK, so then I make both cost the same, either free or some fixed cost. If they are both free, what stops everyone from just using the non-ads version? It's free too. If both aren't free and cost money, what is the point of even providing the ad version, since people can pay the same and get the no-ads version? Not to mention, everyone that is fine giving their information in order to receive the service for "free" is now not able to do that.


You can still have ads, you just can’t sell the users' data to get them. Which means you either have to target ads yourself or you have to use non-targeted ads. So you can still have an ad-supported free level.


Exactly - you can still have an ad supported model all you want, you just can't be lazy about it anymore. You'll either have to tell the ad network yourself what your audience attributes are and likely take a hit on CPC because of less targeting data, or you'll have to do what people used to do (and some still do) and manually choose the ads you want to run.

It's not the end of the world, it's the end of some business models.


At least in America we already restrict certain types of transactions, e.g. selling illegal and/or restricted drugs is itself generally illegal IIRC. Similarly I'm pretty sure slavery is illegal even if it's entered into voluntarily (please correct me if I'm wrong there, I'm not speaking from specific knowledge).

We impose these restrictions for the good of the public. If we decide that exchanging personal data for goods and services should be illegal under certain conditions, I don't see why that's any different than the precedents I mentioned.


There's significant pushback against the restricted drugs thing, so that might not be the best comparison.


I mean, I'd push back against some of it myself, but how many people are arguing that e.g. methamphetamine and fentanyl should be freely available?

Of course, it's all up for debate. I used it as an example because it's the status quo, so it's a good refutation of the statement that this new law is "crazy" in the sense of it being radical and unprecedented.


> - Consumers can opt out of their data being sold, and businesses can’t retaliate by changing the price or level of service.

> - Businesses can, however, offer “financial incentives” for being allowed to collect data.

This just means your service always costs money, but you can refund the full amount for allowing you to collect data.


Exactly. And I think it's better UI overall: you default to no ads, but when it comes payment time, you present the ad opt-in to the users. My bet is 99.99% of users will choose free with ads. This also crosses a psychological barrier to disable their ad blocker.


Is there a difference between offering, say, $12 monthly opt-out & $10 plan for opt-in vs flat $12 with a $2 discount to opt-in?


Given how hidden opt-out settings tend to be, yes. If the user has to opt in explicitly, it’s much less likely they’ll consent unintentionally.


In practice it will be a dull button saying “$12 plan” and a bright shiny button saying “$2 DISCOUNT” with everything else in fine print.


Yep, people are generally lazy. Having something be two steps instead of one makes a big difference on your overall conversion rate.


Probably. Loss aversion may make the user more likely to want to recover $2 rather than pay $2 to upgrade to tracking-free versions.

https://en.m.wikipedia.org/wiki/Loss_aversion


Yeah, the latter seems like it would involve more bureaucracy than the former. I don't want to sound fatalistic, but I cannot shake off the feeling that it was almost definitely intended.


I think the intention is to decrease the opacity of 'free' services, with the awareness that most people using most free services don't or can't know what happens with it and what is collected. Money is not personal data, likewise almost anything else is not personal data, and there should be more legal protections in place imo to protect a naive person's ability to limit the propagation of it, or hold companies accountable. If most people knew how any given system worked, then software engineers wouldn't make as much. It's not a clear cut transaction when the cost is "any amount of data we can collect about you and sell to anyone for any price in exchange for this specific service we provide and can take away at any moment". That's a bullshit transaction.


> The entire premise of free exchange is that I give you my services in exchange for something of value of yours.

Not if the thing I value is my personal data. Because I, as a typical short sighted consumer, will consistently underestimate the value of my data, as well as how my data affects those around me (extreme case: my data is my social graph, which you can use to reconstruct the social graph of my acquaintances).

If I don't know the actual value of what I am giving up, I am naturally going to get swindled.


You used the first person pronoun a lot there. Do you yourself actually feel that you are short-sighted and that you consistently underestimate the value of your data? Or are you putting yourself in the place of a hypothetical other person?


Hypothetical. The post I replied to used "I" and "you", so I used "you" and "I". That said, I genuinely don't know how much my data is worth…


I ask because people are often very quick to suppose that they are part of the educated elite but other people need them to protect them from their own bad choices.

Do you, for example, not use Google because you are concerned they are getting too good a deal from you? Duck Duck Go exists.


I use DuckDuckGo, and only fairly rarely fall back to Google. My Gmail account is dormant, I set up my own mail server. But I still have an Android phone…


In the case of data, is it always yours to give? Is the fact that I am friends with Friendo my data or Friendo’s? Both? Neither? Collectively both? Taken further is my contact info about Friendo mine to give? Is the photo with Friendo’s face that I took of a group of us at a bar my data to give?

If Friendo doesn’t have the same relationship I have with Tech.co, how is Friendo benefitting? Where is the exchange there?


I think you've missed the point. This does not make it illegal to collect or even sell user data, it makes it illegal to do so without consent.

Any concern regarding whether consent is likely to be withheld really just points out how stupid a company's business model is. Incumbent vs. Startup is also a false premise because Facebook is an incumbent that relies on selling user data. They do make some money from purely internal advertising, but in total Facebook only makes less than $5 per user when selling data, and that's lifetime, not per year. So the only way to make real profits from selling data is if you sell millions of people's data. Their internal data use however, is just for ad targeting which they make more money from each year. This internal use makes more per user and is therefore a more viable strategy for a small company than selling data.

There are already regulations that make it impossible to sell user data that would be valuable that apply to more than just internet collected information. So, any data selling strategy a startup or incumbent company might have will either not earn significant profits or is very likely already illegal.

In any case, advertising revenue rarely ever covers a company's expenses. If a company is only staying afloat because of selling data, then that company is achieving a very poor return on investment and is wasting the time of everyone involved. Either they need better business processes, strategies or they're not offering something of sufficient value to be worth the time put into the business.


I think the legislative motivation is a belief that people do not (and perhaps cannot) understand the potential cost of consenting to data sharing. Without that understanding, can you really have a meaningful consent?

In this view, a company offering a discount in exchange for sharing is inherently deceptive.


> The entire premise of free exchange is that I give you my services in exchange for something of value of yours. Making it illegal to withhold services if you don't give up your data is crazy. The only reason those services are being provided at all is to get that data. That's effectively a requirement that people provide services for free.

The service isn't free. The exchange just isn't money. When money is involved a price is put forth. It's an agreed to and published exchange mechanism. When it's data on someone the price isn't shared. It's kept secret. There's always a price. It's just not always money or public. This will make more information public.

I wonder if this will start to change how businesses operate. Right now they are skewed against consumers towards businesses. I wonder if consumer protections, like this, will cause businesses to re-evaluate business models.


This explains it, I think that California took the same direction.

Giovanni Buttarelli, European Data Protection Supervisor “There might well be a market for personal data, just like there is, tragically, a market for live human organs, but that does not mean that we can or should give that market the blessing of legislation.”

Privacy is a fundamental human right that you can't trade for. Same as you can't sign a lawful contract that you want to be someone's slave, even if you want to.


Data mining as a business model is fine, as long as the customer is making an informed decision, there are equally good alternatives out there which you can pay for in other means, and you're not drawn to a particular service because of network effects or platform lock-in.

However, customers aren't well informed, and if they were, they wouldn't use these services. Currently customers are getting scammed for their data. This is why we need regulation.


It's not a requirement that services be provided for free. It's an acknowledgment that, if services can't be provided without violating basic human decency, they should not be provided at all.


> The entire premise of free exchange is that I give you my services in exchange for something of value of yours.

The problem is that these companies advertise their products as "free," which means something very different. And they usually don't mention at all that they're collecting shit tons of personal data. It's taking advantage of people's ignorance, and it's practically fraud, IMO.

Every other business tells the customer up front what the price is, and maybe it's time tech companies started doing the same.

Without telling users what data they collect, how much they collect, how they use it, and who they give it to, there's no way for users to make an informed decision.


> It's just fundamentally stupid and doesn't make sense.

> I give you my services in exchange for something of value of yours.

I never explicitly stated that I'd serve these companies by giving my data. Services cannot be assumed; why do you think there are such long Terms of Service? We as users should also have Terms of Service then.


Charging different customers a different price for the same product is illegal under US law, and California laws don’t change that.

EDIT: Several comments below point out the innumerable businesses operating in such a way as to make mine an impossible claim.

Enumerating the established methods to avoid meeting the legal parameters of price discrimination is not the same as price discrimination being legal.

My bar for following just laws is higher than the minimum required to avoid being prosecuted. I’m sure experts can help work around any future privacy laws too, so why even worry?

Surveillance already creates a different product one can charge more for, though your lawyer might advise you call it “personalization” in memos.


> Charging different customers a different price for the same product is illegal under US law

Demonstrably untrue.

It is illegal to charge a different price based on a protected class like race or gender. But travel sites, for example, are notorious for charging different people different prices based on their GeoIP, whether they're on mobile or desktop, or Windows vs Macintosh.


"Demonstrably untrue."

Robinson-Patman Act says "Please read me, and understand me and the Clayton Anti-Trust Act which I amend."


That's not generally true. Businesses are free to vary their pricing provided they aren't violating some other law in doing so (e.g. laws prohibiting discrimination based on race or sex or laws requiring common carriers or utilities to charge prices set on a tariff).


This is surprising to me. I assume it is much more nuanced than that? How does insurance work then? Isn't insurance fundamentally the same plan with different prices for different groups depending on assessed risk?


> that is not the same as price discrimination being legal

From refurb's link below:

"Price discriminations are generally lawful"

See https://www.ftc.gov/tips-advice/competition-guidance/guide-a...


You’ll love their take on net neutrality.


"EDIT: Several comments below point out the innumerable businesses operating in such a way as to make mine an impossible claim."

They have no clue about the Robinson-Patman Act amendments to the Clayton Act.


Not even remotely true unless you're selling to the government. The GSA does get a bit testy if they think you're cutting someone else a better deal.


How do car dealerships do it then?


Because when you buy a car you aren't usually buying "a [year] [make] [model] [with these features]". You're buying "that specific car with that unique identifier"


The correct answer is “it’s not the law”. Or at least the way the OP described it.

https://www.ftc.gov/tips-advice/competition-guidance/guide-a...


Really? So all it takes to work around this supposed law is to give your products unique identifiers?


Airplane tickets. Car rental rates. Hotel rates. Buying a car. Loans: if I want to borrow $100k for 10 years, I will pay a different price than my next door neighbor asking for the same terms.


I have a coupon code that says otherwise.


Agree entirely. This part is overreach as it’s now forcing a company to provide a service for which they receive no compensation. That’s too far.


I honestly don't see how it's doing that. The legislation doesn't even make an ad-based revenue model illegal.


They're not being forced to continue offering any services.


> Making it illegal to withhold services if you don't give up your data is crazy.

Maybe you can show me generic ads based on your content instead of targeting them based on where I've been on vacation last month, etc.

Or simply stop building businesses based on people data. Sell something people want to pay for. Humankind has been able to do that for thousands of years, did we forget how to do it?


Your quoted statement conflicts with the following:

> Businesses can, however, offer “financial incentives” for being allowed to collect data.

Couldn't a financial incentive be charging more?


Except, the full sentence in the bill reads:

> including by charging the consumer who opts out a different price or providing the consumer a different quality of goods or services, except if the difference is reasonably related to value provided by the consumer’s dat

Doesn't that second part cancel the first part? Businesses can also pay money for data ... so Facebook can switch to subscription only, but pay its users with virtual coins for viewing ads


> except if the difference is reasonably related to value provided by the consumer’s data

I think it means that if you opt out of data collection, then things like personalized recommendations will no longer work, which makes the services worse. That is a part of the service directly related to the data.


> so Facebook can switch to subscription only

sure, if it wanted to fall out of the fortune 500.


If Facebook can't convince its users that its service is worth paying an average of $2.5 per year for, I don't think it really deserves to remain in the Fortune 500.


Where does $2.5/year come from? Other comments in this discussion have suggested that it would be more like $120/year in the US, or $25/year for a global average


$2.5/year from each of their monthly active users would be sufficient to keep Facebook in the Fortune 500. (As referenced in the post I was replying to.)

(Tangentially, they would have to cut costs to remain profitable, but I figure it should be possible for 6k employees to maintain a set of services that people are willing to pay $2.5/year for.)


I interpret the purpose of that item, combined with the subsequent one, to be ensuring that they can't force you to sell yourself but can offer you the option and leave the decision with you.


> The only reason those services are being provided at all is to get that data.

If people don't find your product valuable enough to pay for, then your company should go out of business.

Companies have been exploiting people's privacy behind their back, and now that they've been called on it they're throwing a tantrum.


> The entire premise of free exchange is that I give you my services in exchange for something of value of yours.

"Something" doesn't mean "anything". You can't offer your services in exchange for e.g. my body parts. Why are we willing to ban that but not our data?

> The only reason those services are being provided at all is to get that data. That's effectively a requirement that people provide services for free.

Well, no — they could charge money for them. But even this is a false dilemma; surely we can come up with at least one business model other than "charge directly for our service" and "surveil our users".


> "Something" doesn't mean "anything". You can't offer your services in exchange for e.g. my body parts. Why are we willing to ban that but not our data?

Because if you were to run a survey over the general population the large majority is fine not having to pay for gmail, google search, maps and other "free" services while some data may be collected doing so while a much smaller percentage thinks it's OK to sell their organs for that?


I strongly suspect that if you asked people 50 years ago whether it was ok for companies to eg. track everywhere most people go, I think the vast majority would have said no. Google et al. just started spying on everyone without any serious debate over whether it was right. Then once people caught on, they either had to stop caring about privacy, or they had to be Richard Stallman and eschew pretty much all mainstream computing technology.

If someone went back in time to tell people that this new internet thing was going to lead to the US having more surveillance than East Germany or the Soviet Union, there would have been laws passed and systems designed from the start to prevent it from happening. The fact that it didn't happen this way, and our culture's privacy norms have been destroyed as a consequence, is more reason to act to prevent further damage, not a reason to just give up.


> I strongly suspect that if you asked people 50 years ago whether it was ok for companies to eg. track everywhere most people go, I think the vast majority would have said no. Google et al. just started spying on everyone without any serious debate over whether it was right. Then once people caught on, they either had to stop caring about privacy, or they had to be Richard Stallman and eschew pretty much all mainstream computing technology.

Sure, but if you had phrased the question more fairly and said "Should it be ok for a company to give you free services in exchange for tracking everywhere you go?" I think almost everyone would have said yes.

> If someone went back in time to tell people that this new internet thing was going to lead to the US having more surveillance than East Germany or the Soviet Union, there would have been laws passed and systems designed from the start to prevent it from happening. The fact that it didn't happen this way, and our culture's privacy norms have been destroyed as a consequence, is more reason to act to prevent further damage, not a reason to just give up.

My intuition here is the same as yours. That this is a bad thing. That privacy matters in an intrinsic sense, not an operational sense. But I'm not so sure that's really true anymore. The privacy ship has sailed off into the sunset for a while now, and at least to me, the harms don't seem that substantial. All that data is mostly used to give me ads that are more targeted to what I might want to see anyway. There certainly could be lurking latent risks about, but it's a little hard to see exactly what they are.


> Sure, but if you had phrased the question more fairly and said "Should it be ok for a company to give you free services in exchange for tracking everywhere you go?" I think almost everyone would have said yes.

Then you should add shadow profiling, data banks linking together data of dozens of different companies, politically targeted advertisement that pretends to be from human users.

Yes the free market is nice and all, still the internet is a hell of a creepy place. It is undeniable that the reason this was allowed (comparing to direct mail advertisement for example) is that it was always believed to be impossible.


I understand the requirements to clearly disclose, so that a user can make an informed decision, but deciding for the user is hubris.


The general population is simply not aware of how much surveillance is involved and how much of their private information said companies collect, use or sell to 3rd parties. Many are happy to get "free" service in exchange for "some data", but most people would be very much against someone data mining their health or pregnancy status, using some sophisticated algorithm to sell something harmful to their kids, or messing with their mood when they're in depression to maximize profits.

Most people don't understand the risks and how badly mass surveillance done by Google / Facebook / etc can be abused. So, akin to the situation with the tobacco industry, someone has to educate them about this.


> Most people don't understand the risks and how badly mass surveillance done by Google / Facebook / etc can be abused.

This is totally dodging the issue.

Would they pay instead of allowing that collection?

Given the choice of "pay for this service", "stop using this service", "give up your data", even with a full understanding of the risks and the extent of this data, the general public has shown time and time again they will take the last option.

People do not like to pay for things.

I see way too many arguments about privacy that don't seem to grasp that the core of today's tech industry is built around this fact.

People will pay $5 for 50 cents of coffee beans and enough sugar to drown a fly a day, but they will never pay $5 a month to access nearly the entirety of mankind's collective knowledge at their fingertips in milliseconds in the form of a search index spending millions of dollars a year to index it all.


> People will pay $5 for 50 cents of coffee beans and enough sugar to drown a fly a day, but they will never pay $5 a month to access nearly the entirety of mankind's collective knowledge at their fingertips in milliseconds

I pay a lot more than $5/month for Internet service.


Would you pay $5 on top of that ISP charge to Google, so that your search experience is ad-free? Would you pay $5 for fastmail.com's standard plan over gmail?


$5 for a tracking free Google, including no Google ads on any site? Maybe. But then it would be $5 to any other tracking network and there will probably be some other tracking with no opt out. I'll be still running adblockers and privacy extensions, so paying is pointless.


Ha, case in point. A technical person talking themselves out of a hypothetical situation where they pay, now imagine everyone else.


The point is that I wouldn't be paying for a search service, I would be paying not to be tracked, which is something I don't want to happen. It's so similar to paying for insurance against fires (think of gangster movies.) I don't like it.


I in fact do pay for fastmail.


You and the vast minority of internet users.


Agreed.

I recall people were talking about turning back to piracy in response to the fragmentation of streaming services.

Disney plus will cost around 7 dollars a month, Netflix costs 13, HBO costs 15. This is about 23, 45, and 50 cents per day respectively.

Yet this change was enough to cause some people to angrily proclaim that they'll go back to illegally downloading movies and tv shows.


Agree about the overall point, but this example is unfortunate: complaints about fragmentation are not only about money: crappy apps, less convenience, lack of availability (outside US), etc.


I'd think single source vs fleet of disparate services is a bigger concern. If I have to track and maintain 10 subscription services to get the stuff I want, I'd rather just pirate it, the inconvenience factor is too high otherwise.

Look at music, this seems solved there.


If Spotify was $50 or $75 a month a lot more people would not be paying and do things illegally. Can’t blame just fragmentation.


One option I also think we are forgetting: services like ProtonMail and Tutanota. Both are private and encrypted, both are free (with an option to pay for more services). These services are out there, but general knowledge of them is not so high. I believe more users would switch to them if they knew about them. My own parents came to me asking if there was something they could do after being creeped out/scared by big tech's privacy-invasive tracking and stalking. They weren't aware of the availability of other services and yet they went looking when it got bad enough. How much sooner for others if they were aware of these alternative services? We could all argue back and forth about both sides, but I believe that both sides would be truly surprised about what would actually happen.

edit: typos


I agree and this seems to be the main problem: we are losing privacy today but we will suffer most of the consequences tomorrow. So most of us are not aware of the real cost we're paying and unable to make an informed decision.


Welcome to democracy, where an individual with zero understanding of an issue can vote on it and is legally entitled to have their opinion taken seriously.


Yes, I think about this often and it appears to be a bug in the democracy system but any attempt to tie voting rights to knowledge seems to create even more bugs.


It really does feel like there should be some kind of aptitude test involved in getting a vote, doesn't it?


We need to require at least some minimal standard. A common-sense starting point would be literacy...


Just for context: do you have any alternatives?


> Because if you were to run a survey over the general population the large majority is fine not having to pay for gmail, google search, maps and other "free" services while some data may be collected doing so

That's nonsense.

Nobody can make an informed decision because nobody knows exactly what data Google collects or exactly how it's used.

And unless you've actually run a survey you can't even speculate about whether people are okay with it or not. If your claim was true, why would this law even exist? You're okay with it, but privacy is a highly personal issue.


> Because if you were to run a survey over the general population the large majority is fine not having to pay for gmail, google search, maps and other "free" services while some data may be collected doing so

How is this an argument against the law? It doesn't make it illegal to share data but requires that users can opt out. If said large majority is fine with surveillance, I guess Silicon Valley can relax.


He's saying being able to "opt out" is absurd. It's equivalent to getting the product for free in most cases.

"Hey, I want to use your free service but I want to go ahead and opt out of the part that enables it to be free." You don't see a problem with that?

It would be like if there were a restaurant that gave free food in exchange for filling out surveys (data collection). So you eat the free meal and then "opt out" of doing the survey.


The idea that free is only possible by trading data is absurd. E.g. Google search and maps can provide sponsored results without knowing everything about you. News sites can have ads related to their content and general target audience.


> You don't see a problem with that?

in this case, NOPE


Opt-out is a problem anyway; GDPR is better in that it requires information up front and opt-in.


This is a strawman, you can still monetize without detailed user information, even still with ads.


> if you were to run a survey over the general population the large majority is fine not having to pay for gmail, google search, maps and other "free" services while some data may be collected doing so

This is simply not true. When informed about it, a clear majority of people would prefer not to be surveilled, and are uncomfortable with unknown third parties having profiles on them, ads following them around the internet, etc.

The fact that these people continue to use these services anyway (even after being informed) is not a sign that they are 'fine' with it. It is because they have no choice. Even as an engineer, I've found it unfeasibly difficult to avoid being surveilled while continuing to live a normal life. For most people it's a non-starter. They have no choice.

Freedom to choose is essential to a free market. Regulation, done well, can increase market freedom.


This is your opinion, unless you actually did a survey of the violation of citizens' privacy by big tech. Have you?


Presumably you have? Do share!


No need! I’m not presenting a hypothetical survey’s results without evidence. The person I was responding to is, unless they actually have such a survey. I asked for it and no one answered. Therefore, until there is a time with supporting evidence, we can’t even qualify the opinion as a theory, let alone a fact.


I think you’re missing the point.

At least I know where my data is. Have you ever read a GDPR popup partner list? Do the people you mention understand how Gmail's business model works?


The partner list is not there for informing users, it is there for accountability in case they decide to silently add new partners.


"Have you ever read a BGP table?" Arguing that there are too many people in ad exchanges is a very weak argument. This is the internet, which enables global scale exchanges of all kinds of things. GDPR is a law designed for the 1800s.


> Well, no — they could charge money for them. But even this is a false dilemma; surely we can come up with at least one business model other than "charge directly for our service" and "surveil our users".

No need to come up with something new, we had content based ads long before Google and Facebook took over.


Because there's a large number of us who want to pay with that data and don't think it's as damaging as cutting off our arms. It is true that there are things we are not allowed to freely exchange: kidneys, livers, most parts of our body. It is true that there are things we are allowed to relatively freely exchange: money, possessions, plasma, blood, and currently data.

Lots of us feel that the data thing should be allowed. That's all.


> Because there's a large number of us who want to pay with that data

Okay, cool, don't opt out then. I on the other hand would prefer to see ads based on the content I'm viewing for which no other data from me needs to be passed around.


Yeah, and those parts of CCPA I support. I also support the data deletion stuff. Everyone should be able to revoke consent at any time. What I object to is the "you must continue to provide service after opt-out". I think you should be able to say what you're willing to accept and get appropriate service.

In fact, ideally, the User Agent would advertise our privileges. Like a DNT option and websites would respond with a paywall or something instead and be expected (by law) to respect the DNT. Then, on first load, browsers could say, "Do you wish to allow tracking?" and warn about the added paywall cost vs. the tracking cost.


> What I object to is the "you must continue to provide service after opt-out".

Well, I quite like that part. It pushes content providers to look for surveillance free business models, such as content based ads that aren't personalized. Why should selling your data vs. paywall be the only options? To protect Google's ad cartel?


Well, then, I suppose that's where our disagreement lies. I would prefer to minimize regulation controlling people so long as harm is not being done (hence I'm pro-CCPA in the ways it protects people from being harmed and disagree with it where it does not actively protect from harm) and you have a different bar.


> I would prefer to minimize regulation controlling people

That seems like a weird spin. Businesses are being regulated here, not individuals. I don't see how the law would control me.


Okay, I'm happy to rewrite that whichever way you like, but I believe businesses are just groups of people. If you wish, consider that 'prefer to minimize regulation binding units of people or groups of people acting in concert'. I'm also content with it just being 'prefer to minimize regulation binding businesses or people so long as no active harm yada yada'.


I would submit that mass surveillance is doing harm, see Cambridge Analytica and other recent scandals.


Those were non-consensual, so yes, I'm on board with not allowing them.


The core disagreement is that I might want to pay with data only for services to me, and this new standard practically mandates that free riders are allowed.


> this new standard practically mandates that free riders are allowed.

It doesn't. That's merely one way businesses could comply with the law; the other option would be to look for better business models, as I said in the comment you replied to.


Is this anecdotal or do you have empirical evidence?


No this is one of the most verified facts. The privacy agreements of gmail, facebook and what not, serve like a poll for this: if you use the service you agree to this. Majority of people use Gmail, Facebook, etc. So this is not anecdotal. On the other hand the desire to "protect" privacy at the expense of free services is based on anecdotal data at best.


> The privacy agreements of gmail, facebook and what not, serve like a poll for this

I don't think they do, given that most people don't read them, and a large percentage of them are written so it's very hard to tell what they are really saying unless you're a lawyer.


That nobody gives a damn and doesn’t even read it kinda proves the point, no?


No, because it presupposes that people understand what they might be implicitly allowing by not reading them. Without first knowing whether or not people understand the extent of surveillance that is possible and the possible consequences we can not know what it means that people ignore the privacy agreements.

It's possible people genuinely don't care. It's also possible they don't understand the implications, and/or that they trust these companies more than they ought to.


No. Not reading it is not equivalent to "not giving a damn".

First, having to read a long block of legalese on every visit to a website (which would be necessary because those privacy policies can change without notice at any time) is unsupportable. If people actually did that, it would render the web completely unusable. The average normal person can't be blamed for saying "screw that", nor can their attitude about privacy really be inferred from it.

Second, even for those of us who are more concerned than the average person about these issues, reading privacy policies is a pointless waste of time. Once you have a lawyer interpret them for you, it turns out that the vast majority of them say the same thing -- they are reserving the right to do anything they want with my data. That means that I can safely predict what privacy policies say, so there's no need to read them.


If it is a fact then show me the proof.

Just because people use a service doesn’t mean they have read the terms and conditions. Therefore, your anecdote is just that.


Using the service is generally an acceptance and agreement to the terms of service.

A similar analogy is that I may not want to read my credit card bill; that doesn't eliminate the responsibility I have to pay it. Or, I may not want to read the notice my Visa card issuer sends informing me of a change in the APR or other conditions for service. However, my continued use of the card is the standard way one accepts new or changed TOS.

Maintaining ignorance doesn't excuse the actions.


Your argument implies that Google is acting in the limits of the current law.

Not really relevant to a change in the law.


No one's performed a proper survey AFAIK, but the GDPR opt-out rate is very very low, which provides weak evidence. This is not evidence of numbers, but I have an existence proof in that I also personally know a lot of people who know and insist on not opting out.


> GDPR opt-out rate is very very low,

Then again GDPR requires opt-in, but most sites ignore that and many make the opt out extremely time consuming.


Your proof is that you “personally know a lot of people who know and insist on not opting out”? That’s anecdotal evidence at best (aka not proof).


This is a confusing interpretation of what I said:

> This is not evidence of numbers, but I have an existence proof in that I also personally know a lot of people who know and insist on not opting out.

Most people I know would interpret that as "I know I'm not the only one because". After all, I specifically say "not evidence of numbers" and I also specifically say "existence proof". I find your response baffling.


At best this proves that this law is harmless.


I don't think the law is harmful. I'm considering the absence of opt-outs and the general prevalence of opt-ins evidence of people not being eager to opt-out.


There's also the dilemma that if you pay for something with a credit card, you have to identify yourself.


Only as an artifact of how laws currently work, not a necessary aspect of how transactions have to work.

We could definitely have a system where eg all CC processing must be done through a firewalled system such that the business only ever learns that the payment was successful (unless there is a dispute).

Edit: Europe tries to approximate this with the GDPR system of “you can only use information for the purposes for which it was collected” but that doesn’t stop them from seeing your identity like I described.


Will credit card companies fall under this law so I can opt out of them selling my purchase history?


Not if you use Apple Pay though no?


Why would Apple not be selling your data the same as everyone else?


> You can't offer your services in exchange for e.g. my body parts. Why are we willing to ban that but not our data?

Is this a real question?


Good laws put bad people out of business. I don't see the issue here.


The reason there are so many wonderful services available for free is because they make money selling your data. If the service is free, the product is you.

For many, many people, that is _fine_.

The real issue I see here is how this law is written and how we're interpreting it. If the law makes it so that people who want to opt out of free internet services because of privacy concerns are free to do so, then we're all good. If the law is written such that people who want to avail themselves of free services in exchange for their data are no longer able to do so because that business model is broken, then I see a lot of problems.


> For many, many people, that is _fine_.

I would argue this isn't the case. For many people it is out of sight and out of mind. They don't realize what's happening.

I came to this conclusion after talking with people about it. Numerous people didn't believe it. I had to show people documents and articles for them to believe me. Most of the people I've spoken with do not like this behavior and would rather not use a service or pay for it if they had known.

The average person is unaware. That does not make it ok.


I like that the webshit data robbers downvote me for saying what they're doing is evil, yet if I showed any particular one what kind of information I have access to about them, just as a random private citizen interested in these things, they'd freak out and call me a creep. It's a shame what money does to people.


> yet if I showed any particular one what kind of information I have access to about them

This is where the line is drawn for most: whether people from Facebook, Amazon or Google look at the information, rather than machines. Totally fine if it's just a computer with a strong law like GDPR safeguarding it.


People are looking.


Maybe. I'm just saying this is where expectations lie - including my own. Maybe I'm naive, I don't know.

From my conversations with Googlers at least, it does seem they're extremely careful about insider threats.


Not that I'm doubting you, but could you please provide sources?


I will not. This is both common knowledge and common sense.

You can easily find articles about sufficiently low-level drones getting fired from Facebook for snooping if this is an authentic query.

If you have trusted friends in tech, you can ask them even better.


Is what people say what people are actually going to do?


> The average person is unaware. That does not make it ok.

Any actual data other than anecdotes?


The problem is these services are scams. If people understood what they were doing they wouldn't trade their data for $5/month.

If your business can't survive by charging a fair price for the service it provides without stealing data, then it shouldn't exist.


This statement is too broad brush for me to actually understand where you're coming from. Let's try a few variations of the theme and see if we can suss out why we perceive this so differently. If none of these touch on your perspective, I'd appreciate it if you could propose some of your own.

Please note that these are deliberately constructed as strawmen; I am not advocating for them or saying you do.

1/ Would you approve of a law which forbade companies (perhaps outside of eg healthcare or finance) from collecting or storing PII?

2/ Would you approve of a law which forbade a company which bought or sold PII (perhaps with the above exemptions) from doing any other kind of business?

3/ Would you approve of a law which required companies to explicitly price and purchase PII from consumers?

4/ Would you approve of a law holding employees or executives criminally responsible for data breaches?

5/ Would you approve of a law standardizing the requirements for anonymizing data?

6/ Would you approve of a law banning online advertising?

7/ Would you approve of a law which placed the same requirements on any company which stored PII as are currently imposed on credit agencies?


These all sound fine, except I don't know that credit agencies are held to high standards.


Ok, maybe I'm asking questions too close to my own viewpoint. Let me ask some follow-up questions that are a bit further out.

Would you approve of a law which forbade advertising of any sort?

Would you approve of a law which required service providers to offer their service for free?

Would you approve of a law which forbade service providers from offering their service for free?

Would you approve of a law banning the sale of digital goods or rights to digital goods?

Would you approve of a law banning subscriptions or recurring payments?

Would you approve of a law forbidding the use of cameras in public places?

Would you approve of a law forbidding companies from having more than $X in revenue, for some X?


> Would you approve of a law which forbade advertising of any sort?

No. People are entitled to speech.

> Would you approve of a law which required service providers to offer their service for free?

No. Making money is Virtuous and Good. Acquiring money by theft, deceit, etc is not.

> Would you approve of a law which forbade service providers from offering their service for free?

No. Charity is fine. In the cases people are actually paying with their data and the "free" is just legal trickery then yes. You already can't pay people in blood. Data is just as important.

> Would you approve of a law banning the sale of digital goods or rights to digital goods?

No. However, DRM should be illegal.

> Would you approve of a law banning subscriptions or recurring payments?

No. The only issue here is predatory sign-ons.

> Would you approve of a law forbidding the use of cameras in public places?

This one is difficult. At any earlier time, no.

> Would you approve of a law forbidding companies from having more than $X in revenue, for some X?

No, I wouldn't bother.


> > Would you approve of a law forbidding the use of cameras in public places?

> This one is difficult. At any earlier time, no.

I suspect the best solution here is laws around how the data from public cameras is stored and processed. Cameras that store a temporary loop of data, delete it after a day or two, and don't upload that data to the cloud are one thing. Cameras that upload every image to the cloud for permanent storage, where face recognition software is used to track your movement around the city or your emotional state throughout the day, are a different beast.


Surveillance cameras could really use a PCI-type compliance regime. Data must be stored encrypted at rest, intranets must be segregated from the broader web, etc. It isn't perfect but it's better than nothing.


Ok, so you would forbid online advertising, but not advertising overall. What would you allow/ban and why (assuming that viewpoint is germane to this conversation)?

I'm not sure what you mean by "at any earlier time". Can you clarify?

You mention predatory sign-ons. In this context it seems you view the data-for-service trade as predatory. Do you think it would remain predatory if it were explicitly priced-- eg, if Google offered you a $5 credit on a $5 service for use of your data?

Would you approve of a law explicitly allowing blood-for-service or similar?


I think the idea is that regulation always has unexpected side effects, some of which can be abused to actually do the perverse inverse of what they're intended to protect against.

This is intuitive because regulation + law can really put up a competitive barrier that favors established incumbents, who (arguably, they would be the target for lawsuits here) have the resources to implement and comply with these regulations.

The law does sound great as a consumer, but I think the question is still up in the air about how will it be enforced and what will be the unexpected side effects?

Definitely something to watch for.

P.S. We've been working on a developer-friendly SaaS that helps companies automatically comply with jurisdictional controls + data security / privacy controls. Feel free to email me: mahmoud - @ - https://verygoodsecurity.com and I can dive deeper to answer any questions.


On the flip side, the downsides of regulations don’t outweigh their utility.

We don’t scrap seatbelt and airbag regulations just because they’ve had some unintended side effects.

Regulations aren’t set in stone forever, either, and a functional legislative body can always modify and update them as their effects become more well known.

Or, well, maybe I sound too idealistic. But...I think most of us can all agree that consumer data protections are highly lacking.


The US scrapped alcohol prohibition due to its unintended side effects, and is increasingly scrapping marijuana prohibitions.

Often the downsides do outweigh their utility.


"Someone passed a bad law once, therefore all laws are bad."

Guess we don't need food safety laws anymore, prohibition was bad!

Surely you can understand the difference between prohibition and consumer-protection laws? They aren't even like, the same field of laws.


No, the point is that it's important to address and control for all of the consequences of policy - including the unintended ones.


Sure, but then you need to demonstrate real (not just imagined) harm. GDPR doesn't seem to have caused the world to end. Vanishingly few people actually followed through on the whining and quit serving the EU.

From the perspective of ordinary users, GDPR was a pretty successful law with no real downsides. Businesses have to be more careful with data, that's about it.


In regards to the GDPR, I imagine most people continue to ignore the laws of jurisdictions they have no presence in. If they have an EU presence they will follow EU laws, same as if they had a presence in China or North Korea.


Odd way to paraphrase my argument.


Did you miss the part where the individual you responded to said "Regulations aren’t set in stone forever, either, and a functional legislative body can always modify and update them as their effects become more well known."?

There is over-regulation in some areas, but let's be real: it's already extremely difficult to break into existing sectors, just as a result of industrialization, brand recognition, etc. The idea of the scrappy upstart is overwhelmingly a fantasy. This regulation won't prevent any businesses worth forming from getting underway, in my opinion.


> Often the downsides do outweigh their utility.

More like, "almost never do the downsides outweigh their utility, because they aren't designed by idiots".


I live in Washington and this is the last year I'll have to do emissions testing for my vehicle registration. I'm still kind of amazed (my default is pessimism) that this was put into motion in 2005 and nothing seems to be in the way of stopping the removal of the requirement next year: https://ecology.wa.gov/Air-Climate/Air-quality/Vehicle-emiss...

My only point is to support your case that it's not always idealistic to believe that some regulations, even ones that have been in place for decades, even with today's questionably functional government, can go away.


I was also surprised by this when I first saw it, but if you read the reasoning behind the ending of the program, it kind of makes sense. It sounds like they are just switching their focus.

The emissions check program is aimed at carbon monoxide, nitrogen oxides, volatile organic compounds, and particulate pollution. Properly functioning emissions systems ensure a vehicle operates efficiently, but the effect on a car or truck's overall greenhouse gas emissions is fairly small - and it is greenhouse gases (primarily carbon dioxide) that are driving climate change.

Vehicles are still the largest source of carbon pollution in Washington. We are working to change that by making sure new cars are more efficient than old ones, supporting zero-emission vehicles and cleaner fuels, and advancing transit, ridesharing and other alternatives to single occupancy vehicles.

We expect air quality to continue to improve as older vehicles are replaced with newer, cleaner cars. Ecology will continue to monitor air quality conditions throughout Washington. If we see any reasons for concern, we will certainly take action.


Carbon isn’t pollution. Particulates and smog are. This is ridiculous that they end testing for pollution that can actually kill people in favor of focusing on CO2 which is necessary for life on earth to survive.


> But...I think most of us can all agree that consumer data protections are highly lacking.

Yup. Especially here in the U.S.


> On the flip side, the downsides of regulations don’t outweigh their utility.

Often times, they do. Often regulations don't even achieve their own goals. Sometimes they even result in the opposite.


Please show your work. I see lots of very successful regulation, and very few examples of regulation we'd be better without.


Wrt the laws benefiting incumbents with more resources: in this case I think it’s simple. If you don’t have the resources, just don’t collect the data! If your business model absolutely depends on it, then you should have the resources to do it correctly anyway, so the extra burden of this law shouldn’t be too much on top of that. This is definitely a simplified view, but I think it’s worth noting that following these regulations may actually be easier and cheaper than breaking them (which isn’t the case for, say, some finance and trade regulation).


I disagree with this so much. Data is used for far more than ads. If you can't collect data but your competition can, they'll run a more efficient business, offer better products and be more adaptive to change.


I totally agree. You should definitely be able to A/B test features, for instance, but if that's the point where the business is, you can run focus groups and do similar studies without running up against these regulations. My point is just that the business may need to succeed to some level before these regulations really become an issue. An analogous situation may be a small business being burdened by complex tax laws, but not until they acquire sufficiently sophisticated internal structure and revenue streams.

My point is that this can be factored into the growth of the company, rather than seen strictly as a barrier to entry, as suggested by the comment above. Are there really fresh startups that really need to worry about this kind of data gathering out of the gate? I'm imagining they're going to be spending a lot more time engineering features and interfacing with important clients to get data to improve their product directly. I often see business/marketing folks wanting user data for what amounts to very premature optimization.


> I think the idea is that regulation always has unexpected side effects

So does a lack of regulation. That's how we ended up here.


The status quo has unintended side effects.


I've commented in the past that the privacy community is diverse. I divide the community into (at least) two major groups:

- People who believe that privacy means being able to anonymously use services.

- People who believe that privacy means being able to control what other people do with data about you.

These are not compatible views, and they often conflict with each other -- both philosophically and practically.

If you believe you should be able to compel a business to delete data you gave them, then necessarily there needs to be a way for that business to confirm your identity and link you to that data. You become more concerned with this idea of "owning" information about yourself.

If you believe you should be able to do everything anonymously, then it becomes much harder to control information after it's been leaked. You can't implement things like geo-locking users because what you do with the information doesn't matter -- just collecting it is a problem.

If you're in the "everything should be anonymous" crowd, you're also less likely to agree with efforts like Right to Be Forgotten; you may even reject the idea of data ownership entirely. For someone in the "I control my own data" crowd, the Right to Be Forgotten is absolutely critical -- it's one of the most important safeguards we have against a future where everything is permanently indexed forever.

I'm oversimplifying, but at the moment, the majority of pure-tech solutions for privacy are on the "everything should be anonymous" side, and (at least for the moment) most legislative solutions are falling into the "you should control your own data" side. That leads to conflict. Not always, but sometimes.

It's important to keep in mind that even though the privacy movement is aligned on many issues, there is no binary "pro" or "anti" privacy, because there's disagreement from privacy advocates on both where we're going and how to get there. In this case, California's law is very much a "control my data" law. Points like, "Businesses would be required to comply with official consumer requests to delete that data" conflict with the way that "be anonymous" privacy advocates see the world.


There's no conflict.

> necessarily there needs to be a way for that business to confirm your identity and link you to that data

Why would linking you to that data require confirming your identity? My password links my HN account to me and me alone, while revealing nothing about my identity.

There's no conflicting views. They're two, completely compatible aspects of the same view.

One is how much or how little data each service gets about you. The other is how much control you have over what those services do with the data they do get.

That's why technical and legislative solutions work in tandem, reducing the former (amount of data) and increasing the latter (control over data). That's also why technical solutions are preferable: there's no need to legislate control over data that services are unable to collect about you in the first place.


This works because you're the person who uploaded the data, and because you have a shared secret with Hackernews: in other words, an identity and a link between that identity and the data.

Let's say someone else uploads a photo of my face to an image sharing site. Is there a way for me to prove to that site that the face belongs to me without sharing additional information?

This principle also applies in the opposite direction. Let's say a third-party noncommercial site uploads a photo of my face and makes it publicly available. In order to demand they remove the photo, I need to be able to link that website to an owner.

It's not that the systems can never be combined. It's that following either system in the absolute results in conflicts with the other.


My shared secret with HN, my password, is an identity? I don't think you'll find a lot of people who agree with that definition of the word.

As for the use of photos of me that are owned by other people, I'm pretty certain that neither CCPA nor GDPR cover those. The EU might have some relevant privacy laws, but they're not relevant to the "dichotomy" you brought up, because no one expects to be unidentifiable in a photo in which their face is identifiably visible.


No. But in the HN context, your user id is. If HN decided one day to monetize the site by showing you ads based on your posts, the kind of discussions you frequent, or your location, then it's a profile of personal info.


I am 100% okay with HN doing whatsoever they'd like with posts I've made that I haven't deleted. I know they have them. I personally wrote them here with my own two hands.

I am 100% not okay with HN doing anything at all with my location information. Why would they have that information in the first place? Why would they keep it?

The discussions I frequent are more of a gray area; I favor Maciej Ceglowski's Six Fixes a lot: https://idlewords.com/six_fixes.htm

But all of this is irrelevant to the thread you're replying to, because my user id is anonymous.


> Why would they have that information in the first place?

IP based geolocalization?

> But all of this is irrelevant to the thread you're replying to, because my user id is anonymous.

Just because your hacker news user id is anonymous doesn't mean your account can't have an ad targeting profile built based on it if HN decided. They are sort of independent, and most sites don't care so much about who you actually are, but rather that you can be shown relevant ads.

> I favor Maciej Ceglowski's Six Fixes a lot

Those are very interesting. Thanks for sharing!


To clarify, I happen to be technically sophisticated enough to know that yes, unless I use a VPN, websites can guess what city I'm in based on my IP. But I'm saying rhetorically, as someone surfing the Web, it doesn't feel like part of my contract with HN that they know my location.

Everyone knows no one reads terms of service, but even if people did, they don't generally specify location, just that they collect "information about your visit". Or they might mention that they collect your IP, but most people don't know what an IP address is, much less have an intuition for how specific the location information it reveals is (some probably think you can backtrace the IP and send the cyberpolice after them).

That's why ad targeting profiles shouldn't be built on that kind of incidentally-provided behavioral data. As per the Six Fixes, ads should only be targeted to the content of the page I'm looking at, just like a dead-tree newspaper.

Note that this can be achieved either technically, i.e. anonymous browsing, or legally, e.g. requiring my permission to track me to build an ad targeting profile. That's not a conflict, that's anonymity and control over data about me as two sides of the same coin.

Btw I highly recommend Maciej Ceglowski's other works, e.g. https://idlewords.com/talks/haunted_by_data.htm


Your identity on HN is your profile and posts, and your shared secret is how you prove you own that identity. Is that actually uncommon? I would call `laughinghan` an identity.

> As for the use of photos of me that are owned by other people, I'm pretty certain that neither CCPA nor GDPR cover those.

You're talking about specific laws, and I'm talking about general principles. The dichotomy I'm supposing is between complete anonymity and complete ownership over my own data. Owning data means being able to restrict how other people use it.

No one expects to be unidentifiable in a photo where their face is visible. But if I own my face, I expect to be able to issue a takedown request to sites who post images of my face without my permission. If I genuinely own my address, or my contacts, and a third-party site makes them publicly available, I should be able to do something about that, the same way that I would be able to restrict them from distributing a piece of IP I owned.

CCPA and GDPR don't cover individuals, just companies. This is a compromise, because it's just not feasible right now to have a version of GDPR that covers what ordinary citizens share. But there's nothing special about companies. If I'm committed to a world where I own my data, I don't want my rights to vanish just because the information was posted on a blog instead of Facebook.

And that's where you start to see this conflict -- because in order to maintain control over data, you have to, well... maintain control over data. You have to know who's posting it and who it belongs to. People who advocate primarily for anonymity are opposed to that kind of world. Their extremes look different.

In the real world, most people will be somewhere in the middle. They'll lean towards data ownership on some things, and anonymity on others. For example, I doubt that many people on HN believe that companies should be able to operate anonymously. Even though anonymity/ownership is not a binary choice, different people are going to lean towards different sides of the continuum, and that's where you see these conflicts.


You're making no sense.

If someone publishes a link between my address and my name, or my address and an online handle of mine or something, in order to remove that link I would have to prove that I am the person with that name at that address, or that I am the person with that online handle or whatever, but there's no fundamental reason I would have to further identify myself in any way. There's no conflict between anonymity and control here. Their having that information about me has hurt my anonymity, but controlling that information in no way further hurts my anonymity.

The possibility of corporations being anonymous is not an example of a tradeoff between anonymity and control either. If the operator of a company had the option of being anonymous, that would be giving them more control over information about them. More control = the option of more anonymity, because there's no tradeoff or conflict, they're two aspects of the same thing.


> in order to remove that link I would have to prove that I am the person with that name at that address, or that I am the person with that online handle or whatever, but there's no fundamental reason I would have to further identify myself in any way.

I feel like I'm missing something fundamental with your point, because this sounds to me like you're saying the same thing I'm saying, and then coming to a different conclusion. How would you prove that you were the owner of a name and address without revealing additional information about yourself?

The best way I can think of is to use a trusted third-party for verification. For example, send a censored utility bill that's in your name. But this still seems to me like it's a compromise -- it means that 3rd party needs to know your name/location, and it means you need to reveal your relationship with the third party.

Is there another strategy I'm not familiar with? I suppose in some cases, like with a government ID, your relationship with the third party wouldn't be new information. But it seems like a stretch to say that a government database of names and addresses wouldn't impact anonymity.

> The possibility of corporations being anonymous is not an example of a tradeoff between anonymity and control either.

If a website operator is anonymous, how are you going to contact them and require them to take down your information? If they refuse, or if you get their website removed and they just keep buying and posting it on new domains, how are you going to stop them from doing that?

I'll fully admit I've been talking a lot about theoretical extremes, but this particular problem isn't theoretical at all. Onion sites are already a thing, and it is notoriously difficult to get illegal information removed from the dark web because the site owners, site visitors, and even server locations are anonymized.

Tor makes it easy for me to stay anonymous, but it seems to me like Tor makes it very hard for me to control my data.


> How would you prove that you were the owner of a name and address without revealing additional information about yourself?

Theoretically, there could be a system where, if the publisher of a name+address gets an anonymous request to remove that information, then they have to mail a letter with a nonce to that address, and then if they get a followup request with that nonce, then they have to comply and remove it.

In practice, a system involving third-parties such as a lawyer or government agency is more likely, I'm just proving my point that there's nothing fundamental that requires compromising anonymity.

It's also worth noting that if a client is known to their lawyer but unknown to anyone else, it's pretty widely accepted to describe that client as anonymous, even if they're not technically anonymous in the ultimate, purist sense.

> If a website operator is anonymous, how are you going to contact them and require them to take down your information? [What] if they refuse?

First of all, that's not a conflict or tradeoff between my ability to anonymously use services and my control over my data.

And the obvious solution, which is the one we have, is that to run a website, someone has to give up a little anonymity and be subject to laws. But there's no fundamental reason people can't anonymously use services and maintain control over their data.
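The nonce-by-post scheme sketched above (mail a one-time code to the address on file, remove the record only when that code comes back) can be modelled end to end. The following is an added example, not code from any poster or from any real publisher or regulator; the record store, the simulated "outbox" standing in for the postal service, the 30-day validity window and the one-pending-request-per-record limit are all assumptions. The security properties worth checking are the ones a practitioner would want from any proof-of-possession flow: the requester reveals nothing but the public record they object to, the publisher stores only a hash of the nonce, the nonce is compared in constant time, it is single-use, and it expires.

```python
"""Proof-of-address-control for takedown requests (constructed example).

Flow: an anonymous requester names a published record -> the publisher mails a
random nonce to the address in that record -> whoever holds the letter echoes
the nonce back -> the record is removed. No identity beyond "controls that
mailbox" is ever asserted or learned.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed validity window: postal mail is slow, but a nonce must not live forever.
NONCE_TTL_SECONDS = 30 * 24 * 3600


@dataclass
class PendingRequest:
    record_id: str      # the published record the request concerns
    nonce_hash: bytes   # only the SHA-256 of the nonce is kept server-side
    expires_at: float
    used: bool = False


class PublisherVerifier:
    """Holds published (name, address) records and runs the nonce protocol."""

    def __init__(self, records, now=time.time):
        self.records = dict(records)   # record_id -> (name, address), constructed data
        self.pending = {}              # request_id -> PendingRequest
        self.now = now                 # injectable clock so expiry can be exercised
        self.outbox = []               # simulated postal mail: (address, request_id, nonce)

    def _has_live_request(self, record_id):
        # One outstanding letter per record: stops an attacker from using the
        # publisher to flood a mailbox with letters.
        return any(r.record_id == record_id and not r.used and self.now() <= r.expires_at
                   for r in self.pending.values())

    def request_removal(self, record_id):
        """Step 1: the requester supplies only the record id. Returns a request id."""
        if record_id not in self.records or self._has_live_request(record_id):
            return None
        nonce = secrets.token_urlsafe(16)
        request_id = secrets.token_urlsafe(8)
        self.pending[request_id] = PendingRequest(
            record_id=record_id,
            nonce_hash=hashlib.sha256(nonce.encode()).digest(),
            expires_at=self.now() + NONCE_TTL_SECONDS,
        )
        _, address = self.records[record_id]
        self.outbox.append((address, request_id, nonce))  # "mail" the letter
        return request_id

    def confirm_removal(self, request_id, nonce):
        """Step 2: the letter holder echoes the nonce; on success the record is deleted."""
        req = self.pending.get(request_id)
        if req is None or req.used or self.now() > req.expires_at:
            return False
        presented = hashlib.sha256(nonce.encode()).digest()
        if not hmac.compare_digest(req.nonce_hash, presented):  # constant-time compare
            return False
        req.used = True
        self.records.pop(req.record_id, None)
        del self.pending[request_id]  # single use: a replayed nonce is rejected
        return True


def demo():
    """Runs the happy path plus the failure modes and returns the observed outcomes."""
    v = PublisherVerifier({"rec-1": ("A. Person", "1 Example Street")})
    rid = v.request_removal("rec-1")
    _, _, nonce = v.outbox[-1]
    return {
        "duplicate_refused": v.request_removal("rec-1") is None,
        "wrong_nonce": v.confirm_removal(rid, "not-the-nonce"),
        "correct_nonce": v.confirm_removal(rid, nonce),
        "record_gone": "rec-1" not in v.records,
        "replay": v.confirm_removal(rid, nonce),
    }


if __name__ == "__main__":
    print(demo())
```

The requester never supplies a name, an account or a return address; the only channel back to them is the letter, which is exactly what the protocol is trying to prove control of. What the scheme does not solve is the abuse case the thread raises later: if the publisher itself is unreachable or anonymous there is nobody to run step 1, so the mechanism presupposes a publisher that can be compelled to operate it.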


I think this is a very important distinction you make, but it doesn't necessarily mean that they are fundamentally incompatible.

In today's world, data about a person is an asset. A person should own their assets, and have control over them. If there were only one option, this would have to be it - it's the only one that aligns with business interests. If you instead go purely the route of anonymous data collection, because data is such an asset it just gives businesses the strong incentive to find ways to de-anonymize your data. That is an unstable situation, and a societally counter-productive incentive.

Since data on me has value (clearly, since businesses are run off it), make it a true product. Give it value, allow me as a consumer to trade it, allow businesses to quantify its value in the marketplace, and explicitly bid on it. That aligns incentives. As data becomes more (or less) valuable, businesses will adjust their prices for it. This aligns incentives: the more data is worth to a business, the more they'll be willing to pay for it. IMHO this is clearly the right approach.

That said, there is still a world where both methods exist. Users choose when they interact if they want to perform anonymous interaction (or pseudoanonymous), and people provide services to ensure it is anonymous. HN, reddit: those are forums people would likely choose pseudoanon for, but there would be a firewall between someone's pseudoanon identity and their true identity. And people would be pseudoanon knowing the risks and taking care to not divulge linking identity info, and businesses would ensure there are limits on data preservation / recording of pseudoanon interactions. The same way people post on HN and use care in what they choose to disclose, HN would also ensure data expiry is short enough and would not share/sell pseudoanon data to 3rd parties.

Again, if you can only pick one, it has to be consumer ownership of their data, but I think they both can work together.


In practice, this doesn't really work. You can compromise and build a system out of elements of each individual philosophy (and many people do), but there are going to be conflicts, and at that point you're going to have decide which system takes precedence.

The first issue is that many privacy advocates who believe in anonymity do not believe in data ownership (or believe it should be much weaker). To them, the jump from "data is an asset" to "I own my data" to "because I own it, I should be able to control what people do with it" is begging the question.

The second issue is that in practice, most anonymous systems also make it hard to verify data ownership. In order for regional restrictions to work, you need a way to tell what regions your users are in. The "anonymous" side's solution here is, "anybody should be able to convincingly and legally lie about their physical location to (virtually) any business." If that solution is implemented, GDPR and Right to Be Forgotten don't work because it's impossible to verify jurisdiction.

This is part of why efforts around GDPR and Right to Be Forgotten are focused on businesses. Businesses have a physical address, they're easy to track, it's easy to prove that they're advertising to a specific region, and you can force them to share internal data with a judge. It's a compromise, because applying GDPR to non-commercial entities or individuals would require tracking them on a mass scale.

It's not impossible to compromise -- I mean, privacy advocates do compromise all the time. We work together even though we're different, because we have lots of shared goals. But the differences aren't trivial in the real world. When someone sits down to build a system, they're either thinking about managing data, or eliminating data. That approach is a big indicator into whether you'll end with GDPR or Tor.


> The "anonymous" side's solution here is, "anybody should be able to convincingly and legally lie about their physical location to (virtually) any business." If that solution is implemented, GDPR and Right to Be Forgotten don't work because it's impossible to verify jurisdiction.

How is that? GDPR protects EU residents when they are outside the EU, so you already can't just look at someone's location and decide not to give them GDPR protections. If the GDPR applies to you, your GDPR related features need to be accessible to all your users.


European tax law also requires two separate pieces of non-contradictory evidence to prove where you are located:

https://ec.europa.eu/taxation_customs/sites/taxation/files/i... (PDF) section 2.1.

Which makes it hard to charge money to people without knowing where they are!


The GDPR applies to everyone, globally, if the data controller is in the EU, whether they are a resident or not.

The GDPR applies to a data subject regarding data about their activities when inside the EU, whether the data controller is in the EU or not.

If both the data subject and the data controller(s) and data processors(s) are outside of the EU, then the GDPR does not apply.


> How is that? GDPR protects EU residents when they are outside the EU, so you already can't just look at someone's location and decide not to give them GDPR protections.

How does the company know they are an EU resident when they are outside the EU? Probably because they have an account with the service, which makes it unlikely that they are anonymous.


GDPR protects EU residents (even abroad) when a business sells to them (or when a website targets them). At the point of sale, in order to figure out whether or not GDPR applies, a business needs to figure out whether or not someone is an EU citizen.

You have a couple of choices with a law like this:

1. Just comply with GDPR anyway. That's honestly the easiest choice, especially if you're already privacy conscious. But you're lucking out, because GDPR is a relatively mild law and comes with a bunch of exceptions that make it easy to comply with. It's not a good long-term strategy to say, "I'll just comply with every country, and that way I'll never need to figure out who my customers are."

If you're not interested in complying with GDPR, then you have to stop selling to EU citizens.

2. At the point of sale, you can use something like billing information to try and figure out where your customer lives and block them if they're an EU citizen. This is unacceptable to someone who wants universal anonymity for citizens, because it requires billing information to be tied to identity/location. You're basically guaranteeing that you can't ever move to a payment system that doesn't provide that information.

Maybe you can skip billing information, and use some kind of government ID number instead. But no matter what, you need some way to tie the thing giving you money to the person who legally has a citizenship in a country.

3. If you don't want to verify, you can just ask the person if they're European and block them if they say 'yes.' This is probably the compromise that would make anonymity-advocates happiest, because it doesn't require any extra data to be collected and customers can lie. But that's also the problem -- customers can lie.

In the US, the most direct analogy here is COPPA. COPPA is a set of privacy restrictions for what information can be collected about children under the age of 13. There are traditional ways you can fall foul of COPPA (some sites are just obviously targeting children). But for the most part, the US went with option 3 -- you ask people their age before they sign up for your site, and you block them if they're under 13.

Again, option 3 is great for people who love anonymity. But it takes all the teeth out of COPPA, because children just lie and use the services anyway, and then their privacy gets violated. And the company winks and very coyly says, "Oh, we had no idea 10 year olds were signing up for Facebook. It's not our fault."

If you wanted a COPPA that did more to restrict data collection, you would probably prefer something like option 2 -- where we collect enough information about children so that they can't fake their age, and use that to block access. Except doing that reliably would require either building a national identity database or collecting other data that would itself be considered by some people to be a violation of privacy.


> At the point of sale, in order to figure out whether or not GDPR applies, a business needs to figure out whether or not someone is an EU citizen.

Why? If you have decided to become GDPR compliant then you don't need to know which customers are EU residents. If you really want to know if some customers are not EU residents, you can ask them. There is nothing in the GDPR that requires EU residents to prove their residency before you must comply with the GDPR.

> "I'll just comply with every country, and that way I'll never need to figure out who my customers are."

Like most things, you need to comply with the laws of every country you do business in or face the prospect of penalties (which may or may not be enforceable without a legal presence in that country). This is nothing new.

> If you don't want to verify, you can just ask the person if they're European and block them if they say 'yes.'

You could, and some companies have thrown a hissy fit and decided to do location based blocking when there is no evidence that this is sufficient or necessary to indicate that you don't do business in the EU.

This isn't strictly necessary. As long as you don't target EU residents, you don't need to comply with the GDPR. Just don't advertise to Europeans, don't talk about having European customers, don't ship to European addresses and/or don't localize to languages from countries where you don't do business.

> In the US, the most direct analogy here is COPPA. COPPA is a set of privacy restrictions for what information can be collected about children under the age of 13. There are traditional ways you can fall foul of COPPA (some sites are just obviously targeting children). But for the most part, the US went with option 3 -- you ask people their age before they sign up for your site, and you block them if they're under 13.

This is not very accurate. COPPA covers more than just what data can be collected. It also has provisions that require the ability to opt-out of the data being shared with 3rd parties and provide notices that clearly detail what your and 3rd parties will use the data for (and who they are and what they do). Additionally, COPPA requires parental consent to collect this data.

COPPA is IMHO a flawed law; the general privacy protections should have just been extended to everyone. Age verification and consent validation were never going to work and it seems patently ridiculous to require companies to collect more data to protect privacy.


You're circling around the point.

> Like most things, you need to comply with the laws of every country you do business in

How do you know if you are doing business in the EU without verifying the citizenship of the people who buy from you? If I'm selling a digital product, how do I know whether or not EU citizens are buying it?

You suggest below:

> As long as you don't target EU residents, you don't need to comply with the GDPR. Just don't advertise to Europeans, don't talk about having European customers, don't ship to European addresses and/or don't localize to languages from countries where you don't do business.

This is the COPPA strategy, choice #3. It suggests that as long as you can pretend you don't know your customers are EU residents, it's fine to collect data on them. If that's the case, that's a much less effective law than we could otherwise have.

In regards to COPPA, you bring up the central problem yourself:

> COPPA is IMHO a flawed law; the general privacy protections should have just been extended to everyone. Age verification and consent validation were never going to work and it seems patently ridiculous to require companies to collect more data to protect privacy.

You're right, age requirements are a joke. We still don't have a reliable way to validate age without violating privacy. These types of laws only work if they're based on one of the three choices I listed in my post:

1. Universally applying the law to everyone, regardless of context.

2. Accepting that validation requires collecting and managing data, and being OK with the fact that we're going to collect and manage data to do validation.

or

3. Trusting consumers to self-validate and self-sort themselves.

The first option has sovereignty problems -- it doesn't work in a multi-nation, multi-state world. Even with something like COPPA, this strategy falls apart because a big part of COPPA is parental consent, and there's no way to universally apply a parental consent law. At some point, you have to decide whether or not you're going to validate the relationship between the child and the parent.

The second option is fine if you want to control your data, but means that we need to give up some anonymity -- maybe make a national database, or have some kind of proof-of-age or digital passport or something.

The third option is fine if you want to stay anonymous, but means that data protection laws have fewer teeth, because consumers will lie, which gives companies plausible deniability over violations.

What we can't do is have both 2 and 3. We can't say, "we won't require anyone to do any invasive validation, and also the validation will be really good and accurate." With GDPR, we either accept that many EU residents will unwittingly (or deliberately) do business with companies that are not beholden to GDPR, or we accept that businesses will need to validate the citizenship of their customers.


I am not circling around the point; you seem to have an incomplete understanding of both GDPR and COPPA that is leading you to make unwarranted assumptions such as:

> How do you know if you are doing business in the EU without verifying the citizenship of the people who buy from you?

The GDPR lays out guidelines for what qualifies as doing business in the EU and it has nothing to do with verifying the nationality of your customers (or doing geoip blocking). It has to do with the sorts of things I already explicitly mentioned such as advertising that specifically targets EU residents, localization into EU languages, shipping to EU addresses, etc.

> The first option has sovereignty problems -- it doesn't work in a multi-nation, multi-state world.

Why not? We have plenty of other types of regulation that differ between countries. Companies that wish to do business in multiple countries have to comply with all the laws for those countries. If you want to make a single car model that you can sell in two different countries, it has to meet both countries' safety standards. If a company has no legal presence in a country, there is not much those countries can do to enforce the laws. (This last point is the actual weakness of these privacy laws and will have to be addressed by international treaties. This is an issue with enforcing rules in general (i.e. copyright) and doesn't just apply to privacy laws.)

> because consumers will lie, which gives companies plausible deniability over violations.

How so? At worst all this might mean is that consumers who choose to lie won't be protected. Plenty of other people would be.

A combination of #1 and #3 should work just fine.


Thanks, this clarified my thinking on the issue in a really useful way.


I am on board with this law, but I’m curious how these two points will shake out:

> - Consumers can opt out of their data being sold, and businesses can’t retaliate by changing the price or level of service.

> - Businesses can, however, offer “financial incentives” for being allowed to collect data.

Seems to me that it’s a distinction without a difference. Is there something I’m missing?


It's intended to fuck over Facebook. If you're charging for a service you can simply offer a discount for allowing data collection after bumping prices for everyone by the same amount; Facebook, however, isn't charging. Facebook can't offer a discount on free, and they can't just force only users who opt out to go pay (because that falls afoul of the first quote you put).

Basically this puts Facebook in a real tight situation, I honestly wonder how they will survive it.


They can start charging everyone and offer a "data-share discount" back to free.


They would survive, but I imagine that would either cause enormous sign-up friction, or if they hide it too well, might run afoul of the law?


Yeah, it would not go well for them for sure.


I don't think that specific part fucks over Facebook; Facebook doesn't sell data (it sells ads based on the data, which, having skimmed the law, it doesn't seem to cover).


Opt-out for GDPR is under 1%. Most people don't care at the moment, sadly.

However, a mass movement to opt out would absolutely affect them. This lays the groundwork for that, and that's what they should be afraid of.


Is opt-out given equal weighting, or hidden 3 pages deep into "Learn more" > "manage preferences" while opt-in is just an "ok" (or worse, "X") away? The one site I know that gave that yes/no choice was Wikia, and they've converted to the dark patterns approach now too, so presumably they saw their opt-out rate as too high and were emboldened by others getting away with it.


> Opt-out for GDPR is under 1%. Most people don't care at the moment, sadly.

Correct.

On top of that, many people on HN, aware of the privacy implications, continue to have a Google Home / Alexa in their homes. Myself included.

Sadly, I (and many people) simply don't care about privacy. The probability/expected negatives of surveillance abuse are far less than the benefit of being able to turn my lights on and off with my voice.

The US will for sure become like China in 10-20 years, with regards to surveillance.


>The US will for sure become like China in 10-20 years, with regards to surveillance.

I very much doubt it. It is one thing when a bunch of small and big companies collect pieces of data about you, and another when the centralized government does it.

Also, it really matters what that data is used for. I would be hard-pressed to compare the onslaught of personalized ads with "disappearing" people who speak out against the government. Just look at US-related political posts on Twitter. Why would you even need surveillance if people feel perfectly safe publicly airing their negative feelings towards the government to a giant audience?


What's the opt-in? GDPR doesn't allow opt-out as a default.


IANAL, but I'm guessing it's the difference between opting in and opting out?

For example, I think it would be legal for Verizon to get around this law by increasing their prices by $5 across the board, and offering a $5 rebate for customers who want to opt-in to their data being sold.

But it would not be legal for Verizon to allow customers to opt-out of data collection by paying an extra $5 a month.

In the first approach, Verizon will not track by default and customers have to opt-in.

In the second approach, Verizon will track by default and customers have to opt-out.


Assuming that's true, then it's just accounting for social behavior.

A user isn't "paying" for privacy. Privacy comes by default (for a price) and a company can pay a user to harvest their data.

Financially, they both work out the same, but based on opt-in, opt-out behaviors and perception I presume they have a different impact. The wording specified by the law says that users should have a default expectation of privacy. They can actively choose to give that up for a fee.

The business profit loss side of it says: you can't build a business that assumes it gets to profit off harvesting users' data for free. User data has value; place a value on it, and make it an explicit part of the transaction.


It's all about marketing and perception. See how credit card companies set rules regarding surcharges and cash. Before, credit card companies tried to prevent a discount being offered if a customer paid cash, as a stipulation for taking credit cards. The Durbin Act of 2010 changed that, which made it legal in all 50 states.


> Durbin Act of 2010 changed that

Ah! I was always saying I'm surprised by the brazenness of gas stations to offer cash discounts in violation of their credit processing agreements. Today I learned that as of 2010 the law protects them. Thanks!


The gimmick has always been that you can't charge more for using a credit card, but you can offer a cash discount. So basically you just have to advertise the credit card price rather than it being a surprise fee added on at the last second.

Which makes sense, most other countries actually roll sales tax and others into the advertised prices, and what you see is what you'll pay out the door.


Right, but before 2010 the credit processing agreements could (and always did) include language that you could not offer a different price to credit customers and cash customers, discount or not. Otherwise you would lose your ability to accept credit cards. Some places would still offer a cash discount and assume they wouldn't get caught, but most places didn't risk it.


Because then they'll have to be up front about "why" they're charging you a lower amount, which puts a real dollar value on the data for the user, something which previously was never disclosed.


It might be a matter of semantics? You can quote a standard price, and then give a discount for allowing data collection, but you can't quote a standard price, and then add a surcharge for disallowing data collection.

I agree that there is no practical difference between the two, but given how deceptive companies can be when disclosing various pricing and hidden fees, this might be an attempt to curb that behavior?


There's definitely a difference in outcomes between

1) allowing customers to opt in to data collection by giving them a reward. In this case, the default behavior does not involve data collection

2) allowing customers to opt out of data collection by paying a penalty. In this case, the default behavior involves data collection.

People usually don't bother to opt out.


The way I'm guessing that will be clarified is that if you are charging for your product, you cannot offer a lower price point for allowing data collection. This will probably boil down to professional, paid for services, being allowed to collect only a small amount of information, and what is strictly needed.

The second line would allow companies to pay people to permit them to collect information. I imagine that because of the first statement, a company that is charging for the service cannot take advantage of this statement.


It sounds like this means it'll have to be clearly disclosed up front as a bonus, rather than being charged after the fact as a penalty and hidden somewhere in the ToS.


Maybe something like the advertised price of the service must be the price without data collection.


I don't think lawmakers have thought through the ramifications. Here are a few:

Way too hard to enforce, the definition of 'customer data' is going to be a constantly moving target. Does every click count? How about aggregated clicks important for general product optimization?

What constitutes 'selling' user data? Very few companies actually sell your data, instead they place ads based on your data. Will that be banned as well? Many companies, including Google would have to significantly change their pricing model if so.. yet that is apparently illegal.


European here, I can help:

Yes a click counts as personal data if you can reference it back to a real person. Aggregated clicks probably wouldn't.

Selling ads based on personal data is selling your personal data. The personal data provides the value to the transaction.

Yes lots of companies may need new business models, but for the most part what I've seen is dark patterns, non compliance or wriggling to avoid any real change.

In Europe at least, it's back to the regulators to make a move.


> Aggregated clicks probably wouldn't.

> Selling ads based on personal data is selling your personal data. The personal data provides the value to the transaction.

What about selling ads based on aggregated data? e.g. put users into buckets, then sell ads for those buckets.


It's interesting to know what those terms mean in Europe's GDPR, but I'm not sure that will affect their interpretation in the U.S. court system.


> but for the most part what I've seen is dark patterns, non compliance or wriggling to avoid any real change.

I fully expect this part to be just as relevant over here


> Way too hard to enforce, the definition of 'customer data'

HIPAA manages with "Patient data". The standard techniques include non-reversible addressing of users. Patient N has an internal number and an external number. Without having Patient N's internal record in hand, you can't correlate it back to that user, which is particularly useful in a legal defense.


I think of customer data as any data that has been created/logged/stored based on some action I took (logging into website, clicking a button, visiting a website, opening an app, etc.) that can be tied back to me, my friends/family/community, my devices, my ip addresses, my locations, etc. in any way shape or form.


> Will that be banned as well?

I sure hope so.

> Many companies, including Google would have to significantly change their pricing model if so

Good. It would be even better if they have to change their business model.


I don't understand this mentality. If someone is fine giving a company some information, and the company uses that to give them a better product, where is the harm? And what right do you have to stop those two parties from voluntarily exchanging goods and services?


If I am voluntarily giving information to a company, and have been completely informed of all the purposes that it will be put to (especially which companies it may be transmitted to), then I have no problem with it at all, personally. And I particularly would not be inclined to say that others can't decide this for themselves.

The problem is the rampant data collection that is engaged in without my permission and/or knowledge, and that companies often forward that data to others.

Targeted/behavioral advertising in particular has monetized that abuse. I would be thrilled if that business model dies an agonizing death.

The amount of abuse on that score has been so extreme, and going on for so long, that strong legislation is clearly the only remaining option to at least stem the worst of it.


OK so if I understand you, you are worried that companies are collecting data on people and then using that data to give them more personalized ads. These ads may convince people to buy or do things that they otherwise wouldn't. It's not just that people would buy Chevys instead of Fords. They could be convinced to vote differently and support harmful policies.

I hope that's an accurate summary of your view.

I have a few points.

First, I don't think targeted advertising is much more effective than your typical magazine ad, TV commercial, radio ad, or movie trailer. In all of those cases, the advertisers know the demographics of who is consuming that media and can target pretty effectively. And if targeting was far more effective than old school ads, advertisers would pay significantly more for targeted ads, but they don't seem to. CPC for Facebook and Twitter is about the same (~50 cents), despite one allowing for much more fine-grained targeting. And I doubt LinkedIn does better targeting than Facebook, but LinkedIn's CPC is 10x higher.

Second, is this an instrumental value or a terminal value for you? eg: If all advertising were banned (or at least heavily taxed), would you no longer want a ban on companies storing customers information? If so, I'd like to hear why.

Third, what if we could pass laws that caused the benefits of targeted ads to outweigh the downsides? For example: We could ban targeting for politics. Then people could still get ads for more things they want, such as some software that would help them or some new barbershop that opened near them. That seems like a win-win to me.

Lastly, whenever I see an argument between two sides, I pay attention to emotions. In my experience, the less emotional side tends to be the more correct one. If a side mostly engages using disgust, anger, and catastrophizing, I get very suspicious. If I had to pick the more emotional side in this thread, it would definitely be the side that accuses the other of "violating basic human decency", of being "horribly unethical", and doing "stupid privacy violating shit". On the other side, pretty much everyone against this law seems to think it's mistaken, not evil.


> I hope that's an accurate summary of your view.

It's not, really.

I object to data about me or my use of my machines being collected without my permission at all. Past that, I object to it being shared with others. What it's used for is beside the point.

Marketing companies come into it simply because they are the most egregious bad actors when it comes to those two points.


I'm sorry I misunderstood you.

> I object to data about me or my use of my machines being collected without my permission at all. Past that, I object to it being shared with others. What it's used for is beside the point.

What can I engage with here? I'm trying to figure out what bad consequences you're worried about, but you seem to have a terminal value that companies shouldn't be allowed to keep information you sent them.

Let's try another tactic: What do you think of casinos that share surveillance photos of card sharps with other casinos? Or wifi hotspots at coffee shops that keep logs of mac addresses to limit abuse? Or news sites that limit non-paying visitors to 3 articles per month? Your statement seems to be so absolute that it forbids all of these legitimate uses.


Yes, in the interests of brevity, I've omitted a lot of nuance. Let me try to add some of that back in.

I do not object to data collection that is technically necessary to provide services. For instance, I don't object to web server logs.

I also don't generally object to sites using data I have willingly provided for their own purposes, as long as they aren't doing things like sharing it with other entities or combining it with data about me that they have obtained with other entities (unless I have given consent, of course). So I have no problem with your wifi hotspot or paywall examples.

Anything beyond that -- which would include your casino example -- requires my express consent. I do think that casinos violate this principle, because they do not inform me of their surveillance before I set foot on their properties. If they did, though, then I would not object.

The essential principle that I operate under is that of informed consent. It's really that simple. Having a relationship with a specific entity carries with it a certain amount of implied consent (web server logs are an example of this) -- but even that data should remain private between me and that entity. Any sharing of it with others requires my express permission. "Sharing with others" includes indirect mechanisms such as using that data to match me with advertisers, even if the raw data itself is not transmitted to others.


>If I am voluntarily giving information to a company, and have been completely informed of all the purposes that it will be put to (especially which companies it may be transmitted to), then I have no problem with it at all, personally. And I particularly would not be inclined to say that others can't decide this for themselves.

I fully agree, but it seems like under this legislation it becomes illegal to conduct a business in this manner. If I am fine with trading a certain set of my data for access to a service, I should be able to do so (if the service provides that option, obviously).


Nope, not illegal:

> Businesses can, however, offer “financial incentives” for being allowed to collect data.

The change is from opt-out to opt-in.


> companies often forward that data to others

Why not just outlaw that?


That should be part of it. Another part should be that the data can't be collected without my permission in the first place.


Are you willing to pay to use a search engine? How much?


Depends on the search engine, of course, but I am not opposed to the notion.

That said, I am also not arguing against advertising as a funding model. I'm arguing against business models that rely on invading people's privacy.


Those aren't the only two options. Duckduckgo shows you ads based on your search terms.


I see a lot of comments deriding this law, can someone explain to me why these are bad things?

Jeff Hammerbacher: ‘The best minds of my generation are thinking about how to make people click ads… That sucks.’

Those best minds are now having to change the way they generate revenue.


Hardly. It doesn't seem the law will affect the business, it will just make the cost of data collection explicit: "Pay $40/month to use Facebook or get a free rebate by enabling ads".


It doesn’t cost anything like $40 per month per user to operate Facebook, it’s not even $40 per year. (Facebook's operating revenue per user in 2018 was about $25.)

Of course, they’d hate the idea of having a fixed revenue per user. They want to keep sucking out more revenue per user until the well runs dry.


Yeah, but that's averaged across their global users. Stands to reason that most people in developing nations will not pay $25/mo to access Facebook; nor is their data worth that much.

Ergo, Facebook will charge a different rate per nation; per state; ideally per user (they already have all the data they need to calculate exact revenue per user based on their data).


Why would they do that? They're not required to charge according to their costs.


I'm definitely not against it, but my guess is the best minds will now be put to work figuring out how to defeat, avoid, mitigate this regulation.


When I first wrote that comment, it was at -2 after three minutes. Which is interesting because usually HN users claim they care about privacy.


Oh hell no, HN users are largely startup types who are all-in on adtech/tracking tech and metrics for building their businesses.

There is an incessant amount of whining about GDPR for example, and how "confusing" the regulations supposedly are. What it comes down to is many HN denizens are doing things that are explicitly prohibited by these data collection laws and want to continue doing the things that have been outlawed.

As they say, it is difficult to get a man to understand something when his salary depends on his not understanding it.


Yup agreed. I wanted to see someone spell out why they opposed this law, because it would make it obvious that they have no problems with the horribly unethical things some of these tech companies are doing.


You are well on your way to having this comment pulled. Heaven forbid you cast any blame on those who are building our dark-patterned surveillance dystopia. Note, I have been told on good authority that the pay is good and the work is interesting. And that makes it okay.

Good luck!


Well, going on the endless GDPR discussions last year, that very much depends on whether it's a time when it's mostly America awake or mostly Europe. There's far too much of SV wedded to the idea of farming customer data infinitely. Which is why data privacy laws are becoming a thing.


They’re not bad for the consumer. They’re just hard to implement in practice. I’m going through this right now at a well known tech co. Nobody, including the lawyers on both sides of the table, knows exactly what to do to be compliant because a lot of the bill is pretty vague on details.

And for some companies doing shit like selling customer data is the only reason they’re in business. Good riddance to them though.


I think there are a lot of people here whose employment depends on being able to sell and buy peoples data freely.

Many of the people here who work for these companies truly and honestly believe the online services they are offering are/will change the world for the better.

As such, they view hindrances to this as threatening to the progress they are trying to help bring about.

Personally, I support this privacy initiative and think SV companies are many times viewed through rose tinted glasses by their employees, but that's just my perspective.

I can totally see how viewed through the lens of a hindrance to progress, some people would feel very strongly that I'm wrong in supporting such legislation.


Some problematic scenarios:

- How do you identify what is customer data? There may be information stored in logs somewhere. Do you now have to write log parsers to extract personal data for everything that previously you just stored for general debugging and security purposes? How do you even know all the permutations of personal data that can be stored in the logs? There are possibly infinite possible ways personal information can manifest in logs. How do you ensure compliance with something when you don't fully understand what can come out of it? Any engineers now must fully understand the consequences of anything they log and design delete mechanisms for it. This extends to any 3rd party software you use that generates logs. You must now fully and deterministically understand your entire system just to comply with this law. Such a request is essentially NP-complete.

- How do you prune said data from logs?

- How do you delete data that are archived in write only media formats and/or that are in cold storage somewhere? You'd have to physically destroy the media and make a copy of everything minus the part you want to exclude. This dramatically increases archive storage complexity and cost.


> Do you now have to write log parsers to extract personal data for everything that previously you just stored for general debugging and security purposes? ... Any engineers now must fully understand the consequences of anything they log and design delete mechanisms for it.

YES YES YES YES YES.

Are you not already doing this for passwords, credit card numbers, and social security numbers?

> Such a request is essentially NP-complete.

I think you mean undecidable, or equivalent to the halting problem, or subject to Rice's theorem. NP-completeness is irrelevant. I think you'll find that HN is the last place you'll win arguments by inaccurately using technical terms in the hopes that it will go over other people's heads, Legally Blonde-style (https://www.youtube.com/watch?v=8rNVaY7Stt4).

To anyone who knows what they're talking about, this is an obviously nonsensical argument. It's similarly undecidable to verify whether the data that you expose publicly contains customer data, or customer passwords, or your own passwords, but you do it anyway, by restricting your engineers to only write and deploy code that they understand.


> How do you even know all the permutations of personal data that came be stored in the logs. There are possibly infinite possible ways personal information can manifest in logs.

Nonsense. You write the log statements. You know what data structures you are logging.

If you're using some server's built in logging, or some logging library or middleware you don't understand, turn that off until you understand what it's logging.


GP is referring to pseudonymization, not data structures.

Logs that do not contain explicit PII are still rife with pseudo-identifiers that could possibly (but not typically) be used to join activity with PII.

For example:

- You have one set of logs that stores anonymized click activity

- You have another set of logs that stores purchase transactions

- Both have millisecond timestamps

You could potentially link the click record from one logs database to the purchase record in the transaction database, when during a single millisecond there is only one transaction and one click happening. Now your anonymized click ID and all your click activity is linked to your PII in your transaction.

Sometimes it's off by a few milliseconds. Sometimes the logs are obfuscated up to the second level, but then you'll still have instances of a single click and transaction in a second. Does this activity still need to be removed from logs, despite not being linked to your PII or even being identifiable? These are the challenges that need to be addressed.
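The linkage described in this comment can be made concrete. The following is an added example (not code from any commenter): two constructed logs, one "anonymized" click log and one identifying transaction log, and an audit check that reports which click IDs can be joined to a named customer purely because they share a time bucket with exactly one record on each side. It also shows the mitigation the comment alludes to, coarsening stored timestamps, and a check for buckets that still hold a single record after coarsening. The log fields, timestamps and the 15-minute bucket width are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample logs for illustration (not real traffic).
# The click log is "anonymized": it carries a click id but no account.
CLICK_LOG = [
    {"click_id": "c-101", "ts_ms": 1568880000123, "page": "/cart"},
    {"click_id": "c-102", "ts_ms": 1568880000123, "page": "/checkout"},
    {"click_id": "c-103", "ts_ms": 1568880004567, "page": "/checkout"},
    {"click_id": "c-104", "ts_ms": 1568880061000, "page": "/checkout"},
]
# The transaction log is identifying: it names the paying customer.
TX_LOG = [
    {"tx_id": "t-9001", "ts_ms": 1568880000123, "customer": "alice@example.com"},
    {"tx_id": "t-9002", "ts_ms": 1568880004567, "customer": "bob@example.com"},
    {"tx_id": "t-9003", "ts_ms": 1568880061000, "customer": "carol@example.com"},
]

MS = 1
SECOND = 1000
FIFTEEN_MIN = 15 * 60 * 1000  # assumed bucket width for coarsened storage


def time_bucket(ts_ms, granularity_ms):
    """Truncate a millisecond timestamp to a bucket of the given width."""
    return ts_ms // granularity_ms


def group_by_bucket(records, granularity_ms):
    groups = defaultdict(list)
    for rec in records:
        groups[time_bucket(rec["ts_ms"], granularity_ms)].append(rec)
    return groups


def linkable_pairs(clicks, txs, granularity_ms):
    """Audit check: anonymized clicks that a join on the time bucket ties to a
    named customer, because the bucket holds exactly one click and exactly one
    transaction. Returns sorted (click_id, customer) pairs."""
    clicks_by = group_by_bucket(clicks, granularity_ms)
    txs_by = group_by_bucket(txs, granularity_ms)
    pairs = []
    for bucket, cs in clicks_by.items():
        ts = txs_by.get(bucket, [])
        if len(cs) == 1 and len(ts) == 1:
            pairs.append((cs[0]["click_id"], ts[0]["customer"]))
    return sorted(pairs)


def coarsen_log(records, granularity_ms):
    """Mitigation: keep timestamps only at bucket granularity. Returns new
    records with 'ts_ms' replaced by 'ts_bucket' (bucket start, in ms)."""
    out = []
    for rec in records:
        coarse = {k: v for k, v in rec.items() if k != "ts_ms"}
        coarse["ts_bucket"] = time_bucket(rec["ts_ms"], granularity_ms) * granularity_ms
        out.append(coarse)
    return out


def residual_singletons(records, granularity_ms):
    """Buckets that still contain a single record after coarsening. These are
    the entries a retention policy should drop or aggregate further, since a
    lone record in a bucket is what makes the join above possible."""
    groups = group_by_bucket(records, granularity_ms)
    return sorted(b for b, recs in groups.items() if len(recs) == 1)


if __name__ == "__main__":
    for label, width in (("1 ms", MS), ("1 s", SECOND), ("15 min", FIFTEEN_MIN)):
        print(f"{label:>6}: linkable = {linkable_pairs(CLICK_LOG, TX_LOG, width)}")
```

On this sample, millisecond and one-second buckets both expose two of the four clicks; only the 15-minute bucket removes every linkage, and `residual_singletons` is the check that tells you whether coarsening actually achieved that for a given data set rather than assuming it did.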


Yes.

Emplify, for example, makes it a point not to reveal averaged responses for subgroups of size less than 5, for similar reasons: https://intercom.help/emplify-insights/en/articles/1731829-c...

We should be making an effort to take such care with all customer data, even just when storing it. Mistakes are inevitable, of course, so small gaps that are soon fixed should be let off with a warning, with any fines proportionate to the amount of exposure and negligence involved. How would we do that? Maybe have an agency of experts tasked with determining the fines, and allowing companies to appeal those fines in open court. Like what GDPR does.

I'm a software engineer who works for a SaaS data analytics startup that has to comply with GDPR. It's not cheap, just like it's not cheap complying with all the laws restricting pollutants emitted by my car, but it's still completely worthwhile.

(My employer is not Emplify, although we are a customer of theirs. Good service.)


That is not how logs work. Did you reply to the right comment?

Emplify is gating database records from surfacing through their UI. These records still exist in the database and are admin accessible. The act of knowing if clustering the data is too much still requires knowing the data - i.e. the data existing.


Yes, I replied to the right comment, you're getting hung up on an irrelevant detail.

I'm saying that the thought they put into anonymizing the data they surfaced through their UI, that same amount of thought should be put into the data we all store.

If the data can't be clustered in a way that preserves anonymity, it should be deleted (after the desired aggregate statistics are computed). Emplify probably isn't required to, and so they probably don't. I'm saying they should be required to.


It is not known at the time of storing the data if the data being stored will be deanonymizable - especially for logs data.

Saying, "Just don't store logs data" is a fundamental misunderstanding of how web development works. This data is crucial for operational uptime, debugging, and running an online business. The scope of the data is so large that there inevitably are factors that can be used for deanonymization, which is to GP's point.

The reason I asked if you replied to the right comment is because logs data is fundamentally different from database records, which is the working example you gave with Emplify.


I'm not fundamentally misunderstanding anything. We both understand the problem quite well, you're just refusing to take on the burden of trying to solve the problem.

I didn't suggest not storing any logging data, actually. I suggested deleting it. Old, stale logs are unnecessary for operation uptime or debugging and low-value for usability or security investigation.

They also cumulatively present risks to customers. A gay blogger in Russia who used LiveJournal in 2004 might regret their decision now, even though in 2007 when LiveJournal sold to a Russian company, few reasonable people would have foreseen the country's turn towards homophobia later. If LiveJournal had, for example, replaced all IP addresses with cities in historical, pre-2007 HTTP logs, they would have lost nothing of value to them while their customers would be that much safer. If they had gone so far as aggregated statistics of requests and unique visitors per tuple of (user agent, city, timestamp truncated to 15-minute intervals), and then deleted all detailed HTTP logs older than 90 days as suggested by Maciej Ceglowski [1], can you think of anything of value they would have lost?

But of course I'm sure they didn't, because they weren't required to put that much thought into the data they stored.

I'm saying we should be required to.

[1]: https://idlewords.com/talks/haunted_by_data.htm
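The retention scheme sketched in the comment above (IP replaced by city, aggregates per (user agent, city, 15-minute bucket), detailed logs deleted after 90 days) is easy to express as a small pipeline. The following is an added example, not code from the commenter or from any of the services mentioned. The access-log records are constructed, and the prefix-to-city table stands in for a real GeoIP lookup; the 15-minute and 90-day values come from the comment.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample access-log records (not real traffic). 'ip' is the
# field we do not want to retain beyond the operational window.
RAW_LOGS = [
    {"ts": "2019-06-01T10:03:12Z", "ip": "203.0.113.7",  "ua": "Firefox/67", "path": "/"},
    {"ts": "2019-06-01T10:05:48Z", "ip": "203.0.113.7",  "ua": "Firefox/67", "path": "/post/1"},
    {"ts": "2019-06-01T10:11:02Z", "ip": "198.51.100.2", "ua": "Firefox/67", "path": "/"},
    {"ts": "2019-06-01T10:20:30Z", "ip": "198.51.100.9", "ua": "Safari/12",  "path": "/"},
    {"ts": "2019-09-18T09:00:00Z", "ip": "192.0.2.55",   "ua": "Chrome/77",  "path": "/"},
]

# Stand-in for a GeoIP database: a constructed prefix -> city table.
CITY_BY_PREFIX = {
    ipaddress.ip_network("203.0.113.0/24"): "Springfield",
    ipaddress.ip_network("198.51.100.0/24"): "Shelbyville",
}

BUCKET = timedelta(minutes=15)   # aggregation granularity from the comment
RETENTION = timedelta(days=90)   # detailed-log retention from the comment
EXAMPLE_NOW = datetime(2019, 9, 19, tzinfo=timezone.utc)  # assumed "today"


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def ip_to_city(ip):
    """Coarsen an address to a city; unknown prefixes collapse to one label."""
    addr = ipaddress.ip_address(ip)
    for net, city in CITY_BY_PREFIX.items():
        if addr in net:
            return city
    return "unknown"


def truncate(ts, width):
    """Round a timestamp down to the start of its bucket."""
    w = int(width.total_seconds())
    return datetime.fromtimestamp(int(ts.timestamp()) // w * w, tz=timezone.utc)


def aggregate(records):
    """Roll detailed records up to (ua, city, bucket) -> requests and unique
    visitors. The IP is used only to count distinct visitors inside the
    aggregation; it never appears in the output."""
    requests = defaultdict(int)
    visitors = defaultdict(set)
    for r in records:
        key = (r["ua"], ip_to_city(r["ip"]), truncate(parse_ts(r["ts"]), BUCKET).isoformat())
        requests[key] += 1
        visitors[key].add(r["ip"])
    return {k: {"requests": requests[k], "unique_visitors": len(visitors[k])} for k in requests}


def pseudonymize(records):
    """Replace the IP in each detailed record with its city."""
    return [{**{k: v for k, v in r.items() if k != "ip"}, "city": ip_to_city(r["ip"])}
            for r in records]


def apply_retention(records, now, retention=RETENTION):
    """Records older than the retention window are aggregated and then
    dropped; newer ones are kept in full for debugging. Returns
    (aggregates_of_old_records, retained_detailed_records)."""
    cutoff = now - retention
    old = [r for r in records if parse_ts(r["ts"]) < cutoff]
    fresh = [r for r in records if parse_ts(r["ts"]) >= cutoff]
    return aggregate(old), fresh


if __name__ == "__main__":
    summary, kept = apply_retention(RAW_LOGS, EXAMPLE_NOW)
    for key, counts in sorted(summary.items()):
        print(key, counts)
    print(f"{len(kept)} detailed record(s) retained")
```

Running the pipeline turns the four June records into three aggregate rows and keeps only the one September record in detail. Note that `unique_visitors` is approximate in the same way the comment's proposal is: it counts distinct IPs within a bucket, which is all that remains once the raw records are gone.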


> engineers now must fully understand the consequences of anything they log

I don't think this is quite the dichotomy you make it out to be.

So we can create optimizing compilers, but we can't figure out what to log?

This seems like a problem of never having motivation to solve the problem before.

"We can't do that, it's too hard" is often a mea culpa in industry when they oppose regulation. Then they will come up with a solution from having actually spent some effort to actually think of potential solutions.


Oh we can figure out what to log - and figure out how it would suck donkey balls. Just like the other "too hard" areas like the magic golden key backdoor.

It can trivially backfire to make things less secure if it is poorly defined which is generally a given. The GDPR made exfiltration easy as an account compromise - one could argue it is an acceptable trade off for transparency but the regulators must bear full responsibility for their constraints.

"We can't log sensitive customer data, slowing down debugging and worsening data integrity" is one thing, but now imagine "can't log customer IDs in a read-only way as sensitive information": oops, there goes a lot of useful auditing information as it is excluded or forced to be writeable.


It's too hard to do anything, so let's do nothing.


Yes, if you log personal information like IP addresses you need to have a plan to delete it. Maybe storing it long term is a liability not a benefit.

Don't bring complexity theory into it.


There are a (very) few hard edge cases. But most of this stuff is easily addressed by 1) having good designs around data handling in your system and 2) treating customer data and PII as data you only have limited rights to in the first place.


In Europe, we have GDPR which is broadly similar. And the answer to your question about logs is basically "Tough shit. Personal data is important and if you've been leaving it in logs all over the place then you're going to have to sort that shit out".

The Backups question is a bit more complex. One source I've seen: "According to France’s GDPR supervisory authority, CNIL, organisations don’t have to delete backups when complying with the right to erasure. Nonetheless, they must clearly explain to the data subject that backups will be kept for a specified length of time (outlined in your retention policy)."

Paired with that is that if you're keeping data (or backups) for any length of time beyond the immediate needs of the customer then you need to be able to justify it.


ALL of those scenarios are only problematic because the design of these megalithic services didn't even consider things like the basic privacy of their livestock/user base.

Think this law is going to allow me to require 7-11 to delete me from their DVR records? Not part of the business model, it's a matter of security. Nice straw man though.

Their terrible system design can't handle "FROM PornPrefs DELETE SSN,Name,Address WHERE SSN LIKE "999-11-2222"". They brought this on themselves.


Regulations that don’t achieve anything create a massive drag on innovation and commerce. Every regulation is a compliance check that needs to be paid for, a lawyer that needs to be hired, etc. which advantages incumbents.

It’s like lines of code in a program — each one makes the application worse, so each one should have a purpose that it achieves.


The law would not be necessary if companies were upfront with how they collect and process information about individual consumers. Now this is a compromise many consumers want.


It makes it extremely difficult to legally be a tech firm unless you're already a tech giant, just like the FDA's procedures make it impossible to invent a new drug unless you're already an established, giant pharma company.

None of the big names in tech will have any trouble at all complying with this; I'd be very surprised if any at all are not already compliant today.

At the same time, the percentage of tech startups that are already compliant with this law is likely around zero, and few will ever become so. Unless this is precisely what your startup is about, small firms, especially with venture funding, can't afford to invest anything at all into privacy beyond the surface. If your startup fails because it gets sued into oblivion, that's no worse (and way less likely) than it failing because nobody actually wanted a chat app for dogs.


If a company (small or giant) can't afford to protect my data and preserve my rights to it, then I don't want that company to exist.

Just like I don't want startups making unsafe medicine, or losing my medical secrets.


> It makes it extremely difficult to legally be a tech firm unless you're already a tech giant

Why? There are plenty of tech companies that collect very little data, and don't sell any of it. I fondly remember one of my customers telling me how much effort it took to come up with a wordy enough privacy policy page for one of their products so that it wouldn't look suspicious. The first draft was barely two paragraphs long and contained just a couple of items, most of them ephemeral (e.g. IP addresses, which were collected only for logging purposes and were only stored for 30 days).

If a company is unable to even articulate what data it collects and cannot do basic operations on it (e.g. remove a piece of it), then it shouldn't be in the business of handling personal information. The same way a clinic that can't even keep track of blood samples shouldn't be in business.

And if a company's earnings depend strictly on being able to collect and sell personal data, what they need is a better business plan, not having everyone turn a blind eye.


I just wanted to piggy-back onto the parent’s comment with a concrete example.

I’ve always been told that it’s good practice to take periodic backups. In the absolute worst cases, you can simply restore directly from these.

If a customer requests that their data are deleted, in addition to my production instance, does that mean that I have to remove their data from my backups? If so, I’m uncertain of the best way to do this. I’m uncertain if many managed services will allow me to mutate backups. And even if I were managing my database and backups directly, it seems painful to load each backed up database, remove the data, and rewrite the backup.

Note: I’m not saying that any of this is impossible. However, it does require a lot of ancillary engineering work difficult for a small company that’s just trying to get to product market fit.


Not sure about the legal framework in the US but over here across the pond, it's enough if you remove the data when restoring the backups (reasonably easy to do; took me about a day to implement that on an old codebase that I wrote more than ten years ago, and I haven't touched either PHP or that codebase since then...).

IANAL but the guy who told us how it's done was, and in addition to all the legal stuff, of which I have absolutely no recollection because I don't really understand it, he pointed us to this as a useful resource for people who are also not lawyers: https://ico.org.uk/for-organisations/guide-to-data-protectio... .

Turns out it's acceptable for data to remain backed up for a while (as long as you inform your users), as long as you have systems in place that guarantee it's not used anymore.

Just sayin, it's not rocket science. Reading Internet forums you'd think the GDPR was like Apocalypse Lite, but in my experience, it took very little effort to implement it for companies that weren't engaging in shady practices.


>Not sure about the legal framework in the US but over here across the pond, it's enough if you remove the data when restoring the backups

Implementation-wise, is the best approach to do this to store some token for "user XX requested YY data be deleted" and check those tokens whenever you restore a backup?

I feel like that'd run afoul of a true solution because, in the event of a leak, it could be used to tie the information in the backup to the user who requested their data be deleted. Or am I misunderstanding such that that'd actually be acceptable under GDPR?

Is there a better way to do it?


That's pretty close to what I did, except I didn't reference the user who requested removal -- it's just a token that says "data will be removed due to GDPR request". I think there's a requirement to log removal requests, so there are still dots that can be connected, though.

Also, I don't know if it's the best technical approach -- I did just because it's code that I wrote a very long time ago, for a friend who was just starting their business. I took care of it because we're still friends and he asked me if I could take a look at it, but it's the first time I've done backend/web development in more than 12 years now.

I think this is sufficient, even considering things like the potential for data breaches. It complies with both the explicit requirements and the general spirit of the GDPR. IANAL and all but I think that, since data leaks aren't a form of data processing by the company who collected the information, they are outside the scope of Art. 17. There are already requirements in place about the secure storage and administration of personal data.

Plus, if you think of it, the framework of this whole construction provides sufficient assurance. If you have live, online backups which can be restored immediately, with a single click, then it's clearly not a problem to erase data from them immediately. If you have offline backups, you're required to have a retention policy for them anyway, and you can't process data from them anyway -- not until they're restored and you've had a chance to purge them. It's certainly possible that someone might break into your storage unit and run away with your archive tapes or hard drives or whatever, but at that point there's a lot of legislation that you have to worry about having broken before you even get to the damn GDPR :).
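The approach discussed in the comments above (a removal marker that is applied when a backup is restored, without the ledger itself naming the user) can be written down concretely. The following is an added example, not code from any commenter or from any real project: it assumes restored user rows are plain dicts with a `user_id` key, and it keys the ledger with an HMAC secret (the constructed `LEDGER_KEY`) that is stored away from the backups, so a leaked backup plus a leaked ledger cannot be joined back to the people who asked for erasure. The retention window and the `keep_for_accounting` flag are assumptions chosen for illustration.

```python
"""Restore-time erasure: apply a deletion ledger to rows coming out of a backup.

Added example (not from the thread or any real project). Assumes a user table
whose rows are dicts with a 'user_id' key, and that LEDGER_KEY is kept in a
secrets store separate from the backups themselves.
"""
import hashlib
import hmac
import json
from datetime import date, timedelta

# Constructed secret for the example; a real deployment would load it from a
# secrets manager so that a leaked backup cannot be joined with the ledger.
LEDGER_KEY = b"constructed-ledger-key-not-a-real-secret"


def pseudonym(user_id: str, key: bytes = LEDGER_KEY) -> str:
    """Keyed hash of the identifier, so the ledger never lists raw user ids."""
    return hmac.new(key, user_id.encode("utf-8"), hashlib.sha256).hexdigest()


class DeletionLedger:
    """Append-only record of erasure requests, stored as pseudonyms plus the
    date each request was received."""

    def __init__(self, retention_days: int = 90):
        # Must match (or exceed) how long any backup is kept.
        self.retention = timedelta(days=retention_days)
        self._entries = {}  # pseudonym -> date received

    def record(self, user_id: str, received: date) -> None:
        self._entries[pseudonym(user_id)] = received

    def is_erased(self, user_id: str) -> bool:
        return pseudonym(user_id) in self._entries

    def expire(self, today: date) -> int:
        """Drop entries older than the retention window: once every backup taken
        before the request has itself been deleted, the entry is no longer needed.
        Returns the number of entries removed."""
        stale = [p for p, d in self._entries.items() if today - d > self.retention]
        for p in stale:
            del self._entries[p]
        return len(stale)

    def to_json(self) -> str:
        """Serialised form that can be stored next to (but not inside) backups."""
        return json.dumps({p: d.isoformat() for p, d in self._entries.items()},
                          sort_keys=True)


def scrub_restored_rows(rows, ledger: DeletionLedger):
    """Filter rows coming out of a restored backup.

    Rows belonging to an erased user are dropped. Rows flagged keep_for_accounting
    (an assumed flag for records that must survive, e.g. invoices) are kept but
    the identifying fields are replaced with the pseudonym / None.
    Returns (kept_rows, number_dropped)."""
    kept, dropped = [], 0
    for row in rows:
        if not ledger.is_erased(row["user_id"]):
            kept.append(row)
        elif row.get("keep_for_accounting"):
            kept.append({**row, "user_id": pseudonym(row["user_id"]),
                         "email": None, "name": None})
        else:
            dropped += 1
    return kept, dropped


def sample_backup_rows():
    """Constructed rows standing in for a restored user table."""
    return [
        {"user_id": "u-1001", "email": "a@example.com", "name": "A"},
        {"user_id": "u-1002", "email": "b@example.com", "name": "B"},
        {"user_id": "u-1001", "email": "a@example.com", "name": "A",
         "keep_for_accounting": True, "invoice": 12},
    ]


if __name__ == "__main__":
    ledger = DeletionLedger(retention_days=30)
    ledger.record("u-1001", date(2019, 9, 1))
    kept, dropped = scrub_restored_rows(sample_backup_rows(), ledger)
    print(f"kept {len(kept)} rows, dropped {dropped}")
    print(ledger.to_json())
```

The scrub step runs as part of the restore procedure, before the restored data is made available to any application code, which is the point the comments above rely on: data in a cold backup is not being processed until it is restored and purged.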


For GDPR it's sufficient to inform about the backups and when they are expected to be deleted. If you restore them you must have procedures in place to delete the requested data. I don't think this is any different.


I doubt this to be true honestly, because having user data worth selling already implies you have a certain size. The requests are reasonable and the dismissal with reference to difficulties startups might face is probably not applicable.

But if that is really a problem, just apply the requirements to companies with a minimum amount of users. Venture capital funded companies don't need to cut corners and shouldn't be allowed to when it comes to privacy.


>just like the FDAs procedures make it impossible to invent a new drug unless you're already an established, giant pharma company.

This is complete nonsense. The biotech industry is very large and vibrant and is most certainly not Big Pharma.


This law's implementation is bad for the same reason GDPR's implementation is bad: the people it's meant to target are easily capable of complying (and likely already do) and it's good for "the people" on paper, but disproportionately affects (hurts) small businesses that don't have the means to comply (or even know if they're properly complying to the extent of avoiding a lawsuit).


Most of these requirements are perfectly reasonable and I don’t see any that are technologically difficult to implement unless your underlying business model relies on selling user data without regard, in which case, good riddance.


I feel like the "GDPR doesn't affect you unless you sell data" line is the new version of "surveillance doesn't affect you unless you've got something to hide". Every time GDPR is mentioned in a HN thread you see dozens+ of comments asking for clarifications on how to "get around" GDPR issues for legitimate uses. The point is you don't have to be a bad guy to be affected by GDPR and need to spend time+money on not only complying (auditing and implementing systems), but also verifying you're actually compliant with an expert, and the smaller you are the more relative time you have to spend on this work yourself (instead of e.g. hiring lawyers+developers to just do it for you).


The GDPR requirements are not that hard to follow. Yes, it takes time to audit your tech stack and website, but small companies can certainly get it to work without paying thousands of dollars. Tools like this one (it was just $49) help you get started. https://appsumo.com/gdpr-tracker/


> - Consumers can opt out of their data being sold, and businesses can’t retaliate by changing the price or level of service.

If you're ad dependent, would this basically mean you have to give your service to this user for free after this?


No. It just means you need to make ads relevant to the content rather than to the individual user.


Good way to make sure all companies support scrubbing of evidence of crimes so wikileaks or government investigators can't get at the evidence.

Basically Hillary's private email server getting bleachbitted, but for everyone now. Makes running an organized crime gang, political corruption graft ring or Chinese espionage ring much easier. Same with banning facial recognition. Makes getting away with crime a lot easier than it would otherwise be. If you are a corrupt politician, this is really important stuff.


These laws may be targeted at companies that deal in advertising data relating to consumers, but the laws as written affect all of us.

Are these the right laws to regulate SaaS companies that build business software? Should a consumer be allowed to request that data about them be deleted if that data are records of legitimate business transactions? If you buy a car from a dealership, do you "own" the data in their systems about your transaction and should you be able to request its deletion?


There are a bunch of exceptions to the requirement to delete user data in the law (full text: https://leginfo.legislature.ca.gov/faces/billTextClient.xhtm...); the exception for data that is collected "to enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business" would probably apply in the cases you cite.


Agreed. It’s been tough for us as well. We don’t monetize customer data in any way yet these regulations add real cost for us. We’re in the business software SaaS world as well, so it’s not really even our data to delete. We end up having to have a 3-way ticket between the business, the customer and us (the SaaS provider) and explain how we are deleting data from their system.


> I totally understand that this will impact a lot of tech companies' profits...but that's to be expected if you're making money selling people's data to third parties without their permission.

Yes, it is also subsidizing what would normally be paid services. Before online advertising, people would pay for services like email. Sure, $5 / month is cheap for us, but what about the developing world and the lower class?


- Consumers can opt out of their data being sold, and businesses can’t retaliate by changing the price or level of service.

If the price of the service is based on the ability to sell data, how is it reasonable to disallow the business from changing the price of the service for those who opt out?

Also, how can you reconcile this with being allowed to offer financial incentives for being allowed to collect it?


If you favor an idea that a private company should be compelled to provide a service for free, even if you don't share your data, would you also agree to the idea that a private company should be compelled to respect freedom of speech on their platform even if they don't benefit from it?


It's pretty presumptuous of people to assume that when they visit a website that it's just "their" data. The website receives the user, just as much as the user comes to the website. The data of visiting a website belongs to both the company and the user. To simply assume that it entirely belongs to the user is just wrong.


Every state will end up having a different law like this, and it will be terrible adhering to each one.


Yeah this is a really good point and with 50 states that's a lot of things to keep track of. Let's hope it isn't able to be broken down like sales tax.

Remember last year when there was a big hoopla about that Massachusetts court case that hinted that any online vendor would now be responsible for collecting and reporting on sales tax for purchases coming from any US state (even if you as the business owner didn't have a business location there)? Basically changing the requirement of the buyer to report sales tax for out-of-state purchases onto the business. The only problem is there are 9,998 different tax jurisdictions (as of 5 years ago)[1] spread across 50 states.

[1]: https://taxfoundation.org/state-sales-tax-jurisdictions-appr...


You're on a web site chock-full of people whose income or dreams of wealth depends on unfettered surveillance capitalism.

“It is difficult to get a man to understand something, when his salary depends on his not understanding it.”


Lots of (mis)information floating around regarding CCPA. I recommend taking the time to read the actual text[1]. The text is not particularly long or dense. There has been a lot of speculation about complex compliance procedures, but the main thrust of the bill is to provide users with information about how their data is collected, who it is shared with, and the rights to prevent certain types of selling or sharing of said data. The leginfo site also includes non-partisan analysis (under the "Bill Analysis" tab) of the bill and amendments as it moves through the legislature, which is useful for getting an understanding of how specific issues are being considered and addressed. Something to consider is that bills change substantially through the amendment process, so often critiques you read are based off old versions of the text that have already been addressed.

[1] https://leginfo.legislature.ca.gov/faces/billTextClient.xhtm...


The main problem is that the bill is rushed and the legal bits have a lot of ambiguity.

source: CCPA and its potential compliance has been a big PITA


No argument there; just pointing out that many of the common complaints around ambiguity are explicitly addressed in the text of the bill already.


They're really not - the definition of using California household vs. resident creates a huge unenforceable gray area for compliance.


Agree to disagree on this example I guess. "household" is referred to in the bill when defining re-identification, and this is an important improvement over the language in GDPR, especially when it comes to geolocation data, which is often sold at the household level (i.e. Experian sells household-level market segmentation profiles that tell you a lot about a person's behavior without directly linking to an individual).

The only other place households are referred to is in the section defining which companies the rules apply to, which is also pretty straightforward in a plain reading. If a company's number of consumers, households, or devices exceeds 50k, they qualify.

> (B) Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.


It's not rushed. It's agile!


> (4) Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.

Well, thanks for the link. For example, informing people that a user is located in a dormitory in The Netherlands sounds like free speech to me. So is location tracking information exempt from deletion?


Location data is explicitly called out as sensitive personal information in the text of the bill, so it's definitely not exempt as a category of data.

> (e) Many businesses collect personal information from California consumers. They may know where a consumer lives and how many children a consumer has, how fast a consumer drives, a consumer’s personality, sleep habits, biometric and health information, financial information, precise geolocation information, and social networks, to name a few categories.

As to how this will interact with free speech - in this case, speech of the company - is a bit of an open question. One of the assumptions of the bill though is that selling telemetry data about a consumer is not a form of protected speech, and that adding some restrictions to this practice is reasonable.


For a law to cover the set of data which is not necessary to exercise free speech would infringe on free speech, because the set and its complement are not disconnected sets. So either the company has to stay on the safe side, and delete information necessary for it to exercise free speech, or miss the other way and be subject to penalties.

The example I gave, by the way, is a real one: https://news.ycombinator.com/item?id=8418885


Yep. This law is nothing like the draconian extremes of GDPR. One can even say it's good because it weeds out the really shady businesses but allows the ad ecosystem to work.


We need to have a conversation about jurisdictions in the digital age. The way governments have decided that having a website accessible in a country makes you liable to respect the law of this country is a convoluted and hacky notion that has been accepted way too fast.

The physical establishment rule was the only sound approach. The fact that some countries started to lose shouldn't have allowed them to rewrite the rules (especially in such a hacky manner).

Can you imagine owning a grocery store and having to ask every customer their nationality to check which law you must follow to do business with them? Then multiply this hell by 10 and soon 1000 considering new laws created left and right and you have the environment these dishonest politicians have created.


> We need to have a conversation about jurisdictions in the digital age. The way governments have decided that having a website accessible in a country makes you liable to respect the law of this country is a convoluted and hacky notion that has been accepted way too fast.

You know if you turn that around and say "How come we have to respect the laws of every country we do business in?" it sounds a lot more self serving.

Nobody said your website had to serve Californians. Nobody said your iPhone game has to be accessible in North Korea. Nobody said your movie has to be viewable in China.

If you're intending to serve any product to an entire planet composed of nations, states, societies all pulling from different experiences, different cultural attitudes, I think expecting a completely friction-free experience in doing so is more than a little unreasonable.

And more to the point that this particular discussion is about, these are principles that pretty much every society could reasonably get behind. Sorry that means mining data isn't a solid business model anymore, but I'm also not even remotely sorry. Adtech should die. It's a blight on our society.


> Nobody said your movie has to be viewable in China.

You will of course forgive me if I do not find economic favoritism that benefits politically connected industrialists, the restriction of freedom of thought by oppressive governments, and the general Balkanization of the Internet, to be things that we ought to celebrate.

Once upon a time the memes of Internet culture would suggest that "information wants to be free!" Oh, sweet halcyon days of yore!


> Once upon a time the memes of Internet culture would suggest that "information wants to be free!" Oh, sweet halcyon days of yore!

Turns out it’s not free — it’s actually very valuable, and the cost is borne by society writ large.


Information does want to be libre.

Information is not gratis.


> Once upon a time the memes of Internet culture would suggest that "information wants to be free!" Oh, sweet halcyon days of yore!

Agreed. But martech pretty much killed that dead.


All of these arguments apply to national sovereignty in general. When different countries can have different laws, it does indeed mean that France can have tax laws favoring French companies, a US company might have a harder time setting up shop in Germany, and North Korea can oppress its people with impunity.


This. Imagine if you said the same thing with taxes. "Gee, why do I have to pay taxes differently in every country?" Well, because that's what you have to do if you want to do business there. You're not forced to do anything in here if you don't want to; if the opportunity is worthy, others will take your place.

Same with the laws, especially those that remove agency from the users.


But you don't.

If I am from South Africa and I buy a US product from a smaller website I don't pay South African sales taxes. If I buy from Amazon I would because they have offices or a physical presence.

When you buy a product from a website hosted/incorporated in a different country you are literally going into another country and buying a product under their laws. Your local taxes (national/state-wide/city-wide) shouldn't matter and don't.

The same should apply for eu privacy law.


If this is your experience buying things internationally from smaller websites, that surprises me greatly. When I purchase items from US retailers in European countries, before the item arrives, I get a little slip to pay the duties on the item. If I don’t pay, the item doesn’t arrive.


Duty is imposed at the country level. In my country things we make have additional duty but products we don't are not.

I would assume importing milk might trigger 50% duty but receiving a DNA kit from 23andMe wouldn't.


No, you and the sellers are just committing tax fraud at a small enough level that nobody cares:

https://www.sars.gov.za/ClientSegments/Customs-Excise/Duties...

Amazon is too large to get away with that and hence charges you sales tax. The "small shops" can get away with it, but it is still illegal.


My experience has been that I need to pay VAT, as well as any specific duties for the category of item I’m bringing in. This can be a lot, as VAT is currently 20%. I’m okay with it though. Any item I buy locally has VAT, and I think it’s unfair if you don’t charge that on imports. It’s the beauty of a VAT that it won’t hurt production if you’re reselling the goods anyway.


That's unfortunately not the case. You might be abstracted from all the things Amazon or a small website should do in order to get you your stuff where you are. That's why there are Incoterms in order to agree who pays what.

Take for instance the issue with tariffs and China: if you were right, someone might say "Ha, I'll buy it on Amazon/AliBaba and I'll go around your unfair tariffs". If only!


You don’t pay US sales tax, though. You should probably be paying South Africa sales tax? You would have to if importing into the U.K. at least


But the point is, it's not the US company's responsibility to deduct your country's sales tax for them. Some companies do as a courtesy to their customers, but they're not required to do so. It's your responsibility when importing the item into your country to pay your local sales tax. The US company can treat you like any other local customer.


I've no idea how it works in SA but if I buy anything outside my market, I'll be paying customs for importing it. So yes, my local taxes still matter.


> The same should apply for eu privacy law.

Isn't there kind of an opt-out? Whenever I use a US VPN to read some non-GDPR-compliant website blocking EU users, I can hardly expect that law to protect me.

Thing is, whatever is necessary to "literally go into another country" cannot be easily and automatically done for everyone and thus effectively allow companies to circumvent the law.


The tax problem could be solved by requiring a shipping manifest, including declared value, and applying taxes at the shipping carrier level. This would make more sense anyway since the delivery carriers have to establish a physical presence.


My machine tooling comes in little padded envelopes with standardized shipping labels that have the customs declaration info. They all say "phone accessories".

If the origin country is not willing to track it back to the source and do enforcement for you and you don't want to categorically block or have invasive monitoring everything from that country then it's a fool's errand. The same goes for websites.


It's absurdly easy to get around these laws. For example: I had a motherboard shipped from China a few months ago. The shipper lied on manifest and claimed he was sending the motherboard back to me after repairing it. Neither the US government nor China got any duties or taxes on that shipment.

Lying on manifests also lets people import quasi-legal things such as cell phone jammers. The manifest will usually say something like "laser pointer" or "wifi repeater".


As a user, I want to be able to access any website online without providing them my location data (even approximate).

As a user, I want to be able to pay or donate to a company or individual without providing them my identity or location data. This is already an extremely hard thing to do because of tax laws like VAT. Please don't make it harder for me.

As an activist, I want everyone to use technology that by-default masks their physical location from websites they access. I want them to feel free not to provide their physical location to anyone online, including businesses like Facebook.

As an activist, I want the majority of popular online payment systems to avoid revealing a buyer's physical location by default, and I want users to feel free to not provide their physical location when paying for a digital product or giving money to another individual. This is already a (nearly) impossible goal because of the sheer amount of tax and money-laundering laws that need to be addressed first. Please don't make it harder.

Laws that force websites to geo-lock based on consumer location are going to be (in the long run) bad for privacy and bad for the open Internet. I don't care about what businesses do or don't want, but the strategies we use to take down advertisers and data-hungry corporations matter.

My less-charitable reading of this situation is that people are generally fine with using user-location as an indicator of jurisdiction because the laws working on that principle are primarily pro-privacy right now. If these laws were being passed in other areas, I wonder if people would be more nervous about the precedent they set.


You are dead wrong.

A completely friction free experience is exactly what you should expect.

Every political obstacle we create for data traveling through wires undermines the entire point of having an internet, and cedes more power to legislating bodies who are clueless about technology.

An individual should be empowered to serve data to another individual anywhere in the globe without barriers, period. If people can’t get behind that idea, then just get the fuck out of the way.


Isn’t this just anarchism?


In the same sense as "Lawrence v. Texas" is anarchism of the bedroom. "If it is between two parties why is it anyone else's business?" as the default assumption instead of coversheet-on-your-TPS-report regulations as default.


The problem is that both views are essentially correct. The business is located in one country, but the customers can be in any country, and customers are not really entering another country and the businesses are kind of, but not really, doing business "in" another country, to the extent that they know what country they're doing business in at all. We're still at that stage in computing of using physical analogies to reason about how things "should be" even though those metaphors don't really work anymore.


The issue is that with the internet, the default option is “available everywhere” whereas basically any other commercial thing is only available in a physical location, because that’s where the good is being sold/ the service is being offered. The main thing similar to tech is media, but even if someone in a country where some media content is banned is caught consuming that media, the consumer is punished rather than the producer.

I am actually in favor of privacy regulations. But there are two major issues that most people don’t understand:

- Compliance is not easy if you do anything much more complicated than serve a static website. Basically anything business related will have PII. And you can introduce PII accidentally with things like logging, putting it in places it shouldn’t be

- Because the internet is open by default you need to comply with basically every single regulation on the planet, and the burden is fully on you to know how and why you comply with those regulations. (Some places will just firewall you, which in many ways is better, but others just want to make money off you)
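The first bullet above, PII creeping into logs, is the failure mode where a compliance story most often breaks in practice: a deletion request is honoured in the database while the e-mail address lives on in six months of application logs. One mitigation is to scrub before the record is ever written. The following is an added example, not code from the commenter or from any project mentioned on the page; it assumes the application uses Python's standard `logging` module, and the e-mail and card-number patterns, the logger name `app`, and the log messages in `demo()` are all constructed for illustration.

```python
"""Redact obvious PII before log records reach storage.

Added example, not from the thread. Assumes the standard `logging` module.
The two patterns (e-mail addresses and 13-16 digit card-like numbers) are
illustrative; a real deployment extends them to its own PII classes.
"""
import logging
import re

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Digit run of 13 to 16 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")


def redact(text: str) -> str:
    """Replace e-mail addresses and card-like numbers with fixed placeholders."""
    text = EMAIL_RE.sub("<email>", text)
    return CARD_RE.sub("<card>", text)


class RedactingFilter(logging.Filter):
    """Render the message once, scrub it, then drop args so no raw value
    survives for a later formatter to re-insert."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


class ListHandler(logging.Handler):
    """Collects formatted lines in memory; stands in for a file/syslog handler."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def build_logger(name: str = "app"):
    """Logger whose only handler redacts every record before formatting it."""
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter())  # handler filters run before emit()
    logger.addHandler(handler)
    return logger, handler


def demo() -> list:
    """Emit a few constructed events that resemble accidental PII leakage and
    return the lines as they would have been written to storage."""
    logger, handler = build_logger()
    logger.info("signup ok for %s", "alice@example.com")
    logger.warning("payment declined card=%s amount=%d", "4111 1111 1111 1111", 42)
    logger.info("request id=%s path=/health", "req-7")
    return handler.lines


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Attaching the filter to the handler rather than to the logger matters: logger-level filters do not apply to records that arrive through child loggers, while a handler filters everything it writes. Pattern-based redaction is a safety net, not a substitute for not logging the field in the first place; the check that belongs alongside it is a test that greps a sample of production log output for the same patterns and fails the build if anything matches.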


> The issue is that with the internet, the default option is “available everywhere”

This is very often not true. A generic website will be visible everywhere, but new online stores will typically sell domestically only by default and may expand later. Even tech giants like Google will roll out services to US customers first, like when they launched the Play Store. Amazon in Australia is nearly unheard of, not ubiquitous like they seem to be in the US. It took Netflix a decade to start here.

The internet is not as universal as you think.


> If you're intending to serve any product to an entire planet composed of nations, states, societies all pulling from different experiences, different cultural attitudes, I think expecting a completely friction-free experience in doing so is more than a little unreasonable.

Is it so unreasonable? Given that the Internet essentially solves the problem of technically doing this, perhaps it is in fact the laws which are unreasonable.

Your statement isn't so different from saying "it's unreasonable to expect to be able to have a nearly-instant audio conversation with virtually anyone on the planet for very little cost." I would give the same response: that no, that's really not that unreasonable given that the technical problems are essentially solved, and if there are laws preventing that, perhaps the laws are unreasonable.


The GDPR doesn’t apply to European IPs, it applies to Europeans. It would be like a French guy showing up at the grocery store you run and now you have to obey EU regulations or be subject to massive fines. Also, half of the grocery stores in the US now flat out refuse to do business with the French, or any American expatriates. The other half make people with French accents fill out a disclaimer form before they can enter, which is also somehow against EU regulations in some cases... but it’s mostly OK for now, because the law weirdly seems to only be enforced against large US multinational food chain suppliers who were able to out-compete local French companies. To top it off, everyone thinks this was such a success that they are racing to pile on, with California leading the charge.


This happens with brick-and-mortar banks already. They will ask "Are you an American citizen?" and then follow up with "Sorry FATCA is too complicated, can't serve you".


Not everyone has data mining and adtech as a business model. Why should people running legit online businesses that do not involve mining data be punished for unscrupulous actors in the adtech biz?


How do you suggest solving the adtech situation without regulating all businesses?


Not really sure how - just posing that as an ideal for not punishing those who do not have that business model.

I suppose the regulation could be on the subsequent sharing/sale of user data upon capturing it, rather than the initial data collection?


We need a principle-based approach, sound societies can only be built with sound principles.

If I have interesting ideas, I could write a book and sell it in every country of the world. Then this product would be taxed and would need to respect the publication-related laws of that country. On the other hand, if someone reads my book and then travels across the country to hold free seminars to teach my ideas to the masses, it is not reasonable to try to tax this value transfer, but this is exactly what governments have decided to do.

You see: values vs principles. We can have values but we need to articulate sound principles to give life to these values. What you describe are values.

And what I contend is that we already had sound principles, principles developed across decades and even centuries. The physical establishment rule is the only sound and workable principle.

What we have now is a mess encouraging anti-democratic dynamics (centralization, fingerprinting, and ironically data collection since you need to know more about consumers to know how to apply the laws), in addition preventing innovation and making business difficult.

All of this while for every non-taxed value under traditional principles, a taxable value is actually created... but for some reason nobody is interested in investigating this correlation... for example, the person holding seminars pays a tax on the room he rents for the seminar. But governments prefer to go hard on their propaganda.

If a country wants to tax the books royalty, it should focus on upping its game to attract intellectuals instead of hacking together unsustainable notions to tax "learning".

Similar things could be said for advertising companies. When an advertiser advertises in a country, it is by definition to sell a product that most of the time will be taxed in the country (and even if it isn't, this value transfer will at the 2nd or 3rd degree lead to an activity that can be taxed).

This is why principles based on physical presence and not abstract fictions are not only sufficient and sound but they are also fair. The same is true for privacy; those are, after all, transactions of their own kind. If you want to regulate data, make sure people use services based in your country by creating the proper environment instead of hacking together extraterritorial laws based on wacky principles.

Just compare these new frameworks with the readability of the physical establishment principles, which have been able to accommodate even the most complex business models for centuries.

Principles should be a foundation, not something you throw out of the window as soon as you start losing to avoid confronting your difficult challenges at the cost of creating an international mess. Digital is not complex, and does not require complex regulations. Trying not to adapt to the world and not to confront your true problems is the only thing that is complex.


> The physica[l] establishment rule is the only sound and workable principle.

I don't think you can state this as fact without some justification. I think it's very debatable, and, frankly, I disagree. The physical establishment rule was borne out of practical enforcement considerations, not out of any principled approach.


This is manifestly bullshit. When I as an engineer build a physical product, I have to take care that it fulfills the legal and normative requirements of every place I plan to sell it. The product of a software company is said software. The "storefront" is their website. When I cater to a global audience, I have to make sure I fulfill all requirements. Period. No matter what I sell.

Now, there are ways around it. Either agree on a supernational legal frame, for example a car which is certified in one EU country is deemed certified everywhere (something Tesla used to great effect), or have one reliable entity for certification (like the FAA was in aerospace, which is most likely bound to change).

But putting the onus on the customer to find the legalities in the origin country of the software/website provider is not the solution. Especially for large providers. Just an example question: Where is the website "legally" located? The company's HQ? The local office? The office of the developers? The main database? The CDN-Server for your location?

edit:formatting/typos


Why do you have to respect national norms? Because there will be health and safety implications within their country.

In the case of visiting a website, the customer is the one visiting you; there is no good rationale to put the burden on the business. It is much more sound and natural to either put it on the consumer (a business may be visited by nationals from hundreds of jurisdictions, while a consumer will only visit 1 or 2 businesses).

You can also decide that the laws of the country in which the business is based apply.

You make it sound more difficult than it actually is, every website selling software products already mentions the address of the owner, at the very least to define a party for the contract / terms of service.


It's a myth that the internet is about "information" that has no power to do any harm. Anything that can be beneficial must, by definition, have the power to change whatever you consider reality, and that power can almost always have negative consequences as well as positive ones.

Here, we're talking data and privacy, and it's a commonly accepted fact that the disclosure of personal data can be harmful. Countries want to protect their citizens from such harms. Hence regulation.

> , there is no good rationale to put the burden on the business. It is much more sound and natural to either put it on the consumer, a business may be visited by nationals from hundreds of jurisdictions, while a consumer will only visit 1 or 2 businesses

This seems, completely and obviously, to be the opposite of reality as I experience it, as both a consumer and startup founder. Businesses have repeated transactions of similar types and products. Since there are fewer businesses than consumers, they also have more resources, and locating any burdens of transactions that occur once per country is vastly more efficient.

A company like Facebook has a theoretical upper limit of a little less than 200 jurisdictions to consider, using billions in revenue. Their customers would have to do the same, only they number in the billions, and have few resources or structures for sharing this burden (except, of course, their governments).

> while a consumer will only visit 1 or 2 businesses.

I'm pretty sure I interact with dozens of businesses every day.


I think a good metaphor to think about this is how a book store in New York will be visited by people from hundreds of countries, where some of the products they sell there are illegal in some countries because of obscenity laws.

If the EU made a law that made the NYC bookstore liable in the EU for selling "obscene" books to Europeans, and then arrested the unaware bookstore owner on a vacation to France, is that really right?

That is a big issue with the GDPR in general.


> Can you imagine owning a grocery store and having to ask every customer their nationality to check which law you must follow to do business with them

Can you imagine a grocery chain who wants to profit from potential customers all over the world but doesn't want to obey local laws in the jurisdictions it operates in?

If people don't want to serve people outside their jurisdiction, do an IP lookup as some US outlets chose to do.

Hacky US start-ups don't get to dictate the rules of the game to the world.


It's more like an international customer calling a US business on the telephone and placing an order. That's not 'serving outside their jurisdiction'.


Yeah, and you know what, if I called Walmart and tried to buy half the groceries they sell to then resell to UK customers, I’d probably end up paying massive fines or even in prison. I can’t source products that don’t comply with the law, even if they are legal where I bought them. I can probably get away with it for personal use, but there isn’t free movement of goods like that.


I mean... An international customer can call a US business to place an order, that doesn't mean the US business needs to follow through with or accept this order. Lots of US small businesses I know about don't serve international markets in the hobbyist circles I come from, even though they most definitely have demand there.


> If people don't want to serve people outside their jurisdiction, do an IP lookup as some US outlets chose to do.

Are you sure the comment you've just made complies with the laws of all 200 countries in the world?


My favorite example is:

If a purchaser from state X calls a supplier from state Y and asks to buy something, which laws do I follow?

* The purchaser follows laws from state X

* The supplier from state Y follows laws from state Y

* We then pay any duties to ship from state Y to state X

This is the way things have been done, since, well... forever. No one thinks it's weird if this kind of business is conducted in person or over the phone.

Now, with the internet - it's believed that the supplier must now take on the burden of knowing the laws for the purchaser - that's kind of strange.

The supplier is not operating in country X, so it probably won't be punished by country X.

Anyway, as a developer and maintainer doing a fair amount of cross-border trade, I host my servers in one location, the state in which I operate. Good luck punishing me.

The reality is that my only burden is the state in which I operate, otherwise we're interfering with the sovereignty of the state in which I reside... don't think they'll like that. Good luck challenging that one.


You can't have two partners in a transaction following different sets of laws. That's why contracts routinely specify a jurisdiction. Otherwise you couldn't even agree on a court to hear your case.

In B2B transactions, there are often international standards. Even where the supplier's location is set to be the relevant jurisdiction, this only follows from the assumption that a purchaser of industrial goods tends to have the experience to navigate foreign law. This cannot be assumed for consumers.


> The reality is that my only burden is the state in which I operate, otherwise we're interfering with the sovereignty of the state in which I reside... don't think they'll like that. Good luck challenging that one.

I mean, that's exactly what's going on. You can choose to follow State Y's laws when serving customers in State Y, or you can choose to not serve customers in State Y. But if you choose to not follow State Y's laws while serving customers in State Y, then State Y can use whatever leverage they can get their hands on to keep you out of State Y. That's State Y flexing their own sovereignty when it comes to protecting their citizens, which is the flipside of your argument about your state protecting you.


I'd suggest that in your example, the purchaser isn't having all details about himself being recorded and monetized by the supplier, just simply for contacting the supplier: no agreements of trade have been entered into, but even if they had, there's little cause for selling the information to other 3rd parties.

Surely the purchaser has some rights to sovereignty?


> Can you imagine owning a grocery store and having to ask every customer their nationality to check which law you must follow to do business with them?

That's a bad metaphor. If you open a grocery store in one country you follow the relevant law of said country. If you extend your business to another country, the new store has to follow the law of the other country.

The problem with physical establishment is that it could create a 'race to the bottom', similar to tax laws. With non-tangible elements like privacy, what stops big players like the USA from implementing weak privacy protections to get a competitive edge?


A natural consequence of your suggestion would be the legislative/EULA analogue of "tax inversion", whereby major companies would move "physical presence" (for some technical definition) to a legislatively lax state/country, and states would have a race to the bottom to attract companies (like with tax benefits).

While I understand your point about the impediments to unfettered interaction, this seems to me to be a fundamental problem with "globalized" interactions where the different parties to a transaction expect to be governed by different laws.

> Can you imagine owning a grocery store and having to ask every customer their nationality to check which law you must follow to do business with them?

It is, unfortunately, a little too easy to implement filters based on whitelists/blacklists at the DNS level, since those are largely organized geographically (proximity by packet travel time, and what not).


I heavily disagree that the physical establishment rule was the only sound approach. It's certainly a valid approach, but not the only sound approach.

The problem with the physical establishment rule is that it leaves the end user with no leverage to actually protect themselves or their data.

The EU and California taking a stance that you must obey their data handling rules in order to do business there is a direct result of the lack of a robust system between states and nations to give users the ability to control their own data when the company's physical establishment is in a different legal system. This approach is the most immediately practical one: I vote for the politician who is willing to enact laws that actually have teeth to regulate the use of my data.

The industry has certainly shown a lack of desire to put teeth into any sort of self-regulation. I worked in ad tech - that industry standard body (the IAB) pretended to care at best, and actively lobbied to erode privacy rights most of the time. Real privacy enforcement mechanisms that actually respected users only started to show up once the GDPR boogeyman showed up.

At the time when we were generally happy with the physical establishment rule, the set of problems we were dealing with was very different. We were more worried about individual freedom in terms of access to services and communications, not individual freedom in terms of safety from bad actors.


Not sure why you think this is so odd. This is how interstate commerce has worked in the US long before the Internet came around. Mail- and phone-order businesses were (and are) required to obey the laws of the state they're shipping to.

> The physical establishment rule was the only sound approach.

The only reason that rule exists is because enforcement was much more difficult when your target doesn't have a physical establishment within your own borders. If you can enforce it for foreign entities (via some kind of side leverage, like a trade treaty, threat of sanctions, etc.), then, at face value, you should: why should the law behave differently based on physical presence? You yourself point out that things are different in the Internet age; that includes the acknowledgement that commerce can now trivially cross borders without having to have satellite offices everywhere.


> Can you imagine owning a grocery store and having to ask every customer their nationality

For privacy matters it's easy though. The UN has declared that privacy is a human right for all humans in all countries.


The UN has no way to enforce anything. It comes down to individual countries in the end, and sometimes that's too general.


Sure, but the valley companies in the article (and their employees) wouldn't be afraid if they didn't routinely engage in human rights violations.


Agreed. A good rule of thumb is the law applicable is where your HQ is located. Or you have to come up with good reasons why US companies shouldn't comply with the Chinese gov but should with EU ones.


No company has to comply with laws of jurisdictions they're not based in. Unless they want to be allowed to conduct business there, that is.


Either jurisdictions will expand to include the entirety of the planet, or they will be abolished.


Just block your website from being accessed in any country where you aren’t sure you can comply with their laws.

A lot of sites are doing that for GDPR.


The GDPR only applies to websites / companies that either have offices / legal status in a European country or that specifically target / sell to Europeans (e.g. they place ads in Europe, ship merchandise to Europe, etc.). You don't need to block European countries if you have no business or interest there.


It also applies to sites not in the Union if their processing activities are related to "the monitoring of their behaviour as far as their behaviour takes place within the Union". (Article 3 section 2(b)).

Unlike the target/sell case, this doesn't seem to require intent to specifically deal with Europeans.

If you aren't sure that what you do doesn't count as monitoring behavior, then blocking can make sense.


The country can choose to block the website. Why should you have to do it?


So, out of curiosity, how would your alternative look? Anarcho-capitalism?


So the author would rather see each state/country implement its own laws so that a small startup needs to ensure they comply with hundreds of regulatory jurisdictions... awesome.


Each state can choose to be as restrictive as they like in their laws, and each startup can choose to invest in compliance on a wide scale or on a narrow scale as they'd like.

It'd be nice if this was unified but it ain't because:

1. Tech companies lobby like hell at a national level

2. The national government is sort of broken right now

so that's how the cookie crumbles. The fact that a number of companies have skirted local regulations and abused data usage so much is why this is happening, so don't blame the victims of this activity that want sane privacy laws - blame the bad actors that have forced this issue to need to be dealt with.


> Each state can choose to be as restrictive as they like in their laws, and each startup can choose to invest in compliance on a wide scale or in the narrow scale as they'd like.

There's a special hell that exists where one state mandates records must be held for at least seven years and another mandates deletion at five. When the two states border one another and you may not have home addresses, how do you determine how to comply for a given user?

You're absolutely right, in every way, that tech companies have brought this regulatory backlash on themselves. Yet, it might still be worth considering the potential costs.


Pass a federal law that allows any American to choose the state jurisdiction they want their account managed under at sign up. Corporations can choose to incorporate in Delaware without any real presence, consumers should be able to pick and choose jurisdictions as well.


I wonder if California could just permit cases to be filed in its courts regardless of residence or the locality of the disputed action, so long as the defendant has a presence there.


In the bill:

1798.145. (a) The obligations imposed on businesses by this title shall not restrict a business’s ability to: (1) Comply with federal, state, or local laws.

Now I wonder what sort of dance would occur if, in your example, both states' laws had such a clause.


Is this a hypo or a real example?


As far as I know it's a hypothetical, but it is very much the kind of thing that could happen. Regulations don't always align across political borders, which means there's the possibility of there being no way to comply with both.


This is what you call putting the cart before the horse.


I was just thinking of it as a good reason to encourage harmonization of regulation.


The gist of these laws is all the same. Just respect ALL users' data from the start, and you shouldn't have any difficulty with compliance.


Totally disagree. Compliance is not the same thing as following the spirit of the rules. Compliance is proving you followed the rules. Totally different. Also, you have to define what you mean by "respecting privacy". Something that I do on my website, like basic retargeting marketing for abandoned shopping carts, doesn't feel to me like an invasion of privacy. To you, it might. The rules have to be defined clearly.


If you don't collect any information that's not essential to delivering content and services, there shouldn't be any problem.

If you have a shopping cart, you must collect billing and shipping information. But you don't need to use it for any other purpose.


> If you don't collect any information that's not essential to delivering content and services, there shouldn't be any problem.

That's pretty ambiguous. For example, I'm pretty sure everything Google does that can be considered against privacy can be and is tied to the service they provide as features. The fact that they keep a history of everywhere you went can be used by users to recall the locations they've been to. That Google keeps one's contacts can be used in case you lose your phone and get a new one. That Google uploads your voice to their servers is to improve their speech recognition. All privacy violations can be made "essential" by tying them to a feature.


I don't use Google services at all, but Google still collects data about me. That's a serious problem.


That's really stretching the meaning of "essential to delivering content and services". If I search using Google, all I want is the results. If I have Gmail, all I want is an email account. Anything else is clearly extraneous.

Edit: And they can always offer more. With clear explanation of what information they'll need to retain. And users can either accept, or decline.


> If I search using Google, all I want is the results.

They also remember your searches to provide personalized results, and many people do like that.

> Anything else is clearly extraneous.

Isn't the point of a business to provide the best product or service they can (for the price they ask)? What's the point of a business that does the bare minimum? How are they supposed to compete?

In any case, the point is that it's not as clear cut to know what violates privacy and what doesn't. To tie it back to your original comment:

> The gist of these laws is all the same. Just respect ALL users' data from the start, and you shouldn't have any difficulty with compliance.

They aren't necessarily going to be the same. What does it mean to respect all users' data? There's no concrete consensus on what violating privacy consists of. Is saving searches for personalized results consistent across personal devices violating privacy? Some will say yes, others will say no.

Also, if you err on the side of caution and avoid providing features, you're going to lose edge. It seems to me that it's very important to a business's survival to know where the borderline is.

That's why I would agree with rdlecler1 that

> a small startup needs to ensure they comply with hundreds of regulatory jurisdictions

if they want to have a chance for survival and peace of mind that they aren't even technically guilty of anything in any one jurisdiction even if in their own eyes they did everything to respect their users' data.

The internet probably wouldn't have gotten as big if it weren't for the fact that it's largely lawless. If every geographical region makes their own regulations, only big world corporations will be able to comply.


By your rule, companies should not engage in A/B testing to figure out how to make their sites easier to use. Because that involves tracking users for a purpose that is not actually essential to delivering content and services.

Does this outcome make sense to you?

(Disclaimer, I have worked in adtech a little bit, but I have worked a lot more with A/B testing.)


I suspect that A/B testing is doable without collecting user information. Except for the OS, of course. But certainly nothing that's not in server logs.


Do you have an error log on your web server? Does that only collect data that is essential, or do you do something like log a referer or IP address or user id in hopes that it might be useful in debugging? Is there an access log? What happens if a user asks to delete their data? Do you go back and scrub all such logs? What about if you have a backend service that logs errors about what data it had problems accessing? Or an SQL server that logs bad queries?

It's not so straightforward as you make it seem.


I'm no expert. But typically, when installing web servers, I don't enable logging. I'm more familiar with the issue of logging by VPN services. And I've been assured, by someone who runs one, that logging isn't necessary. Everything can be done in real time, with any "logs" retained briefly in RAM.


I'm an expert. The correct answer is to not log any PII data. Logging obvious PII because it might be useful in some hypothetical future sounds like plain incompetence. If you really need to log PII, log it separately and set clear policies about how this data is stored, how it's replicated, who can access it. If you need to log some PII IDs in common logs, use some fuzzy hashing: good enough for logs, not good enough to restore the original PII.
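The "log PII separately, hash IDs in shared logs" advice above, as an added example that is not part of the thread (it also addresses the earlier question about referers, IPs and user ids ending up in error logs): a `logging.Filter` that replaces e-mail addresses and IPv4 addresses with short keyed-hash tokens before a line is written. The regexes, the token prefix and the key source are illustrative assumptions, not anything the commenter described.

```python
"""Keyed pseudonymization of PII in application logs.

Added example (not from the thread): a logging.Filter that replaces
e-mail addresses and IPv4 addresses in log messages with short
HMAC-SHA256 tokens before the line is written. Same value + same key
gives the same token, so events for one user can still be correlated
while debugging; without the key the raw value cannot be recovered.
The regexes, key source and token prefix are illustrative assumptions.
"""
import hashlib
import hmac
import io
import logging
import re
import secrets

# Deliberately simple patterns (constructed for this example); a real
# deployment would scope them to the fields that actually carry PII.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def pseudonymize(value: str, key: bytes, length: int = 12) -> str:
    """Truncated HMAC: stable for (value, key), infeasible to invert.

    The key must live outside the log pipeline (e.g. a secret store);
    rotating or destroying it severs the link between old tokens and
    real identities without rewriting the archived logs.
    """
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "pii_" + digest[:length]


class PIIScrubFilter(logging.Filter):
    """Rewrites each LogRecord's message in place before handlers see it."""

    def __init__(self, key: bytes) -> None:
        super().__init__()
        self._key = key

    def scrub(self, text: str) -> str:
        text = EMAIL_RE.sub(lambda m: pseudonymize(m.group(0), self._key), text)
        text = IPV4_RE.sub(lambda m: pseudonymize(m.group(0), self._key), text)
        return text

    def filter(self, record: logging.LogRecord) -> bool:
        # Render %-args first so PII hidden in args is scrubbed too,
        # then clear args so the record is not formatted a second time.
        record.msg = self.scrub(record.getMessage())
        record.args = ()
        return True


def scrub_lines(lines, key: bytes):
    """Feed lines through a logger fitted with the filter and return what
    the handler actually wrote, so the effect can be checked end to end."""
    buf = io.StringIO()
    logger = logging.getLogger("pii-scrub-demo-" + secrets.token_hex(4))
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(PIIScrubFilter(key))
    for line in lines:
        logger.info("%s", line)
    handler.flush()
    return buf.getvalue().splitlines()


if __name__ == "__main__":
    # Constructed sample log lines; 203.0.113.0/24 is a documentation range.
    sample = [
        "login ok user=alice@example.com ip=203.0.113.7",
        "login failed user=bob@example.com ip=203.0.113.7",
        "checkout started user=alice@example.com cart=3 items",
    ]
    for out in scrub_lines(sample, secrets.token_bytes(32)):
        print(out)
```

Because the token is keyed, the same client shows up as the same `pii_...` value across lines (so a login failure burst is still visible), while a log reader without the key cannot turn it back into the address.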


Thank you.

PII that you don't need can become like radioactive waste. If it gets subpoenaed, and it comes out that you retained and produced it, your reputation may be hosed. But if there's nothing to produce, no problem.

That's actually not quite correct. If you're required by law to retain that PII, you'll be hosed if you can't produce it. But then, maybe you should be doing business in a different jurisdiction.

I'm thinking of Private Internet Access. To my knowledge, logs have been subpoenaed in two US criminal cases. And they just said that they didn't retain logs. But then, VPN services aren't required to retain logs in the US.


The IRS may see that differently.


Good point, perhaps. I'm not familiar with reporting requirements for online sales in business returns. I did manage a small restaurant at one point, and I don't recall that we had to track customer identity.


> Something that I do on my website, like basic retargeting marketing for abandoned shopping carts doesn’t feel to me like an invasion of privacy.

It sure does to me. So much so that if it happened to me, I'd be sure to never buy from that site again.


I'm with you.

I was on a web site with several items in the shopping cart. I went to the bathroom on my way into another room of the house to get my phone to make a payment on my credit card so I could make the purchase. When I got to my phone I already had one of those abandoned cart remarketing e-mails from the company.

I went back to my computer and closed the browser tab. No sale, creeps.


And what's to stop you from selling that data about what was in my shopping cart to a third party? Would you be compelled to notify me, or ask for my permission? After all, I agreed to share that with you in exchange for the product in the shopping cart. But I didn't agree to anything else.

It's not for the operator of a website to decide what is an invasion of _my_ privacy. It's for the consumer to decide. And that's precisely why we can't rely on website administrators, or the "recipients" of data to determine whether something is private.

I'm one of those website administrators who wholeheartedly welcomes something like GDPR here, even though it would make my job harder. But hey, that's fine. Putting privacy back in the hands of consumers is the right thing to do.


This is not true, unless by "respect" you mean "do not collect any at all". I would argue that you could respect users' data without implementing data takeout, for instance. I would also argue that cookies not used for tracking do not need disclosure for users to be respected.

Anyway, the only companies that will end up being able to collect data at all are the very biggest ones. Everyone else will have to just fly under the radar or use some kind of SAAS solution to comply with the patchwork of regulation. Not sure that's really the desired outcome.


Many companies have to RADICALLY change their architectures just to support these laws. And often the costs will be enormous. How do you scan all the logs that might somehow have an association with the requesting user that are in cold storage, and alter data on write-only archived optical media? You have to make an entire copy of it with that data removed. It's not about just treating customers better. It's government dictating the technical architecture.


> Many companies have to RADICALLY change their architectures just to support these laws. And often the costs will be enormous.

Yep. And there's nothing wrong with that.

That they may suffer a large expense to correct years of misbehavior doesn't make me sympathetic to them.


>Many companies have to RADICALLY change their architectures just to support these laws. And often the costs will be enormous.

Bummer dude. As an engineer type, I say, bring it on. Hard for me to have much sympathy ZuckerBrin can't afford another island or whatever because they made unethical decisions in the past. And if companies blow up because of it: good, that's the idea. There needs to be consequences.


Facebook will be just fine and probably come out ahead. Same with Google. They have the money and resources to comply. These kinds of regulations that don't take reality into account when written are a godsend to large corps.


> Many companies have to RADICALLY change their architectures just to support these laws. And often the costs will be enormous.

Boohoo and cry me a river. Good riddance. Other companies who take care of customer data from the start will take over.

> It's government dictating the technical architecture.

No, the government doesn’t dictate technical architecture. The government dictates: be careful with personal data.


Just a shameless plug here -- we've been building a super developer friendly product to allow your application to comply w/ these laws with minimal (and sometimes NO code changes). You can email me directly mahmoud - @ - verygoodsecurity.com (https://verygoodsecurity.com/) and I can show you how it works.

Our idea is that complying w/ data security & privacy laws should be a devops shift + costs to keep up w/ them shouldn't stop us, as developers, from keeping us just as productive in our application development lifecycle.

We're still trying to figure out the right pricing structure for smaller companies, so if you have any insight there, I'm very interested to hear it.


> Many companies have to RADICALLY change their architectures just to support these laws. And often the costs will be enormous.

This harkens back to the GDPR hysteria. And that was a storm in a teacup: most companies that took compliance seriously were able to get to a good place with a medium amount of engineering work, and didn't suffer financially overmuch. A few companies did go out of business or suffer significantly--and most of those were sketchy, data-abusive entities. In other words, it worked.


Bullshit. "Respect users data" means different, incompatible things to different people and in different circumstances. You can't "respect" all of them at the same time.

Take the data deletion requirement. I know of many instances where users have permanently lost absolutely critical data because of that provision (already found in other privacy laws). When a user (accidentally) indicates they want you to delete their content, the provider has to permanently delete it within a reasonable timeframe, including purge from all backups.

Most users don't give a flying f'ck about all this privacy BS, but they care very much about what happened to their Master's thesis. They want a company who will be able to rescue them from their own mistakes. They want dependability. But they get "privacy" instead, and their accidental wishes that you purge all their stuff get obeyed.

Maybe you call that progress. But it really sucks when you purchase vague hypothetical benefit at the cost of real-world misery.


> "Respect users data" means different, incompatible things to different people and in different circumstances.

I admit it was vague phrasing. All I mean by respect peoples' data is to recognize that people should own their own data. You should get explicit permission before collecting it, using it, selling it, etc. At any time it should be just as easy to remove the data as it was for you to collect it.

As for any data deletion, I think it makes sense to have a strong warning any time a company has files that the user themselves have uploaded. Perhaps even listing filenames and folders to remind users what's there.


If there was an easily defined definition of "respecting users' data" then we wouldn't be in this situation. Plenty of people think putting a clause in the EULA that says user data can be monetized is being respectful of user data, but this is often prohibited by law. Plenty of people don't think having a tool to dump user data is necessary to respect user data.


> Plenty of people think putting a clause in the EULA that says user data can be monetized is being respectful of user data

Do they really believe that, though? I always thought they were just thinking it was just legal cover to allow them to do whatever they want with the data. Respect doesn't enter into it.


What's wrong with it? The End User License Agreement is the document explicitly dedicated to explaining how the interaction between the user and the software will work. If a company explains how the data will be used and the user consents to that agreement, what is the issue? I don't doubt that there are people that don't bother to read the EULA, but that's a leading-a-horse-to-water situation.


I didn't say that there was something wrong with it, I said that it doesn't count as being respectful of user data.

That said, almost all EULAs and privacy statements I've ever read have not been forthcoming about the use of data. They usually state, in broad terms, that they'll share unspecified user data with mysterious "partners" for nonspecific reasons.


The GDPR is pretty bad for under 5 engineer startups. They can be very privacy respecting small businesses that charge for their product, like sql training courseware[0], and wouldn't mind clearing what little personal data they had on you (user server logs, billing info, etc).

But being privacy respecting and properly complying with GDPR with audit log systems, etc. are 2 different things that require hiring 1 or 2 extra engineers or causing them to pause the company's roadmap as 1 or more people implement government bureaucracy infrastructure for half a year.

If they say it's easy and cheap, then they haven't actually tried to do it properly and are exposing themselves to multi-million dollar penalties.

[0] https://www.brentozar.com/archive/2017/12/gdpr-stopped-selli...


I've heard this line so many times, but there are vanishingly few examples of companies that really suffered for it ("just don't sell in Europe" implies, to me, that Europe wasn't valuable enough to you as a market to take the time engineering GDPR compliance--and that's just fine). The ones that did crash overwhelmingly seemed to be sketchy data brokers.


I think a bunch of them took the "if audited we will probably be screwed unless the enforcing body takes leniency on us" and just kept on going. It opens up everyone to another huge liability but that's business. DPOs only have so many staff to investigate complaints.


How is that different than, well -- anything? In the United States all 50 states can make their own laws; it's a fundamental part of our legal system.

As for every country making their own laws - well, yeah? That's what sovereignty is all about?


In cases where the Feds have decided there should be a uniform standard, states can’t make their own law. https://en.m.wikipedia.org/wiki/Federal_preemption


I don't think that works quite like you think it does. The Federal government generally does not restrict states from making stronger laws than the equivalent Federal law. Take the Federal minimum wage, for instance: they set one level, but states are free to set a higher minimum wage.

This case follows the same pattern: whatever meager privacy protections in place at the Federal level will continue to apply, but California law will take precedence in the case where it's stronger.

There are certainly exceptions, like how currently Trump and the EPA are attempting to disallow CA's higher vehicle emissions standards, but, again: exceptions. (In this case, the relevant law has specific language that makes the EPA the final authority on this sort of thing, and requires states to get waivers for going their own way. That's not a general, common thing, though.) And I expect that bit to be tied up in court for a while.


Actually, I think you're the one that's incorrect here. California can set a higher minimum wage because it's explicitly allowed to by 29 U.S. Code § 218.

https://www.law.cornell.edu/uscode/text/29/218

That's an exception that's written into the law, while federal preemption is the usual rule.


It depends on whether the federal government has decided to preempt or not.

In this case I don’t think there is a national privacy law that preempts CA, but companies are lobbying now for one to be created. I think it would be a good idea, a national sales tax and a national privacy law are a natural fit for the Internet age - needing to know different laws and regulations for 50 states is only going to hurt small businesses and startups.

FTA:

> Since the law passed, tech giants have pulled out their last card: pushing for an overarching federal bill.

> In doing so, the companies would be able to control their messaging through their extensive lobbying efforts, allowing them to push for a weaker statute that would nullify some of the provisions in California’s new privacy law.


Or, you could not start a business that requires you to capture every single facet of a person's life as a data point.


But you'll start a business which captures some data, and you're on the hook for proving that everything captured is necessary and compliant in hundreds of jurisdictions.


You could start a different business instead.


No, a federal law that's as good as or better than CCPA would be great. But they know that's not what will happen.


And that's how privacy compliance as a service was born.


I hate this, but you're right. Pointless regulations that lead to pointless jobs to oversee and sell compliance are such a net waste for society.


Unfortunately, you’re correct. Post GDPR I’ve been pitched many times by EU companies trying to be my representative for GDPR, so if that is any indication we’ll see a booming industry for that in the US as well...

Funny enough, the emails sent by these companies are not GDPR compliant and they’ve given me no indication as to how they gathered my info, nor do they give me an opt out.


I'm just going to ignore them all until my actual operating jurisdiction implements one; I'm not beholden to the laws of another country, let alone a specific state in it.


I’m not sure this is entirely true. Texas for example has some pretty big arms (long-arm statute) when conducting business in or with a resident or Texas business.

Maybe helpful - http://euro.ecom.cmu.edu/program/law/08-732/Jurisdiction/Lon...


I'm not even in their country, pretty sure I'm not going to get extradited for breaking the privacy laws of a jurisdiction in which I have no physical presence.


That's how it is with lots of things governed by laws though. Even murderers have to deal with a confusing patchwork of laws and penalties. "Do they have to prove premeditation in this state? Can the degree of the charge be changed at trial? Is there a death penalty?" It's getting so small-time murderers have to have a wall of law books just to do business!


"With great scale, comes great responsibility"


If your business is operating so close to the boundary of the law that you could be breaking it in some places but not others, then yeah, you should be worried.

If your business operates well above board and is not doing anything close to what might be the danger zone, then you should have nothing to worry about.

It's always the folks walking right next to the cliff complaining about how complicated their path needs to be.


Essentially, yes. And don't forget all the other ones from other countries as well.


You could also not track or store PII.


Yeah... CCPA and GDPR have proved that large enterprises will do just fine, because Amazon can always afford enough lawyers to handle regulatory overhead and confusion across territories.

The startups end up either (1) ignoring the laws or (2) giving up.

Good job EU, if making the FAANGs the only companies with the clout to hold customer data or break into new markets was your primary goal.


GDPR is not a difficult law to comply with for an EU company, unless you're adtech.


We've already had this discussion.

We've already seen non-adtech companies simply shut down EU access if they don't have enough revenue. That's probably not a good thing.

I support the GDPR, but complying with it is far from simple and the jurisprudence is not yet clear.


> That's probably not a good thing.

That's debatable. I imagine that many EU residents who are tired of having their data collected and sold by US companies consider this to be a very good thing.

It also means that an EU-based company can come along and fill the void left by the former incumbent that doesn't want to play ball, which is likely good for the EU's economy.

Maybe it's not good for the US company, or for the US economy, but the EU (in theory) exists to further the interests of EU citizens.

As a California resident, if the same happens with the CCPA, I will not shed a single tear.


> That's debatable. I imagine that many EU residents who are tired of having their data collected and sold by US companies consider this to be a very good thing.

Until that game you like simply shuts down in the EU. Or until that website you visit simply blocks all EU access.

Just because someone can't prove they comply with the GDPR doesn't automatically mean they aren't in compliance.

You've added a bunch of friction to the little guys in order to punish Google, who won't really notice. Maybe you agree with that, maybe you don't. But you have already made that trade whether you like it or not.


"We've already seen non-adtech companies simply shut down EU access if they don't have enough revenue. That's probably not a good thing." - Why not? I suspect we can live happily without them.


> That's probably not a good thing.

Why not? Serious question.


Our EU employees could not file expense reports for months, because our expense management software (FROSCH or something) could not figure out GDPR compliance.

Soooo I kinda suspect you're talking with absolutely no first-hand experience.


I’ve now been at three large multinational companies who have gone through GDPR process. It’s not easy or simple for an established company, but it’s not impossible.

Additionally:

- before GDPR most EU countries already had similar laws (e.g. data protection laws in Sweden). Sometimes for decades

- GDPR gave two years to become compliant

All in all everyone had two to twenty years to become compliant. Those who didn’t? I personally wouldn’t give two shits about them.

Your expense management software? Well, your company chose it. It looks like your company is responsible for making sure that the software you use is GDPR compliant. Someone at your company and at FROSCH screwed up and now you blame GDPR for the screw-up.


This is a terrible line of reasoning. GDPR came AFTER the expense software, so blaming the company for not thinking ahead about a non-existent regulation is ridiculous.


You had two years. Plenty of time to figure this out.

Also: is this your line of reasoning? It’s really weak. To take it to extremes: “we’re still using asbestos and lead pipes because the legislation was nonexistent when we started using them”.


Just don't do stupid privacy violating shit and you'll be fine anywhere.

Collect no information. Share no information. You are good - everywhere. And that really ought to be the default behaviour.


I'm not sure how ecommerce works without some information from the user, such as what they're trying to purchase, the quantity, a shipping address, and some form of payment, most likely a credit card.


... and if you plan to handle this type of highly sensitive data, you should be prepared to provide some basic levels of compliance, including appropriate auditing of sensitive data along with informed consent from users.


How are you supposed to do any business over the internet without collecting information?


That is what they said about GDPR...


And what is your problem complying with that if you collect no information nor share any information?


The main issue is proving compliance. Any website could, in theory, be recording information that counts as "personal data" under GDPR and CCPA without the user realizing it. What happens if a user doesn't believe you when you say you don't store or share anything? How do you prove to a regulator that you actually don't?


It’s jarring to see such headlines on TechCrunch. They fed the valley by giving every little news item a place and are one of the original hype masters for startups. They profit off the area by hosting the Disrupt conference as well, which is again a huge pat-each-other-on-the-back event. So for them to now turn around and post a headline like that is just somehow ugly to me. It’s absolutely their right, obviously.


Pet peeve: when editors/authors throw their opinions on the end of headlines. [and why it's a good thing / and why you should care / and why it's dangerous / etc]

Just give me the facts and let me decide on my own after reading the facts. I don't need your opinion up front.


Journalists think that bashing big tech because they are rich gives them views. I doubt there is evidence for that but journobloggers tend to be very herdish.


I'm pretty concerned about it, and we are a tiny political digital agency. My reading is that basically any small sized email list, website, service etc that 'receives for the business’ commercial purposes' data on more than 50k 'devices' or 'consumers' must be compliant which is a very low bar. Like small business email lists would hit this, though maybe burden falls onto Mailchimp for most.

It should be fairly easy to add a contact-us address for delete and info requests to the bottom of websites. It would be a lot harder, and would take development time, to automate a UI for a person to see all data associated with them automatically (e.g. lots of separate analytics; I would have to build an API to look up IP/device/user data matches across tables/DBs, and then how do I verify a user is requesting their data and not someone else's?). It's also harder to 'block' new data collection from a device/consumer after a delete request.

What I'm less sure about is 'inform consumers before the point of collection.'

Does a privacy policy link in footer count? If not what is required for compliance? What about advertising?

Another big concern for me is that this is going to be weaponized in my industry (politics). I think a political campaign won't fit the bill's definition of 'business' (profit seeking for shareholders), but I think it will still be weaponized by opposition campaigns and service providers.


Sounds like you need a Data Privacy Infrastructure provider so you don't have to worry about the implementation details. The startup I'm working at, https://transcend.io, offers that.


Does anyone know the real implications of the CCPA for things like Sift Science, Google's Recaptcha, and maybe even Cloudflare?

All of these are based on many companies contributing information about users to create profiles which curb abuse. And Sift/Google/etc. get commercial benefit from this data sharing, which might trigger the CCPA. But you can't give bad actors the ability to opt out of this kind of data sharing without crippling them.

I think these kinds of companies are really important to a functioning internet. I hope there are carve-outs of some sort, but it seems like they're living on the edge right now.


If Recaptcha gets the ax due to CCPA, the internet will be better off for it.


Do you have a proposed alternative way of preventing spam? Neural networks basically mean that any traditional captcha too hard for a bot is also too hard for a human.


There needs to be some way to identify non-humans and/or malicious actors.


Malicious actors? Yes. Non-humans? No. If my bot is playing by the same rules a human would, what do you care as a website operator?


How is this not a violation of the First Amendment? Does the First Amendment not extend as follows? (?)

As a citizen, don't I have the right to create a business and privately take notes on whatever I'd like to about my customers? If I run a dry cleaners and take notes about my customers, should I be obligated to disclose these notes, or even the existence of these notes, to my customers? I don't see why extending the dry cleaning business to a mobile app or website affects anything. What about journalists? Are they required to disclose what data they're collecting about people as they do their job?

I feel like the state-constitution-granted right to privacy does not supersede the federally mandated right to freedom of speech, covering both the right to take internal notes and documentation and the violation of one's speech rights by forcing this disclosure.

However, IANAL and I don't live in California. Could someone share some insights into the First Amendment side of this?


The bill has an explicit carve-out for free speech. So in some sense the bill is going "la la la I don't violate the first amendment," but ultimately it depends on what that clause means.


> As a citizen don't I have the right to create a business

Nope. That's not an express Constitutional limit imposed on states, and thus states' general police powers extend to regulating that behavior. (To the extent the proposed business engages in, or impacts, interstate commerce there is also federal regulatory power under the commerce clause, but the immediate issue is the broader state regulatory power.)


>I feel like the state constitution granted right to privacy does not supersede the federally mandated right to freedom of speech

Gonna have to stop you there.

The First Amendment doesn't mandate a right to free speech. It only prevents Congress from passing laws abridging that right.

There's nothing, Constitutionally speaking, preventing states from doing so.

Edit: nope, apparently I'm wrong on this one.


That's not the case. The Bill of Rights now does largely apply to the states.

https://en.wikipedia.org/wiki/Incorporation_of_the_Bill_of_R...


>There's nothing, Constitutionally speaking, preventing states from doing so.

https://en.wikipedia.org/wiki/Gitlow_v._New_York


IANAL, but I think a human needs to be involved in the individuals' processing as a prerequisite to "speech." An automated process has no Constitutional rights.


> An automated process has no Constitutional rights.

Yet.


Many comments here make the false dichotomy of paying for a service with money vs paying with your data. That ship has sailed. In the current market selling user data will win every time. Only laws can make sure that a company you pay for “premium service” or “no ads” won't turn around and sell your data anyway.


A significant part of the fear comes from how poorly worded it is.


Broad wording means companies have to be conservative (collect less data) and there are fewer loopholes. That's a win for the ordinary person.


Broad wording usually has a higher risk of being ambiguous, thus violating the vagueness doctrine. This is not a strictly better thing; all the effort invested in the law can be easily invalidated by 9 justices due to the poor wording.


Or, realistically, it means they will collect the same and wait for clarification. Since it's worded so poorly they won't be punished for it, or, going by past examples in California, the fine will be so small it was worth it.


The US has a common law system. What is not specified in the statute will be slowly clarified by the courts.


all each company has to do is click 'accept'


BINGO!!!

Hah!


In the same way that most browsers have implemented a standardised payment API, a generic, browser-level privacy-related GUI would be helpful. By that I mean something less repetitive than the multitude of consent screens people have to deal with (not to mention dark UX patterns in the existing solutions).


Yes, please!!


People keep comparing this to the GDPR. I have lived in the UK pre and post GDPR and in the US. I like the GDPR a lot. It isn’t just internet businesses either. Because it was such a crazy bogeyman, plenty of brick and mortar businesses have paid a bit more attention to their data security. I like being told what’s gonna happen with my PII, and having the right to control my data. Most people seem to like the effects of the GDPR in my (anecdotal) experience. Yeah, you have people using it as some bizarre bogeyman to stop you doing normal things, but it makes you think about it. From a business perspective, the ICO provides great advice to people and companies when they need it. It’s not as though what you need to do is a secret. You just need to do business in accordance with people’s rights.


What will these laws accomplish in real terms?

This just seems like poorly written legislation with the purpose of pandering to the populist public. I guess if it makes you all at least feel better.


Nothing, except soon there will be annoying legalese on every website form. Just like the GDPR. Large businesses will benefit at the expense of smaller ones. Lawyers will make more money selling these legalese templates, and sometimes when a big company doesn’t pay the right bean counter they’ll end up being investigated by regulators, and paying the state money to continue doing the same thing.

But it will be celebrated as a heroic victory because “privacy good. Business bad. I want a banana.”


The GDPR does a lot to protect user data. As someone that’s implemented stuff at a huge company for GDPR and at my startup, it was waaaay harder at the larger company. The ICO has been beyond helpful with the few questions I’ve had recently and implementation for my startup has been fairly straightforward.


“The GDPR does a lot to protect user data”

As you proceed to state absolutely nothing. Before GDPR my information was in a bunch of databases managed by other people. After GDPR my information is in the same databases managed by the same people. Except now they have legalese stating this totally fucking obvious fact.

Before GDPR if my information was hacked and used to hurt me, the business was not liable. After GDPR they still are not liable. Oh and if they violate the GDPR the state gets money, but the victims don’t. Such amazing protection of consumer data...


Dude, GDPR's effects just began. Give it time. A sudden enforcement of GDPR would destroy too many businesses and so it's being enforced gradually. Still, they are beginning to discuss completely outlawing real-time bidding in adtech because it is completely incompatible with the GDPR. That means destroying billions of dollars of businesses, so they go slow until there's enough political consensus to do so without fear of retaliatory lobbying. This is not something that is done overnight.


You know that GDPR is just a refinement of ideas that began over 20 years ago, right?

The EU really isn't engaged in a three decade campaign to destroy American companies.

Two nice timelines:

https://edps.europa.eu/data-protection/data-protection/legis...

https://iapp.org/resources/article/a-brief-history-of-the-ge...


Sure I do know, but these processes take time. And don't frame the EU as a singular entity; there are many interests involved.


> Since the law passed, tech giants have pulled out their last card: pushing for an overarching federal bill.

>In doing so, the companies would be able to control their messaging through their extensive lobbying efforts, allowing them to push for a weaker statute that would nullify some of the provisions in California’s new privacy law. In doing so, companies wouldn’t have to spend a ton on more resources to ensure their compliance with a variety of statutes in multiple states.

Is it really that much easier to control a federal vs. state legislator?

I wonder if the idea might actually be to prevent the likely future scenario in which 50+ different privacy regulations need compliance. Setting a national standard could prevent such an outcome.

Privacy advocates should favor the state-by-state solution, though. The more difficult it is to comply with regulations, the more expensive it becomes to collect the data in the first place.

As the cost of compliance increases, the alternative of simply not collecting the data in the first place becomes more attractive.

But that itself can lead to unintended consequences. It would mean that only the biggest companies could afford the regulatory burden of collecting the data. And these are the very companies that have received the most negative attention.

All of which makes me wonder whether at some point we could see a private data settlement along the lines of the tobacco settlement:

https://en.wikipedia.org/wiki/Tobacco_Master_Settlement_Agre...


This:

> The bill would authorize businesses to offer financial incentives for collection of personal information.

Means it's nothing like the GDPR. This might actually be a sane law. And it doesn't implement punitive fines if you get hacked. Nor does it bring about a massive cookie alert insanity.

The right to delete may work in Europe, but I think in the US it is going to clash with free speech laws. So it might not work at all.


This law is a step in the right direction, although in its current form it's toothless and uses disgustingly submissive language (e.g. the user may opt out, or the user needs to be informed about how their data is going to be abused). The final goal of such laws should be to poison user data, so that collecting and storing it would open all sorts of legal and criminal troubles and no company would want to touch user data with even a 10-foot pole. This will open more ethical business opportunities that currently can't compete with the data mining model. An analogy from the real world: if theft and robbery were legal, no other business model could exist. If you sell gas for 3 bucks a gallon and your neighbor sells it for a negative price, but sells user addresses to theft agencies, you'd be out of business long before everybody realises the true cost of that "free" gas.


I can't help but view it with disgust just at the headline of having the wrong kind of mentality. It is a spiteful logical fallacy of the worst kind. "Soviets terrified of plan to nuclear first strike whole world - good!" Just because even the vilest foe dislikes it doesn't mean it is a good idea.

The whole article seems to be about shutting down thinking and manipulation via playing with emotions.

I am probably an outlier but I view that as an active sign that is terrible because otherwise they would lead on better points. The article made me /less/ supportive of it. It is perhaps unduly harsh but I would call it an outright propaganda piece not because of the message but how it was delivered.


"Shutting down thinking." Reporting on transgressions and laws designed to hold parties accountable is designed to shut down thinking now, and how those who would be affected by it are literally trying to kill the bill is considered "shutting down thinking." This is literally what you just said.


You proved my point, ironically. It is all about "punishing the bad ones for their past sins" as opposed to the impact of the law going forward - the part to actually think about. Instead it goes straight to emotional, knee-jerk narratives of "they are bad and must be punished" instead of what the law is actually about. See the emotions come out, and the thinking on the topic, like "would it actually help with Cambridge Analytica 2.0", goes kaput.

It is an old trick narrative for pushing terrible "tough on crime" laws for advancement. If you point out that it isn't a well thought out idea you support bad people!


While I think CCPA is a step in the right direction from the status quo, which is basically a free-for-all, it's still a mediocre privacy law. GDPR remains the gold standard because it's opt-in, CCPA is opt-out.

The only reason it was even passed was because some guy was going to force the issue with a ballot initiative so lawmakers scrambled to do something. If not for that, California would be the last state to pass meaningful privacy regulation.


In short: laws against things that never should have been.

One can only hope they make sure it hits big actors more than any other ones, because they are what makes this kind of data collection dangerous for societies.


LMAO, Google should just make itself unavailable in California due to 'involuntary violation' of this law to see it repealed real quick. Those who complain can use bing.


Besides the tremendous onus laws like this may place on small startups and side projects:

Does anyone know how companies are supposed to comply if “user data” literally cannot be deleted? I’m thinking in the case of blockchain-type applications, where one user’s actions feed into another user’s actions, and you can’t delete user A’s actions without deleting potentially tons of other stuff and destroying the application.

Like does this law basically ban GitHub and code collaboration too?


For 1), you just don't commit data to the blockchain itself. You can commit an ID that points to external data and drop that external data if requested. This clearly looks like an anti-pattern, but putting personal data in an immutable data structure is an anti-pattern too, since that data doesn't belong to you.

What if a bank put the gold of their customers in a concrete pillar instead of a vault? Fuck the bank, I guess. I don't see why not.
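The "commit an ID, keep the data off-chain" pattern from the comment above, worked through as an added example (not the commenter's code): a plain hash chain stands in for the blockchain, and the class and function names (`PersonalDataStore`, `AppendOnlyLedger`, `is_linked`) are this example's own. The ledger holds only an opaque record ID and a salted commitment; the personal data and its salt live in a mutable store, so a deletion request can be honoured while the chain still verifies.

```python
import hashlib
import json
import secrets
import uuid

GENESIS = "0" * 64


def digest(obj, salt=""):
    # Stable serialisation so the same content always hashes the same way;
    # the salt (if any) is prepended before hashing.
    payload = salt + json.dumps(obj, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


class PersonalDataStore:
    """Mutable store holding the actual personal data and its salt."""

    def __init__(self):
        self._records = {}

    def put(self, record):
        # Per-record random salt: without it a low-entropy record (a name,
        # an e-mail address) could be recovered from the commitment by guessing.
        record_id = str(uuid.uuid4())
        self._records[record_id] = (secrets.token_hex(16), record)
        return record_id

    def get(self, record_id):
        return self._records.get(record_id)  # (salt, record) or None

    def erase(self, record_id):
        # Removing the salt together with the data is what leaves the
        # ledger's commitment unlinkable afterwards.
        return self._records.pop(record_id, None) is not None


class AppendOnlyLedger:
    """Hash-chained log that never holds personal data, only references."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _entry_hash(record_id, commit, prev):
        return digest({"record_id": record_id, "commitment": commit, "prev": prev})

    def append(self, record_id, commit):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"record_id": record_id, "commitment": commit,
                             "prev": prev,
                             "hash": self._entry_hash(record_id, commit, prev)})
        return self.entries[-1]["hash"]

    def verify_chain(self):
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or e["hash"] != self._entry_hash(
                    e["record_id"], e["commitment"], prev):
                return False
            prev = e["hash"]
        return True

    def find(self, record_id):
        return next((e for e in self.entries if e["record_id"] == record_id), None)


def is_linked(ledger, store, record_id):
    """True while the off-ledger record exists and matches its commitment."""
    entry, stored = ledger.find(record_id), store.get(record_id)
    if entry is None or stored is None:
        return False
    salt, record = stored
    return digest(record, salt) == entry["commitment"]


def demo():
    store, ledger = PersonalDataStore(), AppendOnlyLedger()
    # Constructed sample records, not real people.
    ids = [store.put(r) for r in (
        {"name": "Alice Example", "email": "alice@example.invalid"},
        {"name": "Bob Example", "email": "bob@example.invalid"})]
    for rid in ids:
        salt, record = store.get(rid)
        ledger.append(rid, digest(record, salt))
    results = {"linked_before": is_linked(ledger, store, ids[0]),
               "chain_valid_before": ledger.verify_chain()}
    store.erase(ids[0])  # the first user exercises the right to delete
    results["linked_after"] = is_linked(ledger, store, ids[0])
    results["other_user_still_linked"] = is_linked(ledger, store, ids[1])
    results["chain_valid_after"] = ledger.verify_chain()
    ledger.entries[0]["record_id"] = "forged"  # tampering is still detected
    results["chain_valid_tampered"] = ledger.verify_chain()
    return results


if __name__ == "__main__":
    print(demo())
```

Whether a leftover salted hash still counts as personal data is a legal question this example does not settle; the engineering point is that nothing recoverable about the person remains in the immutable structure once the store entry is gone.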


Again, the GitHub example is a good one. I have some commits in Django core from years ago. What if I “request” my data be deleted from GitHub? What are they supposed to do? If they rewrite the history it will destroy the project; and if anyone can rewrite the history in the future it leaves projects open to hostile actions.

I suppose the argument would have to be made that it’s not personal data; it’s an act of public publishing or something. So in this case it’s akin to me publishing a blog and other people quoting it years later. I can delete the original blog but not the reprints in newspapers or quotes.

Or that it stops becoming “your” data and becomes instead “the other user’s” once eg the Django project accepts the PR. So you can delete user A’s PR but not the Django project’s now-integrated copy. I think this rationale makes the most sense. After all, someone could still have the repository on their computer and push it back to GitHub again.

I realize this is an edge case that doesn’t apply to 99.9999% of companies, but as an engineer I find it interesting!

Edit: after thinking this through more, I suspect that e.g. GitHub could argue they comply as long as they delete User A’s repo. Subsequently integrated PRs, etc wouldn’t have to be deleted because they could argue they’re no longer User A’s.

I kinda feel like if language to allow this was added to the law explicitly it would be open to abuse, so I suppose this kind of thing has to remain vague and open to interpretation in e.g. the courts if someone is being nasty.


>Besides the onus laws like this may place on small startups and side projects:

Startups and side projects are a non-issue. They can just comply from the get go. It's the too small to afford compliance but too big to easily change their business model that are going to be hurt by this. However, that brings up the question as to whether those business models should be able to exist profitably in the first place.


What I’m saying is that there is more work for startups / side projects to do, not that it’s impossible. It raises the barrier.


Git does have a mechanism to remove data from history. It's ugly, and you end up with new commit hashes, but it works. It was designed for situations in which a developer accidentally adds something sensitive, like a production database snapshot, to source control.


Yeah, so you could do a rebase and remove all of the user’s commits, but their work would likely still remain in the subsequent history, integrated as changes in some way. It would be a real mess.


Users' contributions (their work) and users' personal information (their metadata) are separate in this case.

Cases where they are not separate (think digital signatures/signing keys) are a slightly more complicated question to answer.


Is this an opinion article or a legit journalism? The article clearly has a slant, but TechCrunch didn't classify it as Opinion.


The whole system is rotten to the core. Allowing companies to portray themselves in a positive light on privacy

> “The time to act is now,”

While pushing a federal law geared towards undermining privacy rights?

Doublespeak anyone?


Instead of complying with the law they are wasting time lobbying. If they don't comply on the 1st of Jan, what excuse are they going to have?


I wish I lived in California. I'd be requesting the deletion of my data ALL OVER the internet.


If the Environmental Protection Agency can hold a straight face while revoking California's ability to protect its own environment with higher standards, I'll hold off on getting excited about privacy laws until we see the FTC/FCC/etc.'s response.


I think everyone's data must belong to themselves.


Can someone who has actually READ this law summarize the main provisions from it?


Project Gutenberg currently blocks users from Europe to avoid having to comply with GDPR. Logically the next step would be to block users from California as well.


Anyone remember when TechCrunch actually took the side of "Silicon Valley"?


So many NYC-based journalists who love to spit all over "Silicon Valley".

Is there room for a TechCrunch-like publication with a more Silicon Valley-influenced editorial bent? (There's already a massive surplus of sneering Brooklyn-based scolds in "tech media".)


>Is there room for a TechCrunch-like publication with a more Silicon Valley-influenced editorial bent?

Are you actually asking for someone to purposefully preach to the choir? The function of journalism is to speak truth to power; do you think Facebook et al. need any further help? I think they actually paid the Telegraph for a series of agitprop articles, you might want to check those out.


"Are you actually asking for someone to purposefully preach to the choir?"

He's both rightfully pointing out that TechCrunch is preaching to one minority choir and asking for another publication to preach to a different choir. Ironically the publication he's asking for was TechCrunch before it was bought by AOL and ruined.



