[HN Gopher] 'Delete Act' seeks to give Californians more power t...
___________________________________________________________________
'Delete Act' seeks to give Californians more power to block data
tracking
Author : anigbrowl
Score : 198 points
Date : 2023-04-24 18:24 UTC (4 hours ago)
(HTM) web link (www.kqed.org)
(TXT) w3m dump (www.kqed.org)
| SoftTalker wrote:
| Why make this so difficult? Just ban personally targeted
| advertising. That's what everyone is really trying to achieve.
| Nobody really cares about any individual's personal data beyond
| using it to try to sell him something. Ban using it for
| advertising and it becomes worth less than the cost of collecting
| and storing it.
|
| Sites can just go back to content-based targeting for ads.
| unpopular42 wrote:
| I prefer relevant ads to random ads. Therefore no thanks, do
| not ban personally targeted advertising.
| digging wrote:
| Content-based ads _are_ relevant by definition.
|
| Alternatively, imagine this: you could opt-in to targeted ads
| if you really like them. (I find it hard to wrap my head
| around this as a person who avoids almost all ads, but you do
| you.)
| amelius wrote:
| Yes, and as a result people might consume a little less than
| they did before and that will help the climate as a nice side-
| effect.
|
| I guess we'll get a ban on personally targeted advertising when
| Chinese companies start buying data brokerage firms in the U.S.
| unpopular42 wrote:
| No, people won't consume less, as long as they have the same
| disposable income. Unless you mean that this will hurt the
| economy and people will become poorer. In that case yes, they
| will consume less, but not sure how it can be seen as a nice
| side effect.
| amelius wrote:
| I mean, you don't have to always buy something. You could
| save some money?
| wnevets wrote:
| > Why make this so difficult? Just ban personally targeted
| advertising.
|
| Probably because they think that would cost the economy
| billions of dollars overnight. Very few politicians would want
| that on their resume.
| sjfidsfkds wrote:
| Measurement of conversions (ie. did somebody make a purchase
| after clicking the ad) is even more economically significant
| than targeting, and this is where ad publishers are most
| afraid of losing revenue due to privacy rules. The popular
| commentary on this subject is pretty detached from the
| business. The grandparent commenter's "ban ad targeting"
| proposal manages to be both too extreme while also having
| little effect on data collection.
| falcolas wrote:
| > The popular commentary on this subject is pretty detached
| from the business.
|
| That's because personalized ads are hostile in the extreme
| and shouldn't have been allowed in the first place. It pits
| millions of dollars of psychological manipulation against
| our "self control".
|
| I'd rather the economy burn than continue this unethical
| practice.
| sjfidsfkds wrote:
| My point is that only a fraction of user data collection
| is done for the purpose of ad targeting. So whether or
| not ad targeting should be banned for ethical reasons,
| such a ban is not a replacement for regulations of user
| data collection like those proposed in the article we are
| discussing here.
| bluGill wrote:
| What is wrong with the conversion estimates they used in
| the days of broadcast TV and radio? Or even newspapers?
|
| For that matter conversion metrics are not useful because
| the real high-value purchases are not "see ad, buy thing". They
| are more of see many ads for SUV, when current car gets
| 'old' buy SUV. Many years of advertising are used in that
| targeting, and you cannot easily measure conversion.
| digging wrote:
| > and you cannot easily measure conversion
|
| Easily, no. But you can, at least in theory. With enough
| data, you can essentially tell if a customer has seen
| your ads, plus when and where (and not just your online
| ads - billboards and dealerships could be identified by
| using the customer's car to track their location). If
| they buy your car, and you see that they viewed your ads,
| maybe they even clicked one or otherwise browsed your
| site at some point, you can get some data from that. With
| enough aggregate data, you can begin to see correlations
| between certain ad viewing behavior and certain
| purchases.
|
| Do they actually do this? Probably not, due to
| incompetence. But they could and eventually will if they
| aren't already.
| advisedwang wrote:
| Privacy is about more than just targeted ads. That is just the
| most obvious application. Here are a handful of other practical
| privacy concerns:
|
| * Negative information about you floating free (mugshots
|   websites, revenge porn, news articles about past behaviour)
| * Health and other behavioural information (e.g. used by health,
|   life and auto insurance. These days your medical info might be
|   used to sue you in another state even!)
| * Privacy in semi-public places (ring cameras, uber dashcams)
| * Financial information being used against you (credit ratings
|   obviously, but also being deemed a fraud risk makes a lot of
|   transactions difficult)
| * Criminal history is commonly used in job applications.
|
| I'm not saying we need to go to one extreme - how would loans
| work without credit ratings, and CCTV definitely improves safety
| in some situations - but I just want to point out the range of
| issues at play. Most of these already have some kind of legal
| compromise.
|
| Also beyond practical concerns there is a principle at stake
| too. We fundamentally deserve some degree of privacy just for
| its own good.
| gumby wrote:
| > * Negative information about you floating free (mugshots
| websites...
|
| I know that is embarrassing and subject to abuse, but making
| all arrests public is an important human right. The British
| used secret arrests against the 1770s rebellion in north
| america (and not to mention long before then and pretty
| continually since) which is why it's important in American
| law, though the British are hardly the only ones to use this
| tactic. Even the USA has done so too, most notably in the
| early 2000s, though not within US territory as far as I know.
| bsder wrote:
| Can we please remember that things can be "public"
| _without_ being "online"?
|
| The big companies don't want you to think about this
| because they benefit from being able to hoover up
| everything with a couple of clicks. There's nothing wrong
| with having to show up in person at a courthouse to see
| arrest records.
|
| Making a human have to physically show up to make a request
| for a record does a nice job of adding just enough friction
| that you can't create these abusable repositories quite so
| easily.
| anonymousab wrote:
| If the state tried to prevent people from talking about
| officially public information, that seems like something
| that would be slapped down on first amendment grounds
| alone.
| 542458 wrote:
| Yeah, IIRC in New York arrest records are available and
| can be requested online... but there's a $50 fee per
| request, and you don't get mugshots. Enough availability
| to ensure the police can't hide arrests, but also enough
| barrier to discourage mass collection and abuse of the
| data.
| breck wrote:
| Go deeper. End copyright. If we had P2P publishing, the bad
| kind of advertising would largely go away.
| shagie wrote:
| California can't end copyright. Ending copyright as you have
| suggested elsewhere would take the US dropping out of several
| important world trade treaties and make it undesirable for
| any company, publisher, author, or artist that _does_ want
| copyright to be here.
|
| That aside, the current copyright approach does not prohibit
| P2P publishing (publish with a CC0 license and you're about
| as disclaimed of copyright as you can be).
|
| This would do nothing to change advertising.
| AnimalMuppet wrote:
| I'm not following the logic. What's the mechanism? How,
| specifically, do you see an end to copyright making
| advertising go away?
| rootusrootus wrote:
| Right along with this, how about we set up enforcement and require
| all data brokers to register with the gov't and give them API
| access for enforcement queries. Then the gov't can have a page
| that lets citizens find out which data brokers have information
| about them. Hell, let's put a button on that page that says
| "Forget me."
| JumpCrisscross wrote:
| > _require all data brokers to register with the gov't and
| give them API access for enforcement queries_
|
| This codifies a unified surveillance apparatus.
| yieldcrv wrote:
| Other assets classes already have that
| JumpCrisscross wrote:
| > _Other assets classes already have that_
|
| Financial assets. You can even become an M&A advisor and,
| as long as you never touch securities, avoid registering
| with anyone.
| yieldcrv wrote:
| user data is traded like financial assets and the
| burgeoning trend is to recognize it as user property
|
| on the financial side the infrastructure of providers is
| also similar to securities trading
| JumpCrisscross wrote:
| > _user data is traded like financial assets and the
| burgeoning trend is to recognize it as user property_
|
| This is a tortured method. We generally treat things as
| property when we want to facilitate its ability to be
| traded and leveraged. What is the advantage of the
| property route versus enumerated rights?
| rootusrootus wrote:
| Can the government not already purchase access to these
| databases?
| JumpCrisscross wrote:
| > _Can the government not already purchase access to these
| databases?_
|
| Sure. But providing mandatory registration and a
| legally-required API sure makes it easier. (There is also zero
| chance those data don't wind up accessible by every
| small-town cop.)
| runnerup wrote:
| Another column in the row:
|
|     flag_isForgotten: TRUE
|
| Then for the compliance query:
|
|     SELECT * FROM victims WHERE flag_isForgotten = FALSE;
|
| A better model for your purposes might be the "Bottled in Bond"
| model where bourbon had to be kept in government-owned whiskey
| aging warehouses. All PII data would have to be kept solely in
| government-owned databases. Your model would not be many
| citizens' first choice because it makes the government
| surveillance absolute.
|
| However, I don't think there's a good solution for those of us
| who'd like to return to the level of privacy afforded to us in
| the early '90s or before. I don't believe that will ever be an
| option again.
| rootusrootus wrote:
| Well yes, at a certain level we lose visibility into the
| internals and have to rely on penalties to coerce good
| behavior. Maybe a whistleblower law with a healthy reward?
|
| What I want is to get all the private data collection out in
| the open. Average Joe can probably tell you that Google
| collects some information about him, maybe his browsing
| history or search queries. But how many people really
| understand that there are probably 100x or 1000x more
| scrapers out there putting together every bit of data they
| can find and correlating it?
|
| I want to tightly regulate what companies can do with
| information they collect about you, especially once they
| start cross-referencing and selling it. Shine a very bright
| light on it.
| reaperman wrote:
| > Maybe a whistleblower law with a healthy reward?
|
| This would probably be a better framework.
| yieldcrv wrote:
| Brave initially aspired to do this.
|
| They wanted to use attestations on a blockchain to show a chain
| of consent and revoked consent from a user.
|
| But that only works if data brokers are tied to that data
| source. (and the friction of using that data source being way
| lower)
| anaganisk wrote:
| That's what India did with its UID, Aadhaar. The initial days
| were so bad with security. Anyone and everyone could take the
| id number and fetch info about you. Now you can lock access
| with biometrics and even after unlocking it auto locks in 5
| minutes. You can also generate a virtual unique id number to
| prevent fingerprinting across various services. There are still
| some cases where the security of data seems to be questionable,
| but it's working there. They also have OAuth support for
| websites to use Aadhaar profile. But not many services have
| integrated with it yet.
| tayo42 wrote:
| This site you're posting and reading comments on won't let you
| delete your comments and accounts. I think at best if you email
| and ask they might randomize your username.
| anaganisk wrote:
| I don't know if it counts but this site also doesn't collect
| personal information, I don't even remember if I had to verify
| an email.
| r00fus wrote:
| I've always thought - if it's possible for someone trawling
| HN to build a pretty comprehensive profile of users based on
| usage pattern, comment structure, and occasional personal
| details shared (like gender, familial status, location).
|
| I think it'd be pretty easy for most accounts that have >
| 1000 comments.
| tayo42 wrote:
| You still need to have the foresight to do things like not
| reuse usernames, even use your real name, or accidentally post
| something that could identify you. It's still an account
| owned by a person
| cm2012 wrote:
| These laws make no sense at all because basically no one is
| actually hurt by ad tracking (it actually improves ad quality and
| relevance), except if you just think advertising in general is
| wrong.
|
| All of these data privacy laws are just a minority of people
| wanting to push back against capitalism and big tech. I get it
| but it's such a waste of energy.
| stainablesteel wrote:
| i saw some youtube advertisements for a service that requests
| data deletion on your behalf, but i was super skeptical of that
| because it just seems like the service you're paying to do this
| would then become the next centralized hub of what information of
| yours once existed.
|
| I don't mind the idea of a government-based interface to all of
| this with strict adherence to privacy
| dan-robertson wrote:
| I hope that other jurisdictions (than the EU) will find different
| policies around data protection to try to achieve something that
| is actually good for people in practice now that they can look at
| how gdpr worked out.
|
| I think the law requiring subscriptions to be easily cancelled is
| a good example of something that is good for people because it
| makes something they already want to do easier/better.
|
| On the other hand, the thought of having to cope with umpteen
| different privacy laws makes me glad I don't work on a website
| for the general public.
|
| My main complaint with data protection laws is that they often
| require actions from users, either some kind of 'informed
| consent' like gdpr/cookie laws, or some kind of deletion request.
| I would much prefer some simpler laws like 'no keeping
| behavioural data more than 45 days' that don't require people to
| opt in to privacy. Though there are flaws with what I wrote -
| what does it mean for training neural networks; there are cases
| where you want that memory, eg maybe if you liked a tv
| show/YouTube channel and there was more than 45 days between
| series/videos, you would want the new series to be recommended to
| you; there are complex chains of causality like if eg I watch a
| cat video, get recommended a bunch more cat videos over time,
| watch some of those, then in some sense the signal from the first
| cat video has caused me to still be getting recommended them more
| than 45 days later.
|
| It seems like this requires taking action to delete a lot of data
| from a lot of places and puts the onus on the consumer, which I
| think isn't great. But the 'data broker registry' might make it
| easier to do? I wonder what the EFF were thinking about when they
| supported this. Perhaps they just considered it to be strictly
| privacy-increasing and therefore good, and didn't worry about
| second-order effects like consumer fatigue. Maybe the second-
| order effects don't matter so much - they are second order after
| all.
| cccbbbaaa wrote:
| Data retention limitations are absolutely a thing in GDPR and
| previous European laws (ie. Informatique et Libertes).
| dan-robertson wrote:
| I don't think the problem with GDPR is that it is lacking
| rules.
| cccbbbaaa wrote:
| I get that. I'm saying that what you think is missing in
| existing privacy laws, actually already exists.
| emodendroket wrote:
| Hey, sure. Keep inventing stuff for me to do at work. I don't
| mind.
| hadrien01 wrote:
| Just copy-paste GDPR, and enforce it.
| givemeethekeys wrote:
| If by GDPR you mean the cookie banner that appears on most
| websites? It's as if we ask for something and are punished for
| it. I'd like to see some proof that GDPR has achieved major
| changes in data privacy before a copy-paste.
| minsc_and_boo wrote:
| Nitpick: EPD is responsible for the cookie consents
| everywhere, not GDPR - https://gdpr.eu/cookies/
|
| GDPR primarily concerns the user with information and
| takedown requests, the latter which could be considered
| deletion.
| taosx wrote:
| GDPR doesn't work as described and companies have found many
| ways to make the process difficult. There is a clause (last
| case scenario) where the company can say that the data is
| critical to the system and can't delete it.
| anticristi wrote:
| No, they cannot https://www.enforcementtracker.com/
|
| You probably refer to "legitimate interests". If you play
| that card, you are required to show a "Legitimate Interest
| Balancing Test", in which you show that your interests are
| arguably more important than the interest of the consumer:
| https://ico.org.uk/for-organisations/guide-to-data-
| protectio...
|
| Source: I love to watch Facebook becoming the first GDPR
| unicorn, i.e., a company with more than 1 billion EUR GDPR
| fine.
| JumpCrisscross wrote:
| GDPR isn't a good fit for the American system. The
| principles that animate it [_i.e._ rights of access (Art.
| 15), erasure (17) and objection (21)] should be
| incorporated into law. But a combination of public and
| private enforcement, plus a strong civil regulator (but one
| who isn't obligated, by law or practice, to respond to
| complaints), is a better start.
|
| > _watch Facebook becoming the first GDPR unicorn_
|
| They're paying $725mm to users in America [1]. Difference
| being the damages go to users, not a regulator.
|
| [1] https://www.popsci.com/technology/meta-725-million-
| lawsuit-c...
| mindslight wrote:
| The problem is that no form of data personal protection
| is really a good fit for the American (political) system,
| because the US leans heavily into the fallacy that if
| it's legal for one individual to do some as private
| activity, then allowing to be scaled up to mass corporate
| behavior is inherently reasonable. So telling
| Surveillance Valley to stop building Stasi 2.0 is akin to
| telling your friends that they must forget your birthday.
|
| Furthermore, the American concept of "consent" mostly
| functions as a legal fiction whereby less powerful
| parties are coerced into signing a bunch of binding legal
| documents. Hence the desire to copy the GDPR verbatim -
| because if a privacy law used the American version of
| "consent", why even bother?
|
| One way to port the overall idea of the GDPR into the US
| legal system might be to define a non-transferable
| property right in personal information (information about
| yourself), which could only be licensed _revocably_.
| Those two key bits would be tough though, given
| widespread deference to the Coase fallacy that has
| blessed much corporate looting.
| JumpCrisscross wrote:
| > _no form of data personal protection is really a good
| fit for the American system_
|
| Not true. We have the Privacy Act of '74, HIPAA, GLBA and
| COPPA, to say nothing of _e.g._ California's CCPA and
| Virginia's CDPA [1]. Or Illinois' biometric privacy
| protections [2].
|
| > _the US leans heavily into the fallacy that if it's
| legal for one individual to do some as private activity,
| then allowing to be scaled up to mass corporate behavior
| is inherently reasonable_
|
| This is true for rights, which don't get diluted through
| assembly. Not rules or the law. Plenty of laws exempt
| small businesses and natural persons.
|
| > _the American concept of "consent" mostly functions as
| a legal fiction whereby less powerful parties are coerced
| into signing a bunch of binding legal documents_
|
| Not entirely true. See: EULA enforceability as it
| pertains to natural persons [3].
|
| > _to define a property right in personal information
| (information about yourself), making it non-transferable
| and revocable at any time_
|
| One generally defines a property right to _enable_
| transferability. Revocable property isn't property, it's
| a license. Making information one's inalienable property
| that can only be revocably licensed sounds neat, but it
| doesn't add value over enumerating data rights.
|
| [1] https://www.comparitech.com/data-privacy-
| management/federal-...
|
| [2] https://www.jacksonlewis.com/sites/default/files/docs
| /Illino...
|
| [3] https://en.wikipedia.org/wiki/End-
| user_license_agreement#Enf...
| mindslight wrote:
| > _This is true for rights, which don't get diluted
| through assembly_
|
| Calling it "assembly" is disingenuous (this is directed
| at the legal canon, not you). Generally companies aren't
| just mere assemblies of people, but rather are separate
| legal entities whose members have limited liability. Just
| as it's accepted for a company to say to an employee "if
| you want to get paid your 1st amendment rights are
| irrelevant", it would be reasonable for the government to
| say "if you want to have a statutory liability shield,
| your 1st amendment rights are irrelevant for activities
| facilitated by the shield".
|
| > _Not entirely true. See: EULA enforceability as it
| pertains to natural persons_
|
| I didn't say there weren't exceptions. Just
| overwhelmingly when a new regulation is created that
| requires "consent", the main result is for there to be a
| new piece of paper that people are forced to sign to
| "give consent". Rarely is there spelled out a path where
| the individual can refuse to give consent and still
| obtain a service that didn't intrinsically require it.
|
| > _Making information one's inalienable property that
| can only be revocably licensed sounds neat, but it
| doesn't add value over enumerating data rights._
|
| The value is that trying to carve out new rights is an
| uphill battle, whereas dovetailing into the customs of
| commerce might just be possible. For example you had
| mentioned carve outs in the various state attempts at
| privacy laws due to the 1st amendment. Whereas those
| carve outs (unfortunately) don't exist for copyright!
|
| But sure, I do support trying to carve out completely new
| rights to repudiate our burgeoning surveillance society.
| It's just that the way the legislative process works in
| this country, it will be an amazing feat if the drafting
| process doesn't end up gutting most individual rights
| while still creating a bunch of red tape to stifle
| competition. Hence the attraction to copying GDPR
| wholesale and letting the courts sort it out.
| JumpCrisscross wrote:
| > _when a new regulation is created that requires
| "consent", the main result is for there to be a new piece
| of paper that people are forced to sign to "give
| consent"_
|
| You'll see my suggestions purposely skirt the question of
| consent. Access, erasure and objection. You can access
| your information held by others. You can require its
| deletion. And you can object to how it's used. (In
| practice, revocable consent. But avoiding the concept
| directly.)
|
| > _those carve outs (unfortunately) don't exist for
| copyright_
|
| Copyright is in the Constitution [1]. Its interaction
| with the First Amendment is why we have the fair-use
| doctrine [2]. I doubt the Congress could enact copyright
| without the Copyright Clause.
|
| Incorporating privacy through commercial code strikes me
| as messy. We have _many_ mechanisms for abrogating
| property rights. Do we really want to deal with _e.g._
| civil forfeiture of a person's privacy, banks seizing
| possession of personal data in obscure foreclosure
| proceedings, or an employer holding parts of an
| employee's privacy rights in bond?
|
| > _the attraction to copying GDPR wholesale and letting
| the courts sort it out_
|
| This would involve a decade plus of anarchy, litigation
| and uncertainty. That is enough time for generational
| backlash. Lazy legislating rarely pays off.
|
| [1] https://en.wikipedia.org/wiki/Copyright_Clause
|
| [2] https://www.law.cornell.edu/constitution-
| conan/article-1/sec...
| mindslight wrote:
| > _You'll see my suggestions purposely skirt the
| question of consent. Access, erasure and objection. You
| can access your information held by others. You can
| require its deletion. And you can object to how it's
| used._
|
| Sure. I just see the legislative meat grinder turning
| "information" into narrowly construed red herrings like
| SSN's and account numbers, "access" into the ability to
| file individual written requests (which include more
| personal information) to specific entities you happen to
| know about, "deletion" into the null operation because it
| "infringes freedom", and "objection" into a strongly
| worded protest rather than anything actionable. I
| certainly do want to be wrong here, but this is the same
| country where widely-lauded healthcare reform ended up
| including a provision that everyone had to pay the
| parasites.
|
| Good point about the perils of making one's interest in
| personal information more property like. I had wanted to
| head that off by making it non-transferable, but you're
| right to point out the slippery slope that legislative
| corruption would surely push us down.
|
| As far as copyright, it grows ever stronger in spite of
| patently obvious free speech concerns (eg DMCA "anti-
| circumvention"), because legislation that benefits
| corporations wins out over legislation that benefits
| individual rights.
|
| And for "lazy legislating", what I see really not paying
| off is when congress addresses an issue a single time and
| then considers the matter solved, regardless of the
| actual result.
| JumpCrisscross wrote:
| > _what I see really not paying off is when congress
| addresses an issue a single time and then considers the
| matter solved, regardless of the actual result_
|
| This is incrementalism. It's the solution preference of a
| deliberative, consensus-building democracy. We make a
| move. See the effects. Iterate. It works in the long run.
|
| The opposite, forcing through chaotic legislation, tends
| to result in alienation, repeal and the resignation of
| the issue to the partisan trash pile.
| mindslight wrote:
| Read my sentence again - I'm bemoaning the _lack_ of
| iteration. Are the disastrous bits of the CFAA and the
| DMCA ever going to be repealed? Will any of this new
| privacy legislation apply to the traditional surveillance
| industry ("credit bureaus")? It seems like once
| commercial interests get their sponsored laws into the
| endzone, we're left to suffer them indefinitely. It's why
| we're always reaching for "constitutionality" as the main
| hope for eliminating oppressive laws, rather than
| thinking that congress could reverse course.
| Hamuko wrote:
| > _Difference being the damages go to users, not a
| regulator._
|
| Doesn't a class-action lawsuit just mean that like a
| third of it goes to private law firms?
| andygeorge wrote:
| > GDPR doesn't work as described
|
| could you expand upon or clarify that? i work in systems
| infrastructure and have been a part of implementing GDPR-
| driven changes in both apps and infrastructure, so it
| certainly seems to be working in my line of work
| taosx wrote:
| I'm not saying that systems are not in place, I'm just
| saying that it's too hard for the average consumer.
|
| - After you've requested deletion the company has 30 days
|   to "respond" but they can extend that with two additional
|   months.
| - They can go to extreme lengths to verify the identity of
|   the user which they have the right to do so and if you
|   don't respond to the confirmation they are not obligated
|   to delete anything.
|
| I've encountered both practices in the past (and I've only
| made 3 requests, ever).
|
| The dream would have been an automated way to do it,
| something like a government service where each company
| would have to publish metadata about captured user data and
| once you request deletion through the service the company
| would receive an event, a webhook call...
| andygeorge wrote:
| > it's too hard for the average consumer
|
| oh yeah, hard agree with this
| Robotbeat wrote:
| I wonder if this will effectively ban LLMs like the similar
| legislation in Europe?
| gaogao wrote:
| Likely not, but it depends on the language around anonymizing
| that the bill uses
| superkuh wrote:
| I can't help but notice in the bill itself there's no definition
| of what a data broker is. Does anyone know the legal definition
| in California? Do you have to be an incorporated person to be a
| data broker or can human persons have this force applied to them
| as well?
|
| _edit_:
| https://leginfo.legislature.ca.gov/faces/codes_displayText.x...
| "California's definition of a "data broker" is set out at Section
| 1798.99.80. (d) of California's Data Broker Law"
|
| It sounds like data broker has to be a "business" that collects
| information about someone they don't have a direct relationship
| to and sell that to a third party. This might still include sole
| proprietorship businesses but it sounds like normal non-
| incorporated human persons and personal websites wouldn't be
| forced to delete things.
|
| It's interesting to note that "Financial institutions" are given
| an exception from the "data broker" tag and regulations and can
| still do whatever they want.
| JumpCrisscross wrote:
| > _it sounds like normal non-incorporated human persons and
| personal websites wouldn't be forced to delete things_
|
| Natural versus artificial person is probably irrelevant. (Sole
| proprietorship _is_ a "normal non-incorporated human" doing
| business.) If your personal website is somehow collecting
| information from non-visitors and then selling it, that's a
| data broker. In practice, I can't see why or how that would
| accidentally occur.
| r00fus wrote:
| This makes sense. How would they regulate, for example, sales
| of ad targeting information (which might be very exact) based
| on said personal data?
| superkuh wrote:
| I think your implicit assumption here is that all websites
| are businesses in some sense? But people often run websites
| that have no monetary transactions involved (except hosting,
| domain, etc costs). Since I'm one of these I worry about
| being forced to delete data just because some random persons
| who came to my metaphorical backyard BBQ didn't realize there
| was a metaphorical photographer there taking pictures.
|
| I get the spirit of the law and I'm glad incorporated
| entities will be regulated. I just anticipate substantial use
| of the 'Delete Act' for frivolous cases and malicious uses.
| Much like GDPR. With the good comes the bad.
| bee_rider wrote:
| It is hard to modify photos without ruining them. If
| someone's data accidentally gets added to your site, why
| not just delete it?
| JumpCrisscross wrote:
| > _your implicit assumption here is that all websites are
| businesses in some sense_
|
| It's not. I'm saying it would be hard for a personal
| website to accidentally stumble into being a data broker.
| koito17 wrote:
| From the senate press release,
|
| > The CPPA would create a simple way for Californians to direct
| all data brokers to delete their personal information, free of
| charge.
|
| I wonder how something like this would actually be enforced. At
| the moment I can request my personal information to be deleted,
| but there is no way for me to determine whether such request was
| actually fulfilled. Even with this option to direct "all data
| brokers", the problem remains, and it seems to be briefly
| acknowledged in this sentence
|
| > Tsukayama said that what most experts in the field agree on is
| that California law leads the nation in this space, but that it's
| still barely enforced.
|
| I don't know of any good way to enforce this kind of legislation,
| even if I totally support it.
| thewebcount wrote:
| I wonder if some sort of "do not call"-style list that the
| government keeps would do the trick? The government maintains
| the list so some company can't say, "We never received any
| notice from them!" and the government can also audit whether
| each person on the list has data associated with them in any
| given company's database. The government would have to audit
| companies when a consumer contacts them (or just do it
| periodically for all companies, if that's feasible).
|
| I think the bigger problem is how does a consumer know whether
| any random company has data on them? I mean, sure, I can figure
| that Google, Amazon, and Meta probably would be on that list,
| but the real problem is all the smaller 3rd party resellers of
| such data. I don't even know their names, let alone how I would
| figure out if they have info on me.
| digging wrote:
| It would not work. Not enough people would use it, for myriad
| reasons.
|
| The real answer is privacy by default. Opt-in for invasive
| harvesting. The science of design is well enough known that
| we could even legislate against dark patterns if we wanted
| to.
| djfm wrote:
| Random audits in data brokers' data centers?
|
| Software on consumers' devices that records ads seen and files
| complaints if consumers are still being tracked? It's very easy
| to detect algorithmically that you're being shown personalized
| ads.
| anigbrowl wrote:
| One popular (and somewhat successful) legislative strategy is
| to create a 'private right of action' whereby an injured party
| can sue an offending one easily by meeting a specific burden of
| proof - eg if you file a complaint with a data broker and the
| data is not removed within a defined reasonable period, you can
| go to court armed with a rebuttable presumption of the broker's
| liability and claim some statutorily specified amount of
| compensation. A well-known example would be violations of the
| Americans with Disabilities Act.
| InitialLastName wrote:
| The comparison to the ADA is a good one, but it also
| illustrates the issue of how verifiable the remedies are.
| It's much easier to prove whether a business has a ramp than
| that they deleted some piece of data from all of their
| servers everywhere
| anigbrowl wrote:
| I think it will be based on availability rather than
| verification of deletion, but I'm just guessing.
| bobthepanda wrote:
| It sounds like a recipe for enforcement by lawsuit, which is
| similar to the ADA for example.
| kevingadd wrote:
| It's surprisingly tough to find a lawyer willing to file an
| ADA suit. Most search results are for companies to defend
| against suits, and my local bar association only had one firm
| to refer me to that didn't return my calls.
| mlyle wrote:
| In order to enforce by lawsuit, the people who have standing
| to sue (or a regulator acting on their behalf) need to
| somehow know that an organization is out of compliance.
|
| For the ADA, you can see whether there's enough parking
| spaces or whether the ramp is legal or whether you were
| denied a reasonable accommodation.
|
| Here, there's a mandatory audit mechanism, but it's unclear
| whether the proper recordkeeping will be required to really
| allow issues to be spotted at audit.
| d4mi3n wrote:
| Is there any way to know if any audit mechanism works
| before it's actually been put into practice?
|
| I share your concerns, but it seems a bit early to worry
| that auditing + lawsuit enforcement isn't worth giving a
| spin.
|
| Do we have examples of similar legislation that has or
| hasn't been successful with similar contexts/enforcement?
| The closest examples I can think of are in finance, like
| fair lending laws or SOX compliance; both of which are
| heavily dependent on auditing data.
| mlyle wrote:
| As a sibling commenter points out, a uniform deletion
| "certificate" or other notice that could be used as
| verification of requests would be useful to ensure that
| audits would have a corresponding record to use to
| determine what records should not be present.
|
| Then, data broker keeps a list of such deletion notices.
|
| If any of those notices ends up having data still stored,
| that's a violation. If any customer presents such a
| certificate but isn't in the list of such notices on the
| data broker, that could be a violation.
|
| This way there's an effective, enforceable mechanism.
| Otherwise, a broker can just lose deletion requests
| entirely and no one would know.
| anticristi wrote:
| If it's any consolation, it took GDPR 7(-ish) years to make a
| difference. Hang in there!
| emodendroket wrote:
| Yeah, all those annoying "we use cookies" pop-ups are
| inspiring
| fknorangesite wrote:
| You're welcome to blame the people putting those pop-ups
| there, not GDPR.
| bobwaycott wrote:
| This is at least the billionth time it's been pointed out,
| but the GDPR is not responsible for those annoying pop-ups.
| The GDPR is erroneously _blamed_ for them, when in reality,
| the pop-ups are a deliberate choice made by site operators.
| Feel free to brush up on the GDPR, the EPD, and how they
| work together: https://gdpr.eu/cookies/
| scarface74 wrote:
| The GDPR is very much responsible. They exist solely
| because of the GDPR.
|
| And you don't just "brush up" on an 11 chapter 99 section
| law.
| digging wrote:
| I don't think the GP is suggesting that the GDPR mandated
| those shitty popups, I think they're upset that the GDPR
| _allowed_ them. They're basically a massive loophole. Of
| course the site operators are to blame for their
| individual popups.
|
| That's without addressing the fact that the EPD is what
| triggered them.
| [deleted]
| [deleted]
| rekoil wrote:
| > I don't know of any good way to enforce this kind of
| legislation, even if I totally support it.
|
| What the EU does with GDPR is put a huge fine on actors caught
| ignoring GDPR deletion requests. It's up to EUR20m or 4% of the
| company's global turnover, whichever hurts the most.
| frogblast wrote:
| I was wondering if a "chain of custody" law for personal
| information can make this enforceable.
|
| You can request your personal information from a holder of it,
| and along with that comes the identity of where/when/who that
| data was acquired from (and transitively who they got it from).
|
| Then you can tell who sold it, both to gauge violations and
| also to name and shame.
|
| And if they don't have the chain of custody, then they are
| immediately in violation, and it is easily proven.
| emodendroket wrote:
| I think this is a pretty common problem with any kind of
| business regulation -- how do I know that a factory isn't just
| illegally dumping its waste? Regulators are usually working
| with less complete knowledge than the entities they regulate.
| You'd have to set up penalties large enough that the risks
| weren't worth it, but that ironically works better with larger
| companies since fly-by-night operations are free to just shut
| down and don't care that much about their reputations.
| scrum-treats wrote:
| There are relatively simple ways to enforce this. For instance,
| requiring companies to register all trackers prior to use. And
| in that registration process specify all metadata that would be
| collected. Terms of service for implementing trackers in
| California could include something along the lines of
| permitting independent E2E auditing of all trackers and any
| software linked to it, e.g., software related to
| personalization and feature creation/selection/optimization.
|
| There could also be something like more comprehensive
| enforcement of "(meta)data flushing," including a tighter turn-
| around time to ensure customer data that was supposed to be
| deleted is actually deleted, at more regular intervals. This
| would better ensure novelty at the time of model training/fine-
| tuning. These training logs would be audited as well.
|
| Training data size would decrease. It would also act as a
| natural guard against data hoarding, which disproportionately
| benefits huge corporations (e.g., Google, Amazon).
|
| Does it make personalization harder? In some ways yes. It also
| challenges us to invent solutions more sophisticated than "just
| feed the model more data."
| fallingknife wrote:
| Easy way to enforce is to give anyone who reports a breach and
| provides evidence half of the fine. People will be constantly
| trying to buy data from the broker that they aren't supposed to
| have to get the reward. And any time they find something, it's
| payday.
| SnowProblem wrote:
| "Data brokers would have to undergo an independent third-party
| audit every three years to ensure compliance with the DELETE
| Act provisions and submit audit reports to the California
| Privacy Protection Agency."
|
| Source: https://privacyrights.org/resources/california-delete-
| act-bi...
| jerf wrote:
| Well, I can see how that means well, but this doesn't scale
| to dozens of other jurisdictions doing the same thing. The
| audits would have to either be cheap and toothless or
| impossibly expensive, or, given the dozens of jurisdictions
| eventually doing these, probably both and other combinations
| besides. One can only imagine the nightmare of this
| jurisdiction deciding this bit of data is private, some other
| jurisdiction deciding it's mandatory to keep (e.g., "you must
| record this user's legal identity in order to ensure that
| future data you may receive is also deleted"), and yet a
| third jurisdiction deciding that it must be deleted but _if
| and only if_ the user explicitly asks for it in the request.
| It won't take much for (real) compliance to exceed what even
| the big tech companies could afford.
|
| At least something like the EU legislating this covers a
| significant fraction of the world economy in one go.
| minsc_and_boo wrote:
| Most jurisdictions copy the main tenets* from each other,
| to make it easier for actors to enforce in their region -
| i.e. GDPR -> CCPA.
| chrisweekly wrote:
| tenets, not tenants
| unpopular42 wrote:
| I wonder how do they plan for those requests to be authenticated.
| Easily proving that you are you over the internet is not a solved
| problem.
| jeppester wrote:
| One would think that tracking companies are experts in that
| specific field.
___________________________________________________________________
(page generated 2023-04-24 23:01 UTC)