They need to make it eligible for Class Action lawsuits to be filed if these are ignored. I wrote a script to routinely test opt out on websites and was stunned to see almost 50% had it implemented incorrectly. This includes high-flying tech companies that went public recently.
Under California’s CCPA / CPRA, most enforcement power lies with the California Privacy Protection Agency (CPPA) and the California Attorney General, not private individuals. This limits the actual downside to a company vs. an unbounded downside of class-action lawsuit threat.
Widespread pre-dispute binding arbitration agreements with class-action waivers and bans on mass arbitration kind of put a damper on that, and the Supreme Court has upheld those nationwide in ways California can't easily override.
But sure, there are still other legislative tricks they could do, like making it mandatory by default for CPPA / CA AG to do the enforcement when they're made aware of a qualifying situation, overriding any NDAs which prohibit any California resident from informing CPPA / CA AG about such a situation, and allowing California residents to sue CPPA / CA AG for a writ of mandamus ordering them to proceed with the enforcement if they're stonewalling - with an award of attorneys fees if the writ is issued, so as to make such lawsuits financially affordable to ordinary plaintiffs. (I say "mandatory by default" to allow for exceptions which the legislature thinks appropriate, but at least those would be subject to democratic disclosure and debate.)
On topics such as this one, I think the CA legislature and governor are more interested in ineffectually making it seem like they're solving the problem than in effectively solving the problem.
There’s actually a more powerful legislative tool available: citizens can be empowered to sue on behalf of the state for what is effectively class relief, and to partake in the recovery (with attorneys fees). This creates a market incentive to prosecute claims like this, and it also circumvents arbitration. PAGA is such a statute.
It’s weird that laws exist where private individuals can’t take action. We need a constitutional amendment to make it so that laws can be enforced more easily. I’m not sure how it would work but I’m sure someone more legally minded could come up with something.
This is what Texas did for abortion. SB8 allows private citizens who have nothing to do with an abortion to sue the of said abortion. Since the state isn't involved I don't believe it can be challenged in federal court.
I think this is dangerous and not worth the benefits in this case
Excellent news, but also: Let's see the penalties, and let's see the vigorous enforcement. If this doesn't have teeth, it'll be pointless. Let's see a serious fine that puts a scumbag company out of business.
I don't get this. Many years ago there was "Do not track", a header that was sent based on browser configuration. As a data subject, I loved it. As an engineer I also loved it - it was easy. If the header was present don't render any tracking code. If all services acted in good faith, it could have been epic. But there was pushback, and it went away. Sadface.
For what it's worth I think the browser is the right place for tools like this. If the same thing could have been applied to cookies, we'd not be experiencing cookie-preference-popupageddon.
The article suggests browser vendors are somehow on the hook for implementing "do not sell". Is the idea the same as do not track?
The opposite would be more logical. Selling data should be opt-in, in the absence of explicit consent no company should be able to sell data.
In case we agree on selling our data we should be able to set our price and get paid for sell, use and resale of data. It's crazy that those parasite companies get that for free.
But why would anyone opt-in to that? You could do what some sites are doing and put up an "Either pay us or opt-in to cookies and tracking". The problem is I don't think people fully understand how much tracking we're talking about.
Right now a Danish radio station is running a number of news stories about being able to track people who work for military intelligence or as police officers and prison guards. They do this using a free sample a data broker provided. Everyone acts surprised when the journalists are able to show up at the home address of military personnel or prison guards who have their home address protected/secret.
I don't think there's a safe way to opt-in to selling your data, because most people cannot comprehend how much data, what type or the ramifications.
It's even worse than that now. In privacy circles, it is widely advised to not enable Do Not Track headers, as they are rarely respected and are actually unsurprisingly and commonly used as an additional identifier/data point during browser fingerprinting—in effect, making you less tracked if you deselect "Do Not Track" and more tracked if you enable "Do Not Track."
One easy free-market-friendly libertarian-approved solution would give citizens and residents of California a choice - your data can be kept private, or you can get a sizeable percentage of the value if you opt-in to data collection and sharing.
I'm not really sure how much this would be worth - and would it scale? How much value does the data from a worker at the lower end of the labor pool wage scale have in relation to that from the C-suite members of a mid-size corporation? Should we all have the right to climb up on the block and sell our data to the highest bidders, while collecting the majority of the profits from the transaction ourselves? It might make more sense to sell your data in five-year future contracts - opportunity to renegotiate rates now and then makes sense.
It's informational data, and in worlds like the commodity markets, information is invaluable. Traders have access to everything from satellite data of oil tankers to insider information from drilling rigs and they pay a lot to keep their data current and accurate, get access to proprietary databases and even nation-state classified sources.
Thus, if human data is so valuable, the humans generating the data should be the ones collecting the majority of its financial value if they opt to sell it. From this view, the real crime here is theft of worker value by data collectors and resellers in a monopolistic market system.
There are two projects that I know which attempted to solve that problem.
India has the DEPA (Data Empowerment And Protection Architecture) framework that addresses the data consent problem (e.g. a bank will ask your consent before sharing the data). The advantage here is it provides a legal framework as well.
The Solid project from Tim Berners-Lee (who invented the World Wide Web) is an attempt to solve that: https://solidproject.org/. This is purely consumer-owned but there is no legal protection from the government.
> One easy free-market-friendly libertarian-approved solution would give citizens and residents of California a choice - your data can be kept private, or you can get a sizeable percentage of the value if you opt-in to data collection and sharing.
Some business models that depend on unscrutinized unlawful or antisocial behavior turn out to be unviable when they're forced to operate in a way that is lawful / not an attack on the public.
The "universal opt-out" bill really has no teeth on its own. Combined with the existing CCPA though, it has potential (CCPA is limited to sharing for cross-context behavioral advertising). It just says that browsers and mobile operating systems need to have an easy-to-find setting to signal that the user wants to opt out. The whole bill can basically fit in a tweet. No requirements on what the signal actually looks like, and no requirements that it's respected. There are other laws passed this week with more teeth.
Oh, and we don't have to worry about the "Cookie banner" problem, because a separate law (CCPA) requires a 12 month cooldown before prompting the user for opt-in consent again.
From the law, defining the signal:
> “Opt-out preference signal” means a signal that complies with this title and that communicates the consumer’s choice to opt out of the sale and sharing of the consumer’s personal information.
I would love to drop some of the extensions that I currently have loaded for this purpose, but sadly I'm not confident the positive signal instructing opt-out will be honored, and I'll need to retain my defensive extensions.
Nice. But if you really gave a shit about privacy it’d be opt in.
Nobody in their right mind wants their information shared for marketing purposes. Turn it off.
I predict another popup to close on every damn website.
> Businesses must wait at least 12 months before asking you to opt back in to the sale or sharing of your personal information.
https://oag.ca.gov/privacy/ccpa#sectionb
YES or YES ?
Good luck operationalizing that
they are one of the most ideologically inconsistent groups i can think of besides the hardcore maga crowd.
https://legiscan.com/CA/text/AB566/id/3117187
https://oag.ca.gov/privacy/ccpa
In spirit this is great.