(Of course Big Tech plans to fight back: tech lobbyists look forward to improvements to address the many unintended consequences of the law.)
posted by RedOrGreen at 7:51 AM on August 15, 2018 [1 favorite]

Well, this will definitely keep all of those people hired for GDPR compliance employed
posted by NoMich at 8:10 AM on August 15, 2018 [7 favorites]

Speaking of GDPR, from the article:

Mactaggart was wary of proposing a sweeping law like the European Union’s General Data Protection Regulation, or G.D.P.R., fearing that Californians would find it mystifying and reject it. He wanted a solution that consumers would embrace and Silicon Valley could live with. “I don’t want to kill businesses — I’m a businessman,” Hoofnagle recalls Mactaggart’s telling him. “I just think the data use by these companies is out of control.”

Media coverage, on the other hand, doesn't always clarify the differences so well (at least in headlines):

• Marketers and tech companies confront California's version of GDPR (Page title: California just passed its version of GDPR), from Digital - Ad Age

  Call it "GDPR Lite." California Gov. Jerry Brown signed the Consumer Privacy Act on Thursday, giving residents of the state significantly more control over how their data is collected, used and handled. Although the law will not go into effect until January 2020, it will without question have massive implications for every brand, agency and tech company both here and abroad. Here's the TL;DR In short, California just passed its own digital privacy law, allowing consumers to know what information companies are collecting about them, why they are collecting that data and who they are sharing it with. It also arms residents of the Golden State with the ability to tell tech behemoths such as Google and Facebook to delete their data, not to share their data or not to sell it. People can also opt out from a company's terms of service without losing access to its offerings. And companies are barred from selling data on anyone under the age of 16 without explicit consent. The new law will moreover hold brands accountable for any data breaches, allowing consumers to sue them up to $750 for each violation. The California attorney general can sue for $7,500 for each intentional violation of privacy. Translation: Companies such as Target, Adidas, FitBit, Home Depot, Chili's, Equifax, Facebook, among the many, many other companies that have experienced data breaches, will now be held significantly more accountable for failing to protect consumer data.

• California's New Privacy Law: It's Almost GDPR in the US -- But Tech Giants are Taking Aim at the Law, Which Can Be Amended Until 2020 (Bank Info Security)

  The law, AB 375, gives consumers the right to ask businesses for the types and categories of personal information being collected. It also requires businesses to disclose the purpose for collecting or selling the information as well as the identity of the third-party organizations receiving the data. Consumers can also request data be deleted and initiate civil action if they believe that an organization has failed to protect their personal data. "AB 375 responds to the recent data breaches that have affected millions of people - those experienced by Target, Equifax, Cambridge Analytica, and many more," Assemblymember Ed Chau and fellow co-authors of the bill say in a press release. "The collection of our information combined with data breaches has raised concerns from internet users worldwide."

• And in contrast, Why California’s new consumer privacy law won’t be GDPR 2.0 (Digiday)

  The consumer privacy law that California’s governor signed into law on June 28 is considered the strongest, most aggressive privacy protection measure in the U.S., according to legal experts. The new California law, which takes effect on Jan. 1, 2020, will require that companies tell state residents what information the company is collecting and how it’s used. It also gives people options to ask the company to delete or stop selling that information. The law does not prevent companies from collecting people’s information or give people an option to ask a company to stop collecting their information, differentiating it from GDPR.

Emphasis mine, to highlight how this is not the same as GDPR.
posted by filthy light thief at 8:21 AM on August 15, 2018 [11 favorites]

And just in case y'all missed it on Monday: Google tracks your location, even if you have location history turned off
posted by humuhumu at 8:23 AM on August 15, 2018 [12 favorites]

hmm. Can anyone clarify how I, someone living in Michigan, will be impacted by this?
posted by rebent at 8:27 AM on August 15, 2018

> Can anyone clarify how I, someone living in Michigan, will be impacted by this?

Variety: California’s New Privacy Law Could Have Big Impact on Tech, Media

Opponents of the ballot measure had argued that it would force companies to “disconnect California” and effectively operate under different rules in the State than elsewhere. With the passage of AB 375, many observers [expect] that the opposite will happen: Tech and media companies will adopt stricter privacy rules and make them available to all users, regardless of whether they reside in California or not.

(Sorry, I compiled a lot of stuff and then decided that the single long-read link was what was most interesting for the post.)
posted by RedOrGreen at 8:36 AM on August 15, 2018 [7 favorites]

...or other states could also pass laws like this...
posted by amtho at 8:51 AM on August 15, 2018 [5 favorites]

Tech and media companies will adopt stricter privacy rules and make them available to all users, regardless of whether they reside in California or not.

Much the same as all US cars meet CA emissions standards, regardless of where they're made or finally sold. It's just too complex to have two sets of cars for sale in the US. When a big state like CA passes a bill like this it becomes a de facto regulation nationwide. Similar with NY state securities laws - since both the NYSE and Nasdaq are located there, it's effectively national law.
posted by GuyZero at 9:31 AM on August 15, 2018 [17 favorites]

Tech and media companies will adopt stricter privacy rules and make them available to all users, regardless of whether they reside in California or not.

This is just not going to happen. Yes, GDPR means that lots of sites now show disclosures to everyone, but that doesn't mean that everyone can take advantage of the more substantial rights provided by the GDPR--for example, to have your data deleted. Name a single site that extends the right to be forgotten, for example, to non-EU-residents. And the same will be the case here. This is no substitute for federal legislation.
posted by enn at 9:44 AM on August 15, 2018 [4 favorites]

It's interesting that their solution to "no consumer reads all that stuff" was to give the consumer the option to read even more stuff. And:

“A lot of people who we talked to told us these were evil people,” Mactaggart said later. “But they seemed nice.”

That's how you make lots of money as a lobbyist. You have the ability to seem nice while working for an institution that's evil.
posted by clawsoon at 9:44 AM on August 15, 2018 [7 favorites]

The legislation would not take effect until 2020, and both the Legislature and the tech industry would have a chance to amend the new law beforehand.

Sounds like Mactaggart got played in the end. Should've gone with the ballot initiative.
posted by clawsoon at 9:59 AM on August 15, 2018 [4 favorites]

Name a single site that extends the right to be forgotten, for example, to non-EU-residents.

Which companies are telling their non-EU customers that, unlike their EU customers, their non-EU customers don't get to have their data deleted? Do they ask for proof of residency?
posted by pracowity at 10:26 AM on August 15, 2018

Which companies are telling their non-EU customers that, unlike their EU customers, their non-EU customers don't get to have their data deleted?

Pretty much every ad tech company.

Do they ask for proof of residency?

I can't imagine that they wouldn't. For example, here is Twitter's GDPR Article 17 request form. Note that it asks where you live.
posted by enn at 10:36 AM on August 15, 2018 [2 favorites]

So it's not a matter of can't, but won't. And if you move over here to Europe (temporarily? fictionally?), they will? Shitty companies.
posted by pracowity at 10:58 AM on August 15, 2018

Some misunderstandings here, but based on my reading of the legislation the GDPR does not apply to EU citizens. It applies to human beings who happen to be in the EU, regardless of citizenship. This is an important distinction.
posted by zerolives at 11:18 AM on August 15, 2018 [9 favorites]

...or other states could also pass laws like this...

Illinois already had privacy laws that meant that Facebook couldn't auto-tag people in photos. It also eventually stopped Google Fit from reporting what activity percentile you were in for your local area. It is pretty easy for Internet companies to roughly geo-locate users and alter their service provision. They already do it at U.S. State level for tax collection and such and they definitely do it internationally for all kinds of reasons.
posted by srboisvert at 11:23 AM on August 15, 2018 [1 favorite]

Should've gone with the ballot initiative.

Ballot initiatives in CA can only be changed by another ballot initiative. Imperfectly crafted initiatives, or just ones that need updating, are a huge pain for us. All things being equal I'd prefer to have an imperfect law that moves in the right direction and which can be updated as needed to the blunt instrument of a ballot initiative.

This broader dynamic of using the threat of an initiative as a bargaining chip, which I think was here used mostly for good, has it's own issues however.
posted by feckless at 11:57 AM on August 15, 2018 [3 favorites]

I don’t think companies should be able to sell your data period. Opt in shouldn’t be an option. If I’m not directly exchanging money for a service I don’t think it’s possible to really grasp the impact of saying yeahhhhh I guess I’ll click accept. If that means Facebook costs 9.95/month tough shit. It’s worth it or it’s not.
posted by freecellwizard at 3:56 PM on August 15, 2018 [1 favorite]

I don’t think companies should be able to sell your data period.

All of the big tech companies don't actually sell your data. Smaller ad tech companies and telecom companies may sell your data. But FB and Google sell access to your data. A small difference, but an important one. Both in terms of privacy and in terms of how these companies make money.

Honestly, keeping data as secret as possible is far more lucrative than just selling it.
posted by GuyZero at 4:11 PM on August 15, 2018 [2 favorites]

It's rather pathetic, and telling, about our society that it took a real estate business owner and a financial executive to successfully lead this campaign. In the arena of public policy new money types can only be beaten by old money types?
posted by Apocryphon at 5:05 PM on August 15, 2018 [1 favorite]

“I thought it was a joke at first, to be contacted by someone named ‘Alastair Mactaggart,’ ” says Chris Jay Hoofnagle

It shows how frivolous I am that this is what I remember most from the article. Carry on.
posted by hilberseimer at 6:03 PM on August 15, 2018 [9 favorites]

AB-375 mentions "California consumers" and "Californians," and has several parts that begin, "a consumer has the right..." It seems obvious that it covers California residents; the interesting part is whether it covers CA residents visiting other states, or people who are visiting California.

A business that collects a consumer’s personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. A business shall not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice consistent with this section.

Emphasis added - this, I think, is the real meat of the law. Not just, "consumers have the right to know things," but "you must tell them FIRST exactly what info you are gathering and how you will use it, and you must tell them FIRST before you change that."

This is also interesting (emphasis added):

A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.

Then there's a long list of exceptions for things like business transactions. The question is: Do consumers have the right to require a company delete info gathered from other consumers? If you're tagged in Facebook pictures, can you demand they delete that? This looks like a loophole that will make companies hungry to buy data from other companies - because that can't be forced to be deleted.

And wait, there's more:

A consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer the following:
(1) The categories of personal information it has collected about that consumer.
(2) The categories of sources from which the personal information is collected. ...
(5) The specific pieces of personal information it has collected about that consumer.

Note that "a business that collects personal information" is not limited to social media sites; it includes debt collection agencies. Demanding that they tell you what kind of sources they got your info from, and exactly what info they have, would be incredibly useful in the struggle to get rid of zombie debt.

The phrasing seems to apply to any business that collects personal info, although some of the parts only make sense for companies that collect that info from consumers directly.
posted by ErisLordFreedom at 6:46 PM on August 15, 2018 [4 favorites]

Sigh.

The New York Times Magazine recently published a lengthy cover story on “The Unlikely Activists Who Took On Silicon Valley—And Won;” it’s about the battle to pass a privacy law in the country’s most populous state. It’s great and definitely worth reading, but it forgot something: the woman who helped win the battle.

how-a-woman-disappears-from-the-history-books
posted by obliquity of the ecliptic at 6:18 AM on August 21, 2018 [5 favorites]

The only universal belief among the women I know in professional or corporate careers is this:

Never, ever, ever trust a man you work with. Ever. Because they will fuck you over, and they won’t even know they’re doing it. You are just a helper to them, and you always will be.
posted by schadenfrau at 8:05 AM on August 21, 2018 [2 favorites]