Maybe there should be some kind of annual ISO privacy certification for companies that resell any customer data in any form. Then make data customers (e.g. marketing agencies, major retailers) and data collectors (e.g. those that collect telemetry data from libraries included in their app, auto manufacturers, wireless providers) civilly liable for any privacy violations dealing with uncertified brokers, making sure there’s an uncapped modifier based on the company’s annual revenue. That seems like it puts the bulk of the compliance responsibility on the parties that can do the most wide-scale damage with unethical and dodgy practices, while leaving some out there for others that need incentive to not ignore the rules.
Haven’t really thought this through and I’m not a policy wonk… just spitballin’.
I would hope for something stronger. Put a currency value on some kinds of info. To store my SSN and full name and military ID totals 20 units. Maybe a full name and home address is 15 units. If I agree to give you my info, you agree that I can keep the CEOs home address, stored as safely and hygienically as I can. Part of our contract mandates when we mutually delete. Because of course we trust each other.
For starters, it provides protection and accountability for those who don't have the prior presence of mind to demand deletion.
An act which mandated deletion in all cases for data once business needs are addressed (often 30--90 days for much data), might address your question. But the Delete Act isn't that.
Excited to see this! Because completing the CCPA "delete my data" process for 300+ data brokers just isn't feasible.
Though I wonder what the second order effects of this might be. Imagine a service that vets tenants for landlords. If I've had all my data deleted, might I start failing background checks because the sketchy data brokers have no records of me? I fear a future where the complete absence of my data leads to bad side effects.
Not all data brokers are sketchy, some are very good. Data brokers help assess who is creditworthy and lowers rates for more trustworthy people, and allow the creation of more specialty lending products.
Credit checks, and the 3 big companies that do it, are already pretty regulated. I don't think they're counted as data brokers that'll have to comply with Delete Act. Can anyone confirm?
> Before submitting a deletion request, you will be required to verify you are a California “resident,” as defined in section 17014 of Title 18 of the California Code of Regulations as that section read on September 1, 2017. Verification is made with assistance from state contracted third-party vendors, including Socure and Login.gov, through the California Identity Gateway.
Does this apply to political lists too? I know political calls/text are excluded from Do Not Call and hence I get a crap ton of political spam texts (most recently from "Adam Miller for Congress OH-15", despite never living in Ohio). I'd really, really like to remove myself from all these political lists.
I've had that, though it was from a different state. Also recently started getting texts from some MAGA related organization, though I'm about as far from MAGA as it's possible to be. How does my number get on these lists, anyway?
Absolutely. What sound pretty cool, and different, here is CalPrivacy would be required to build a request mechanism that's one request sent to every data broker.
> Sounds an awful like The Right to be Forgotten under GPDR Article 17
Does DROP let you censor search records?
I’d encourage anyone in Europe to compare California’s CCPA to the EU’s GDPR. It was inspired by the latter, and fixes a lot of its problem. (The Swiss referendum system was based on learning from and improving on California’s.)
According to that page Texas also requires data brokers to register. As a Texan it seems unlikely that they do this to protect consumers. It feels more like they want to know who their market is as they surveil their citizens and rake in as much moola as possible. Identifying which broker will pay the highest premiums for real-time information about Texans' travel from license plate and traffic cameras, which businesses they visit, etc will allow them to get sweet kickbacks from the industry lobbyists who can openly pass around envelopes of cash on the floor of the legislature.
>information about Texans' travel from license plate and traffic cameras, which businesses they visit
Texas is already doing this to track women seeking out-of-state healthcare. Whatever "side" you're on (for that argument): THIS. IS. WRONG.
In addition to ditching your cell phone, consider ditching Texas, too (as a Native™, I did so almost a decade ago). Still toying with the idea of expatriation, but honestly I feel too old for that, now =P
----
We seem to have a lot in common, fellow retired Xeon user. My PO Box is in my profile.
Texas has robust laws against facial recognition (and biometrics in general), including winning a major lawsuit against Facebook. Texas also has pretty good privacy laws in general. Right now, flock cameras are still permitted - but there's been talk about cracking down on them. There are also a first set of restrictions on ALPRs - not as restrictive as I would like, but generally data can only be retained for people suspected of committing a crime.
If you are a Texas resident, you also have a right to request data deletion (or correction) from brokers or other sellers of data, and permanently opt out of personal data profiling for a wide swath of industries including insurance and finance purposes.
Texas is one of the best states for privacy laws, even though we can obviously do better. I'd still like to see a general prohibition on things like flock and more restrictions on ALPRs, but much better than most states.
I wonder how well this will work without other the states not being in on it and what other unintended consequences this may bring. sounds like a good start though.
One of the ways federal legislation gets passed is by state's passing their own laws, eventually industry gets fed up with having to comply with a dozen or more variations of the same law and starts harassing congress to take care of it.
California represents 12% of USA population, 14% of US GDP. Effectively that means CA can throw its weight around and companies are forced to at least pretend to comply. Whether they actually comply depends on enforcement.
Now if Delaware were to adopt such a law for every company “headquartered” there …
When the CCPA launched in 2018 companies had to comply when a consumer requested a Data Subject Access Request (DSAR). Because the consumer had to request a DSAR not all companies felt this compliance pain acutely (e.g. it was mostly big companies with A LOT of users that got more DSARs, so they adopted workflows and tools to alleviate the pain).
The Delete Act has more teeth. Independent compliance audits begin in 2028 with penalties of $200 per day for failing to register or for each consumer deletion request that is not honored. GDPR spurred organizations to compliance, partly because of the steep penalty (up to €20 million or 4% of revenue, whichever is higher), maybe The Delete Act (and its much smaller penalty) will also spark organizations to comply.
They define data broker as someone who collects and sells your data. Companies like Facebook and Google do not sell data they collect, contrary to what a lot of people assume.
The page refers to 500 data brokers, but I’d like to find the complete list they use.
Google does "sell" your data to other Alphabet companies except they call it "partnership" or "strategic sharing" and it should be completely illegal and be called data brokerage too. Same with Meta.
There is a reason the FTC and DOJ force this companies to break up, except they have hordes of lawyers and the law will always be catching up to reality so it doesn't do much in this day and age.
> 1798.99.80. (c) “Data broker” means a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship. [1]
If you want to be both obtuse and pedantic about it, the answer is yes to all three.
The GDPR lets someone request deletion of their data and there are legal teeth to force a business to comply, but that's 1:1. Maybe I need to dig deeper, but this specifically applies to data brokers it seems. That's great and it being a one to many request is fantastic, but sounds like it may not apply to just anyone who has data on you like the GDPR...
The CCPA is far better than the GDPR. For one, they actually managed to make an effective privacy law that didn't have the knock-on effect of polluting the entire internet with pointless cookie banners. The EU is already making moves to scrap huge parts of their misguided privacy regulations and adopt rules more like what California did with the CCPA.
California lawmakers "adopted the GDPR" only insofar as they studied it to learn what not to do.
Only tangentially releated but I thought the EU required that you can delete selective data. Example: Being able to delete a single email vs having to delete all emails.
And yet, Gemini does not seem to let me delete queries. This is unusual for Google who provides ways to delete pretty much all data on selective basis. Maybe I just can't find the option. Or maybe this option only exists if I'm in the EU
The gist of the GDPR in that respect is it allows someone to request a record of what data a particular business has gathered about them as well as request deletion of that data. It also introduced a lot of restrictions around what can be done with a particular subject's data, like sharing with third parties.
I don't know why this is downvoted, it's a great question.
1st Amendment: Congress shall make No Law
14th Amendment: Due process... incorporate the Bill of Rights against the states
I often wondered whether the next case after MacDonald vs Chicago and Heller would do the same for the 2nd amendment, i.e. wipe away the ability of cities to require gun licensing and registration.
It seems anti-free speech. If the same thing were done via physical media, would we still support this? I am definitely no fan of data brokers, but I also am no fan or suppressing speech. This seems like the equivalent of banning old phone books before the internet.
I guess, but even that I don't think I'd support making that a legal requirement. If it's public data I have no problem with it being searchable on the internet. I know that's not always convenient but I think to do anything different starts to set bad legal precedents which will not be in favor of the public.
Maybe there should be some kind of annual ISO privacy certification for companies that resell any customer data in any form. Then make data customers (e.g. marketing agencies, major retailers) and data collectors (e.g. those that collect telemetry data from libraries included in their app, auto manufacturers, wireless providers) civilly liable for any privacy violations dealing with uncertified brokers, making sure there’s an uncapped modifier based on the company’s annual revenue. That seems like it puts the bulk of the compliance responsibility on the parties that can do the most wide-scale damage with unethical and dodgy practices, while leaving some out there for others that need incentive to not ignore the rules.
Haven’t really thought this through and I’m not a policy wonk… just spitballin’.
Bonding and/or insurance.
Make this cost and practices will change.
Yeah good call.
I would hope for something stronger. Put a currency value on some kinds of info. To store my SSN and full name and military ID totals 20 units. Maybe a full name and home address is 15 units. If I agree to give you my info, you agree that I can keep the CEOs home address, stored as safely and hygienically as I can. Part of our contract mandates when we mutually delete. Because of course we trust each other.
Sure, but that will never happen, and we shouldn't let perfect be the enemy of good.
> Maybe there should be some kind of annual ISO privacy certification for companies that resell any customer data in any form
Why is this better than requiring deletion?
For starters, it provides protection and accountability for those who don't have the prior presence of mind to demand deletion.
An act which mandated deletion in all cases for data once business needs are addressed (often 30--90 days for much data), might address your question. But the Delete Act isn't that.
4 replies →
Excited to see this! Because completing the CCPA "delete my data" process for 300+ data brokers just isn't feasible.
Though I wonder what the second order effects of this might be. Imagine a service that vets tenants for landlords. If I've had all my data deleted, might I start failing background checks because the sketchy data brokers have no records of me? I fear a future where the complete absence of my data leads to bad side effects.
It's the same as credit checks, I know people who no credit (because they don't own a credit card) get denied housing for rent.
Not all data brokers are sketchy, some are very good. Data brokers help assess who is creditworthy and lowers rates for more trustworthy people, and allow the creation of more specialty lending products.
The big US credit score trio, Transunion, Equifax and Experian, have all had multiple, massive data leaks. This is not very good at all.
1 reply →
Credit checks, and the 3 big companies that do it, are already pretty regulated. I don't think they're counted as data brokers that'll have to comply with Delete Act. Can anyone confirm?
1 reply →
Are Experian, Transunion and Equifax included in the one-click deletion?
1 reply →
Well they should have found a more transparent way to run their business, so they are still sketchy to me.
> Before submitting a deletion request, you will be required to verify you are a California “resident,” as defined in section 17014 of Title 18 of the California Code of Regulations as that section read on September 1, 2017. Verification is made with assistance from state contracted third-party vendors, including Socure and Login.gov, through the California Identity Gateway.
-- https://consumer.drop.privacy.ca.gov/
Wow this is a huge negative. I wonder if this was necessary to make it workable, or if this was done to placate corporations.
There’s a link to submit a DROP request at the bottom of the page. Is this live? I want to sign up.
Unfortunately following the link results in an infinite redirect.
It's not live yet (https://consumer.drop.privacy.ca.gov/coming-soon.html), you can subscribe to email updates (https://cppa.ca.gov/webapplications/apps/subscribe/).
It’s now live.
https://consumer.drop.privacy.ca.gov/
Per the timeline, the DROP service is supposed to be live by August 1, 2026.
You can submit your request now. They aren't processing requests until August.
Does this apply to political lists too? I know political calls/text are excluded from Do Not Call and hence I get a crap ton of political spam texts (most recently from "Adam Miller for Congress OH-15", despite never living in Ohio). I'd really, really like to remove myself from all these political lists.
I've had that, though it was from a different state. Also recently started getting texts from some MAGA related organization, though I'm about as far from MAGA as it's possible to be. How does my number get on these lists, anyway?
Typically pure spam not even from MAGA phishing cc info from the most gullible. Replying STOP usually does the trick.
I think of it as the side effect of first amendment protections that people do not report it for what it is.
This is a great first step, but I’m actually interested in
1. Getting a list of everyone that bought my records from data brokers 2. Reverse record linking to know who joined me, when, where, and how
Just deleting myself from 500 of these databases is a good start that’s decades over due.
Time to flip the scripts.
Word
Sounds an awful like The Right to be Forgotten under GPDR Article 17
Absolutely. What sound pretty cool, and different, here is CalPrivacy would be required to build a request mechanism that's one request sent to every data broker.
Dare I ask, what happens to data brokers that don't care about Californian laws? Must be many such instances operating from outside the USA?
2 replies →
> Sounds an awful like The Right to be Forgotten under GPDR Article 17
Does DROP let you censor search records?
I’d encourage anyone in Europe to compare California’s CCPA to the EU’s GDPR. It was inspired by the latter, and fixes a lot of its problem. (The Swiss referendum system was based on learning from and improving on California’s.)
More like The Right to Rewrite History
According to that page Texas also requires data brokers to register. As a Texan it seems unlikely that they do this to protect consumers. It feels more like they want to know who their market is as they surveil their citizens and rake in as much moola as possible. Identifying which broker will pay the highest premiums for real-time information about Texans' travel from license plate and traffic cameras, which businesses they visit, etc will allow them to get sweet kickbacks from the industry lobbyists who can openly pass around envelopes of cash on the floor of the legislature.
>information about Texans' travel from license plate and traffic cameras, which businesses they visit
Texas is already doing this to track women seeking out-of-state healthcare. Whatever "side" you're on (for that argument): THIS. IS. WRONG.
In addition to ditching your cell phone, consider ditching Texas, too (as a Native™, I did so almost a decade ago). Still toying with the idea of expatriation, but honestly I feel too old for that, now =P
----
We seem to have a lot in common, fellow retired Xeon user. My PO Box is in my profile.
I’m pretty sure the “abortion is murder” side will not consider it wrong to track women who travel out of state to, as they see it, murder a baby.
6 replies →
Texas has robust laws against facial recognition (and biometrics in general), including winning a major lawsuit against Facebook. Texas also has pretty good privacy laws in general. Right now, flock cameras are still permitted - but there's been talk about cracking down on them. There are also a first set of restrictions on ALPRs - not as restrictive as I would like, but generally data can only be retained for people suspected of committing a crime.
If you are a Texas resident, you also have a right to request data deletion (or correction) from brokers or other sellers of data, and permanently opt out of personal data profiling for a wide swath of industries including insurance and finance purposes.
Texas is one of the best states for privacy laws, even though we can obviously do better. I'd still like to see a general prohibition on things like flock and more restrictions on ALPRs, but much better than most states.
Data brokers made in California can now wreck all the world but California.
< Red Hot Chilli Peppers Song >
Yes only CA residents can use this.
I wonder how well this will work without other the states not being in on it and what other unintended consequences this may bring. sounds like a good start though.
If a data-collecting company doesn't do business in California, that tells me a lot.
One of the ways federal legislation gets passed is by state's passing their own laws, eventually industry gets fed up with having to comply with a dozen or more variations of the same law and starts harassing congress to take care of it.
> without other the states not being in on it
California represents 12% of USA population, 14% of US GDP. Effectively that means CA can throw its weight around and companies are forced to at least pretend to comply. Whether they actually comply depends on enforcement.
Now if Delaware were to adopt such a law for every company “headquartered” there …
what other unintended consequences this may bring.
A "right to rewrite history" that will distort reality for historians in the future.
How did HN become effectively pro-DRM?
How do you see that working?
Went through all the rigamarole of texts and verifications and backup codes and was met with a:
This auth.cdt.ca.gov page can’t be found
-- blank page from Chrome.
Imagine that, a government website that's broken. Wait, and I just put in all my personally identifiable info. Grrrrrreat.
hmm (thinking) infinite loop, eh?
> one of four states (also Oregon, *Texas*, and Vermont) who require data broker registration.
This does feel like an area where there could be useful bipartisan agreement if packaged properly.
Can only hope this spreads like wildfire throughout the world.
When the CCPA launched in 2018 companies had to comply when a consumer requested a Data Subject Access Request (DSAR). Because the consumer had to request a DSAR not all companies felt this compliance pain acutely (e.g. it was mostly big companies with A LOT of users that got more DSARs, so they adopted workflows and tools to alleviate the pain).
The Delete Act has more teeth. Independent compliance audits begin in 2028 with penalties of $200 per day for failing to register or for each consumer deletion request that is not honored. GDPR spurred organizations to compliance, partly because of the steep penalty (up to €20 million or 4% of revenue, whichever is higher), maybe The Delete Act (and its much smaller penalty) will also spark organizations to comply.
Is Facebook a data broker? Reddit? Google?
They define data broker as someone who collects and sells your data. Companies like Facebook and Google do not sell data they collect, contrary to what a lot of people assume.
The page refers to 500 data brokers, but I’d like to find the complete list they use.
Google does "sell" your data to other Alphabet companies except they call it "partnership" or "strategic sharing" and it should be completely illegal and be called data brokerage too. Same with Meta.
There is a reason the FTC and DOJ force this companies to break up, except they have hordes of lawyers and the law will always be catching up to reality so it doesn't do much in this day and age.
1 reply →
https://cppa.ca.gov/data_broker_registry/
It would be unexpected if signing the form meant that your gmail is deleted and your facebook account is closed.
> 1798.99.80. (c) “Data broker” means a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship. [1]
If you want to be both obtuse and pedantic about it, the answer is yes to all three.
[1] https://legiscan.com/CA/text/SB362/id/2845350
Sounds similar to GDPR here in Europe.
They adopted gdpr some years ago. This goes further and creates infrastructure to delete records at scale.
I hope this is good and turns global. We need this, because consent banners do not work.
The GDPR lets someone request deletion of their data and there are legal teeth to force a business to comply, but that's 1:1. Maybe I need to dig deeper, but this specifically applies to data brokers it seems. That's great and it being a one to many request is fantastic, but sounds like it may not apply to just anyone who has data on you like the GDPR...
> They adopted gdpr some years ago.
The CCPA is far better than the GDPR. For one, they actually managed to make an effective privacy law that didn't have the knock-on effect of polluting the entire internet with pointless cookie banners. The EU is already making moves to scrap huge parts of their misguided privacy regulations and adopt rules more like what California did with the CCPA.
California lawmakers "adopted the GDPR" only insofar as they studied it to learn what not to do.
1 reply →
Saw the domain "ca.gov" and mistook it for Canada. Then wondered why it started mentioning California a lot.
Only tangentially releated but I thought the EU required that you can delete selective data. Example: Being able to delete a single email vs having to delete all emails.
And yet, Gemini does not seem to let me delete queries. This is unusual for Google who provides ways to delete pretty much all data on selective basis. Maybe I just can't find the option. Or maybe this option only exists if I'm in the EU
The gist of the GDPR in that respect is it allows someone to request a record of what data a particular business has gathered about them as well as request deletion of that data. It also introduced a lot of restrictions around what can be done with a particular subject's data, like sharing with third parties.
glad the timelines are short and hope its user friendly
[flagged]
This is the kind of thing the federal goverment would be doing if it gave a shit about its people.
California is a real country, United States is a joke
I suppose that these records of personal data does not constitute "speech" in a First Amendment context?
That’s right, and haven’t for a long time.
I don't know why this is downvoted, it's a great question.
1st Amendment: Congress shall make No Law
14th Amendment: Due process... incorporate the Bill of Rights against the states
I often wondered whether the next case after MacDonald vs Chicago and Heller would do the same for the 2nd amendment, i.e. wipe away the ability of cities to require gun licensing and registration.
It seems anti-free speech. If the same thing were done via physical media, would we still support this? I am definitely no fan of data brokers, but I also am no fan or suppressing speech. This seems like the equivalent of banning old phone books before the internet.
The equivalent is that you could ask to be removed from the phone book.
I guess, but even that I don't think I'd support making that a legal requirement. If it's public data I have no problem with it being searchable on the internet. I know that's not always convenient but I think to do anything different starts to set bad legal precedents which will not be in favor of the public.