← Back to context

Comment by DrewADesign

8 days ago

Maybe there should be some kind of annual ISO privacy certification for companies that resell any customer data in any form. Then make data customers (e.g. marketing agencies, major retailers) and data collectors (e.g. those that collect telemetry data from libraries included in their app, auto manufacturers, wireless providers) civilly liable for any privacy violations dealing with uncertified brokers, making sure there’s an uncapped modifier based on the company’s annual revenue. That seems like it puts the bulk of the compliance responsibility on the parties that can do the most wide-scale damage with unethical and dodgy practices, while leaving some out there for others that need incentive to not ignore the rules.

Haven’t really thought this through and I’m not a policy wonk… just spitballin’.

11 comments

DrewADesign

Reply
sigwinch  7 days ago

I would hope for something stronger. Put a currency value on some kinds of info. To store my SSN and full name and military ID totals 20 units. Maybe a full name and home address is 15 units. If I agree to give you my info, you agree that I can keep the CEOs home address, stored as safely and hygienically as I can. Part of our contract mandates when we mutually delete. Because of course we trust each other.

JumpCrisscross  8 days ago

> Maybe there should be some kind of annual ISO privacy certification for companies that resell any customer data in any form

Why is this better than requiring deletion?

  • dredmorbius  8 days ago

    For starters, it provides protection and accountability for those who don't have the prior presence of mind to demand deletion.

    An act which mandated deletion in all cases for data once business needs are addressed (often 30--90 days for much data), might address your question. But the Delete Act isn't that.

    • JumpCrisscross  8 days ago

      > it provides protection and accountability for those who don't have the prior presence of mind to demand deletion

      Perhaps. I just see another compliance-industrial tax on consumers backed up by a nonsense checklist.

      > act which mandated deletion in all cases for data once business needs are addressed (often 30--90 days for much data), might address your question

      Or opt out by default.

      Perhaps California should give counties the power to do that. Then we can watch the experiment for unintended consequences.

      3 replies →