Google weeps as its home state of California passes its own GDPR

California has become the first state in the US to pass a data privacy law – with governor Jerry Brown signing the California Consumer Privacy Act of 2018 into law on Thursday. The legislation will give new rights to the state's 40 million inhabitants, including the ability to view the data that companies hold on them and, …

  1. Anonymous Coward
    Anonymous Coward

    Zuck on that Bitch!

    Good news for those lucky enough to live within CA's realm. Which is also a bone of contention, as no one really knows how the territorial scope of GDPR works. i.e. If you travel or move or have family/friends between jurisdictions... Do you get privacy raped, saved, then data raped again???

    But the speed the law passed is notice to Zuck & Cult, that blatant lies and evasiveness on key issues such as offline and non-user tracking isn't on anymore. People aren't going to sleepwalk to the kind of dystopian nightmare that gives Zuck & PageBrin orgasms everyday. Even if most people are zombies about their privacy, the NOYB crowd of lawyers are suiting up!

    1. Anonymous Coward
      Anonymous Coward

      No 'Meaningful change' in user numbers

      Zuk is fond of saying that. But two recent surveys confirm: teens are turning away, and people are looking elsewhere for their news. So while Facebook can claim there's no meaningful change, they rely on perpetual growth, therefore stagnation is a cancer...

      Only 2 family members dumped Facebook since March. But they were the ones keeping the lights on. They had FB on all devices, all of the time. That's a story telling metric, as it says lots about quality. User count is deceptive, if users share, post & pm less...

      1. JohnFen

        Re: No 'Meaningful change' in user numbers

        " teens are turning away,"

        In fairness to Zuckerberg, this trend began well before Facebook's latest adventure, so it really isn't a "meaningful change". Teens are leaving Facebook because they (correctly) perceive that Facebook is for businesses and old farts.

        1. Anonymous Coward
          Anonymous Coward

          Re: No 'Meaningful change' in user numbers

          ... and because the kids perceive facebook as farties business, the Zuckerbergers, being well paid, smart people, have already (actually quite some time ago) invested into a couple of "platforms", to extend a helping hand to those ungrateful kids who try to bail the ship. In other words: they own the boat, the rafts, life jackets and life buoys. And, I bet, they didn't forget to bribe the sharks...

        2. BillG
          Happy

          Re: No 'Meaningful change' in user numbers

          @JohnFen wrote: Teens are leaving Facebook because they (correctly) perceive that Facebook is for businesses and old farts.

          Teens are leaving Facebook because it's harder to be anonymous on FB, and parents are demanding access to their teen's FB page.

          So teens use Twitter instead because they like how Twitter is much easier to use while being anonymous. They also like how it's easier to hide a Twitter account from parents.

          1. JohnFen

            Re: No 'Meaningful change' in user numbers

            "Teens are leaving Facebook because it's harder to be anonymous on FB"

            I doubt this explanation, as it's trivially easy to be anonymous on FB.

            1. Orv Silver badge

              Re: No 'Meaningful change' in user numbers

              You can be anonymous on FB until someone reports you. Which has become a pretty common form of revenge.

    2. Remy Redert

      Re: Zuck on that Bitch!

      How GDPR works: Are you a legal resident or citizen of any country inside the EU? If yes, GDPR applies to you and your data regardless of where you reside at any given moment. If you go to the US, some company collects your data without informed, freely given, consent, they are in breach of GDPR.

      Now getting a remedy against such cases might be hard if they have no presence in the EU, but that is a whole different matter. I have not read the new Californian bill, so I don't know how its language defines whom it applies to.

      1. This post has been deleted by its author

        1. This post has been deleted by its author

      2. Mike 137 Silver badge

        Re: Zuck on that Bitch!

        "getting a remedy against such cases might be hard if they have no presence in the EU"

        If they process the personal data of 'data subjects who are in the Union' and are 'a controller or processor not established in the Union' (GDPR Article 3(2)) they are obliged to designate a representative in the EU (Article 27(1)) and declare the representative's contact details (Articles 13(1(a)), 14(1(a))).

        However the interpretation of the term 'in the Union' under Article 3 (and elsewhere) remains to be fully established by precedent.

        1. Mike 137 Silver badge

          Re: Zuck on that Bitch!

          "getting a remedy against such cases might be hard if they have no presence in the EU"

          If they process the personal data of 'data subjects who are in the Union' and are 'a controller or processor not established in the Union' (GDPR Article 3(2)) they are obliged to designate a representative in the EU (Article 27(1)) and declare the representative's contact details (Articles 13(1(a)), 14(1(a))).

          However the interpretation of the term 'in the Union' under Article 3 (and elsewhere) remains to be fully established by precedent.

          -----------------------------------------

          I'd be fascinated to know why this post got a down vote!

    3. Anonymous Coward
      Anonymous Coward

      Big Deception

      What's interesting is that most of the preparation or hard work for GDPR was done well before the Facebook-Cambridge-Analytica-Palantir news ever broke. So what we're seeing now, is what Silly 'con' Valley thought they could get away with. So it's going to be interesting to see where things really are in about a year or two...

      Also, I don't buy the point at all about Microsoft offering more transparency. I think it's more likely, and if true quite scary, that they actually knew far more about their users, and could predict with a high probability that most of them wouldn't even venture into those privacy setting screens. So, Microsoft simply weren't worried!

      1. bombastic bob Silver badge
        Big Brother

        Re: Big Deception

        well, a broken clock is right twice a day. slow-clap for the Cali-fornicate-you legislature. clap. clap. clap.

        I'm glad they did it, but this from the article is probably correct (and a bit frightening):

        "with the chance to change it later through normal legislative procedures"

        They'll emasculate it as soon as they can with loopholes, "but if" exceptions, and other weakened features that are bought and paid for by the Silly Valley liberals that PWN them. For the Cali-fornicate-you legislature is one of *THE* most corrupt organizations ON THE PLANET.

        if enough states do the same, the feds will act and federal law will take precedence over state laws. That would help prevent them from being weakened in the future.

        NOW - will Micro-shaft have to UPDATE their EULA policies with respect to the Micro-shaft Login, "the slurp", "the ads", etc. in Win-10-nic? And, their plans for GITHUB...

        icon, because it's what "they" *REALLY* want.

        1. Teiwaz

          Re: Big Deception

          From an east side of the pond perception, the only 'liberals' in this story are the thoughtful individuals who managed to get this thing through.

          A rare win, even if it was done with the usual game the political system method and will be shat on the moment oligarchs find someone willing to take a 'donation'.

    4. Charles 9

      Re: Zuck on that Bitch!

      The thing about California is that, through their sheer size, they can create trends that reverberate throughout the country. Don't believe me? Look up "California Emissions".

    5. Michael Habel
      Black Helicopters

      Re: Zuck on that Bitch!

      NSA vs CIA learn the difference (It could save a life!).

      But, in case you weren't aware the CIA does NOT have jurisdiction to officially operate on American Soil. As any good pleb should know that's the boy from Fort George Meade (Odenton md.). a.k.a. the National Security Agency's turf. To spy on its fellow 'Merican's

      1. phuzz Silver badge
        Black Helicopters

        Re: Zuck on that Bitch!

        "the CIA does NOT have jurisdiction to officially operate on American Soil"

        That's a very different sentence from "the CIA does not operate on American soil". The first sentence is true, the second sentence though...

        (And it's probably better to compare the CIA with the FBI. Roughly speaking, the FBI do domestic, while the CIA does overseas. The NSA can spy at home and abroad, but their main focus is abroad.)

    6. TheVogon

      Re: Zuck on that Bitch!

      "a hefty $7,500 fine."

      LOL. Not quite as hefty as the €20 million of GDPR.

      1. Eltonga
        Mushroom

        Re: Zuck on that Bitch!

        "a hefty $7,500 fine."

        LOL. Not quite as hefty as the €20 million of GDPR.

        It's per user. Do the math.

      2. MrAverage

        Re: Zuck on that Bitch!

        I read that as being $7,500 for each offence. i.e. 5,000,000 people's data breached = 5,000,000 x $7,500?

  2. Blockchain commentard

    I seriously hope that's $7,500 per person else Google, Facebook etc will be breaking the law every day and not notice it on the bank balance.

    1. Anonymous Coward
      Anonymous Coward

      'I seriously hope that's $7,500 per person'

      Looks like it's better than that... It's per 'each violation'! Which could be multiple 'per user'... If so, that will be a nice bite out of investors' profits! After all, it's the investors & advertisers that need to take the hit, as Google & Facebook show they're incapable of changing!

      1. DCFusor

        Re: 'I seriously hope that's $7,500 per person'

        How about companies you have no prayer of opting out of normally, like say Experian, Equifax...???

        I guess you can at least opt out of being in the Office of Personnel Management database...by not working for that jobs program called government.

        How about that huge recent ad agency leak- you know, the one no one even knew the name of, reported here? In usual CA style, flawed law and no way to really enforce it. How can you ask outfits you don't know exist - and who have a lot more effect on you (credit rating...and so on)?

        Yeah, this author is parochial as hell, and thinks CA is somehow all more computer knowledgeable than the rest of us...(which doesn't explain a lot of totally daft things done there in silly valley) and is obviously a google hater due to gentrification (And him not getting one of those good jobs) but hey.

        I'd bet money he can't name all the outfits that hold data on him himself.

  3. Zwuramunga

    Easy Enough

    Requests immediate deletion of all records.

    1. tfewster

      Re: Easy Enough

      Y'see that's tricky. They can delete it, but then just collect it again. I think the solution is to say "You don't have permission to hold data on $ME, except that minimal info that identifies $ME - Say, name, address* & possibly date of birth. If anyone enquires about $ME, you can only tell them 'We are not permitted to hold or share any information about $ME' " But even that is information of a sort.

      * home, business, email or website address. e.g. tfewster@myisp.com is unique and identifies me completely - anything linked to that email is protected. Same for all my other email addresses :-)

      Exactis "timed" their breach just right - a few days later and everyone in California would have had a case under the new law.

      1. Danny 14

        Re: Easy Enough

        not so with GDPR, with GDPR a right to erasure needs to be permanent both historical and going forwards (including if backups are restored). If they can prove you started a new relationship agreement with them then the erasure will be null from THAT point onwards and only within scope of that agreement.

      2. bombastic bob Silver badge
        Devil

        Re: Easy Enough

        some level of common sense data retention, such as the fact you did business with a company, or bought items and had a receipt for those items, is reasonable to retain (such things are really needed for proper bookkeeping standards and income reporting to government agencies, sales tax collection, and so on). But then, GDPR and related laws SHOULD take over to prevent that data from being used for 'other than that' purposes, such as tallying up what you purchase for advertising purposes.

        So the 'right to forget' might mean including "your identification number" into a list o' IDs to exclude from statistical analysis and reporting to 3rd parties. The data would be effectively 'forgotten'. But things needed for accounting purposes and legal requirements would not be.

        At some point you can't assume the data was actually "deleted". it might be illegal to actually delete it. It might also break most accounting systems.

        it might be possible, however, to change your customer ID to "anonymous customer" and aggregate all anonymous customers into one. I'm not sure if that would violate legal requirements on accounting practices, though.

        as for slurping and targeting ads based on your clicking and browsing and e-mail history - DELETE is the way to do it.

      3. Eddy Ito

        Re: Easy Enough

        Sadly Exactis wasn't so much a breach but, as I understand it, more a matter of leaving the database accessible to all and sundry on one of their servers. To me a breach is more when one gets past defenses but it assumes that one at least puts the lid on the garbage bin and it doesn't look like Exactis did even that.

  4. Chronos
    Flame

    Legitimate business interests

    The more I hear this phrase, the more I want to kick whoever first coined it. The only "legitimate business interest" is "more profit."

    Adding the word "legitimate" to something does not automatically make it good. For example, I have a legitimate interest in anyone trying to con me out of my personal information being force-fed a large bag of plump donkey dicks until they explode. That doesn't make it right, recommended or a reasonable path to take. Far better to let objective legislation take care of the problem.

    1. DJO Silver badge

      Re: Legitimate business interests

      "User privacy needs to be thoughtfully balanced against legitimate business needs."

      An apparently innocuous phrase which is wrong in every detail. User privacy is paramount and inviolate without informed permission given.

      That's it, no ifs, no buts, no exceptions.

      1. Pascal Monett Silver badge
        Thumb Up

        Re: Legitimate business interests

        Completely agree. I nearly jumped out of my chair when I read that phrase, and I had to force myself to finish reading the entire article (a very interesting read, BTW) before coming here to say the same thing, but in slightly more profane terms.

        In any case, it is refreshing to see that, for once, political machinations can be used for good. Hats off to the people who got this law pushed through.

        1. Da Weezil

          Re: Legitimate business interests

          Google.. let me make this absolutely clear. you have NO legitimate interest in my personal data, it is MINE not yours and I am the only arbiter of "legitimate" use of that data. I have spent too many moments in my life trying to shield my life from your pervasive and unwanted voyeurism.

          You... and your "partners" can go and perfect the art of self penetration - preferably with large implements lacking any form of lubrication.

          It's MY data not yours, you have no legitimacy in respect of such data.

          1. Clarecats

            Re: Legitimate business interests

            "Google.. let me make this absolutely clear. you have NO legitimate interest in my personal data, it is MINE not yours and I am the only arbiter of "legitimate" use of that data. I have spent too many moments in my life trying to shield my life from your pervasive and unwanted voyeurism."

            Okay, it's your data. I agree we need more privacy.

            Are you now going to pay Google or others every time you conduct a net search? How else will this work? Getting advertisers to pay more to Google won't necessarily improve your life either; and more of us would use ad blockers.

            I suggest some kind of a happy medium would work. You could tell data collectors what you agreed would be stored, sold or traded. Any other use would be in breach.

        2. John Brown (no body) Silver badge

          Re: Legitimate business interests

          "In any case, it is refreshing to see that, for once, political machinations can be used for good. Hats off to the people who got this law pushed through."

          Although it's very much worth bearing in mind that the whole point of pushing it through was specifically to make it easier to change later, unlike a ballot version which, as the article states, would be much harder to change once passed. That should be concerning to everyone. If the politicians were really up for this type of privacy legislation, why didn't they just let it go to a ballot? Let's hope that Mactaggart & co are keeping a close eye on the legislation as written and any future modifications (which may be hidden in other bills as riders etc.) and are ready to act again.

          1. Alan Brown Silver badge

            Re: Legitimate business interests

            "unlike a ballot version which, as the article states, would be much harder to change once passed"

            Of course, a ballot now could lock-in the existing law and any changes could be undone with a ballot too.

          2. Number6

            Re: Legitimate business interests

            Although it's very much worth bearing in mind that the whole point of pushing it through was specifically to make it easier to change later, unlike a ballot version which, as the article states, would be much harder to change once passed. That should be concerning to everyone. If the politicians were really up for this type of privacy legislation, why didn't they just let it go to a ballot? Let's hope that Mactaggart & co are keeping a close eye on the legislation as written and any future modifications (which may be hidden in other bills as riders etc.) and are ready to act again.

            I can see some merit in having it easily changed in case there is an issue where someone got something wrong. If the only way to fix it was another ballot initiative then fixing errors might turn out to be hard. On the whole though, I'd prefer the ballot version because it's harder to subvert as I see that as more likely than incremental improvements through the normal legislative process. I agree, I hope that they keep the ballot stuff in a safe place, ready to haul it out if someone offers the legislators enough money to change the existing version to something weaker.

        3. Jamie Jones Silver badge

          Re: Legitimate business interests

          Pascal - haha, I had the exact same reaction!

          Obviously (to us), the only legitimate needs would not be considered a privacy violation (e.g. a company that delivers you stuff having your postal address)

          If anyone needs to think about whether a "'legitimate'(!) business need" has privacy issues, they've already answered their own question.

          1. Anonymous Coward
            Anonymous Coward

            Re: Legitimate business interests

            "If anyone needs to think about whether a "'legitimate'(!) business need" has privacy issues, they've already answered their own question."

            You mean.. Like an IMAP email server, or a cloud server, or a video hosting server, or any photo or other data sharing service, or any "social media" platform including The Register?

      2. Doctor Syntax Silver badge

        Re: Legitimate business interests

        "User privacy needs to be thoughtfully balanced against legitimate business needs."

        Turn it round: legitimate business needs need to be thoughtfully balanced against user privacy.

        1. DJO Silver badge

          Re: Legitimate business interests

          Of course a lot depends on who defines "legitimate", from Google's perspective everything and anything qualifies, my perspective is pretty much diametrically opposed.

          GDPR got this dead right, the information demonstrably necessary to provide the service and no more is all a company can keep and none of it can be transferred to any other entity be they another company or a different division of the same company.

    2. katrinab Silver badge

      Re: Legitimate business interests

      "For example, I have a legitimate interest in anyone trying to con me out of my personal information being force-fed a large bag of plump donkey dicks until they explode."

      Seem totally reasonable to me.

      1. Chronos

        Re: Legitimate business interests

        Seem totally reasonable to me.

        Also to me at the time. Of course, when I've dabbed away the rabid foam from my chin, can see without a red mist or dancing spots and my diastolic is back to double figures, I'll quite happily admit that this is not nearly a capital offence - except for the storage medium that holds the data which does need to expire in a conflagration.

        That should be why we have laws, to keep the torch and pitchfork industry from being the largest employer in the world.

    3. Anonymous Coward
      Anonymous Coward

      Re: Legitimate business interests

      User privacy needs to be thoughtfully balanced against legitimate business needs.

      Copyright needs to be thoughtfully balanced against legitimate business needs.

      Due process needs to be thoughtfully balanced against legitimate business needs.

      Ending slavery needs to be thoughtfully balanced against legitimate business needs.

      Democracy needs to be thoughtfully balanced against legitimate business needs.

      1. bombastic bob Silver badge
        Unhappy

        Re: Legitimate business interests

        yeah, 'legitimate business needs' - when the l[aw]yers get ahold of THAT one, watch your wallet. And your privacy.

    4. Filippo Silver badge

      Re: Legitimate business interests

      If a new law is passed, and some "business need" is in violation of it, then that "business need" is NOT legitimate. That's literally what "legitimate" means.

    5. Pen-y-gors

      Re: Legitimate business interests

      User privacy needs to be thoughtfully balanced against legitimate business needs

      "User privacy takes precedence over unjustified business desires"

      FTFThem

    6. Montreal Sean

      Re: Legitimate business interests

      @Chronos

      "...I have a legitimate interest in anyone trying to con me out of my personal information being force-fed a large bag of plump donkey dicks until they explode. That doesn't make it right, recommended or a reasonable path to take."

      I disagree, it is a very reasonable path to take. :)

    7. Orv Silver badge

      Re: Legitimate business interests

      The phrase "legitimate business" mostly just makes me think of old mobster movies, where their associates were always "legitimate businessmen."

  5. Anonymous Coward
    Anonymous Coward

    49 to go

    Mr. Mactaggart, please come to Texas. And every other damned state. And please add a small amendment to your bill that excludes these protections for any Congressman or Senator who takes money from lobbyists affiliated with data collection companies.
