Doesn't look like it will be a private action. We will still need to get the State Attorney General to initiate it which will mean nothing will happen.
DC Attorney General Karl Racine has been the most impressive on data privacy. More than CA, WA, NY, MA.
It probably keeps him pure that he represents a district that mainly feels the impact of the credit industry, and doesn't have proportionately as many tech jobs as CA does.
> This bill would provide that a data broker that fails to comply with the requirements pertaining to the accessible deletion mechanism described above is liable for civil penalties, administrative fines, fees, and costs, as specified, and would raise the amount of the existing civil penalty provisions described above. The bill would require that moneys collected or received by the agency and the Department of Justice under these provisions be deposited in the Data Brokers’ Registry Fund, which the bill would require to be administered by the agency, instead of the Consumer Privacy Fund and would expand the specified uses of moneys in the Data Brokers’ Registry Fund to include the costs incurred by the state courts and the agency in connection with enforcing these provisions and the costs of establishing, maintaining, and providing access to the accessible deletion mechanism described above.
> The bill would, beginning January 1, 2028, and every 3 years thereafter, require a data broker to undergo an audit by an independent third party to determine compliance with these provisions and would require the data broker to submit an audit report to the agency upon the agency’s written request, as specified.
Thanks, that spurred me to read about it given the link above.
> "This bill would require the agency to establish, by January 1, 2026, an accessible deletion mechanism that, among other things, allows a consumer, through a single verifiable consumer request, to request that every data broker that maintains any personal information delete any personal information related to that consumer held by the data broker or associated service provider or contractor. The bill would specify requirements for this accessible deletion mechanism, and would, beginning August 1, 2026, require a data broker to access the mechanism at least once every 45 days and, among other things, process all deletion requests, except as specified. Beginning July August 1, 2026, after a consumer has submitted a deletion request and a data broker has deleted the consumer’s data pursuant to the bill’s provisions, the bill would require the data broker to delete all personal information of the consumer at least once every 45 days, as specified, and would prohibit the data broker from selling or sharing new personal information of the consumer, as specified....
> "This bill would provide that a data broker that fails to comply with the requirements pertaining to the accessible deletion mechanism described above is liable for civil penalties, administrative fines, fees, and costs, as specified, and would raise the amount of the existing civil penalty provisions described above...."
I guess it all comes down to the implementation level how specific and "actually deleting" they will be. And whether the new agency (ugh) charged with enforcing this will actually have teeth in the details.
And I don't know why such a long 45 day period is required. For reasons we're all too familiar with, people are quite able to gather data within seconds, but somehow need 45 days to delete it?
Deleting data from backups (or, more often, aging out backups and deleting them wholesale) is usually a batch process. You really don't want to have to do online modification of backups... they're not really backups at that point. 45 days doesn't seem unreasonable.
Well... doesn't that circumvent the point of backups? Backups, in my mind, are supposed to be read-only, never modified, so that a corrupted system can't do anything harmful to the safe previous checkpoint.
I guess it has to have some method of what you mention then. If someone wants their data deleted, yes, what about the backups?
Back when interest rates were low, Rocket Mortgage incorrectly tanked my credit score. They refused to fix it, which means they were liable for whatever economic damage that causes.
When I refinanced, I explained the situation to the other bank's loan agent. They emailed their underwriting division, and the underwriters simply issued an override.
Not sure if that works these days or not, but my point is that credit scores are complete bullshit. Hopefully most people will push the button, inadvertently opting out of credit reporting, and that corner of the industry will simply stop existing.
Lenders already do more due diligence than the credit agencies do.
If you default on a loan, there could be a central record (say, at the court house) of this, and lenders could consult that. That would fill in the remaining missing functionality of the score (and do so in a way that is transparently free of institutional racism, etc).
Besides defaults, how would you get precision in a model without any other data? Payment history and total outstanding credit wouldn’t be there. You would have to trust the customer to provide you with all these details.
Without precision in the risk model, cost to the consumer will go up to mitigate risk. Someone who has paid all their credit lines for 10 years and has never defaulted would have the same risk profile as a person who has frequently missed payments.
So what here determines if the score goes up instead of down? I’m planning on getting a mortgage soon, but my wife’s credit score is in the high 600s. If we can make it past 720, we are told we’ll get a better rate. So I’m curious as to how to bump up the score.
There are lots of articles everywhere, but the basics are: make sure everything is paid on time; if you have any earned negative items, see if you can get them removed by asking nicely, etc.
Then there's things like age of oldest account, average age of accounts, etc. You may be able to add her to your accounts to improve this factor, if your accounts are older than hers.
Then balances. You get dinged for having a balance on too many accounts. I think you also get dinged for having a zero balance everywhere. I think 'ideal' is 3ish cards with balances (you can (and should) pay the whole balance every statement; reporting is usually done just after the statement closes). Highest-ever balance should be less than credit available or you get dinged; ask for credit increases on cards where you ever went over the limit. Total balance shouldn't be more than some % of total credit, I think 35%? You also get dinged for a high % current balance on any one card. Again, you can add her on high-limit, low-usage cards to help her score. She'll get more score points as a joint account holder than as an authorized user.
You get dinged for recent (6 month?) credit inquiries, but inquiries are grouped, so if you apply for new credit, try to get it all done in a few days; mortgage inquiries have longer to be grouped.
If you know when your creditors do reporting, you can adjust your payment dates to tweak things. You might make a payment to your credit card before the statement closes even in order to show a lower utilization % and that could move your score a lot depending on details.
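The statement-timing point above can be sketched with made-up numbers. The only assumption is the mechanic described in the comment: the bureaus see the balance snapshotted at statement close, so paying before that date lowers the utilization that gets reported. The `utilization` helper and dollar amounts are purely illustrative.

```python
def utilization(balance: float, limit: float) -> float:
    """Percent of a card's limit in use, as seen at statement close."""
    return 100.0 * balance / limit

# Hypothetical card: $10,000 limit, $4,000 spent during the cycle.
limit, spent = 10_000, 4_000

# Pay after the statement closes: the bureaus see 40% utilization.
print(utilization(spent, limit))          # 40.0

# Pay $3,000 before the statement closes: the bureaus see 10%.
print(utilization(spent - 3_000, limit))  # 10.0
```

Same total spending either way; only the reported snapshot changes.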
Find a way to pay down revolving balances to zero.
If you have cash sitting around, great. Otherwise borrow from a 401(k), friends or family, send non-reporting payments in late et cetera. Running balances rapidly to zero tends to cause a 50 to 100 point bump. After you’ve got approval, rebuild the balance and use that credit to repay the loan. In summary: transfer the debt from reporting to non-reporting sources.
If you’re thinking longer term, find bullshit collateralised reporting loans and take them out. Securities-based loans, HELOCs. Low rate. Manufactured borrowing. But it’s a credit line paid back on time. The algorithm likes those.
The legislation appears to be limited to data brokers. While this is nice and welcome, it also means it doesn't cover entities like Google or Facebook.
The standard answer (at least for Google, not sure about Facebook) is that they're not considered data brokers because they only sell ad placement based on the data, not the data itself.
One could make a case for splitting the data collection activities from the ad sales business as part of an antitrust case. Or pass regulations and laws to that effect.
> One could make a case for splitting the data collection activities from the ad sales business as part of an antitrust case. Or pass regulations and laws to that effect.
That would be a net negative for privacy, because it would mean more parties having access to your data (without your consent or even knowledge). And given the state of security in ad-tech aside from Google, that means the chances of your data getting breached and leaked would increase exponentially.
That would be a pretty weird case to make. Typically antitrust is used to prevent a business from using market dominance in one market to enter another. Considering they don’t participate in the data-sales business, it’d be a weird scenario to force them to start. I’d prefer we don’t force them to start.
Gmail with ads seems way preferable to a Gmail that sells your data to others.
Google helped craft these laws. This is classic regulatory capture.
In particular, it is banning horizontally integrated surveillance capitalism (which requires the sale of data between the data gathering companies and the people using it), but not vertically integrated surveillance capitalism.
In all likelihood, some companies in this ecosystem will be forced to sell at fire sales to conglomerates (like Google) simply to avoid having to comply with this law. Of course, this benefits organizations that are large enough to acquire the companies, and no one else.
So, people with financial conflicts of interest are picking winners and losers, which is pretty much standard practice in US politics these days.
I personally think this whole consumer tracking industry should be shut down. It should be illegal to gather the types of information that this bill regulates.
Exactly, for data sales, the advertiser gets the information up front.
For ad placement, they only get it after you click on the ad, and it's only linked to you personally by your IP address and browser fingerprinting, or more directly if you log in or buy something.
Who knows what they'd sell if their business declined for a while and there was a hostile takeover or they otherwise got desperate for new revenue streams.
And then if you were paying attention you could make a new one of these requests... but maybe you'd miss it for a bit, and then it would be too late.
The law should be based on what you collect instead of what you sell to better protect against this sort of thing.
That's not relevant to what they could do. This law covers what you are doing, and applies to entities selling your data. Big ad players don't sell their data, because that data is their secret sauce in ad targeting.
Companies selling your data are your bank (credit card purchases), mobile carriers (location), your DMV (photos, driving record, misc PII including address, DOB, etc.), and state/county governments (public records like marriage licenses). It's weird that everyone bashes Google and FB for something they don't even do.
... except when they sell their domain registration business.
And yes, I realize that there's a (technical) difference between selling data and selling a business including its data assets.
But then again, maybe a really big chunk of the value of that business is its customer data.
For some business acquisitions, special terminology like "acqui-hiring"[0] has evolved, so it's understood that not every sale of a business is of the same nature.
And since the value of data has arguably become much higher than ever before, the distinction of selling data by itself and selling the entire business is becoming smaller as time goes on.
This misses the point. The issue is not whether or not Google/Facebook should be classified as data brokers or not. The issue is that they are data collectors who invade our privacy.
I want the means to tell companies "Do not collect information on me." And I want that to be enforceable by law.
CCPA already requires Google to delete your data on request. Though AFAIK CCPA didn't produce any changes as Google already allowed you to do that.
The same applies to any non-small business that you have a direct relationship with and provide your information to; CCPA requires that business to delete the info if you request it.
Data brokers are a special case because they don't get their information directly from you, instead they slurp up whatever public and private data they can scrape or buy, and then resell that to other companies. Given you don't have a direct relationship with the data brokers, it's hard to even figure out who has your information.
Note, CCPA seems to have excluded the credit bureaus from designation as data brokers, even though those guys are responsible for leaking SSN and full personal information on the majority of US citizens.
The US system of credit surveillance is pretty unusual (EU countries don't do anywhere near that much stalking and they have functioning debt markets) so I'd love to learn what would actually break if people were allowed to opt out of that tracking. Presumably there are some government records you can't opt out of like UCC filings and bankruptcy, and any potential creditor could just look up the primary sources themselves.
I've been grateful as a Californian for our regulations of online businesses. I regularly invoke our right-to-unsubscribe and the CCPA gives us something similar to the GDPR in various ways.
To what extent do companies extend these rights to all Americans because it's easier than building a California-specific version of a website or online product?
I would think a lot. Everyone would rather not have to wait for legal to answer a new set of questions every time a state changes its laws. Easier to align on the strictest legislation and go from there, IMHO.
Likely depends on the scale of the company. The likes of Google (I know they aren't specifically on the line for this law anyway) will have more than enough resources to verify you're a California resident before allowing such requests. Hard to see others caring rather than just honoring your request as a non-California resident, when it's always a small fraction of people who even take advantage of privacy-respecting laws.
Exactly. The parent comment strikes me as very naïve.
Right to Unsubscribe? Gmail and other email providers do this for you even if you are not a CA resident, and even if the marketer does not have a built-in unsubscribe link. From a marketer's perspective, you cost money to send emails to, and if you are not going to open them, they kind of don't want you on the list anyway.
CCPA == GDPR? Not even close. The majority of CA businesses do not reach the compliance threshold and therefore do not have to, or will not, comply with requests. Additionally, you have no way to validate that the request was actually carried out. The company's "best efforts" to remove data from their systems is all that's required at best, and a lot of data can be retained for valid business reasons.
Lastly - despite what CA residents believe (and similar to EU residents with GDPR) - CA laws do not apply to the rest of the country simply because they are unenforceable except in the most egregious cases - and even then it would have to be a very large business anyway.
> because it's easier than building a California-specific version of a website or online product
Nobody is doing this in practice. At best, they use some GeoIP thing or if you are logged into an account (which means they have your data anyway). The law does not require them to validate the user anyway, so it's all "best effort" again which usually means low effort.
But hey, if it makes you feel warm and fuzzy believing these things - more power to you.
The right to unsubscribe being discussed here has nothing to do with emails. It states that if you paid for a subscription online, you must be able to cancel it online within a few clicks as well. No “call us” or “send a registered letter during a full moon and low tide only” nonsense. It’s really great.
I can assure you as a Californian that this law is not ignored. They are taking payment from my credit card so they can’t claim ignorance of my California address.
There's no citizen enforcement clause for most of these laws and therefore this mostly means nothing - and where there is it just turns into a money grab/shakedown by bottom feeding lawyers (see existing FAL & P65 suits). Suits get settled, lawyers get paid, plaintiff gets a cut, no wrongdoing is admitted, and nothing changes.
It's not about claiming ignorance. It's about not caring about CA viral laws and CA's inability to effectively enforce them around the world.
Much like how most companies laugh when some EU citizens tries to flex GDPR in the US... hilarious unless you're Google...
People lock-in on the intent and names of these things and believe they've "won" the privacy war. Just like the "Inflation Reduction Act" these laws do very little if anything for their namesake.
It’s really odd to me that you are telling me that my lived experience is false and impossible. Every subscription I have made since this law passed, I have been able to cancel online. This includes newspapers, store club memberships, random podcasts and other online entertainment, educational software, and more.
Sometimes the government really does work for the people. It is actually possible.
The overwhelming majority of the things you listed could already be cancelled online.
You can read the laws yourself. There's not a lot of teeth for small businesses to comply.
Go look at the state AG website for P65 complaints (they are all by law published). 99% are privately settled without wrongdoing (you can see this on AG website too), and some fee is paid to the plaintiff's attorneys. Sometimes the math says it's cheaper to comply, but often not. Small (and even big) businesses around the country freely ignore P65 despite the law having citizen enforcement. If you search on the AG website you will find many repeat offenders. P65 laws have been around for decades...
There's a difference between what people believe should happen and what actually happens. If you believe these laws have "won" the privacy war - you are mistaken.
Why are you conflating right-to-unsubscribe with P65? They are different laws with different enforcement mechanisms. Also consumers don't find P65 useful whereas we see benefit from unsubscribing.
The point was we have these sort of consumer protection laws and nothing has changed. The enforcement mechanisms are weak and designed to make lawyers money more than actually gain compliance.
Given the decades of P65 enforcement - and given the prevalence of "harmful" chemicals imported into this state every day, we have no reason to believe this unsubscribe law will be any different.
Having this law makes people feel like something was accomplished, despite reality.
Where is this mythical renaissance of new online cancellations?
Turns out - most big businesses did this already... oh, but now it's the law but who's enforcing? Lawyers who gain private settlements? That's not enforcement, that's a racket.
Specifically from your list: Comcast, Netflix, AT&T, and PG&E were all services that I had to call on the phone multiple times, and sometimes send registered letters to, in order to terminate service. I’m talking exclusively about personal experience here, not about helping friends.
Edit: and by “terminate service” I mean “stop fucking taking my money, I don’t even live at the address you are claiming”
I want a bill which would let me just ban all data brokers forever. I don't mind first parties saving some relevant data necessary for them to do their job, and I can even understand 3rd parties like Google Analytics being involved, but data brokers - I really don't want any of them to have any data about me, ever.
Honestly, I don't really care who as long as I can block them altogether. It was curious to find out how many weird companies do. Thanks to the GDPR we now can see the lists. Do I read them? Not anymore, I just make sure all the switches are off.
It can be reasonable for a particular website I visit to save some data (not fingerprinting though) on who visits it. It can be reasonable for Google Analytics or Facebook or a similar system to process the data so they can target ads which make so many good small businesses possible nowadays. Sharing the data with other parties makes no sense I would ever want.
This reminds me of a company my friend used to work for, Ketch [1]. Basically described their service as automation that fulfills this exact requirement on customers databases. Sounds like they were ahead of the game.
Very few things I'm jealous of in blue states, but their online privacy protection is up there. I've pondered why no party has made this a major priority, but the reality is the vast majority of Americans simply don't care.
I would love to tell these big tech companies I want all traces of myself removed from their search engines. I understand it gets a bit nuanced with the First Amendment and such (what about a news article of me committing "x crime"?), but give citizens SOME protection. At least Europe tries and pushes back.
I'm in California - the reality is that even with this stuff it's hard. I'd say maybe 20% of companies you send CCPA request emails to don't know what to do, have broken forms, etc. It does work probably 80% of the time, though.
I also use this which seems to work, but it's hard to know how effective it is really: https://joindeleteme.com/
It's not enough to pass a data protection law, you have to actually give it teeth by investigating and suing the companies violating it. The EU has been doing this, California mostly has not.
There’s a clear distinction, from my understanding, between red and blue states on this, and it’s an interesting point to discuss. Why don’t the Democrats go further? Is it because so many of the tech companies lean toward their ideology? Why don’t red states punish these mostly-California tech companies by imposing strict privacy laws? Etc.
There is a simpler way. If it’s data about you, it’s your property, wherever it’s stored. As such, you, not the software company, have the right to sell it if you wish.
The article doesn't make opt-out very clear. If you submit a request and ask to opt out of future tracking, are the data brokers able to re-collect your data on the next day and keep/use/share it for 45 days till the next deletion cycle?
> after a consumer has submitted a deletion request and a data broker has deleted the consumer’s data pursuant to this section, the data broker shall delete all personal information of the consumer at least once every 45 days pursuant to this section unless the consumer requests otherwise
Well, fortunately for the industry, 45 days is longer than the window for attributing a click (30 days), and with the best algorithms you only need about 3 days of behavioral activity per person to forecast LTV correctly on an aggregate of just dozens of people. So I can’t say this law will have a big impact on the industries that use this data (besides red tape).
Can’t really comment on how effective or ineffective it is for the consumer though.
No version of this bill was ever known as "Delete Act". Press outlets just invented that. There is a proposed federal "DELETE Act" with a similar purpose.
Might this law make it too risky for HN to continue its policy that comments are not editable or deletable after 2 hours unless the site owner / admin manually edits or deletes?
The regulation applies to data brokers, those without a direct relationship with the person in question, who sell information about that person to a third party. I don't see how that applies to a site like this one, where users have a direct relationship and the worthless accumulated corpus is freely available.
Anyone who thought that California's "Do Not Sell My Data" requirements would cause websites to tamp down on data collection nationwide was sorely disappointed when sites simply implemented an IP-address check to display the option only to visitors in California. Other states followed suit, and sites amended their logic to show the banner in California, Virginia, etc.
They are going to cling to data vacuuming for as wide and as long as they can.
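The IP-address gating described above is roughly the following pattern. This is a hedged sketch, not any real site's logic: the covered-state list, the demo IP-to-state table, and the function names are all hypothetical stand-ins (real sites would use a GeoIP database for the lookup).

```python
# States with "Do Not Sell"-style laws; illustrative, not exhaustive.
COVERED_STATES = {"CA", "VA", "CO", "CT", "UT"}

def lookup_state(ip: str) -> str:
    """Stand-in for a real GeoIP lookup (e.g. a MaxMind-style database)."""
    demo = {"203.0.113.5": "CA", "198.51.100.7": "WY"}
    return demo.get(ip, "??")

def show_do_not_sell_link(ip: str) -> bool:
    """Show the opt-out banner only when the visitor appears to be covered."""
    return lookup_state(ip) in COVERED_STATES

print(show_do_not_sell_link("203.0.113.5"))   # True  (California visitor)
print(show_do_not_sell_link("198.51.100.7"))  # False (Wyoming visitor)
```

Which is exactly why everyone else sees nothing: the default path is to keep collecting.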
It's interesting how so many sites deployed cookie banners even if you weren't in the EU, but decided to only display this option if your IP address is located in California.
Honestly, I live in Los Angeles and feel like I never even see these California-specific opt-out banners. I typically reject all but essential cookies on every website that prompts me, but never see anything related to the CCPA, which is a shame because I really do want to utilize it.
> Anyone who thought that California's "Do Not Sell My Data" requirements would cause websites to tamp down on data collection nationwide was sorely disappointed
Wyoming resident. Just opted out because Subaru granted those opt outs nationwide. Not everyone is a dick about this.
Also, if you care about this, contact your state electeds. (If even the technically savvy can’t be bothered, it isn’t an electoral issue in your state.)
I'm all in favor of this bill, I think it's an important step in the right direction, but let's temper our expectations and replace "will" with "should" or "might" in the headline.
Perhaps I'm a radical, but if you do not have a current ongoing direct relationship with the company, then that company should not be able to store and sell your private data. I realize this is probably very contrary to Silicon Valley business models, but I think the issue requires a hard line or else people will just violate it.
I want to own my data and allow companies to collect and lease it in exchange for money, goods, or services. I want to be able to sue anyone who uses this data without explicit permission with option for punitive damages.
I want mechanisms to control my data and I don't see that happening without signed contracts.
I want to control what data is collected and how it can be used. I want this in writing in clear language in terms that cannot be changed until the contract termination date, some other specified period (with option to terminate), or with my signed consent. I also want the option to object to the sale of data to particular buyers. And I want the option to have the data deleted when my contract is terminated or when the company is sold.
I think the current hodge-podge of laws surrounding this doesn't come close to this kind of control, and to the degree that they do, they're mostly a lot of work for the consumer; more opt-out than opt-in. Companies rely on people mostly not really knowing what's being done with their data, and change their privacy policies on a whim, because how many people really read all these changes or leave? I'm not sure I've really seen any mass migration over privacy policies (although I have seen that with 'we own all your stuff forever' type TOS changes).
I mean, what if I want to outsource payroll to, say, Equifax?
That would require sharing private data about employees with Equifax so that they're able to handle paying them.
Or if I want to ship a package to somebody; can I not give a 3rd party (DHL) the recipient's address?
I like your idea but I think it needs some refinement. Perhaps just a time restriction; although I'm sure DHL would love to keep a photo proving that the package was delivered for a year.
The thing this and other privacy laws don't take into account is data derived or mined from the consumer data. Tech companies are smart enough to transform the data just enough to where deleting the original data will have no impact on monetization.
For example, ML models trained on user data retain what they learned from it, so truly honoring a deletion would require retraining those models after specific users' data is deleted.
So every 45 days, the CPPA will tell these companies to delete your data. I wonder how many people realize that this means the CPPA or these companies have to keep a record of some of your PII, so that they can look you up and delete you from the database. Maybe privacy-conscious people are fine with the California government keeping their PII?
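One hedged sketch of how such a deletion list could avoid storing raw PII: keep only a salted hash of the identifier, which is enough to match future records against earlier requests without retaining the identifier itself. Everything here (the salt, names, and addresses) is hypothetical, not a description of what the CPPA or any broker actually does.

```python
import hashlib

# Hypothetical per-operator secret; without it, common emails could be
# matched by anyone who hashes a dictionary of addresses.
SALT = b"per-operator-secret-salt"

def suppression_key(email: str) -> str:
    """Salted, normalized hash standing in for the raw identifier."""
    return hashlib.sha256(SALT + email.lower().encode()).hexdigest()

# A deletion request was filed for this (made-up) address.
suppression_list = {suppression_key("jane@example.com")}

def may_retain(record_email: str) -> bool:
    """True if no deletion request is on file for this identifier."""
    return suppression_key(record_email) not in suppression_list

print(may_retain("Jane@Example.com"))  # False: matched, must delete
print(may_retain("bob@example.com"))   # True: no request on file
```

It trades raw PII for a derived token, though whether that counts as "not keeping your PII" is exactly the kind of detail the implementation will decide.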
This seems fine? PII isn't in and of itself sensitive, it's using PII to link individuals to purchases, actions, other data that's problematic.
Facebook knowing my name isn't that bad, facebook knowing that some individual bought "Hunky Firefighters Pt 7" isn't that bad. Facebook knowing that I'm the individual that bought "Hunky Firefighters Pt 7" is exactly what I would want to prevent.
There are a couple of in-depth threads here on HN discussing the different companies you mentioned.
Here is one in particular that includes some people sharing reviews, plus Optery's CEO going into detail on the different data removal companies:
https://news.ycombinator.com/item?id=30605010
If you're interested in these services, a good approach is to sign up for each company’s free scan and compare the results.
I've been using DeleteMe. It generally works well, with two caveats:
1. They seem to largely rely on automated or semi-automated workflows, and that sometimes breaks down. For me, they removed ~95% of the stuff, but I could still find some breadcrumbs in web searches and needed to file a couple more opt-outs manually. It might be less of a problem if your online footprint is small.
2. They target "frontend" sites, rather than the actual data brokers. This cleans up search results, but doesn't necessarily remove from the commercial databases that are available to commercial and institutional users. Because the frontends come and go, it also means that if you cancel your subscription, you will probably go back to square one in 2-5 years.
These services are great and the best ones will cover removals across more sources than just data brokers. They are in the category of "Authorized Agents".
I work for Kanary (similar to the aforementioned) but have avoided doing manual opt-outs or escalating items to our team in order to get the realistic experience.
It's worked well for me. Outside of info on my own site, there's only one broker that's exposing an old address. That one was newly found or resurfaced within the past month, so it should be gone soon. I moved in December and my new address is not at all findable in correlation with my name, which is awesome.
That said, I think the sibling comment by hunson_abadeer about "95%" sets the right expectation for most. It's a constant whack-a-mole: we're always improving our strategies while data brokers multiply and find new datasets, which they use to resurface previously-removed profiles. Happy to answer any questions.
I've been quite pleased with California and the CCPA thus far. I've submitted a few deletion requests now, and despite my jadedness, all but one went through without a hitch. I reported the one to the California AG, and within two weeks the AG had followed up on it and forced the company to delete my data, and the company fixed its processes. Color me slightly less jaded.
Of course, it's all still a manual process. Requiring that the deletion of PII be a "single button click" would be great. So would making all data collection opt-in, instead of forcing me to fill out Do Not Sell My Data forms on every single website. But the Act mentioned in this article will be the third round of changes we've gotten to the CCPA since its passage seven years ago. So, again, color me less jaded; it seems California is slowly and steadily clawing back our rights. Good on us!
Couldn't disagree more as someone who works in tech and guides companies in complying with laws like this.
So expensive for so little real gain. We're spending more on compliance for companies that don't use your data for anything nefarious (basically all companies outside the advertising industry, if you even consider advertising nefarious) than we're spending on fixing climate change. Or preventing war. What a joke.
Edit: looks like this law applies specifically to self-defined 'data brokers' (in my experience no one can find these entities, and no one admits to being one), so at least it's somewhat targeted. Comment stands for CCPA and CPRA, which apply to all "businesses."
In general I think some privacy concerns are valid and others are not. Specifically I believe government surveillance is problematic and I wish there were more visibility and restrictions on it.
I do believe many companies are collecting data for reasons other than advertising. For example CRM tools (eg Salesforce) have heaps of personal information their customers store with them for a bunch of different reasons. It's really complex for them to comply with these laws - even though they aren't doing any advertising.
Company surveillance is government surveillance. The companies may be collecting information for profit, but once the data exists, it can be collected by the government. In the US, the government can seize data and legally prohibit you from even saying it happened; often it can simply buy the data instead. Companies like Salesforce may not be advertising to individuals, but the companies that use the CRM software may be. The existence of the data itself makes it vulnerable to breach. I'd argue that a privacy compromise can't be undone: any data can be used for any purpose (perhaps not always legally, but that doesn't matter, since the harm is irreversible).
It doesn’t cost much at all for companies to have infrastructure to delete user data. That’s just a cascading delete in any relational database. Poof, data gone in a single query. Sure, some systems are slightly more complex, but deleting data is one of the easier challenges for any company to solve.
What costs money is companies trying to figure out how to work around legal requirements, obfuscate this option from users, or forcing them to go through support-intensive processes to delete their data rather than just building this like any other core automated business function.
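To make the "cascading delete in a single query" point concrete, here's a minimal sketch using SQLite's `ON DELETE CASCADE`; the `users`/`addresses` tables and their columns are hypothetical:

```python
import sqlite3

# Hypothetical schema: a user row with dependent PII rows that cascade on delete.
conn = sqlite3.connect(":memory:")
conn.execute("PRAGMA foreign_keys = ON")  # SQLite enforces FKs per-connection
conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)")
conn.execute("""
    CREATE TABLE addresses (
        id INTEGER PRIMARY KEY,
        user_id INTEGER REFERENCES users(id) ON DELETE CASCADE,
        street TEXT
    )
""")
conn.execute("INSERT INTO users VALUES (1, 'alice@example.com')")
conn.execute("INSERT INTO addresses VALUES (1, 1, '123 Main St')")

# One statement removes the user and every dependent row referencing them.
conn.execute("DELETE FROM users WHERE id = 1")
remaining = conn.execute("SELECT COUNT(*) FROM addresses").fetchone()[0]
print(remaining)  # 0
```

The catch, as the replies below note, is that this only works when the schema was designed so that all PII hangs off a single user key in the first place.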
This hasn't been my experience. Do you work in a large company? My experience has been that there are heaps and piles of data including (or potentially including, unstructured) personal information. And lots of reasons why complete deletion isn't possible - because certain other information nearby the personal information is necessary for business purposes (like submitting invoices), or because the person requesting deletion only wants part - not all - deleted, or because the database is structured such that deletion isn't feasible until next year when we roll onto a new technology, etc etc.
I work at one of the largest, and have also worked at startups and in between.
Having PII littered about in ways that aren’t easily deletable is quite a canary. Companies with these issues are the same companies that end up with data breaches due to their cavalier treatment of user data. Perhaps these companies should be grateful they have a regulatory body ensuring they don’t fall too far behind the basic data stewardship practices the rest of the industry has in place.
Not sure why this is being downvoted. It’s precisely these companies that haven’t architected their systems well or prioritized the safety and security of PII by littering it about in various systems and making it “undeletable” in their processes, that need a swift kick in the ass to get it together.
I can’t believe people consider the argument that because companies have poorly managed systems and PII centered databases with no abstraction (and therefore are working right on actual customer record data in their data lakes), that this is somehow a viable argument for why we shouldn’t make deleting data possible.
Companies like this are the next Equifax. Why would you condone their stupidity?
Agree. My argument is more along the lines of, “the companies that aren’t prepared for this are the ones who most desperately need to clean up their act in the first place, cost aside.”
But I’m inarticulate and do understand your reasoned point.
> Having PII littered about in ways that aren’t easily deletable is quite a canary.
"We can't figure out how to delete PII" and "Our schema is flexible" are the same canary in my view.
Everything goes back to founders & business owners giving enough of a shit to force a good architecture from the beginning.
You can't build an effective schema to store complex information if your mission isn't clear yet. If concerns over PII storage are "we'll worry about that later", then whatever schema is invented from that point will mirror that vision.
If the vision is "PII == high-level radioactive waste", then the resulting schema may not even offer places to store it, outside of specially-controlled tables.
The alternative is that they don’t collect the data. If companies can’t afford to shelter the data, delete it when asked, etc., there is an easy fix! Don’t collect and store it!
As a California resident who regularly opts out of data collection (and also, incidentally, works in tech), as a consumer I don't really care what you or your clients think. I just want you to comply with the law.
A remarkably high percentage of our legal framework is designed to protect a very small number of people from being exploited by another small number of people. Yes, the costs of implementing these laws are high, but the societal benefits are, in aggregate, huge.
My personal information is my own, just like my house, my car, my investments, my copyrights, and bank accounts. And I expect there to be laws that protect it, allow me to control it, and restrict how others can use it just as there are for my other assets.
If applying these laws is inconvenient, then that speaks volumes as to how overdue these laws were.
I like laws that say we must consent to email marketing and can opt out of it. They leave companies freedom to implement however they want.
CCPA, by contrast, requires complete deletion (which isn't easy to achieve these days) of data that no one is using, sitting in an out-of-the-way data store that otherwise wouldn't need to be touched.
It's just a lot of effort for no benefit. I think you should be allowed to tell a company not to use your information. You shouldn't be able to tell them how not to use it.
Hard disagree. Many security "breaches" are really the discovery of customer data in an S3 bucket "that no one is using in an out of the way data store that otherwise wouldn't need to be touched."
Forcing companies to track and manage the data in their stewardship is necessary because clearly the economic incentive is not high enough - by your own admission. It's easier (and cheaper) to just leave around. But - when, not if - it's hacked, /I/ bear the cost of their negligence, not them.
This is exactly why consumer protection laws are needed.
I think we're forcing them to manage the data in their stewardship inefficiently.
I'd actually love a law that says if my data gets stolen from a company and a hacker uses that stolen data to harm me, the company must pay for (some portion of) those harms.
But today it's setup so even if I don't get harmed they pay some lawyers to make the case go away.
On the other hand I've been highly disgruntled with California after living here a few years.
The DMV, PG&E, and voter registration have all leaked my PII to third parties. F all of them.
I don't intend to register to vote again unless they can prove themselves worthy of keeping my personal information confidential.
I never use USPS forwarding. If you ever register for USPS forwarding, they will GLADLY tell stalkers your new address if they ask. This should have been made constitutionally illegal 100+ years ago if I were in charge of this country.
Governments need to protect PII before waving these laws around at companies. I don't enjoy companies leaking my info either, but as of now governments have done it way more.
On another note, US and California law need to stop requiring residential addresses for everything. Banks, voter registration, DMV, etc. don't need to know where I sleep to a 20-meter radius, they only need to know what state and MAYBE county I file my taxes in.
I'm curious how this will work if we want to delete our data from this site. Will child posts be deleted, or will they just say [deleted]?
Furthermore, if someone trains an AI on your data, does the AI have to be "untrained?" If not, I doubt this will have too much effect for some applications.
Hmm I guess the idea is you have a db of training data that you need to flow deletes into. That db contains personal information so you need to keep it up to date. The model itself, once trained, doesn't contain personal information hence no requirement to retrain it.
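A sketch of what that delete flow might look like before each retraining run; the corpus layout and field names here are hypothetical:

```python
# Hypothetical: deletion requests accumulated since the last training run.
deleted_user_ids = {"u42", "u99"}

# Hypothetical training corpus keyed by the user each record came from.
corpus = [
    {"user_id": "u7",  "text": "keep me"},
    {"user_id": "u42", "text": "delete me"},
]

# Filter the corpus so the next trained model never sees deleted users' data;
# the already-trained model is left untouched.
clean_corpus = [row for row in corpus if row["user_id"] not in deleted_user_ids]
print(len(clean_corpus))  # 1
```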
I've gained a tremendous amount of respect for PII while selling software to banks.
My position on this type of data is that I am simply a temporary custodian over it. The identifiable person owns this information. I recognize it as pure liability for us. All downside in our business models.
We go out of our way to keep this stuff out of our systems. We spent the better part of a month talking about various architectures that would "keep the mess over there" (aka inside the bank's 'secure' environment).
The closest we get to liability is storing salted & hashed PII so that we can correlate business keys within sessions. If we find a piece of PII actually makes it through our layers of redaction, it is treated similar to production going down. Our entire team is trained to respond to a PII incident as if it were a radiation leak at a nuclear power plant.
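A minimal sketch of the salted-and-hashed correlation idea, using a keyed HMAC so the derived token is stable across sessions but useless without the key; the key handling and normalization shown are assumptions, not this team's actual scheme:

```python
import hashlib
import hmac

# Assumption: in practice this key would live in a secrets manager, not code.
SECRET_KEY = b"rotate-me-regularly"

def pii_token(value: str) -> str:
    """Derive a stable, non-reversible correlation token from a PII value."""
    # Normalize so trivially different spellings map to the same token.
    return hmac.new(SECRET_KEY, value.lower().encode(), hashlib.sha256).hexdigest()

# The same person yields the same token, so business keys correlate across
# sessions without the raw PII ever being stored.
assert pii_token("Jane.Doe@example.com") == pii_token("jane.doe@example.com")
print(len(pii_token("jane.doe@example.com")))  # 64 hex chars
```

Using an HMAC rather than a bare salted hash means an attacker who dumps the token store can't even mount a dictionary attack without also stealing the key.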
> The best way to protect PII is to ruthlessly minimize it in your system.
Absolutely, been trying to preach this for ~10 years now at various companies.
Another argument to make is that I can guarantee 100% certainty against leaks with a budget of $0, for all the data columns that I never had. Such a deal!
Any other choice is going to cost a lot more and have reduced chance of success.
Sure, we need to handle some sensitive data to run the business but choose selectively, since every one just adds both cost and risk.
If spying on people is the “lifeline of our digital economy,” maybe that needs to change.
Seems like a deeply positive step towards allowing people sovereignty over their own identities, albeit their identities in digital form, which is deeply humanistic and a core of a less evil, more civil cyberpunk future.
Although interesting, I also always see this as an "erase poor people's data" policy, same as people deleting their reddit comments.
In 100 years they'll be investigating the real history of 2023, and most records will have been deleted; only aggregates will survive, preserved by CNN, Fox News, and other billion-dollar institutions with their own points of view.
Today you can go 100 years back and find that a John Panini traveled by boat from the UK to the US on a given day and paid 1 cent.
There's plenty of unerase-able public data on all of us, especially data that's going to be interesting in 100+ years from now. For example, things like owning property are recorded in the county registrar and will be there as long as the county registrar is.
Everything else, like travel logs and diaries will continue to exist for everyone who wants them to exist. Just as people did 100 years ago, who intentionally kept diaries, these things will remain indefinitely.
Regardless, there's so much content being pooped out right now that a single year will keep future anthropologists busy for centuries.
There may be some overcorrection going on, but there's no way this is a bad thing. We had no idea what Einstein had for breakfast on May 5, 1903, and we're doing just fine.