The legislation appears to be limited to data brokers. While this is nice and welcomed, this also means it doesn't cover entities like Google or Facebook.
The standard answer (at least for Google, not sure about Facebook) is that they're not considered data brokers because they only sell ad placement based on the data, not the data itself.
One could make a case for splitting the data collection activities from the ad sales business as part of an anti trust case. Or pass regulations and laws to that effect.
> One could make a case for splitting the data collection activities from the ad sales business as part of an anti trust case. Or pass regulations and laws to that effect.
That would be a net negative for privacy, because it would mean more parties having access to your data (without your consent or even knowledge). And given the state of security in ad-tech aside from Google, that means the chances of your data getting breached and leaked would increase exponentially.
That would be a pretty weird case to make. Typically anti trust is used to prevent a business from using market dominance in one market from entering another market. Considering they don’t participate in the data sales business it’d be a weird scenario to force them to start. I’d prefer we don’t force them to start.
Gmail with ads seems way preferable to Gmail who sells your data to others.
Google helped craft these laws. This is classic regulatory capture.
In particular, it is banning horizontally integrated surveillance capitalism (which requires the sale of data between the data gathering companies and the people using it), but not vertically integrated surveillance capitalism.
In all likelihood, some companies in this ecosystem will be forced to sell at fire sales to conglomerates (like Google) simply to avoid having to comply with this law. Of course, this benefits organizations that are large enough to acquire the companies, and no one else.
So, people with financial conflicts of interest are picking winners and losers, which is pretty much standard practice in US politics these days.
I personally think this whole consumer tracking industry should be shut down. It should be illegal to gather the types of information that this bill regulates.
Exactly, for data sales, the advertiser gets the information up front.
For ad placement, they only get it after you click on the ad, and it's only linked to you personally by your IP address and browser fingerprinting, or more directly if you log in or buy something.
Who knows what they'd sell if their business declined for a while and there was a hostile takeover or they otherwise got desperate for new revenue streams.
And then if you were paying attention you could make a new one of these requests... but maybe you'd miss it for a bit, and then it would be too late.
The law should be based on what you collect instead of what you sell to better protect against this sort of thing.
Thats not relevant of what they could do. This laws covers what you are doing and applies to entities selling your data. Big ad players don't sell their data because that is their secret sauce in ad targeting.
Companies selling your data are your bank(credit card purchases), mobile carriers(location), your DMV(photos, driving record, misc PII including address, dob etc), state/county government(public records like marriage licenses). Its weird everyone bashes on google and FB for something they don't even do.
... except when they sell their domain registration business.
And yes, I realize that there's a (technical) difference between selling data and selling a business including its data assets.
But then again, maybe a really big chunk of the value of that business is its customer data.
For some business acquisitions special terminology like "aqui-hiring"[0] has evolved so it's understood that not every sale of a business is of the same nature.
And since the value of data has arguably become much higher than ever before, the distinction of selling data by itself and selling the entire business is becoming smaller as time goes on.
This misses the point. The issue is not whether or not Google/Facebook should be classified as data brokers or not. The issue is that they are data collectors who invade our privacy.
I want the means to tell companies "Do not collect information on me." And I want that to be enforceable by law.
CCPA already requires Google to delete your data on request. Though AFAIK CCPA didn't produce any changes as Google already allowed you to do that.
The same applies to any non-small business that you have a direct relationship with and provide your information to; CCPA requires that business to delete the info if you request it.
Data brokers are a special case because they don't get their information directly from you, instead they slurp up whatever public and private data they can scrape or buy, and then resell that to other companies. Given you don't have a direct relationship with the data brokers, it's hard to even figure out who has your information.
Note, CCPA seems to have excluded the credit bureaus from designation as data brokers, even though those guys are responsible for leaking SSN and full personal information on the majority of US citizens.
The US system of credit surveillance is pretty unusual (EU countries don't do anywhere near that much stalking and they have functioning debt markets) so I'd love to learn what would actually break if people were allowed to opt out of that tracking. Presumably there are some government records you can't opt out of like UCC filings and bankruptcy, and any potential creditor could just look up the primary sources themselves.
reply