back to article Google weeps as its home state of California passes its own GDPR

California has become the first state in the US to pass a data privacy law – with governor Jerry Brown signing the California Consumer Privacy Act of 2018 into law on Thursday. The legislation will give new rights to the state's 40 million inhabitants, including the ability to view the data that companies hold on them and, …

  1. Anonymous Coward
    Anonymous Coward

    Zuck on that Bitch!

    Good news for those lucky enough to live within CA's realm. Which is also a bone of contention, as no one really knows how the territorial scope of GDPR works. i.e. If you travel or move or have family/friends between jurisdictions... Do you get privacy raped, saved, then data raped again???

    But the speed the law passed is notice to Zuck & Cult, that blatant lies and evasiveness on key issues such as offline and non-user tracking isn't on anymore. People aren't going to sleepwalk to the kind of dystopian nightmare that gives Zuck & PageBrin orgasms everyday. Even if most people are zombies about their privacy, the NOYB crowd of lawyers are suiting up!

    1. Anonymous Coward
      Anonymous Coward

      No 'Meaningful change' in user numbers

      Zuk is fond of saying that. But two recent surveys confirm: teens are turning away, and people are looking elsewhere for their news. So while Facebook can claim there's no meaningful change, they rely on perpetual growth, therefore stagnation is a cancer...

      Only 2 family members dumped Facebook since March. But they were the ones keeping the lights on. They had FB on all devices, all of the time. That's a story telling metric, as it says lots about quality. User count is deceptive, if users share, post & pm less...

      1. JohnFen

        Re: No 'Meaningful change' in user numbers

        " teens are turning away,"

        In fairness to Zuckerberg, this trend began well before Facebook's latest adventure, so it really isn't a "meaningful change". Teens are leaving Facebook because they (correctly) perceive that Facebook is for businesses and old farts.

        1. Anonymous Coward
          Anonymous Coward

          Re: No 'Meaningful change' in user numbers

          ... and because the kids perceive facebook as farties business, the Zuckerbergers, being well paid, smart people, have already (actually quite some time ago) invested into a couple of "platforms", to extend a helping hand to those ungrateful kids who try to bail the ship. In other words: they own the boat, the rafts, life jackets and life buoys. And, I bet, they didn't forget to bribe the sharks...

        2. BillG
          Happy

          Re: No 'Meaningful change' in user numbers

          @JohnFen wrote: Teens are leaving Facebook because they (correctly) perceive that Facebook is for businesses and old farts.

          Teens are leaving Facebook because it's harder to be anonymous on FB, and parents are demanding access to their teen's FB page.

          So teens use Twitter instead because they like how Twitter is much easier to use while being anonymous. They also like how it's easier to hide a Twitter account from parents.

          1. JohnFen

            Re: No 'Meaningful change' in user numbers

            "Teens are leaving Facebook because it's harder to be anonymous on FB"

            I doubt this explanation, as it's trivially easy to be anonymous on FB.

            1. Orv Silver badge

              Re: No 'Meaningful change' in user numbers

              You can be anonymous on FB until someone reports you. Which has become a pretty common form of revenge.

    2. Remy Redert

      Re: Zuck on that Bitch!

      How GDPR works: Are you a legal resident or citizen of any country inside the EU? If yes, GDPR applies to you and your data regardless of where you reside at any given moment. If you go the US, some company collects your data without informed, freely given, consent, they are in breach of GDPR.

      Now getting a remedy against such cases might be hard if they have no presence in the EU, but that is a whole different matter. I have not read the new Californian bill, so I don't know how its language defines whom it applies to.

      1. This post has been deleted by its author

        1. This post has been deleted by its author

      2. Mike 137 Silver badge

        Re: Zuck on that Bitch!

        "getting a remedy against such cases might be hard if they have no presence in the EU"

        If they process the personal data of 'data subjects who are in the Union' and are 'a controller or processor not established in the Union' (GDPR Article 3(2)) they are obliged to designate a representative in the EU (Article 27(1)) and declare the representative's contact details (Articles 13(1(a)), 14(1(a))).

        However the interpretation of the term 'in the Union' under Article 3 (and elsewhere) remains to be fully established by precedent.

        1. Mike 137 Silver badge

          Re: Zuck on that Bitch!

          "getting a remedy against such cases might be hard if they have no presence in the EU"

          If they process the personal data of 'data subjects who are in the Union' and are 'a controller or processor not established in the Union' (GDPR Article 3(2)) they are obliged to designate a representative in the EU (Article 27(1)) and declare the representative's contact details (Articles 13(1(a)), 14(1(a))).

          However the interpretation of the term 'in the Union' under Article 3 (and elsewhere) remains to be fully established by precedent.

          -----------------------------------------

          I'd be fascinated to know why this post got a down vote!

    3. Anonymous Coward
      Anonymous Coward

      Big Deception

      What's interesting is that most of the preparation or hard work for GDPR was done well before the Facebook-Cambridge-Analytica-Palantir news ever broke. So what we're seeing now, is what Silly 'con' Valley thought they could get away with. So its going to be interesting to see where things really are in about a year or two...

      Also, I don't buy the point at all about Microsoft offering more transparency. I think its more likely, and if true quite scary, that they actually knew far more about their users, and could predict with a high probably that most of them wouldn't even venture into those privacy setting screens. So, Microsoft simply weren't worried!

      1. bombastic bob Silver badge
        Big Brother

        Re: Big Deception

        well, a broken clock is right twice a day. slow-clap for the Cali-fornicate-you legislature. clap. clap. clap.

        I'm glad they did it, but this from the article is probably correct (and a bit frightening):

        "with the chance to change it later through normal legislative procedures"

        They'll emasculate it as soon as they can with loopholes, "but if" exceptions, and other weakened features that are bought and paid for by the Silly Valley liberals that PWN them. For the Cali-fornicate-you legislature is one of *THE* most corrupt organizations ON THE PLANET.

        if enough states do the same, the feds will act and federal law will take precedence over state laws. That would help prevent them from being weakened in the future.

        NOW - will Micro-shaft have to UPDATE their EULA policies with respect to the Micro-shaft Login, "the slurp", "the ads", etc. in Win-10-nic? And, their plans for GITHUB...

        icon, because it's what "they" *REALLY* want.

        1. Teiwaz

          Re: Big Deception

          From a east side of the pond perception, the only 'liberals' in this story are the thoughtful individuals who managed to get this thing through.

          A rare win, even if it was done with the usual game the political system method and will be shat on the moment oligarchs find someone willing to take a 'donation'.

    4. Charles 9

      Re: Zuck on that Bitch!

      The thing about California is that, through their sheer size, they can create trends that reverberate throughout the country. Don't believe me? Look up "California Emissions".

    5. Michael Habel
      Black Helicopters

      Re: Zuck on that Bitch!

      NSA vs CIA learn the difference (It could save a life!).

      But, in case you weren't aware the CIA does NOT have jurisdiction to officially operate on American Soil. As any good pleb should know that's the boy from Fort George Meade (Odenton md.). a.k.a. the National Security Agency's turf. To spy on its fellow 'Merican's

      1. phuzz Silver badge
        Black Helicopters

        Re: Zuck on that Bitch!

        "the CIA does NOT have jurisdiction to officially operate on American Soil"

        That's a very different sentence from "the CIA does not operate on American soil". The first sentence is true, the second sentence though...

        (And it's probably better to compare the CIA with the FBI. Roughly speaking, the FBI do domestic, while the CIA does overseas. The NSA can spy at home and abroad, but their main focus is abroad.)

    6. TheVogon

      Re: Zuck on that Bitch!

      "a hefty $7,500 fine."

      LOL. Not quite as hefty as the €20 million of GDPR.

      1. Eltonga
        Mushroom

        Re: Zuck on that Bitch!

        "a hefty $7,500 fine."

        LOL. Not quite as hefty as the €20 million of GDPR.

        It's per user. Do the math.

      2. MrAverage

        Re: Zuck on that Bitch!

        I read that as being $7,500 for each offence. i.e. 5,000,000 peoples data breached = 5,000,000 x $7,500?

  2. Blockchain commentard

    I seriously hope that's $7,500 per person else Google, Facebook etc will be breaking the law every day and not notice it on the bank balance.

    1. Anonymous Coward
      Anonymous Coward

      'I seriously hope that's $7,500 per person'

      Looks like its better than that... Its per 'each violation'! Which could be multiple 'per user'... If so, that will be a nice bite out of investors profits! After all, its the investors & advertisers that need to take the hit, as Google & Facebook show they're incapable of changing!

      1. DCFusor

        Re: 'I seriously hope that's $7,500 per person'

        How about companies you have no prayer of opting out of normally, like say Experian, Equifax...???

        I guess you can at least opt out of being in the Office of Personnel Management database...by not working for that jobs program called government.

        How about that huge recent ad agency leak- you know, the one no one even knew the name of, reported here? In usual CA style, flawed law and no way to really enforce it. How can you ask outfits you don't know exist - and who have a lot more effect on you (credit rating...and so on)?

        Yeah, this author is parochial as hell, and thinks CA is somehow all more computer knowledgeable than the rest of us...(which doesn't explain a lot of totally daft things done there in silly valley) and is obviously a google hater due to gentrification (And him not getting one of those good jobs) but hey.

        I'd bet money he can't name all the outfits that hold data on him himself.

  3. Zwuramunga

    Easy Enough

    Requests immediate deletion of all records.

    1. tfewster

      Re: Easy Enough

      Y'see that's tricky. They can delete it, but then just collect it again. I think the solution is to say "You don't have permission to hold data on $ME, except that minimal info that identifies $ME - Say, name, address* & possibly date of birth. If anyone enquires about $ME, you can only tell them 'We are not permitted to hold or share any information about $ME' " But even that is information of a sort.

      * home, business, email or website address. e.g. tfewster@myisp.com is unique and identifies me completely - anything linked to that email is protected. Same for all my other email addresses :-)

      Exactis "timed" their breach just right - a few days later and everyone in California would have had a case under the new law.

      1. Danny 14

        Re: Easy Enough

        not so with GDPR, with GDPR a right to erasure needs to be permanent both historical and going forwards (including if backups are restored). If they can prove you started a new relationship agreement with them then the erasure will be null from THAT point onwards and only within scope of that agreement.

      2. bombastic bob Silver badge
        Devil

        Re: Easy Enough

        some level of common sense data retention, such as the fact you did business with a company, or bought items and had a receipt for those items, is reasonable to retain (such things are really needed for proper bookkeeping standards and income reporting to government agencies, sales tax collection, and so on). But then, GDPR and related laws SHOULD take over to prevent that data from being used for 'other than that' purposes, such as tallying up what you purchase for advertising purposes.

        So the 'right to forget' might mean including "your identification number" into a list o' IDs to exclude from statistical analysis and reporting to 3rd parties. The data would be effectively 'forgotten'. But things needed for accounting purposes and legal requirements would not be.

        At some point you can't assume the data was actually "deleted". it might be illegal to actually delete it. It might also break most accounting systems.

        it might be possible, however, to change your customer ID to "anonymous customer" and aggregate all anonymous customers into one. I'm not sure if that would violate legal requirements on accounting practices, though.

        as for slurping and targeting ads based on your clicking and browsing and e-mail history - DELETE is the way to do it.

      3. Eddy Ito

        Re: Easy Enough

        Sadly Exactis wasn't so much a breach but, as I understand it, more matter of leaving the database accessible to all and sundry on one of their servers. To me a breach is more when one gets past defenses but it assumes that one at least puts the lid on the garbage bin and it doesn't look like Exactis did even that.

  4. Chronos
    Flame

    Legitimate business interests

    The more I hear this phrase, the more I want to kick whoever first coined it. The only "legitimate business interest" is "more profit."

    Adding the word "legitimate" to something does not automatically make it good. For example, I have a legitimate interest in anyone trying to con me out of my personal information being force-fed a large bag of plump donkey dicks until they explode. That doesn't make it right, recommended or a reasonable path to take. Far better to let objective legislation take care of the problem.

    1. DJO Silver badge

      Re: Legitimate business interests

      "User privacy needs to be thoughtfully balanced against legitimate business needs."

      An apparently innocuous phrase which is wrong in every detail. User privacy is paramount and inviolate without informed permission given.

      That's it, no if's, no buts, no exceptions.

      1. Pascal Monett Silver badge
        Thumb Up

        Re: Legitimate business interests

        Completely agree. I nearly jumped out of my chair when I read that phrase, and I had to force myself to finish reading the entire article (a very interesting read, BTW) before coming here to say the same thing, but in slightly more profane terms.

        In any case, it is refreshing to see that, for once, political machinations can be used for good. Hats off to the people who got this law pushed through.

        1. Da Weezil

          Re: Legitimate business interests

          Google.. let me make this absolutely clear. you have NO legitimnate interest in my personal data, it is MINE not yours and I am the only arbitor of "legitimate" use of that data. I have spent too many moment in my life trying to shield my life from your pervasive and unwanted voyeurism.

          You... and your "partners" can go and perfect the art of self penetration - preferable with large impliments lacking any form of lubrication.

          Its MY data not yous, you have no legitimacy in respect of such data.

          1. Clarecats

            Re: Legitimate business interests

            "Google.. let me make this absolutely clear. you have NO legitimnate interest in my personal data, it is MINE not yours and I am the only arbitor of "legitimate" use of that data. I have spent too many moment in my life trying to shield my life from your pervasive and unwanted voyeurism."

            Okay, it's your data. I agree we need more privacy.

            Are you now going to pay Google or others every time you conduct a net search? How else will this work? Getting advertisers to pay more to Google won't necessarily improve your life either; and more of us would use ad blockers.

            I suggest some kind of a happy medium would work. You could tell data collectors what you agreed would be stored, sold or traded. Any other use would be in breach.

        2. John Brown (no body) Silver badge

          Re: Legitimate business interests

          "In any case, it is refreshing to see that, for once, political machinations can be used for good. Hats off to the people who got this law pushed through."

          Although it's very much worth bearing in mind that the whole point of pushing it through was specifically to make it easier to change later, unlike a ballot version which, as the article states, would be much harder to change once passed. That should be concerning to everyone. If the politicians were really up for this type of privacy legislation, why didn't they just let it go to a ballot? Let's hope that Mactaggart & co are keeping a close eye on the legislation as written and any future modifications (which may be hidden in other bills as riders etc.) and are ready to act again.

          1. Alan Brown Silver badge

            Re: Legitimate business interests

            "unlike a ballot version which, as the article states, would be much harder to change once passed"

            Of course, a ballot now could lock-in the existing law and any changes could be undone with a ballot too.

          2. Number6

            Re: Legitimate business interests

            Although it's very much worth bearing in mind that the whole point of pushing it through was specifically to make it easier to change later, unlike a ballot version which, as the article states, would be much harder to change once passed. That should be concerning to everyone. If the politicians were really up for this type of privacy legislation, why didn't they just let it go to a ballot? Let's hope that Mactaggart & co are keeping a close eye on the legislation as written and any future modifications (which may be hidden in other bills as riders etc.) and are ready to act again.

            I can see some merit in having it easily changed in case there is an issue where someone got something wrong. If the only way to fix it was another ballot initiative then fixing errors might turn out to be hard. On the whole though, I'd prefer the ballot version because it's harder to subvert as I see that as more likely than incremental improvements through the normal legislative process. I agree, I hope that they keep the ballot stuff in a safe place, ready to haul it out if someone offers the legislators enough money to change the existing version to something weaker.

        3. Jamie Jones Silver badge

          Re: Legitimate business interests

          Pascal - haha, I had the exact same reaction!

          Obviously (to us), the only legitimate needs would not be considered a privacy violation (e.g. a company that delivers you stuff having your postal address)

          If anyone needs to think about whether a "'legitimate'(!) business need" has privacy issues, they've already answered their own question.

          1. Anonymous Coward
            Anonymous Coward

            Re: Legitimate business interests

            "If anyone needs to think about whether a "'legitimate'(!) business need" has privacy issues, they've already answered their own question."

            You mean.. Like an IMAP email server, or a cloud server, or a video hosting server, or any photo or other data sharing service, or any "social media" platform including The Register?

      2. Doctor Syntax Silver badge

        Re: Legitimate business interests

        "User privacy needs to be thoughtfully balanced against legitimate business needs."

        Turn it round: legitimate business needs need to be thoughtfully balanced against user privacy.

        1. DJO Silver badge

          Re: Legitimate business interests

          Of course a lot depends on who defines "legitimate", from Googles perspective everything and anything qualifies, my perspective is pretty much diametrically opposed.

          GDPR got this dead right, the information demonstrably necessary to provide the service and no more is all a company can keep and none of it can be transferred to any other entity be they another company or a different division of the same company.

    2. katrinab Silver badge

      Re: Legitimate business interests

      "For example, I have a legitimate interest in anyone trying to con me out of my personal information being force-fed a large bag of plump donkey dicks until they explode."

      Seem totally reasonable to me.

      1. Chronos

        Re: Legitimate business interests

        Seem totally reasonable to me.

        Also to me at the time. Of course, when I've dabbed away the rabid foam from my chin, can see without a red mist or dancing spots and my diastolic is back to double figures, I'll quite happily admit that this is not nearly a capital offence - except for the storage medium that holds the data which does need to expire in a conflagration.

        That should be why we have laws, to keep the torch and pitchfork industry from being the largest employer in the world.

    3. Anonymous Coward
      Anonymous Coward

      Re: Legitimate business interests

      User privacy needs to be thoughtfully balanced against legitimate business needs.

      Copyright needs to be thoughtfully balanced against legitimate business needs.

      Due process needs to be thoughtfully balanced against legitimate business needs.

      Ending slavery needs to be thoughtfully balanced against legitimate business needs.

      Democracy needs to be thoughtfully balanced against legitimate business needs.

      1. bombastic bob Silver badge
        Unhappy

        Re: Legitimate business interests

        yeah, 'legitimate business needs' - when the l[aw]yers get ahold of THAT one, watch your wallet. And your privacy.

    4. Filippo Silver badge

      Re: Legitimate business interests

      If a new law is passed, and some "business need" is in violation of it, then that "business need" is NOT legitimate. That's literally what "legitimate" means.

    5. Pen-y-gors

      Re: Legitimate business interests

      User privacy needs to be thoughtfully balanced against legitimate business needs

      "User privacy takes precedence over unjustified business desires"

      FTFThem

    6. Montreal Sean

      Re: Legitimate business interests

      @Chronos

      "...I have a legitimate interest in anyone trying to con me out of my personal information being force-fed a large bag of plump donkey dicks until they explode. That doesn't make it right, recommended or a reasonable path to take."

      I disagree, it is a very reasonable path to take. :)

    7. Orv Silver badge

      Re: Legitimate business interests

      The phrase "legitimate business" mostly just makes me think of old mobster movies, where their associates were always "legitimate businessmen."

  5. Anonymous Coward
    Anonymous Coward

    49 to go

    Mr. Mactaggart, please come to Texas. And every other damned state. And please add a small amendment to your bill that excludes these protections for any Congressmen or Senator who takes money from lobbyists affiliated with data collection companies.

    1. ratfox

      Re: 49 to go

      Texas does not have ballot initiatives. About half of US states do not.

      Though I'm actually surprised that about half of US states do have ballot initiatives. Based on the ballots I heard about, I assumed only California had them.

      It does seem an interesting system! In this case, it was really efficient.

      1. bombastic bob Silver badge
        Meh

        Re: 49 to go

        ballot initiatives are an unfortunate necessity because THE LEGISLATURE is so @#$%'ing corrupt!

        Recently they did an 'end around' of one of the first ballot initiatives in this state that requires a 2/3 majority in the legislature to INCREASE taxes. A tax increase on gasoline and large increases in car registration fees was recently passed. A local radio guy, Carl DeMaio, along with a few others, has gotten it on the November ballot, to repeal it. But like a LOT of good measures, "the left" will be spending ZILLIONS to defeat it, like the 'bag ban' initiative a while back [yeah banning single use plastic bags at grocery stores, and REQUIRING customers to PAY FOR RE-USABLE BAGS - needless to say, OVER HALF of the shoppers say "no bags" and won't pay for ANY bag, nor bring in re-usables - all items loose in the cart!!!]

        So ballot initiatives CAN backfire, unfortunately. People are too easily swayed by EMOTION and MIS-INFORMATION (read: fake news). People *NEED* to stop *FEELING* and start *THINKING*, but good luck making THAT happen in a self-centered hedonistic society, where arrogant/smug/hubristic wealthy people exempt themselves from the negative consequences, but then use their wealth and influence to force OTHERS (who really can't fight back) to give up THEIR wealth and freedom, for some pet 'charitable' cause that makes smug wealthy person "feel good about himself", like the environment, ending orca shows at Sea World, and "free" [insert thing here] for "all" (which becomes mediocre "thing for MOST" since demand will go up and quality down to satisfy the new 'need', and 'the rich' will ALWAYS have the best ANYWAY) and so on.

        maybe if we had no ballot initiatives, we'd get rid of the ASSHATS in Sacramento instead of RE-ELECTING THEM!!!

        1. Teiwaz

          Re: 49 to go

          @Bob

          Mostly agree with you until "free" [insert thing here] for "all" (which becomes mediocre "thing for MOST" sounds like you're talking Health Care.

          It's one of those basics, that if you are without, mediocre might well be better than nothing at all.

          You are cutting off the base of the pillar to attack the top.

        2. ardj

          Re: 49 to go

          @bombastic bob

          Two things:

          1. When people start shouting at me – capitals, asterisks &c, I generally go away until they stop. You may want to consider bombasting a bit more subtly.

          2. a) You do not explain why a tax increase on gasoline /increased car reg fees was bad, so little sympathy for you railing against an unidentified scarecrow called “the left” (to which so many of your readers will belong).

          b) Quite what is wrong with people not using plastic bags is unclear – seems to me that was the point of the legislation: or do you feel the carts are getting a raw deal ?

          c) Why do you want to put orcas on display ?

          d) You ask that we stop feeling and start thinking: physician, heal thyself ?

          That’s all for now – have, what I believe you Americans call, a good one.

      2. JohnFen

        Re: 49 to go

        I live in a state (not California) that has an initiative process. Here's my take on it: it's a double-edged sword.

        On the one hand, it makes it possible for the citizenry to address issues and problems that for one reason or another (ahem*money*ahem) the legislators don't want to address or don't want to fix. That's unambiguously good.

        On the other hand, initiatives are often written by people who don't really understand how legislation works, so it is often inherently flawed, doesn't do what the initiative is trying to do, and so forth.

        1. Orv Silver badge

          Re: 49 to go

          On the one hand, it makes it possible for the citizenry to address issues and problems that for one reason or another (ahem*money*ahem) the legislators don't want to address or don't want to fix. That's unambiguously good.

          My favorite recent example is Ohio, which passed an initiative to reform their process for drawing congressional districts. There's no way a legislative majority created by gerrymandering would ever vote to end the practice.

  6. Camilla Smythe
    Happy

    Icon

    Eyes Right -->

  7. Anonymous Coward
    Anonymous Coward

    > "We think there's a set of ramifications that's really difficult to understand," said a Google spokesperson

    Erm... no, it's not difficult to understand. You just don't want to listen, but it's not difficult to understand at all.

    > adding: "Complying with the law needs to be thoughtfully balanced against legitimate business needs."

    Ok, he didn't say exactly that, but that was the gist of it.

    1. John Brown (no body) Silver badge

      "> "We think there's a set of ramifications that's really difficult to understand," said a Google spokesperson

      Erm... no, it's not difficult to understand. You just don't want to listen, but it's not difficult to understand at all

      What he meant was that it's difficult to understand where the loopholes in the legislation are as yet. They need to get the lawyers going over the wording with a fine-toothed comb so they can argue that black is white in court at some stage. (Maybe we should introduce them to a zebra crossing?)

  8. steelpillow Silver badge
    Pint

    Google says

    "User privacy needs to be thoughtfully balanced against legitimate business needs," say Google.

    That can and should be done by the user.

    Oh, you mean "if you aren't buying the product then you are the product" type business needs? Then fuck off, Google.

    California, have one on me - icon.

    1. Anonymous Coward
      Anonymous Coward

      "User privacy needs to

      override business needs"

  9. C. P. Cosgrove
    Thumb Up

    Yayy !

    Good on you, citizens of California.

    Chris Cosgrove

  10. JohnFen

    Good

    Fuck Google and all the other spy companies. Now, here's hoping that other states will do similar things.

    1. Orv Silver badge

      Re: Good

      California often leads the way on such things. It has about 10% of the country's population, making it a big enough market that it tends to make more sense to just apply the stricter rules everywhere, rather than make an exception. For similar reasons, automakers have largely stopped making a distinction between cars with "California emissions" and ones with "Federal emissions" equipment. Technology and market size have made it easier to just standardize on what CA is doing.

  11. Anonymous Coward
    Anonymous Coward

    From the article:

    Of course, Google, Facebook et al are going to spend the next decade doing everything they can trying to unravel it. And as we saw just last week, lawmakers are only too willing to do the bidding of large corporate donors. But it is much harder to put a genie back in the bottle than it is to stop it getting out. ®

    Also, trying to reverse this will always, always look incredibly slimy. Even mentioning it would be a very blatant public admission.

    Personally speaking I find it hilarious how this has come about. The hilarity is the speed with which it's happened, and in a country which looked like it would be the last place on earth for this to happen. Well CA, welcome to the club.

    There's been a variety of warning signs over the past years that the ad funded data slurping business model was on shaky ground, especially in Europe. Well, they've had plenty of time to consider their business model lest some legislative catastrophe smite them from an unexpected angle. And so it's happened.

    If they don't start taking the risk to their continued profitability seriously, their shareholders are quite rightly going to be furious. And they may see an extinction of their business (Facebook), or a severe curtailment of their revenue (Google). I've been saying for a while now that the companies should take a brave pill and just conduct business in a normal way; charge for their services. Microsoft seem to do quite well by that (selling O365). Why can't Google or Facebook charge too? Are they afraid that no one will buy them?

    And that's the problem. Google's search, maps, perhaps gmail are useful services for which Google could probably get away with charging $5 / year. I'd pay that, possibly even a bit more, but it'd better be slurp free. But Facebook? SnapChat? WhatsApp? Instagram? A lot of these are of dubious appeal, especially as they all do basically similar things. A lot of these are going to fall by the wayside.

    The problem that would then arise is that Google and WhatsApp would become actual monopolies, the last ones left standing, followed by regulation, followed then by enforced open standards, and a break up of the companies, just as happened to the telecoms industry all those decade ago. If this happens, it's a disaster for today's shareholders. Also if today's new law leads to the decline of the companies and the burning up of their cash piles to stay in business / maintain share price, one day there's going to be nothing left.

    Sell. Fast.

    1. JohnFen

      "If this happens, it's a disaster for today's shareholders. Also if today's new law leads to the decline of the companies and the burning up of their cash piles to stay in business / maintain share price, one day there's going to be nothing left."

      That would be awesome.

      1. Charles 9

        Oh? AT&T is still standing and arguably bigger than ever. The Baby Bells simply glommed themselves back together through attrition, mergers, and buyouts. It's hard to break up something that big without it naturally trying to come back together through those methods.

        1. Anonymous Coward
          Anonymous Coward

          Hard to break up

          Reminds me of the melty metal terminator in whatever sequel it was he showed up. No matter how much you took him apart he always melted back into the same bad thing he was before.

        2. Clarecats

          "Oh? AT&T is still standing and arguably bigger than ever. The Baby Bells simply glommed themselves back together through attrition, mergers, and buyouts. It's hard to break up something that big without it naturally trying to come back together through those methods."

          Like putting a sponge through a blender.

    2. Charles 9

      Well, I believe the big catch is that the only way to amend a ballot initiative is with another ballot initiative, barring judicial intervention.

      1. ratfox

        @Charles 9: That's precisely why this law was passed in record time, in order to avoid the same rules being forced through a ballot initiative. They can amend the law much more easily.

    3. Doctor Syntax Silver badge

      "trying to reverse this will always, always look incredibly slimy."

      What's more the ballot proposition is already written and ready to go. They can threaten to reintroduce it if there's any weaselling.

    4. John Brown (no body) Silver badge
      Childcatcher

      "Also, trying to reverse this will always, always look incredibly slimy. Even mentioning it would be a very blatant public admission."

      This is why they pay big bucks to the PR teams and lawyers. They will try to spin it so that NOT collecting the data means terrorist and paedophiles and copyright "thieves" won't be caught.

    5. M Mouse

      "search, maps, perhaps gmail are useful services for which Google could probably get away with charging $5 / year."

      but they're greedy, so just as YouTube Red had a fee of $9.99 initially (and was unavailable in many other countries), when it was renamed and launched as YouTube Premium it went up (and in the UK equates to about US$15), and it's a MONTHLY fee. OK, they have added 'play music' too, but I will cancel after my 3 months trial, and see if my other 7 Google accounts can still get 3 months free...

      You don't really think Google would bundle all in your list for $5/ year, do you ?

  12. a_yank_lurker

    Tears

    The tears are real because a couple of well crafted state laws can become the basis of a federal law. It takes a couple of states to start the ball rolling. The real risk for Suck and Chocolate Factory is they could end with 50 similar but different enough laws to make get sales taxes correct look trivial. If they had any functioning grey matter they need to take CA law and have it become the federal toot suit. But that assumes intelligence.

    1. Charles 9

      Re: Tears

      Why don't they just send a puppet to challenge it in court, say on First Amendment grounds or something?

      1. Anonymous Coward
        Anonymous Coward

        Re: Tears

        Why don't they just send a puppet to challenge it in court

        Ajit Pai is undoubtedly already on his way

      2. Orv Silver badge

        Re: Tears

        I don't see a First Amendment case here. The First Amendment says the government can't restrict what you say, not that they can't stop you from collecting information. Also, long-established court doctrine holds that commercial speech is not as heavily protected -- this is why truth-in-advertising laws can exist, for example.

        Now, with the upcoming rightward leap of the Supreme Court, it's possible that'll change and we'll see a ruling wiping out all those regulations. But I don't expect that any time soon. It would happen incrementally, if at all. It's not a case that would provide a big political boost for the Court's current patrons, like Citizens United did.

        1. Charles 9

          Re: Tears

          But what if it could prevent a severe downer on the same patrons? Meaning they may look at it similarly to something that would boost them? I mean, who wants to hassle with red tape?

    2. Anonymous Coward
      Anonymous Coward

      Re: Tears

      I loved that -toot suit- !!!!!!!!!!!!!!!!

  13. Anonymous Coward
    Alien

    many chop up their corporate distribution for legal reasons

    and here is another reason to do so. Parent companies have separate satellite entities in other states and countries to avoid the impact of fines and regulation - this will be another reason, the data will go hide in an unlegislated place while they lease access from their little satellite corps.

    1. Cpt Blue Bear

      Re: many chop up their corporate distribution for legal reasons

      It occurs to me that the GDPR along with pretty much every other data protection law contains a clause banning transfer of data to jurisdictions with weaker protections than their own. This law gets California into that club.

      I wonder if this might have occurred to anyone else?

      1. Doctor Syntax Silver badge

        Re: many chop up their corporate distribution for legal reasons

        "This law gets California into that club."

        It's a thought but is it strong enough to match GDPR?

    2. Anonymous Coward
      Anonymous Coward

      Re: many chop up their corporate distribution for legal reasons

      "and here is another reason to do so. Parent companies have separate satellite entities in other states and countries to avoid the impact of fines and regulation"

      Ah yes, the "Content Delivery Networks" such as Akamai.

      Do you remember that leaked presentation slide from a shadowy agency showing how they gathered user data by MITM Akamai?

      The National Security Agency and Federal Bureau of Investigation have reportedly used Facebook's Akamai content delivery network (CDN) to collect information on Facebook users.[82] This report appears to show intelligence analysts intercepting communications between Facebook and its CDN provider, but does not indicate Akamai as being complicit in this process.

  14. Will Godfrey Silver badge
    Happy

    A breath of fresh air

    Just a breath, mind you, but what a change from the suffocating, seemingly relentless steamroller.

  15. Fazal Majid

    About California's initiative process

    Until 1911, California's venal legislature was fully in the pockets of the Big 4 (Huntington, Crocker, Hopkins and Stanford, yes, that Stanford). They controlled the Southern Pacific Railroad, and were not shy of abusing their monopoly to extract rents from Californians (most of the markets for agricultural produce were on the East Coast, which meant Southern Pacific could charge pretty much whatever it wanted).

    In 1911, Hiram Johnson, a Progressive governor was elected, with a mandate to reform the corrupt legislature. He did that by creating the initiative, referendum and recall processes that give California an unusual level of democracy for the US. In this case the initiative process is working exactly as intended, allowing the people to prevail over entrenched interests that captured the legislature.

    Of course, the lobbies adapted and learned to abuse the initiative process for their own ends, as the sugary-drinks lobby is using the same tactic to blackmail the legislature into preempting city soda taxes like Berkeley or San Francisco's.

    1. Anonymous Coward
      Anonymous Coward

      Re: About California's initiative process

      I'm glad to see another student of California history. This state is quite weird at times and this isn't the first time we've wander off the plot, making it up as we go along. This initiative is good to go if industry should try to water it down as they did earlier this year. Collecting signatures? Hell, I'll do it for free.

      1. This post has been deleted by its author

      2. Charles 9

        Re: About California's initiative process

        Actually, it's too late. The deadline's passed, and all the signatures are now void, unless he lied or pulled a bait-and-switch by presenting a stricter one.

      3. HolySchmoley

        Re: About California's initiative process

        "I'm glad to see another student of California history. This state is quite weird at times and this isn't the first time we've wander off the plot, making it up as we go along."

        As opposed to making it up in return for payment to political parties?

        California's weirdness and wandering off the (corporate funded) plot has much to appeal.

        1. Dick

          Re: About California's initiative process

          Not only corporate, a lot of the political money in California comes from a handful of unions.

    2. Gene Cash Silver badge

      Re: About California's initiative process

      And apparently it worked:

      California governor signs soda tax ban into law

      http://www.foxnews.com/politics/2018/06/29/california-governor-signs-soda-tax-ban-into-law.html

      (however I do think a soda tax ban is a GOOD thing, no matter how it was obtained)

      1. John Brown (no body) Silver badge

        Re: About California's initiative process

        "(however I do think a soda tax ban is a GOOD thing, no matter how it was obtained)"

        I suppose it depends on the sugar levels it kicks in at. The UK "sugar tax" on drinks recently kicked in. It's not really had a huge effect, despite the doom mongers predictions. Most fizzy drinks either went up a little in price or the manufactures reduced the sugar content to be below the threshold. The diet versions were already below the threshold.

  16. John Brown (no body) Silver badge

    Interesting

    The number of comments from USAains on GDPR along the lines of "fuck the EU, block the EU, hah, try and fine us EU" was quite astounding just days ago. (Not all USAians, obviously!!)

    My response to them was that GDPR will likely become a model for other countries to follow and eventually the USA would have to follow suit. Little did I realise that it could happen so rapidly and (part of) the USA would be the first to follow where the EU leads! ;-)

    1. Adam Connelly

      Re: Interesting

      Exactly. A number of US sites like Pottery Barn have taken the approach of blocking users from the EU instead of bothering to become compliant.

      I suspect that trying to block all of California as well isn't going to be an option for them, so this could make things quite interesting depending on what's in the law.

      1. Dan 55 Silver badge
        Facepalm

        Re: Interesting

        Pottery Barn:

        The pace of global regulations is hard to predict, but we have the ultimate goal of being able to offer our products everywhere.

        One thing that GDPR wasn't was hard to predict. It gave two years for businesses to get ready and was four years in the making before that.

        California's law was harder to predict.

    2. JohnFen

      Re: Interesting

      "Little did I realise that it could happen so rapidly and (part of) the USA would be the first to follow where the EU leads!"

      Since the US has essentially given up on being a leader in terms of things like human rights, it looks like the new leader is the EU.

  17. A-nonCoward
    Big Brother

    Wow!

    just wow!

  18. Anonymous Coward
    Anonymous Coward

    Translation

    "User privacy needs to be thoughtfully balanced against legitimate business needs."

    -->

    "Noooooooooooooooooooooo! No no no! Please, leave us alone! We're f****d without your personal data to whore out! Just let us carry on making loads of money"

  19. Pangasinan Philippines

    Sensational!

    you'll be amazed to hear why the privacy law passed so fast

    Tactic copied from the Daily Mail

    Click Bait?

    1. Orv Silver badge

      Re: Sensational!

      Pass laws fast with this One Weird Trick!

  20. Anonymous Coward
    Anonymous Coward

    Now for gun laws?

    Could get interesting..

    1. Charles 9

      Re: Now for gun laws?

      Too polarizing. Plus constant fear of the Day of the Jackboot justified by writings of the Founding Fathers.

      1. Anonymous Coward
        Headmaster

        Re: Now for gun laws?

        Gun laws run into the Second Amendment if they get too onerous. A U.S. constitutional amendment trumps anything a state/county/city might pass.

        So you can pass laws restricting magazine sizes, requiring background checks, banning sawed-off shotguns, setting limits on the number of guns a person can buy per month/year or defining and banning assault rifles, but you can't pass a blanket ban on guns without having that declared unconstitutional.

        1. Charles 9

          Re: Now for gun laws?

          And even then you have to be careful that the courts don't see your tactic as getting to a blanket ban the long way round/by a thousand cuts. Plus, like I said, the Founding Fathers were specifically afraid of the government itself cracking down on its own citizens (the Day of the Jackboot). That's why the country wasn't founded with a standing army.

  21. BebopWeBop

    "User privacy needs to be thoughtfully balanced against legitimate business needs."

    "User privacy needs to be subservient to business needs."

    As it should be.

  22. PNGuinn
    Mushroom

    NO

    ""We think there's a set of ramifications that's really difficult to understand," said a Google spokesperson, adding: "User privacy needs to be thoughtfully balanced against legitimate business needs.""

    Que?

    WHAT IS IT ABOUT F*&@@I*G NO THAT YOU DON'T QUITE UNDERSTAND???

  23. Anonymous South African Coward Bronze badge

    We are Borg.

    Resistance is Fut>KZERRRRT<

  24. Anonymous Coward
    Anonymous Coward

    Cat out of the bag

    As someone who had worked around the Internet for a long time, I think the issue here for the big companies is that people and businesses are going to realise that Internet marketing doesn't work nearly as well as is claimed. I even think they would rather take the hit on Cambridge analytics to maintain the lie. A small number of people will click and buy it, even if it's a political message but most of us won't, but don't tell the people paying by the click!

  25. skalamanga

    Google is known to cause cancer by the state of California...

    10chars

  26. Mike 16

    CA leading the way?

    Before you open that (CA) champagne, note that the current administration is hell bent on eliminating things like the CA emissions standards. And with the recent resignation from SCOTUS, they'll have the power to do it. Say goodbye to regulation of pollution, data-whoring, gerrymandering, purging voter rolls, etc.

    1. Charles 9

      Re: CA leading the way?

      CA leads the way in pollution standards due to Los Angeles (pollution ducks when you live in a thermal inversion zone). And districting remains in each state's hands (per the Constitution IIRC so the Feds can't usurp). Abortion can be a hot topic, but popular opinion still favors the status quo which can make the courts leery.

  27. A-nonCoward
    Headmaster

    2020 !!!

    uh, ain't there yet:

    "This bill would enact the California Consumer Privacy Act of 2018. Beginning January 1, 2020, the bill would grant a consumer a right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of 3rd parties with which the information is shared. "

    1. John Brown (no body) Silver badge
      Trollface

      Re: 2020 !!!

      Don't worry, it's a whole two years notice, just like with GDPR and I'm sure the likes of ICANN will be well prepared and not be asking for extensions/exemptions.

  28. Anonymous Coward
    Anonymous Coward

    "that's really difficult to understand"

    according to the recent Norwegian report, the above Google statement best describes how Google explains GDPR options to their users, crocodile tears, etc.:

    https://fil.forbrukerradet.no/wp-content/uploads/2018/06/2018-06-27-deceived-by-design-final.pdf

    (via bloomberg:

    https://www.bloomberg.com/view/articles/2018-06-29/facebook-and-google-exploit-loopholes-in-eu-s-data-privacy-rules)

  29. Winkypop Silver badge
    Thumb Down

    It's already been said, but...

    "User privacy needs to be thoughtfully balanced against legitimate business needs."

    "thoughtfully

    Weasel word for a massive legal maze of Byzantium proportions.

  30. Dan 55 Silver badge
    Meh

    Never mind, Silly Valley

    If you're a slurpy business you can always move to Delaware, i.e. open a shoebox office there, keep everything else the same, and say you're treating all your users' data except those from the EU and California according to Delaware's 'privacy' laws.

    There'll always be Delaware.

    1. Orv Silver badge

      Re: Never mind, Silly Valley

      California is 12% of the US population and probably a significantly higher percentage of its internet users.

      They probably can do what you suggest, but the question becomes, is it worth the effort to try to sort users by location (and pay fines when you get it wrong)? It may be that it's more economically feasible to just put up with the regulation than to try to maintain two parallel systems.

      It's different with the GDPR because a lot of US businesses have separate portals for EU countries, or just don't do much business with the EU. Losing those customers wouldn't hurt as much as losing all of CA.

  31. Anonymous Coward
    Thumb Up

    Hooray for the initiative process

    It's not perfect, but it is worth it for the occasional instances where it can outflank well-moneyed interests who want their wishes to be the rules of the road.

  32. Anonymous Coward
    Anonymous Coward

    Excluded

    Any company that holds data on more than 50,000 people is subject to the law, and each violation carries a hefty $7,500 fine.

    I guess that leaves the IBM HR department out then...

  33. John Brown (no body) Silver badge

    Sill Alert!

    I see that almost every single post lauding this new law or dissing the data slurpers has at least one, usually 2 downvotes, but there are no post opposing the law. I wonder who s/he works for and why they are afraid of putting up an argument?

    1. Anonymous Coward
      Anonymous Coward

      Re: Sill Alert!

      Yes, the corporate sock puppets are out in full force on this thread.

      Don't let downvotes from these sub-humans bother you.

      I think of it as a badge of honor when I get downvotes from obvious Sills (or Shills) that would sell their own Grandmother for an advertising dollar.

      So let's hear it, rather than silently downvoting users why not give us examples or scenarios where this could be a bad thing.

      Other than the usual BS about users wanting relavant/targeted ads you got nothing.

    2. Anonymous Coward
      Anonymous Coward

      'Wonder who s/he works for and why they are afraid of putting up an argument?'

      He/she? - More like an 'it' or bot.... Facebook's army of Bots... You don't think Zuk really took a year off to build an AI smart house do you? He was building a defense shield for the coming shit-storm...

  34. Anonymous Coward
    Anonymous Coward

    I find it ironic...

    I am grateful for the hard work and perfectly executed initiative that Alastair Mactaggart and his crew was able to get pushed through and I can only hope the rest of the US follows this example.

    The usual suspects put up a fuss of course (AT&T, ConCast, Google, Faceborg)

    but realizing if they fought it at this level it could get worse for them

    I did a quick search to find where I may be able to assist and/or donate to the cause and found:

    https://www.caprivacy.org/about-us

    It just goes to show you just how bad things are that when I went to the donation page on that site uMatrix alerted me of some Facebook activity.

    I find it ironic that the Facebook Pixel was embedded in there too.

  35. Anonymous Coward
    Anonymous Coward

    Hmmm

    Business needs (read profits) NEVER TRUMP (sorry no pun intended here) citizens right to privacy! Wake up corporate America or you will wake up one morning to find we the people have revoked your corporate charter! "Corporations" have no Constitutional right to exist. Therefore corporations are both created and terminated at the will and please of the people. This idiotic notion held by corporate CEO's the world over that somehow or another it is the other way around is going to spell the end of many evil, vile and essentially undesirable corporate entities in America. Google/Facebook/Youtube, Microsoft etc, you have been repeated warned. Put another way; you need America, but the American people most emphatically do not need the likes of you...................

  36. JBowler

    Why did McTaggart drop it?

    I think that must be the question of the forthcoming election; apparently he dropped it because he doesn't think that he could certainly win the ballot measure. I understand that, but it is that lack of guts that will kill us all in November.

  37. anonymous boring coward Silver badge

    "We think there's a set of ramifications that's really difficult to understand," said a Google spokesperson, adding: "User privacy needs to be thoughtfully balanced against legitimate business needs."

    Yeah, really hard for them, perhaps.

    Whose business is that, then?

    Come to think of it, there is no need for any balance at all, really. Privacy could be 100%, and it would be just be fine by me.

  38. snifferdog_the_second

    Fascinating article, and very well written, thank you.

  39. G Olson

    More of the same

    " that consumers – and especially Californians who tend to be more tech-savvy than the rest of the country given the concentration of tech companies in the state – understand the issues around data privacy rules..." More arrogant, self-centered posturing from the Reg's blatant ego on the US west coast. I'd like to see your data which supports your assertion. Otherwise, stop the self superiority labeling.

  40. Petrea Mitchell

    "California's unusual ballot measure system"

    Not *that* unusual-- roughly half the US has systems like it: http://www.ncsl.org/research/elections-and-campaigns/chart-of-the-initiative-states.aspx

  41. Calin Brabandt

    Now if it could only grow and be applied and enforced to hamper fed.gov spying and data collection too (countless .gov alphabet orgs, including the NSA and FBI, which typically ignore the law and U.S. Bill of Rights regardless). After all, we are all forced to be government "consumers" too!

  42. Clarecats

    Data transfer

    I don't use FB and many young people don't use it because they don't want to be on the same site as their parents. This is why FB tries to grab them with instagram and whats app - also to expand into different countries to compensate for a shrinking base.

    How long before FB says, most of our members are now in the southern hemisphere so let's move our data storage down there?

  43. Remote Wipe

    Quid pro quo

    You really need to read the actual bill https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375

    A few things stand out to me:

    1) The fines and penalties are weak:

    (a) Class action suits can be raised for civil action and the fines are for $100 - $750 or ACTUAL damages per consumer per incident. Proving damages is not so easy and in the instances of data breach it can be very difficult unless you can show that a breach caused your identity to be stolen and used to cause you harm.

    (b) In order to be liable for the $7500 penalty the business must INTENTIONALLY violate the law - good luck proving that... Negligence doesn't even play into this!

    2) This entire effort was to rush a bill through in order to get a ballot measure off the ballot. You see if the ballot measure was pushed forward then legislators would be hamstrung because if Californians vote and pass a bill it is law and legislators have a very difficult time changing a measure the public voted into law. The https://www.caprivacy.org/ was pushing for a ballot measure and the giant Silly Valley companies pressures legislators to broker a deal to get this ballot measure stopped by passing something fast. The new law, which doesn't even go into effect until 2020, has an explicit section 1798.198. (b) requiring the ballot measure be dropped.

    3) Government, NPOs, political campaigns, and the like are completely protected... Hmm, I wonder why that is. Essentially, if you are using this data to get re-elected or to manipulate voters then you are not governed by this shat law.

    This bill has all sorts of shortcomings and does little to actually protect the consumer. In fact, if you opt out of data collection the company providing the services can charge you for the services based on what they can make off selling your data. There are all sorts of carve outs if you “Pseudonymize" or de-identify data, keep in mind this is exactly where tech companies are going. If they separate your "personal" data from behavioral data and make it difficult for anyone without deep knowledge and access to the data schema to tie the elements back together then they are good to go and protected. Sure that helps in the event that data is breached but I think the real issue is how are we being manipulated or influenced to make decisions we would otherwise not make. The goal is to be fully informed and transparent not fully duped and deceived. How can we trust that the results we see in a search are not manipulated if we don't know the algorithm used to display the results? Why can't we control what data is or isn't collected about our use of devices, applications, the internet? How do I gain better control of my information and usage patterns without transparency?

    What do you think about the actual law? What should be required of businesses that watch our every move so they can sell "marketing" information. What obligation do they have to protect their end points and other various data compromise threat vectors? Should they require solutions like https://drivestrike.com BitLocker FDE Biometric Security

    Should they be required to tell us how the data could be used to harm us?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like