Advertisement
Advertisement
⚡ Community Insights
Discussion Sentiment
63% Positive
Analyzed from 2317 words in the discussion.
Trending Topics
#data#law#privacy#action#location#states#car#right#personal#private
Discussion Sentiment
Analyzed from 2317 words in the discussion.
Trending Topics
Discussion (60 Comments)Read Original on HackerNews
Related, General Motors got hit with a $12.75M fine for reselling OnStar location data last month: https://ccpa.world/enforcement/gm-onstar-smart-driver
More importantly, many companies will follow California rules even outside California. My car was built to California emissions spec at a time when very few states had stricter rules.
(The one major exception seems to be the "sell my data" opt-out and such privacy rules, that industry is sleazy enough that they'll go through extra trouble to keep screwing over non-CA residents.)
I will note that many "data brokers" will just honor non-California residents' requests as if they were California residents and subject to the CCPA, simply because they would rather remove a potentially litigious consumer from their databases. Given the relatively low potential revenue for a single consumer's data it just doesn't make sense to hold on to information for the kind of person who currently goes out of their way to make that kind of request.
At the same time, many data brokers do go out of their way to deny as many privacy requests as possible. Given that the CPPA/CalPrivacy is starting audits very soon I don't see this as a winning strategy for them in the long run.
No surprise. I ended up moving here.
Apparently no one at the FTC is smart enough to realize if Bob and anonid both move through the same sequence of approximate locations that the anonid is Bob. Or maybe they aren't that ignorant and just wanted to look like they were doing their job while protecting the surveillance status quo.
The FTC under this administration that just doesn't care about people and only care about helping corporations.
SECTION 1. The General Laws are hereby amended by inserting after chapter 93L the following chapter:-
Chapter 93M. Massachusetts Data Privacy Act
Section 1. As used in this chapter, the following words shall have the following meanings unless the context otherwise requires:
...
“Sale of personal data”, the transfer of personal data in exchange for monetary or other valuable consideration by the controller to a third party; provided, however, that “sale of personal data” shall not include: (i) the disclosure of personal data to a processor that processes the personal data on behalf of the controller if limited to the purposes of the processing; (ii) the disclosure of personal data to a third party for purposes of providing a product or service affirmatively requested by the consumer; (iii) the disclosure or transfer of personal data to an affiliate of the controller; (iv) the disclosure of personal data with the consumer’s affirmative consent, where the consumer affirmatively directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party; (v) the disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy or other transaction or a proposed merger, acquisition, bankruptcy or other transaction, in which the third party assumes control of all or part of the controller’s assets; or (vi) the disclosure of personal data that the consumer: (A) intentionally made available to the general public via a channel of mass media; and (B) did not restrict to a specific audience.
* My Subaru runs ads for Sirius XM. (Ad, on the infotainment screen. While the car's in motion.) I did not pay for my car to run ads, obviously, and obviously that was never mentioned by the dealer, ever, before or after purchase.
Which is kind of ironic when you think about how much of their target demographic is driving 1999 Ford Rangers and 2003 Chevy Savannas.
Obviously they'll just augment it with ALPR, but still.
If you read the lawsuits and allegations carefully, they all say that they were tricked into opting in (NOT that they weren't opted in). If you review the setup process you see that the claim is outlandish and likely someone else did setup for them or they "forgot."
Toyota makes you affirmatively click a "yes" or "no" (or maybe it says "Accept" / "Reject" or whatever) for Insurance sharing when setting up a profile.
important because "sharing" is much more prevalent than "selling" data.
that said, I wonder how "precise location", and statistics/algorithms will combine?
for example, what if someone moves from zipcode 1 to zipcode 2? would that work out to a more precise position?
"Did you notice anything odd about the defendants vehicle?"
"Yes."
"What was that?"
"He had disabled his GPS and telemetry systems."
In which case "precise location data" is moot.
(https://epic.org/press-release-massachusetts-senate-unanimou...)
I can imagine loopholes to this... nothing stops facebook/google from buying this data from companies not in Massachusetts? and facebook/google don't have to give advertisers the location information but can still use that information when determining the advertisement to return, right? In theory the big silicon valley "targets" of this bill don't actually have a huge incentive to give this data away, do they? They just need to be able to read/access it, which I don't think this law stops? Assuming the data broker is not doing business in Massachusetts itself
It'll have reach because MA has a long-arm statute and there's a rich history of applying that statute in the context of Chapter 93.
It'll have teeth but probably not to the effect that you hope.
This statute was written such that only the Attorney General can bring action; see Section 10(b). This diverges from a long history in the Commonwealth of allowing private individuals to bring civil suits for most types of Chapter 93 violations.
As a result, I anticipate that the most impactful change will be in the quantity and frequency of political donations to Mass AG candidates (and in the case of contested primaries their aligned block of candidates up and down ticket).
Consumer protection laws should always provide for a private cause of action. Otherwise they just function as a mechanism for legalized corruption.
The concern about poor precedent stemming from poor cases has some rational sense, but we have the benefit of experience. Empirically it just hasn't tended to play out like that in the case of consumer protection statutes in MA. One reason this doesn't happen in practice might be the limited bandwidth of the appellate process. The SJC could (and likely would) prioritize answering questions about the statute in the context of cases brought by the AG.
The longevity pro-consumer laws in MA provides some good empirical data that cuts against the concern about push-back.
even if its only retained until buffer refresh, its still given away.
if its read frombuffer space and transformed into a persistent structure, its a gift that indefinately keeps giving.
* to the extent to which MA can do that… I mean it’s one state, so we should judge it’s accomplishments by that standard. One possibility could be that the rest of them get their act together, or at least, every state that engineers are willing to live in does.
There is no fine nor imprisonment for failing to follow the law.
In the current environment, tech companies have to bribe 50 states plus the federal legislature in order to block privacy bills. If you have federal preemption, then you just have to bribe Congress, because states can't pass ANY privacy laws whatsoever. And we already know the feds do not want a privacy law: the entire legality of the federal surveillance apparatus hinges on the fact that buying your data from third parties does not trip constitutional scrutiny. Preemption freezes the requirements in time so they will always be a few steps behind the TLAs[0].
The ideal is that every sovereign entity passes their own privacy law that applies to their territory, with a private right of action, and adtech companies are forced to adopt a "50 states legal" posture. This is, deliberately, a ratchet: it's easy for any state to require a higher standard but hard to get every state to reduce it, so privacy laws cannot be walked back in secret.
[0] Three Letter Agencies: CIA, FBI, NSA
You put this so well it kind of dislodged where I was coming from on my other comment you had responded to. I don't want to be disheartened and cynical. It's just hard to have seen this privacy issue openly festering for over two decades now, and think that things are ever going to change.
I think a private right of action with a two year delay would be great. And perhaps county DA's should be able to bring actions as well as the AG (legal policy adjacent actions aren't really in their wheelhouse, but it could help nudge the AG into action). I think the time period is a balance between giving the AG enough time to act (or be pressured into action), versus not making it too long so that illegal businesses can simply lobby to neuter the whole law before it actually goes into effect.