Of course there is an alternative
Do not collect the personal information in the first place - if no information is collected then there is no need for opt outs or messy information deletion.
Today is the first day that California will start enforcing its new data privacy law, so if your website doesn’t have a “Do not sell my personal information” link in, say, the footer, you may soon regret it. The California Consumer Privacy Act (CCPA) was passed two years ago and came into force on January 1, though from today …
Some companies must collect data to operate and, by regulations, have immutable record keeping. An extreme example is companies that move money - the Government requires record keeping and reporting to prevent money laundering and tax evasion. Nobody can pull $10000 then ask to be deleted.
Some types of data need to be collected by some types of business, either to fulfil a key element (such as delivery), or to comply with legal requirements (money-related activity, for example). This Californian legislation is a good start, but there are two fairly obvious compromises*: a) the use of the word "sell" is very specific, and doesn't describe what the worst offenders (Google, Facebook, etc) actually do with personal data; and, b) this puts the onus on the data subject to protect themselves, rather than protection being the default with a tick-box to opt out of protection.
It will be interesting to see how enforcement goes, and compare and contrast with the EU "enforcement scheme".
* I'll use that word to indicate where brown envelopes were most obviously directed during conversations with legislators.
It depends, if you sell something, you have to record the name of the buyer, for online sales, and that information has to be kept for tax purposes.
There is a big difference between data that has to be collected to run a business and data collected to profile visitors and to sell that data to a third party.
Even if you request deletion of data, there are certain categories where financial, tax, public record or other laws take precedence and that information will not be deleted on request or has to be kept for a certain period, has stricter rules regarding its removal etc. At least under GDPR.
"It depends, if you sell something, you have to record the name of the buyer, for online sales, and that information has to be kept for tax purposes."
How many shops do you walk into and have to give your name because the shop has to keep that information for tax purposes? Or insist that you set up an account?
Clearly somebody selling physical goods online has to collect delivery information but doesn't need to retain that information once delivery is complete.
Billing information might need to be retained to deal with a complaint or need for a refund but doesn't need to be consulted unless that happens. However, a physical shop doesn't need to do that - what they need is to provide a proof of purchase. Maybe there's scope here for a new product - a system for providing an electronic tamper-resistant proof of purchase.
In the long term it's not deletion systems that need to be developed, it's data acquisition and handling systems that are based on the proposition that the data acquired might become toxic waste.
This statement:
"Clearly somebody selling physical goods online has to collect delivery information but doesn't need to retain that information once delivery is complete"
Pretty much says you haven't ever been actually involved in selling things online.
If you sell things online you ABSOLUTELY have to keep the information on who ordered it, where the order came from, where it went to, proof that it was delivered and all that stuff.
Try selling stuff online and not keeping super detailed records of the deliveries and orders for at least 6 months to a year and let me know how it works out for you once it becomes well known you don't keep that information in and the customer initiated fraud starts piling up and you find your bank account being drained by the payment processors....
Funny, given that it's his country's (frequently his state's) megacorps that are the problem, that hide behind bullshit privacy shields and of course the "we're in a different country they doesn't follow your laws (you follow ours)" issue.
And what's this with being "sold"? There's a vast gaping chasm between collecting and processing personal data, and selling it. Probably a chasm large enough to create plenty of loopholes to keep lawyers busy, and we're not all Max Schrems. Most of us, faced with that, won't bother.
"And when the EU does take action under GDPR, it is targeting US megacorps..."
Really? Because GDPR enforcement is down to national governments. So you are talking nonsense.
The UK has only levelled three GDPR fines: a local pharmacy, British Airways, and Marriott over that massive breach.
"Funny, given that it's his country's (frequently his state's) megacorps that are the problem"
You might be looking at cause and effect here. Plenty of his voters work for those megacorps and aren't happy with the thought that they're some of the subjects whose data their employers are abusing.
What about Google and Facebook, who collect information and don't fit the legal definition of "selling it", but instead sell ME to companies who want to advertise to people fitting my profile.
Talk about fixing 10% of the problem and leaving the worst abusers scot free!
Part of the EULA you agree to when you sign up gives the company a perpetual, transferable, regenerative license to use your content in any way they wish. Effectively, you assign them copyright to anything you write. Not quite, because technically you still have the same rights you had, and can theoretically compete with them on monetizing your creation; but, really, who's gonna be more effective, you, or Facebook? They have all the power.
Whether this is ethical or legal is another question. There is significant question as to the validity and enforceability of EULAs as they currently exist. But, on its face, and for all practical considerations[1], you gave away that right long ago. Just as I have in making this comment.
This is one of the reasons that copyright law, and the concept of "intellectual property" generally, desperately needs a major overhaul. And I say this as someone who basically makes his living as a creator of "intellectual property", so I'm goring my own ox.
[1] I don't have pockets deep enough to sue and win on this, do you?
Quote: “We believe the entirety of the enforcement of this law ought to be delayed given the Covid-19 crisis...
I don't buy that, the changes should have been made to web sites in time for when the new law came into force (1st Jan), or even before then, not when it was due to start being enforced.
The law was passed back in June 2018, so people knew what was needed, and when it was needed, two years ago. Since then, they've had a full year and a half to plan, design and implement the changes in time for the 1st of January 'go-live' date, and were then given an extra 6 months grace period on top of that before enforcement started, so two full years of available time, where only the last 6 months would have had any Covid-19 impact, and they still blew it!
California laws do not apply to anywhere other than inside the borders of that state. It's not my job, nor am I required by the laws I reside under, to comply with their edicts. If they wish to ensure that out-of-state/country websites are unable to serve pages up to people inside their border, then they are the ones who have to develop mechanisms/procedures to block outside traffic. Let them deal with their residents/businesses who suddenly find their e-commerce cut off. After all, the idjuts in California government have already demonstrated that they are incompetent. Not to mention criminals in almost constant violation of the US Constitution and many treaties.