back to article Happy privacy action day in California: If you don't have 'Do not sell my information' in your website footer, you need to read this story right now

Today is the first day that California will start enforcing its new data privacy law, so if your website doesn’t have a “Do not sell my personal information” link in, say, the footer, you may soon regret it. The California Consumer Privacy Act (CCPA) was passed two years ago and came into force on January 1, though from today …

  1. Duncan Macdonald Silver badge

    Of course there is an alternative

    Do not collect the personal information in the first place - if no information is collected then there is no need for opt outs or messy information deletion.

    1. Kevin McMurtrie Silver badge

      Re: Of course there is an alternative

      Some companies must collect data to operate and, by regulations, have immutable record keeping. An extreme example is companies that move money - the Government requires record keeping and reporting to prevent money laundering and tax evasion. Nobody can pull $10000 then ask to be deleted.

    2. Intractable Potsherd Silver badge

      Re: Of course there is an alternative

      Some types of data need to be collected by some types of business, either to fulfil a key element (such as delivery), or to comply with legal requirements (money-related activity, for example). This Californian legislation is a good start, but there are two fairly obvious compromises*: a) the use of the word "sell" is very specific, and doesn't describe what the worst offenders (Google, Facebook, etc) actually do with personal data; and, b) this puts the onus on the data subject to protect themselves, rather than protection being the default with a tick-box to opt out of protection.

      It will be interesting to see how enforcement goes, and compare and contrast with the EU "enforcement scheme".

      * I'll use that word to indicate where brown envelopes were most obviously directed during conversations with legislators.

    3. big_D Silver badge

      Re: Of course there is an alternative

      It depends, if you sell something, you have to record the name of the buyer, for online sales, and that information has to be kept for tax purposes.

      There is a big difference between data that has to be collected to run a business and data collected to profile visitors and to sell that data to a third party.

      Even if you request deletion of data, there are certain categories where financial, tax,public record or other laws take precedent and that information will not be deleted on request or has to be kept for a certain period, has stricter rules regarding its removal etc. At least under GDPR.

      1. Doctor Syntax Silver badge

        Re: Of course there is an alternative

        "It depends, if you sell something, you have to record the name of the buyer, for online sales, and that information has to be kept for tax purposes."

        How many shops do you walk into and have to give your name because the shop has to keep that information for tax purposes? Or insist that you set up an account?

        Clearly somebody selling physical goods online has to collect delivery information but doesn't need to retain that information once delivery is complete

        Billing information might need to be retained to deal with a complaint or need for a refund but doesn't need to be consulted unless that happens. However, a physical shop doesn't need to do that - what they need is to provide a proof of purchase. Maybe there's scope here for a new product - a system for providing an electronic tamper-resistant proof of purchase.

        In the long term it's not deletion systems that need to be developed, it's data acquisition and handling systems that are based on the proposition that the data acquired might become toxic waste.

        1. Jim-234

          Re: Of course there is an alternative

          This statement:

          "Clearly somebody selling physical goods online has to collect delivery information but doesn't need to retain that information once delivery is complete"

          Pretty much says you haven't ever been actually involved in selling things online.

          If you sell things on line you ABSOLUTELY have to keep the information on who ordered it, where the order came from, where it went to, proof that it was delivered and all that stuff.

          Try selling stuff online and not keeping super detailed records of the deliveries and orders for at least 6 months to a year and let me know how it works out for you once it becomes well known you don't keep that information in and the customer initiated fraud starts piling up and you find your bank account being drained by the payment processors....

    4. bombastic bob Silver badge
      Devil

      Re: Of course there is an alternative

      after reading the article, I went ahead and put a footer on the main page for my company web site that basically says I don/'t collect, store, nor sell personal data. Hopefully good enough.

  2. heyrick Silver badge

    he criticized the slow enforcement of Europe’s GDPR

    Funny, given that it's his country's (frequently his state's) megacorps that are the problem, that hide behind bullshit privacy shields and of course the "we're in a different country they doesn't follow your laws (you follow ours)" issue.

    And what's this with being "sold"? There's a vast gaping chasm between collecting and processing personal data, and selling it. Probably a chasm large enough to create plenty of loopholes to keep lawyers busy, and we're not all Max Schrems. Most of us, faced with that, won't bother.

    1. big_D Silver badge
      Facepalm

      Re: he criticized the slow enforcement of Europe’s GDPR

      And when the EU does take action under GDPR, it is targeting US megacorps...

      1. DavCrav Silver badge

        Re: he criticized the slow enforcement of Europe’s GDPR

        "And when the EU does take action under GDPR, it is targeting US megacorps..."

        Really? Because GDPR enforcement is down to national governments. So you are talking nonsense.

        The UK has only levelled three GDPR fines: a local pharmacy, British Airways, and Marriott over that massive breach.

        Educate yourself.

    2. Doctor Syntax Silver badge

      Re: he criticized the slow enforcement of Europe’s GDPR

      "Funny, given that it's his country's (frequently his state's) megacorps that are the problem"

      You might be looking at cause and effect here. Plenty of his voters work for those megacorps and aren't happy with the thought that they're some of the subjects whose data their employers are abusing.

  3. DS999
    FAIL

    It only stops them from SELLING my information?

    What about Google and Facebook, who collect information and don't fit the legal definition of "selling it", but instead sell ME to companies who want to advertise to people fitting my profile.

    Talk about fixing 10% of the problem and leaving the worst abusers scot free!

    1. Doctor Syntax Silver badge

      Re: It only stops them from SELLING my information?

      These are the companies whose lobbying got the current legislation watered down. The CPRA is their comeuppance for that.

  4. Anonymous Coward
    Anonymous Coward

    What ever happened to

    a presumption of a person's copyright on personal content and data, by default?

    1. hnwombat
      Pirate

      Re: What ever happened to

      Part of the EULA you agree to when you sign up gives the company a perpetual, transferable, regenerative, license to use your content in any way they wish. Effectively, you assign them copyright to anything you write. Not quite, because technically you still have the same rights you had, and can theoretically compete with them on monetizing your creation; but, really, who's gonna be more effective, you, or facebook? They have all the power.

      Whether this is ethical or legal is another question. There is significant question as to the validity and enforcability of EULAS as they currently exist. But, on its face, and for all practical considerations[1], you gave away that right long ago. Just as I have in making this comment.

      This is one of the reasons that copyright law, and the concept of "intellectual property" generally, desparately needs a major overhaul. And I say this as someone who basically makes his living as a creator of "intellectual property", so I'm goring my own ox.

      [1] I don't have pockets deep enough to sue and win on this, do you?

  5. Boothy Silver badge

    ...ought to be delayed given the Covid-19 crisis...

    Quote: “We believe the entirety of the enforcement of this law ought to be delayed given the Covid-19 crisis...

    I don't buy that, the changes should have been made to web sites in time for when the new law came into force (1st Jan), or even before then, not when it was due to start being enforced.

    The law was passed back in June 2018, so people knew what was needed, and when it was needed, two years ago. Since then, they've had a full year and a half to plan, design and implement the changes in time for the 1st of January 'go-live' date, and were then given an extra 6 months grace period on top of that before enforcement started, so two full years of available time, where only the last 6 months would have had any Covid-19 impact, and they still blew it!

    1. Doctor Syntax Silver badge

      Re: ...ought to be delayed given the Covid-19 crisis...

      "they've had a full year and a half to plan, design and implement the change"

      But it's so hard to do all that when your head's buried in the sand.

  6. Mage Silver badge
    Devil

    someone can opt-out of having their personal data repackaged and sold

    Moronic.

    As is CAN-SPAM.

    The only ethical way is that you have to OPT IN.

  7. Def Silver badge
    Unhappy

    ...you are a company that makes more than $25m a year from Californian customers

    I should be so lucky.

  8. 89724102172714182892114I7551670349743096734346773478647892349863592355648544996312855148587659264921 Bronze badge

    Someone should put a stop to Microsoft's OS data slurpage

    Never 10

  9. shovelDriver

    California laws do not apply to anywhere other than inside the borders of that state. It's not my job, nor am I required by the laws I reside under, to comply with their edicts. If they wish to ensure that out-of-state/country websites are unable to serve pages up to people inside their border, then they are the ones who have to develop mechanisms/procedures to block outside traffic. Let them deal with their residents/businesses who suddenly find their e-commerce cut off. After all, the idjuts in California government have already demosntrated that they are incompetent. Not to mention criminals in almost constant violation of the US Constitution and many treaties.

    1. Throatwarbler Mangrove Silver badge
      Paris Hilton

      Donald? Is that you?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020