"My office is watching, and we will hold you accountable."
Well done, AG Bonta!
Sephora has agreed to cough up $1.2 million to settle claims it broke California's privacy law. This is the first payout the US state has secured using the relatively new legislation – and will be a shot across the bows of corporations selling information about people without their full consent. The settlement follows Cali …
If a company does not SELL client information but only gives it away, that is still illegal too, no?
The answer should be yes, but that would put every company which allows WhatsApp potentially at risk. I suspect Zuck could get quite upset about that (in his very private I-bought-out-all-my-neighbours mansion).
For your Europeans out there, that IS already illegal in Europe if the address book on the phone in use contains but one personal contact detail of someone who has not given explicit permission for this to happen.
The article says:
It's worth noting, however, that the California Privacy Rights Act (CPRA), which expands the CCPA and goes into effect in January 2023, also mandates companies not "share" folks' personal information with third parties.
so it is probably not yet illegal to share data without selling it in California but will be start of next year.
The regulatory capture in California (and the rest of the US) must be going pretty strong if it is really significant that the AG is going after a company in a case he seems willing to settle instead of actually creating a legal precedent.
Depends what the wording is.
In this context a better word is "trade", because if they are trading information about customers with 3rd parties, without consent, for financial gain -
Well that is technically a commercial relationship.
It sounds like a good development. Marketing droids remain the worst offenders on stuff like this. A desire to "gain audience insights" and a typical lack of IT knowledge, combined with a complete disinterest in customer privacy is never a good mix. It is literally not in their career interests to have customers requesting privacy.
"If a company does not SELL client information but only gives it away, that is still illegal too, no?"
They don't "sell" the information now. They "share" it with their "partners". Their partners share their revenue with them or reciprocate "in-kind". All weasel wording that can be reduced down to an exchange of one thing for another or, more simply, a sale.
"Also, what constitutes a Third Party or Partner organization?"
A "partner" is a customer. The information offered for sale is that of a "user". A stockholder is defined as corporate management with stock and stock options when a statement talks about a company doing something for the benefit of stockholders.
It's not the governments that want society to be cashless, it's the large companies. If you are forced to pay via a method that is tied to you, they love it. Cash is far too autonomous when marketing data needs to be much more precise than just numbers of units sold.
"For your Europeans out there, that IS already illegal in Europe if the address book on the phone in use contains but one personal contact detail of someone who has not given explicit permission for this to happen."
I believe that the likes of Facebook will point out that the "entity" doing the sharing is the phone's owner, not Facebook, and that you should take it up with the phone owner (i.e. your family/friends/acquaintances). Indeed I assume there is some Facebook legalese that states that they expect/assume the phone owner has obtained permission from individuals to share their personal data - which then theoretically gets Facebook off the hook. The GDPR has an exemption for "domestic activities" and so no action will ever be taken against the individuals (phone owners) doing the sharing.
It would however be a different matter if it's a company phone, as the domestic GDPR exemption obviously does not apply in that situation.
I would have thought that the fact that Facebook intended this sharing to occur as part of their app's design, and that they are relying on the majority of people to not read any legalese that might appear, would put them "in the frame" for causing such sharing to occur, but I've seen no sign of any of the European Data Protection regulators considering this.
"I think the GDPR requires more than just an assumption on Facebook's part that the sources of personal data they are collecting and storing have permission to share what is others' personal data."
Facebook's way was to put some legalese in their T&Cs/Privacy Notice for the app that the person with the phone (who is doing the address book sharing), by doing that sharing, is agreeing that *they* have obtained permission from the individuals for the sharing. It's Facebook's way to shift the "blame" onto someone else.
However this doesn't change the fact that, even if the phone owner did obtain permission, Facebook would be acting as either a Data Processor (for the phone owner) or else a Data Controller in their own right for the shared personal data, and it's not clear (i.e. not transparent - where's the Privacy Notice explaining this?) as to the nature of Facebook's role in that scenario as either a Data Processor or Data Controller.
"Sale" gets tricky, as if you take a narrow view then the company will "trade" or "gift" the data to whatever third party they want, then coincidentally that company will pay generously for some other valueless "service" to whitewash the books.
If you don't believe me, look into how the US radio stations laundered literal pay-for-play money by buying stations' radio playlists, a practice that continued well into the internet streaming era.
Also, being an idiot who fell off the turnip truck and just giving data to a 3rd party with no return of value should still be actionable if that party uses or discloses that information against the consent or without the knowledge of the object of that data. Because you know, ...they are people. And as we are seeing across the American south, leaking someone's purchase of prenatal vitamins could result in stalkers, vigilante lawsuits, or murder charges.
This is some of many reasons that data transfers need to be regulated and restricted, opt-in only, and revocable. They also need sharp enough teeth that companies won't risk or just decide to pay the fines. Yes the companies will whine, no the world won't end, and few people will miss the scumbag outfits this will kill off.
Regardless of what side you are on, take a look at how the 2000 Mules video acquired the data to support their claims. With enough money, you can track anyone. The info is for sale.
Think you can block it?
I did a test on an Android phone. Installed a VPN in tunnel all mode to a firewall that blocked everything except DNS and one website. Sniffing the WiFi signal it showed google bypassing the tunnel to phone home and upload data.
As opposed to saying it only counts if it appears in shrink-wrap on a department store shelf? The Forrester Research analyst is shocked that the attorney general didn't just buy the Sephora weasel-words that it is just an experience and not theft at all?
I keep saying that any company that collects and stores information on people, customer or not, should be at risk for company-ending fines and jail time for the executives should the information be improperly handled in a negligent way. This makes it risky for companies to casually store, buy and sell information. Those companies that do will see that they need to be very diligent about security. A relatively small fine and no downside for the executives makes poor security a financial decision. Do they spend more on keeping software up to date and having a top-notch IT staff, or will the occasional fine be less costly than doing all that?
There is a condition with Copyright that turns a potentially minimum fine into a much larger one. That's whether the infringement was "willful". The same sort of thing could apply to PII storage, purchase and sales. If a company was shown to be negligent and opted for accepting the occasional fine as just a cost of doing business, the fine could be escalated way off the charts with lots of room in between so it's just the C-Level being fitted for stripy jumpers and the stockholders not losing their investments if they just have passive money invested.