×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

California Law Would Require Companies To Disclose All Consumer Data Collected

Unknown Lamer posted 1 year,16 days | from the watching-you-sleep dept.

Privacy 119

Trailrunner7 writes "California, which set the standard for data breach notifications nationwide, is again seeking to set a precedent by becoming the first state in the nation to require companies upon request disclose to California consumers the data they've collected and to whom it was shared during the past year. ... The 'Right to Know Act of 2013,' AB 1291 was amended this week to boost its chances of success after being introduced in February by state Assembly member Bonnie Lowenthal. ... It applies to companies that are both on- and off- line Privacy advocacy groups such as the EFF wrote Tuesday that the bill could set a precedent for other states, much as California's 2002 Breach Notification Act requiring California data breach victims be notified was later replicated by almost all U.S. states." That's not all: you'd be able to request a copy of all the data they've stored about you too.

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

119 comments

Great first step (4, Interesting)

mrdogi (82975) | 1 year,16 days | (#43348325)

The next step would naturally be to force the companies to correct the data that they have wrong. For example, one link mentioned a woman who lost a job because she was misidentified as having a criminal record.

Here's to hoping.

Re:Great first step (1, Interesting)

Hatta (162192) | 1 year,16 days | (#43348353)

Why force them? More accuracy increases the value of the database. I'm certainly not participating in the invasion of my own privacy.

Re:Great first step (3, Insightful)

ShanghaiBill (739463) | 1 year,16 days | (#43348573)

Why force them? More accuracy increases the value of the database.

Because in many cases the user of the data is not the owner of the data, and by the time you have received their junk mail piece, it is a sunk cost, and they couldn't care less about the accuracy of the DB. There is an entire industry based on renting customer data for one-time use.

Re:Great first step (4, Interesting)

Hatta (162192) | 1 year,16 days | (#43348617)

I'm happy to let them spend all the money they want on junk advertising. It's a compete waste of time, effort, and resources on their part, and it costs me nothing but a slightly heavier recycling bin. And it performs a valuable service in informing me who *not* to do business with in the future.

Re:Great first step (2)

idontgno (624372) | 1 year,16 days | (#43349005)

As far as advertising is concerned, I see your point, and largely agree. They can tailor their advertising as much as the please, since they can't make me see it (unopened junk mail, AdBlockPlus).

But some of this data can affect other real-life interactions, like credit and employment opportunities.

This would the reason I'd want some visibility and input into this data, the same we have (now) with credit bureau informatino.

Re:Great first step (5, Insightful)

Hatta (162192) | 1 year,16 days | (#43349107)

This would the reason I'd want some visibility and input into this data, the same we have (now) with credit bureau informatino.

This puts the burden on the wrong party, just like we have now with credit bureau information. The burden for accuracy should be on the data broker, and they should be liable if they sell incorrect data.

Re:Great first step (2)

Bobfrankly1 (1043848) | 1 year,16 days | (#43349391)

This would the reason I'd want some visibility and input into this data, the same we have (now) with credit bureau informatino.

This puts the burden on the wrong party, just like we have now with credit bureau information. The burden for accuracy should be on the data broker, and they should be liable if they sell incorrect data.

It would seem that in most states (California included), the data broker could be brought up on libel/defamatory charges. Wikipedia's article on this [wikipedia.org] points out that some statements are "defamatory per se", noteably:

Allegations or imputations "injurious to another in their trade, business, or profession"

It goes on to add that if a statement is "defamatory per se", "damages for such false statements are presumed and do not have to be proven."

Also, IMNAL.

Re:Great first step (1)

s.petry (762400) | 1 year,16 days | (#43349557)

Just for posterity, the proper acronym is "IANAL" for "I Am Not A Lawyer". The alternative is "IAAL" (I Am A Lawyer) or perhaps "IANYL" (I Am Not Your Lawyer). Perhaps you did not know of the acronym, or perhaps you find it offensive or uncomfortable. Either way, please don't write new acronyms for things that have been well established. If you search a site like Groklaw [groklaw.net], you will see the acronym used heavily.

There is a whole Wiki [wikipedia.org] page devoted to this acronym and it's relatives.

Re:Great first step (1)

Bobfrankly1 (1043848) | 1 year,16 days | (#43349699)

Sadly, my awareness of the proper acronym did not kick into my self-editor. I *knew* something was wrong with the post, but couldn't narrow it down and just posted as is. Thanks for scratching the itch though =D

Re:Great first step (1)

Anonymous Coward | 1 year,16 days | (#43351047)

No, he got it correct - IMNAL is someone who has passed the bar, I'm Maybe Not A Lawyer.
This is just the usual attorney double-speak, but you're right a slightly more experienced lawyer would write IAAL;
one in the business would write IANYL, but could be for the right price (prostitution). JIMHO.

Re:Great first step (1)

idontgno (624372) | 1 year,16 days | (#43350063)

The burden for accuracy should be on the data broker, and they should be liable if they sell incorrect data.

Oh, I agree with you on principle. However, that proposal moves the solution space into the realm of converting our entire industrial energy base to consuming unicorn farts as a counter to anthropogenic global warming. I generally don't get excited about flatly impossible solutions, and anything that shifts liability to a business and away from a consumer is pretty much the legal definition of "impossible" in the current U.S. legislative and judicial environment.

Re:Great first step (2)

HairyNevus (992803) | 1 year,16 days | (#43350517)

The burden for accuracy should be on the data broker, and they should be liable if they sell incorrect data.

Yeah I wouldn't mind that one bit. Maybe this would be a different matter, but a couple years ago I almost wasn't given a job because the background check company flagged me as having a criminal record. The person had the same first and last name (but not middle), and birthday (but different year) as me but I was held up for a month and the owner almost moved on to different candidates because of this. It took very little to flag me as a crook, but the burden of proof then fell on my shoulder to exonerate myself with LexisNexus, for some guy's crime over a thousand miles from where I live.

Re:Great first step (2)

Kaenneth (82978) | 1 year,16 days | (#43349975)

I recently realized, advertizing is targeted at people that advertizing works on. Us techie types are more methodical and logical that average, we want specs, facts, and figures; we would never buy something just because Justin Beiber endoses it; but there exists people who would; and this is utterly incomprenible to us as our unfashionable clothes are to them.

Re:Great first step (2)

Bradmont (513167) | 1 year,16 days | (#43348381)

I would say the better second step would be to, upon request, force companies to delete all the data they have on you, and stop tracking you in perpetuity.

Re:Great first step (2)

PPH (736903) | 1 year,16 days | (#43348425)

That would be the "I wish never to do business with you" button on their web site.

Re:Great first step (2)

ShanghaiBill (739463) | 1 year,16 days | (#43348505)

I would say the better second step would be to, upon request, force companies to delete all the data they have on you, and stop tracking you in perpetuity.

So if I default on my debts, I can demand that credit reporting companies delete the data? If I am a corrupt politician, I can demand that journalists delete any data they have on me, including any ongoing investigations? Passing a law requiring facts to just "go away" is the dumbest idea I have heard so far today.

Re:Great first step (1)

misanthropic.mofo (1891554) | 1 year,16 days | (#43348715)

Having it just go away wouldn't work, but I for one don't believe that the credit bureaus should be able to catalog everything they can about my credit history and work history, then sell it off to marketers. Just yesterday I was screaming at some idiot on the phone telling them to take me off their mailing list. Since my credit history shows that I have debt, I get letters from places that "want to help me manage it." The fucker just wouldn't take no for an answer. And frankly I don't know why anyone would trust unsolicited mail about reducing their debt, how could anyone not realize it's coming from a company that's in business to make money and not to "help" you.

Re:Great first step (0)

Anonymous Coward | 1 year,16 days | (#43349059)

IMHO the problem is that it's practically free to spam you, so debt consolidation services have an incentive to err on the side of more comprehensive spam lists.

This might help with the phone at least, since it makes calling you more expensive: https://www.donotcall.gov/

Re:Great first step (3)

IndustrialComplex (975015) | 1 year,16 days | (#43348827)

Honestly, I don't think that would be a problem.

Man defaults on loans.

Man: "Delete all of the data you have on me."
Equiexperitransunion: "OK. You have been purged from our records."
Man: "Hehehe! Now for phase 2"

*The next day*

Man: "Hello, I would like a signature loan please"
CreditCo: "No."
Man: "But... I have a completely clean record"
CreditCo: "You have no credit record. Therefore you are high risk, and we only make signature loans to people with known good credit histories"
CreditCo: "You may however, apply for the entry level loans we offer to build a credit history. It's at a low rate too!"
Man: "Fine, what's the limit?"
CreditCo: "$250"

Re:Great first step (0)

Anonymous Coward | 1 year,16 days | (#43349083)

So if I default on my debts, I can demand that credit reporting companies delete the data?

Sure, why not?

Now, how does that delete the Court Case and its result VS you and the default?

If I am a corrupt politician, I can demand that journalists delete any data they have on me, including any ongoing investigations?

I understand that Corporations are also people, but are you claiming that the IRS dodgers of 'you are considered a Corporation' are correct and that people, like Journalists, are also secret Corporations?

Because this law seems to cover Corporations and what they hold and not people.

Passing a law requiring facts to just "go away" is the dumbest idea I have heard so far today.

The dumber thing is erecting strawmen because the 1st person with an open flame can torch 'em.

Re:Great first step (3, Informative)

nospam007 (722110) | 1 year,16 days | (#43350637)

"So if I default on my debts, I can demand that credit reporting companies delete the data?"

No.

"If I am a corrupt politician, I can demand that journalists delete any data they have on me, including any ongoing investigations?"

No.

"Passing a law requiring facts to just "go away" is the dumbest idea I have heard so far today."

It has been like that in Europe for years. You can ask the data they have about you and they have to delete wrong data and correct the data that is erroneous. Piece of cake.

Re:Great first step (0)

Anonymous Coward | 1 year,16 days | (#43348401)

she was misidentified

Yes we definitely don't want a Brazil [wikipedia.org] incidents to be occuring.

My 2c
Archibald T^DButtle

Re:Great first step (0)

ShanghaiBill (739463) | 1 year,16 days | (#43348905)

The next step would naturally be to force the companies to correct the data that they have wrong

A more likely next step is for these companies to pack up and leave California, as so many others have already done. California has the highest unemployment rate in the country, and is rated as the most anti-business in terms of taxation and regulation. This probably is not the best time to be piling on more regulation. The two million unemployed Californians would probably prefer that the politicians focus on incentives for businesses to move into the state rather than out.

 

Re:Great first step (2)

yl-roller (2788779) | 1 year,16 days | (#43349367)

The law refers to companies doing business with California consumers. I seriously doubt that companies will cease doing business in the most populous state because of this law.

Re:Great first step (1)

ShanghaiBill (739463) | 1 year,16 days | (#43351471)

The law refers to companies doing business with California consumers.

No it doesn't. It only applies to companies located in California. Companies can avoid the regulation just by having no presence (and no employees) in California. States have no authority to regulate interstate commerce.

I seriously doubt that companies will cease doing business in the most populous state because of this law.

Just because of this law? Probably not. But because of the very long list of petty regulations that this is being tacked onto? Absolutely. We don't have the highest unemployment rate in the nation for nothing.

Re:Great first step (1)

emho24 (2531820) | 1 year,16 days | (#43349395)

Bingo.

There are already companies that wont ship to or do business with California / NY /etc residents etc because of onerous regulations.

Imagine if you tried to create a new Facebook (or whatever) account and you were not able to because California was your home state, and the company decided it would be too much trouble to comply with all that states demands.

Re:Great first step (2)

Wookact (2804191) | 1 year,16 days | (#43349567)

Imagine if you tried to create a new Facebook (or whatever) account and you were not able to because California was your home state, and the company decided it would be too much trouble to comply with all that states demands.

No new data harvesters? Nothing of value was lost.

Re:Great first step (3, Interesting)

Roman Coder (413112) | 1 year,16 days | (#43350027)

Good riddance to them. As a native Californian, who has lived in other states (Texas, Arizona, etc.), I love that my state laws protect me from corporations bad practices.

Also, if you were right, we would not be in such a hurry to do business in China. Business goes where the customers are at. There's a VERY high threshold of anti-business practices before a corporation will forgo profits and move on.

Its ok to make it harder for corporations to make money, as long as its fair/reasonable. They'll make better products, that serves people better.

People > Corporations.

Re:Great first step (0)

Anonymous Coward | 1 year,16 days | (#43350307)

"I love that my state laws protect me from ..."

You are an idiot if you trust the state to do anything in your best interests. They only care about power, keeping it and getting more. If you believe otherwise you are in for a rude awakening one day. Learn to read books why don't you?

"Its ok to make it harder for corporations to make money, as long as its fair/reasonable. They'll make better products, that serves people better."

Reasonable according to who? The King? You think price controls will force "evil" companies to make better quality products? Your logic is faulty, you can support none of this, history proves again and again that you are wrong. Do try and use your brain for a change.

http://www.youtube.com/watch?v=R5Gppi-O3a8

Do yourself a favor and try and understand the above, it's only a few minutes.

"People > Corporations"

Good grief. Corporation is just a word that means group of people. What the hell are you even talking about?

Re:Great first step (1)

jellomizer (103300) | 1 year,16 days | (#43349173)

No, this is a stupid law!

1. We are now centralizing all the data to a single point, so hackers have one really good target to get such data.
2. What is to stop the government from further spying on people? Sure my data is spread out across a bunch of companies. But it is all a partial picture of me, so now there will be a spot that has the full picture of me. They can use to figure out where they should redraw the election maps, put me in a place where either I will be placed with the majority to keep them in power. Or place me so I am the minority where my vote would be drowned out.
3. California has a tendency to pass fad of the day laws. So overnight I become a law abiding citizen to a criminal, where the police will watch me break a law I didn't know I broke, because they see that I have a tendency to do something against the popular fad.
4. How are we going to pay for this. California has a lot of big data companies, that means California will need bigger data just to handle this all.

I am not a right wing nut, But good intentions aside, this could open the flood gate for massive abuse. Companies are easy to figure out, they want to make money. Governments and Not For Profits, have a lot of agenda all with different purposes.

Re:Great first step (3, Interesting)

Cederic (9623) | 1 year,16 days | (#43349381)

1. We are now centralizing all the data to a single point, so hackers have one really good target to get such data.

Really? Where?

now there will be a spot that has the full picture of me

Again, where? Are you planning to contact every company and collate the data they all hold on you, in a single MySQL database attached to the web?

I ask only because nobody else is*

So overnight I become a law abiding citizen to a criminal, where the police will watch me break a law I didn't know I broke, because they see that I have a tendency to do something against the popular fad

How would the police see this? Why would you continue to do it if it was against the law? Are you actually complaining that you can't break the law?

4. How are we going to pay for this. California has a lot of big data companies, that means California will need bigger data just to handle this all.

In the UK it's a cost of doing business. I write to a company with a Subject Access Request, demand all data they hold on me - including HR records, customer records, marketing records, transactional records, paper records and surveillance footage - and they write back saying, "We can only do that if you pay a fee." So I hand over the maximum allowable fee of £10 and they send me.. well, could be a palette of printouts, could be a DVD, could be a polite letter saying, "I'm sorry, we've never heard of you. Why did you write to us?"

* other than Facebook and Google of course

Re:Great first step (0)

Anonymous Coward | 1 year,16 days | (#43350799)

Why would you continue to do it if it was against the law? Are you actually complaining that you can't break the law?

You're so incredibly naive. The sheer number of laws on the books is overwhelming, and to say that only lawbreakers have something to fear completely ignores the fact that governments and government workers are not immune to corruption or making mistakes.

Re:Great first step (1)

khallow (566160) | 1 year,16 days | (#43349683)

Nah, the next step will be to punish the companies when California government agencies accidentally leak that customer information.

Re:Great first step (2)

houghi (78078) | 1 year,16 days | (#43349811)

The next step would naturally be to force the companies to correct the data that they have wrong.

Just for your information: this is already law in Europe.
Many people think that this means they can remove their details, but that is not possible because of other laws. e.g. for billing reasons you can not remove the customers data, but you are allowed to update it.
This can also mean that in various cases, they will need proof. e.g. we asked a signed form if you want to change your address.

This does not mean that you need to hand over every detail you have on the customer. e.g. notes made do not need to be handed over (unless there is some sort of order by a judge, but then everything goes.)

Re:Great first step (0)

Anonymous Coward | 1 year,16 days | (#43350369)

For example, one link mentioned a woman who lost a job because she was misidentified as having a criminal record.

In which case, she has legal grounds for pursuing a civil case against the company who reported the bad information, as well as the company who fired her.

Re:Great first step (1)

sjames (1099) | 1 year,16 days | (#43351075)

A lot of people would be greatly helped if such false information was treated as libel. They showed a callous disregard for the truth of their statements and so should fully compensate her for her losses AND punitive damages.

Most problems of 'identity theft' would also go away if that was done.

Re:Great first step (1)

Shotgun (30919) | 1 year,16 days | (#43351333)

No. The next step is to force them to tell you what they are telling the other person, every time they tell the other person. Otherwise it is just gossip.

The step after that is to allow for suing them for libel if they refuse to correct mistakes.

Of course, the the company becomes less than profitable because it requires work to do all that. You can't just take a "business's" claim that they are owed $X amount, and let the company wait patiently until you want to buy a house or car.

Which brings us to the proper step. Credit management should be handled by the government. If I do not pay a debt, it isn't entered onto my credit history until a court concurs. Innocent until proven guilty.

Excellent start (1)

thetoadwarrior (1268702) | 1 year,16 days | (#43348383)

Companies are really careful about protecting their data but offer us no option to protect ours. At least giving people am idea what they're doing will help inform people and maybe they'll realise what's going on and maybe freebies aren't the best deal.

Re:Excellent start (0)

Anonymous Coward | 1 year,16 days | (#43349415)

Companies are really careful about protecting their data but offer us no option to protect ours. At least giving people am idea what they're doing will help inform people and maybe they'll realise what's going on and maybe freebies aren't the best deal.

You have an option - don't share your data with them. If it's already public then it's not yours anymore. If enough other people want privacy like you do, then competitors will swoop in.

It really comes down to how you think we should determine which products are better - consumers buying what they want, or voters agreeing about what they want.

Welcome to the 1980's (5, Informative)

ledow (319597) | 1 year,16 days | (#43348407)

Welcome to the 1980's, guys.

Data Protection Act (1984) UK, subsequently revised several times to clarify its intent.

You can write to ANY company, entity or organisation (even a website) and DEMAND all information they are storing on you. They may charge you only a reasonable administrative cost. Even applies to CCTV of yourself (but, obviously, in that case you have to give them enough information to determine who you are on their CCTV systems and can't just expect them to trawl years of video looking for your left arm).

How can you know whether a company is distributing incorrect / damaging information about yourself without the right to demand to see that information, the right to change it where it is erroneous, and the ability to control what they are allowed to do with it.

Re:Welcome to the 1980's (2)

tlhIngan (30335) | 1 year,16 days | (#43349053)

Welcome to the 1980's, guys.

Data Protection Act (1984) UK, subsequently revised several times to clarify its intent.

You can write to ANY company, entity or organisation (even a website) and DEMAND all information they are storing on you. They may charge you only a reasonable administrative cost. Even applies to CCTV of yourself (but, obviously, in that case you have to give them enough information to determine who you are on their CCTV systems and can't just expect them to trawl years of video looking for your left arm).

How can you know whether a company is distributing incorrect / damaging information about yourself without the right to demand to see that information, the right to change it where it is erroneous, and the ability to control what they are allowed to do with it.

I believe the California law goes one further in not just saying what the business knows about you, but who they sold the information to as well. And it's ongoing - as long as your information is passed to a third party, the company has an obligation to notify you of what they passed on.

Re:Welcome to the 1980's (3, Informative)

fatquack (538774) | 1 year,16 days | (#43351451)

In EU privacy law (on which the UK Data Protection Act is based) selling personal information is in principle not allowed. Even giving it away for free is only allowed in a few cases.

Re:Welcome to the 1980's (3, Informative)

galadran (1099427) | 1 year,16 days | (#43351477)

Welcome to the 1980's, guys.

Data Protection Act (1984) UK, subsequently revised several times to clarify its intent.

You can write to ANY company, entity or organisation (even a website) and DEMAND all information they are storing on you. They may charge you only a reasonable administrative cost. Even applies to CCTV of yourself (but, obviously, in that case you have to give them enough information to determine who you are on their CCTV systems and can't just expect them to trawl years of video looking for your left arm).

How can you know whether a company is distributing incorrect / damaging information about yourself without the right to demand to see that information, the right to change it where it is erroneous, and the ability to control what they are allowed to do with it.

I believe the California law goes one further in not just saying what the business knows about you, but who they sold the information to as well. And it's ongoing - as long as your information is passed to a third party, the company has an obligation to notify you of what they passed on.

The DPA prevents companies from selling the data without your permission. Companies can only process data for the purpose it was collected for, e.g no reusing data without permission. Additionally they may not sell or transfer it to a jurisdiction where the privacy controls are weaker to get around this restriction.

Dear Facebook, (0)

Anonymous Coward | 1 year,16 days | (#43348435)

Please completely devestate your business model.

Bonnie Lowenthal
Temporary Assistant Deputy Backup Politician from Long Beach

I want to know who gets it (1)

GodfatherofSoul (174979) | 1 year,16 days | (#43348475)

I'd rather have a law informing me of who is receiving my information. I'm getting nagged by Google all the time to turn my pseudo-anonymous accounts into explicit links to the real me via phone numbers and nagging for my real name. I want to know where all that information is going.

I just got an iPhone with the "Find My Phone" app. It seems to work by posting my phone's location to iCloud. Who has access to that info?

PIPEDA (0)

Anonymous Coward | 1 year,16 days | (#43348483)

We've had that for years up here in Canada. The Personal Information Protection and Electronic Documents Act. When it first came out, I was the DBA at a small company. First thing I had to do was scrub everything from our database that could possibly be construed as disparaging towards a customer, just in case they asked for their records.

I'd be surprised if one in a hundred Canadians are even aware that the act exists, let alone their rights because of it.

Re:PIPEDA (2)

Lorens (597774) | 1 year,16 days | (#43348691)

The equivalent exists in France since 1978. There are quite heavy fines and even prison terms for inappropriate collection and use of personal data. There's even been at least one spammer convicted [quinot.org] on the grounds that his use of a list of e-mails constituted illicit use of infringing data.

Next step: identify the companies (3, Interesting)

gclef (96311) | 1 year,16 days | (#43348549)

Interesting side problem: how do you know which corporations have data about you? The big companies like Google are known, but there's alot of other data brokers around...how can I demand data from a company I don't know about?

Re:Next step: identify the companies (0)

Anonymous Coward | 1 year,16 days | (#43348685)

Sounds like an opportunity for a new service to do a blanket request to ALL know corporations for YOUR data, of course as a new startup we get to keep a copy of all requested data for our own nefarious uses.

Re:Next step: identify the companies (1)

gl4ss (559668) | 1 year,16 days | (#43349323)

Sounds like an opportunity for a new service to do a blanket request to ALL know corporations for YOUR data, of course as a new startup we get to keep a copy of all requested data for our own nefarious uses.

yeah then all companies would have a record of you existing and where you asked them to send that data.

Re:Next step: identify the companies (0)

Anonymous Coward | 1 year,16 days | (#43350453)

Sounds like an opportunity for a new service to do a blanket request to ALL know corporations for YOUR data

That would be so fucking expensive and time-consuming nobody in their right mind would ever pay to do it.

Re:Next step: identify the companies (-1)

Anonymous Coward | 1 year,16 days | (#43348711)

Whoa there cowboy, don't start using reason and logic here, we are talking about government regulations designed to deceive citizens that the state is working on their behalf but in fact do exactly the opposite.

The internet is like a public street, if you go out into public someone else is free to take your picture. Do you have any rights to know who that person is, what pictures they are taking and why? Of course you do not.

If you do not want your picture taken in public then you may choose to not go there.

For the most part any legislation that is given a populist identifying name will create laws that do exactly the opposite of that name.

PPACA for example pushes a lot of money to the IRS but hires not a single doctor.

If you are counting on the state to look out for your own interests you are quite frankly a fucking idiot.

Of course we all know that a frighteningly large number of you citizens are fucking idiots, all we need to know this is to observe that Obama was re-elected.

Re:Next step: identify the companies (0)

Anonymous Coward | 1 year,16 days | (#43349217)

I think the biggest difference with the public street argument is that these companies are actively trying to get your information. They would be equivalent to paparazzi.

Re:Next step: identify the companies (0)

Anonymous Coward | 1 year,16 days | (#43349291)

Of course we all know that a frighteningly large number of you citizens are fucking idiots, all we need to know this is to observe that Obama was re-elected.

Obama was actually the smart choice . . . considering the alternatives.

Re:Next step: identify the companies (0)

Anonymous Coward | 1 year,16 days | (#43349867)

You have been trained well grasshopper.

Re:Next step: identify the companies (1)

bagofbeans (567926) | 1 year,16 days | (#43348761)

Re:Next step: identify the companies (1)

gclef (96311) | 1 year,16 days | (#43349051)

That list is just companies that trade in financial information (credit scores, loan companies, etc). Notice that google doesn't show up in that list at all, but google *definitely* has information about me (whether I like it or not). So, your list is woefully incomplete. I suspect the full list of companies that collect personal information doesn't exist. That's kinda my point. Is the tacit expectation of this law that people will have to find out (somehow...) which companies *might* have information on them, and then blanket-mail all of them demanding to see their info? That isn't as big a step forward as one might think.

Re:Next step: identify the companies (1)

bagofbeans (567926) | 1 year,16 days | (#43349343)

I just requested a copy of my report from The Work Company (free, once a year - they do salary checks) and guess what... they have full details of every 2 week paycheck from my current job. Last two jobs: nothing. So even my own employer (or their payroll sub) is selling my info.

Good start, but... (2)

webdog314 (960286) | 1 year,16 days | (#43348613)

They need to add wording so that my data can't be shared without my permission with anyone who doesn't have the same company name. Way too much is being hidden behind "associates" and "partners". Anyone who touches my data should have to accept the same security and legal restrictions/responsibilities as the parent company that collected it. I'm tired to getting those Privacy Notices from everyone I have an account with, written in legaleze so generic as to make them useless. If you can take the time to send me a revised privacy statement every six months, then you can take the time to list who your "associate companies" actually are.

Re:Good start, but... (1)

misanthropic.mofo (1891554) | 1 year,16 days | (#43348799)

They need to add wording so that my data can't be shared without my permission...

That's all you really needed to say. All this data hoarding and selling by so many companies is ridiculous, even your bank does it and then they send a letter in the mail to the effect:

"If you'd like to opt-out of our wonderful system of making money off your personal information, jump through these flaming hoops and let us know. Otherwise we're going to try to make as much money as possible off your ass.

All of these types of things should be opt-in, they should never be opt-out. I could care fucking less if some marketing company goes out of business. At the very least, any company that makes money off selling your data with or with out your consent, should have to send dividends to every person, whose data they've trafficked.

Re:Good start, but... (0)

Anonymous Coward | 1 year,16 days | (#43349529)

You opted in when you opened an account with the bank. If you don't like it, switch to a different bank. If NONE of the banks are private enough for you, use bitcoin.

Re:Good start, but... (0)

Anonymous Coward | 1 year,16 days | (#43350839)

>bitcoin
>bank
Yes, the two are the same thing and serve the same purpose.

Idiot.

Re:Good start, but... (0)

Anonymous Coward | 1 year,16 days | (#43351447)

Well the GP didn't say they were the same thing, but they do both serve the same purpose of storing and transferring money.

[prepares for someone to say ***whoosh***]

Re:Good start, but... (0)

Anonymous Coward | 1 year,16 days | (#43349747)

They need to add wording so that my data can't be shared without my permission with anyone who doesn't have the same company name.

I too have committed this privacy breach, on three occasions. Let's pick apart the varying degrees of privacy violation here. Some are worse than others, but I think we can agree I was in the wrong, in all three cases:

There was a brewpub which made pretty good beer. Most of it was very good, but some of it wasn't. I realize that my experiences tasting their beer, is actually information about the brewer and ought to be treated as the brewer's property. But nevertheless, I told another beer-lover, without first asking the brewer's permission to share his information. Worse, I have to admit I have been data hoarding information about many brewers' skills, some good and some bad. I am sitting on a goldmine of valuable information about other people, and I've been pretty loose with it sometimes, without regard to consequences to the brewers' privacy.

During a painful phase of a breakup, I talked some shit to my friends, about my slutty ex-girlfriend. Not only was that a totally immature and dickish thing to do, but it should have been illegal to disclose details to any other person, about how she behaved at a certain party where she was supposedly "with" me. What's more personal than telling people that a specific person was making out with other dudes at a party we had gone to together? That information belongs to her, not me. All I should be legally able to say is that I felt hurt by something, but can't go into details.

There was even a professional for-profit situation where I broke a law-which-ought-to-exist. I was making money off my employer in the form of paychecks. One day, someone asked for my employer's mailing address. I told them. That's location information about someone else who had been paying me, essentially a customer of mine!

Re:Good start, but... (1)

webdog314 (960286) | 1 year,16 days | (#43351185)

Ah yes, but the point isn't that the bastards shared my data... That's necessary to conduct business with me, etc. The point is that there's a difference between a "subsidiary" and an "associate". A subsidiary company is a part of the parent, and to some extent shares legal responsibility for your data. An associate company can be anyone that the parent has an association with. It could be a legit and respected service, or it could be a shady marketing firm who couldn't give a rat's ass about you or your personal information. When I click on a consent box, or sign my name on an account card, I'm giving permission to the parent company and their subsidiaries to use (and be responsible for) my data. But I don't know who the hell their "associates" are, vaguely mentioned in some privacy notice that comes as a bait and switch by mail a month later.

This kind of corporate activity is boilerplate now.

Re:Good start, but... (0)

Anonymous Coward | 1 year,16 days | (#43350047)

They need to add wording so that my data can't be shared without my permission with anyone who doesn't have the same company name.

No problem, the site will have an annoying checkbox indicating your consent to all your personal data being shared at whim of the company. Don't check it, and Google won't search for you. Same deal with places that have logins, approval of the company to do whatever they want with your data is somewhere in the 'terms and services' and you checked a box stating that you have read and agree to the terms and services on the provided link.

As for the legaleze, yes, I have long been in favor of making use of legaleze punishable by death. (possession or generation of legaleze would only carry a prison sentence of no less than 5 years and no more than 20 years per offense, unless it is historic legaleze maintained as part of a collection)

Re:Good start, but... (1)

Beorytis (1014777) | 1 year,16 days | (#43350593)

The thing that really bugs me about those privacy policy mailings is when they come from banks, who charge extra fees for any transaction other than online or by ATM, and yet my request not to share information must be sent back by postal mail with all the account numbers written in.

Silicon Valley (1)

Saethan (2725367) | 1 year,16 days | (#43348621)

Google and Facebook will fight this tooth and nail, I'm sure, and if it goes through - well, California might see even -more- business leave their state. Not that I think it's a good thing it'll happen. This is just how it is.

Re:Silicon Valley (1)

hawaiian717 (559933) | 1 year,16 days | (#43350819)

Fight this, no doubt. But if it happens, I'm not sure that companies like Google and Facebook moving out of state would be enough. Since the proposal appears to (based on the summary) apply to California customers, they'd actually have to stop doing business with residents of the state. Seeing as California tends to be the leader on these things, it's probably in their long term interest just to set up the systems necessary to comply.

Re:Silicon Valley (1)

Saethan (2725367) | 1 year,16 days | (#43351029)

I'm not sure about this, what says that if California has a state law about something, a company located in another state has to comply with it? Seems the burden would be on California to block access, not the other way around.

Impossible to enforce (1)

fustakrakich (1673220) | 1 year,16 days | (#43348665)

The only way you can ever know who has what is by accident or by stealing the hard drives. This stuff is too easy to hide.

Re:Impossible to enforce (0)

Anonymous Coward | 1 year,16 days | (#43348959)

The only way you can ever know who has what is by accident or by stealing the hard drives. This stuff is too easy to hide.

Customer data disclosure could be handled like business software piracy; pay employees to snitch. Computers are not the weak point.

Implimentation (2)

ZombieBraintrust (1685608) | 1 year,16 days | (#43348671)

That's not all: you'd be able to request a copy of all the data they've stored about you too.

Sounds like a identity thiefs dream come true.

Identity Theft (1)

ZombieBraintrust (1685608) | 1 year,16 days | (#43348701)

Steal enough info to fool google into thinking your someone else. Then request from google everything it knows about that person. They better require such request to occur in person with documenation.

Re:Identity Theft (2)

gewalker (57809) | 1 year,16 days | (#43349577)

Well, the bill specifies notification via writing or email. Clearly, no risk of identity theft whatsoever. Also, they specific the info must be provided to the consumer at no charge, so no disincentive to phishers of men that way either.

Re:Identity Theft (0)

Anonymous Coward | 1 year,16 days | (#43351191)

Sarcasm noted.

I do wonder how this law will handle identity verification because they're essentially being compelled to share specific data about a person upon request. Seems rife for abuse.

Europe operates it (0)

Anonymous Coward | 1 year,16 days | (#43350173)

And it doesn't seem to be a problem, so the FUD gaming here needs to be ignored.

I, for one, welcome our old government overlords. (1)

Impy the Impiuos Imp (442658) | 1 year,16 days | (#43348687)

That's right, keep The Peole's attention focused on "spying evil corporations" rather than the real danger from those who spy on you. Government good. Corporations that jam shelves with products evil.

So sayeth your meme overlords. So let it be!

Re:I, for one, welcome our old government overlord (1)

Gallomimia (1415613) | 1 year,16 days | (#43349177)

Man this is a great idea! If you can convince everyone to spend every waking moment scrutinizing the data collected on them every year they won't need silly things like TV or Elections to keep them distracted from what's happening in the world.

Re:I, for one, welcome our old government overlord (1)

Todd Knarr (15451) | 1 year,16 days | (#43351241)

Thing is, increasingly the government outsources it's spying to... those same corporations. Why do it in-house where you have to comply (or at least appear to comply) with a bunch of regulations when you can farm it out to a private company (who's dropping some nice campaign donations on you) that, not being a government agency, doesn't have to comply with any of those regulations?

This just in... Facebook buys California (0)

Anonymous Coward | 1 year,16 days | (#43348809)

Plan A:
In an effort to improve its privacy concerns and relations, Facebook has announced it's plan to buy all properties and businesses within California.
In related news Facebook has changed it's "Friend" functionality to the much more appropriate "Vassal" system.
This re-imagination of the tried and true Monarchy system converted into a Corporate Oligarchy will pave the way for a brighter future that Facebook hopes other businesses will replicate.
Plan B:
Stipulate facebook is free to use and as such you gain no such Consumer Privacy Protection rights.

facebook already has a system for this (1)

gl4ss (559668) | 1 year,16 days | (#43349341)

they have to comply to this in europe. thus they have a push button solution for complying with this. a bunch of other californian companies don't.

Re:This just in... Facebook buys California (0)

Anonymous Coward | 1 year,16 days | (#43350353)

Plan A: In an effort to improve its privacy concerns and relations, Facebook has announced it's plan to buy all properties and businesses within California. In related news Facebook has changed it's "Friend" functionality to the much more appropriate "Vassal" system. This re-imagination of the tried and true Monarchy system converted into a Corporate Oligarchy will pave the way for a brighter future that Facebook hopes other businesses will replicate.

In related news: California arrests Facebook's board of directors and all senior corporate officers, sentences them to life imprisonment and seizes all their property.

Plan B: Stipulate facebook is free to use and as such you gain no such Consumer Privacy Protection rights.

This just in: California implements law to disallow signing away your any and all essential rights(as defined by the State of California) to corporations. Whoever has the power to enact law can trump anything you come up with short of war and/or assassination.

Well-intentioned, but complications arise (0)

Anonymous Coward | 1 year,16 days | (#43348839)

This seems like generally a good direction to be going, but there are issues to think about. For example, what if a company's data about me relates to other users' interactions with me? Giving me that data could well become a privacy issue for the other users.

Do it! Do it Now! (0)

Anonymous Coward | 1 year,16 days | (#43348901)

And follow up with Right To Be Forgotten.
This could be our first great step to cripple the surveillance state that Google and other surveillance (marketing) companies have produced.

I should be able to call Google and say: Forget me.
And they should have to provide proof to the government under threat of massive fines (and executive prison time) that they have no data matching a particular set.

Cut these bastards off at the knees.

Have they thought this through? (2, Insightful)

Anonymous Coward | 1 year,16 days | (#43348911)

I thought one of the growing concerns people had, and at first glance it appears to fall within this bill, is all the pseudonymous "tracking" which various companies do (particularly in advertising), where lots of details can be inferred about a person, and possibly even be cleverly determined to be about a specific person. For example, my computer figures out that you, John Smith on 1234 Fake St in zip code 66666, are into midget porn.

It's a real risk and can happen, and yet also, probably doesn't reliably happen. That is, I can figure out that this midget-porn-lover is very likely to be a guy in zipcode 66666, and if I were to combine some of the things I know with another database, which I may or may not have, I might determine it's very likely John Smith. But I don't know, and I can't turn the inferences around and really say what John Smith's porn preferences are. If I try really hard (to a degree that I would never be commercially motivated to, and therefore wouldn't do unless someone pointed a gun at me and demanded it), then I really will sometimes make mistakes, and mistakenly attribute Joe Schmoe's porn preferences as being John Smith's.

If you make a law that I need to be able to tell John Smith what I think about him (an opinion which I don't really have) and make me liable for mistakes (make my opinion become critically important) then I need to DE-ANONYMIZE my data, and make the extra effort to join other databases so that I can resolve things more reliably.

I need to make the "privacy nightmare" that everyone is worrying about worse. Thanks, State of California. Just as your left hand sasys the corporations are the real Big Brother, right hand is there to assure us that no, government will always remain the primary threat. By force and good intentions, if necessary.

Problems? (1)

PktLoss (647983) | 1 year,16 days | (#43349329)

So, this presents some challenges to me.

I'm one of the co-founders of WonderProxy (https://wonderproxy.com), running a global proxy network you might imagine that we have a fair large log set. Our billing process involves pulling those logs into a central location, parsing out the information billing cares about (customer & amount transferred) and recording that in aggregate. We store the raw log files in the raw form for some period of time to comply with any sort of warrant from law enforcement (our goal isn't to be an anonymous proxy), then delete them.

We've deliberately avoided storing the details we have about traffic in any sort of a searchable form. We don't care unless something comes up, and as a general rule we don't think it's any of our business. So this is information about a customer we do possess, but also information that we've deliberately avoided making easy to access. To grab it we'd eschew all our UI tools, drop to a command line, and start uncompromising raw logs, then dropping in with grep or something to filter the user. Then another manual pass to make sure we haven't accidentally included a line from a different customer. For a customer who has only paid us $15 we're going to lose money once we comply.

Then there's our webserver logs. If someone logged in, we can technically deduce what requests are associated with that user, but the apache logs don't store that in a nice easy to read format. We'd probably need to correlate a bunch of different systems in ways we've never done before (because we don't care who loaded main.css on Tuesday the 4th at 16:22:32) to ensure we've handed everything over.

This is of course assuming that we're required to comply. We're a Canadian corporation, federally registered, all that fun stuff. But we do have servers in the US, even ones in California. Of course, getting an answer from our lawyer on whether or not we're required to comply would also cost well more than $15, and that's before we've started trying.

Then there's more privileged information. Internally calculated fraud scores, internal customer notes ("these people never pay on time", "serious PITA, don't give a discount", "Super nice") which is also information we have on a customer, but generally something we'd rather not share.

As a user of the web, I like this idea. As a provider of services the cost of compliance scares me.

Re:Problems? (2)

Kumiorava (95318) | 1 year,16 days | (#43349785)

If you read the bill text you quickly see (without lawyers) that your logs that are held to comply with laws and then deleted afterwards are not considered information your company retains. However you might retain other information and that information needs to be shared with the customer.

Bonnie Lowenthal for President (0)

Anonymous Coward | 1 year,16 days | (#43349361)

'nuff said.

Bout Damn time. (0)

Anonymous Coward | 1 year,16 days | (#43349549)

What the hell were they waiting on?

Until it applies, I say anything goes from the consumer side of things as well. If you obtain information on a company or agency, you should be able to sell it or trade it or provide it for free to anybody you like. And if those entities don't like it, then they shouldn't be doing it to us.

How about political parties and organizations? (0)

Anonymous Coward | 1 year,16 days | (#43349817)

That data is rife for abuse.

Google moves all operations outside of California (2)

mcrbids (148650) | 1 year,16 days | (#43349829)

Moving in 3, 2, 1....

Re:Google moves all operations outside of Californ (0)

Anonymous Coward | 1 year,16 days | (#43350309)

Why would they bother?

They're already subject to something like this in the UK (DPA, as outlined above), yet they've not withdrawn their UK operations over it. Any information Google is storing on you is probably 'live' so they can actually use it (at least, if you believe the conspiracy types), and they probably have to retrieve this information in response to court orders and warrants anyway, so a lookup should be a pretty simple affair for them.

It's just a question of what format the information has to be presented in. If they're allowed to provide it as is by email, they'll barely notice. If they have to format the binary bits to make them human readable, then they'll need a few more machines to run the conversion scripts. It'll only hurt if they have to provide printouts without recompense - toner ain't cheap.

The only problem is proving that the person requesting the data is the person the data actually relates to.

Plausible deniability web would result (0)

Anonymous Coward | 1 year,16 days | (#43351249)

Just wait until the web of plausible deniability that will result. Big Corporation X will outsource its data collection to provider Y who will have "affiliates" and "partners" and whatever else they can think of, and outsource data storage to provider Z, who will treat an app as its product. The result will be that no one will know who has what data about anyone. Corporations know how to do this stuff. If the State of California points a legal finger at Big Corporation X, then BCX will point to Y and Z, who will point to their affiliates and partners, who will find someone to throw under the bus.

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...