Some things to note, unless the bill was modified from the version I read before being signed into law:
This doesnt apply to any information which is public record as a matter-of-fact.
So if you voted, your address and name is public record and can be used and displayed by these sites. If you got a DUI, your mugshot and arrest record may be public record and can be displayed. If you got into a custody battle and your court case was public, that can be displayed. And I guess that all makes sense in the end. If you got into a DUI, how does the government get to tell random website X that they are not allowed to say that you got into a DUI, especially when the information was public record.
So to be clear, if the peoplefinder style websites want to keep whitepages.com/user/john-smith online with an address, phone number and mugshot- They can tell you to pound sand and do so. This bill cant stop that.
Honestly, Theres alot of hype about this bill in general which is going to be... interesting... when people fail to understand what it can and cant be used for.
Additionally, this bill comes with a caveat that the sites can request proof you are living in california currently, via a license scan or some other method you get to now hand over to the data broker.
That said, in our research for https://redact.dev supporting these features from a pure API only interaction, is that most of the sites just delete you if you use their form. They dont want the headache of insane users threatening them and doing crazy shit because they dont delete their profile. And honestly the people who go through these removal processes are less than 1% of the stored data, so its mostly just a cost of doing business.
> If you got a DUI, your mugshot and arrest record may be public record and can be displayed. If you got into a custody battle and your court case was public, that can be displayed.
The problem is you’re changing the social contract. 25 years ago a DUI wasn’t a life sentence; it wasn’t something someone could find a record for something you did when you were 19 on a website 40 years later.
Now, it’s a life sentence. It will impact your ability to get gainful employment for a lifetime. I’m sure people who have a hard-on for criminal justice love this, but I think it’s unfair and detrimental to a healthy society.
DUI can also be a life sentence because you kill someone or die. I know a dude who will never walk again. He has employment problems whether or not his employer knows why he is crippled [0]. We're grateful that he hurt himself and not some bystander. This is a major infraction.
I have some sympathy for anyone discriminated against for something they did long ago but the solution here is to educate HR departments to only use relevant criteria when assessing candidates. Or, in other words, reset the social contract a little.
[0] Bonus rant: this fact is why I've always been consistently vocal that the people trying to put so much liability on self-driving vehicle operators that it'll slow down deployment need to take a long hard look at themselves. We need to get humans away from the wheel ASAP and if a couple of people die on the way there those are lives better spent than what we do now.
A friend of mine lost his daughter to a DUI driver. DUI needs to have dire consequences, especially if involved in killing/disabling others.
However, we should use the justice system to deliver the right punishment instead of condemning people to an extrajudicial, de facto life sentence in all cases. The US is too liberal with making information public, while in most countries it's almost impossible to know who had a DUI in the past.
There is also a huge distinction to be made between being arrested for something and being convicted of it.
Any cop can arrest you for DUI, with or without evidence. You get a mugshot, a public record, and a booking charge of "DUI".
Whether you get immediately released with charges dropped, or have to fight it in court and are later declared innocent or have the charges dropped, that initial public record and mugshot next to the words "DUI" now lives forever in various public archives.
IN ADDITION to removal attempts, we SHOULD ALSO influence (regulation, societal pressure, etc) how HR/etc departments use data they find online about a person.
In general, there's a lot of information that has been considered public as a matter of law (often for good reasons) for a long time. Making this information available on the web rather than in some dusty county clerk's office arguably changed things. But we've mostly shrugged and let the information remain public even if it's just a click away (or at least a nominal background check payment away).
A few years ago, I unregistered to vote, because some websites make your name, address, and age public if you're registered to vote. So I no longer vote. My privacy is more important than my ability to vote.
As an employer, I’ve had many hundreds of people work in my group over the years, meaning I’ve had scores of people with DUIs.
I run a software shop, not a trucking company or airline. Whether you had a settled DUI in your past doesn’t change your ability to write code now, which is what I’m hiring you for.
Thing is, you as a small shop don't care... but large corporations, they get so many applications that they use background screening to filter down the load to something that their HR can handle, and in some cases (especially in government, aeronautics and medical) client contracts require regular checks of employees.
If they’re already filtering on things unrelated to the job, they could just as well throw out whatever percentage of applications was needed to get down to a load their HR could handle.
the things unrelated to the job are things they can then say are related to moral character and make you a better hire overall.
Also any prior arrest record - DUI for example - can affect your permissions to work on projects with high security clearances and thus a factor that might not be relevant to small shop would at any rate be potentially relevant to large corporations who are the ones getting government contracts that require high security clearances.
It fine to think that way. The problem is restricting other peoples right to free association if they do not want to hire them
. Having a DUI is not a protected class.
The problem is that an arrest and a mugshot is not a conviction.
The record of the former is still public even if the charges get dropped or the arrest was unlawful. And will appear on web searches or be surfaced by all of the background checkers that HR uses.
You raise a great point. But honestly: if you got a DUI in your youth you deserve to answer for it. It might or might not keep you from getting a job 10 years later, but you put people's lives in danger. If it does affect you: too bad. Drunk driving has always been a life sentence for its victims.
I would find your argument more compelling with a different example like shoplifting or vandalism: still deeply anti social, but not killing innocent people who are just going about their business.
Once you meet enough people you realize DUI has nothing to do with driving ability.
One of the most to-the-book buddies I know is also the worst driver I know. He once had a gnarly accident where he flipped his car a few times because he had to look at his GPS briefly. I hate sitting in his car. He insists on always being the driver too because you can tell he finds driving overwhelming but thinks he’s actually good at it. Lol.
I have another buddy who does have a past DUI. He’s extremely coordinated and I have never felt unsafe in his car.
At the end of the day, if I had to choose someone to suspend their license forever, it would be my first buddy. I don’t care if he has a clean record. He simply was not gifted hand-eye coordination and is already a menace while sober.
To be pedantic, DUI by itself is not killing anyone, it's the crashing that tends to do the killing. You don't know the circumstances behind someone's DUI conviction, which could range from being drunk plowing into a bus load of school kids to being drunk in your parked, non-running car without the keys. There are many ways a determined and creative cop + justice system can successfully convict one for DUI that don't involve harm to anyone.
I know people who lost their liscense for riding their bikes while drunk. Rightfully so, luckily in my younger years I was never cought the few times I did so myself.
In the UK, drunk cycling is an offence with a maximum (but not usual) penalty of £2500, but you can’t be forced to take a blood alcohol level breath or urine test as a cyclist… so you’ll just get a charge of reckless cycling instead. Neither drunk or reckless cycling has any effect on your driving license.
So basically, as long as you’re not so impaired you’re an obvious danger to others you’ll probably get away with it, which might explain why it’s such a popular alternative to getting home from the pub.
problem is that stance is like a vicious cycle. Can't get worthwhile employment screws everything from your family to your social life, worse if you can't drive anymore too, and all that is right back into why those people would be alcoholics or using other drugs and stuff in the first place.
my thing is I'm all for justice but not justice that creates more of the same problem in others or the same people giving them even more reason to give up with, well, it's like branding people on the forehead. Why be surprised when the outcast keeps doing outcast stuff when they're never allowed to be anything but an outcast? it's like if society shot itself in the foot then is outraged demanding to know who shot it in the foot.
tryin to say it feels good but just feelin good don't fix nothin
What the other person seems to want is revenge or some arbitrary punitive action against someone, perhaps decades, after they've already been through the legal system and answered for their actions.
The fine or minor jail time and your license being taken for period of time is answering for that driving under influence.
No reason to continue punishing people forever, that is destructive for society. This ideology of as large punishment as possible is something I find off-putting.
If it was easy to live in a society without drunk driving, then it would be done. Saying that some people don't get a DUI conviction is tantamount tolerating the conditions our society is in.
There are many society wide problems, all with various trade offs and costs to ‘fix’. (I added quotes, because in most cases I suspect a real actual fix is impossible - merely moving things around into another category or changing how the underlying situation presents itself).
There are also many different individual choices one can make, with relative tradeoffs.
How would you rate illegal drug use/overdose deaths relative to DUIs for instance? What solutions (and related costs) do you think would be necessary to ‘solve’ the DUI problem? How about obesity? How about heart disease?
> Otherwise some troll will demand data be deleted for another person.
Would that be a bad thing, though? I don’t personally value what these sites do and can’t imagine a healthy person who does. It could be better for everyone to do away with them
Like whitepages.com? We’re talking about websites where you don’t have an account and they just republish info from public records and/or data brokers, not Facebook
In other states, usually you can do something if you show you are a victim of 'fraud' or abuse. Fraud might be easy to prove, if someone ever stole your password or something
> So if you voted, your address and name is public record
As someone not from the USA: what the actual F?!
edit labster's sibling comment points out that there are actually laws on how public voter data is. So it is not nearly as dire as the quoted sentence made it seem.
There are laws--which vary by state--on how and by whom and for what purpose voter registration data can be requested. But, as a general statement, it's not wrong to say that the name and address of registered voters are often a matter of public record though not their vote of course. It's certainly not correct to say that, in general, no one besides the government can access them.
It seems voting in the US is a lot less secret and anonymous then elsewhere. All people do in Germany is scratching your name off of the voter list at your polling station to avoid someone else voting again in your name.
The list of names so is not public or anything special, it is just a list names and adresses pulled from the respective resident list maintained by your cities / towns / communities authorities anyway.
I think it's fairly common to make the electoral roll available in some form or other. In Australia, for example, you can walk into the National Library of Australia and read federal electoral rolls dating back to 1903.
The USA goes unusually far with this, but it's a matter of degree and it doesn't surprise me.
California seems to be stricter than many states but it's not just political purposes (which I'm not sure how that is "better" anyway):
In California:
Candidates, parties, ballot measure committees, and to any person for election, scholarly, journalistic, or political purposes, or for governmental purposes, as determined by the Secretary of State. All voter information is confidential except for those listed above that may request lists.
> If you got into a DUI, how does the government get to tell random website X that they are not allowed to say that you got into a DUI, especially when the information was public record.
Like every other countries in the world have?
> how does the government get to tell random website X that they are not allowed to say that you got into a DUI
By saying you can't publish the information and suing if people do? It's not perfect but its very easy for governments to not make it show up in google so employers won't know, like it's a right in almost every developed country.
Americans seem unable to imagine anything else than what is.
We have a very strong freedom of speech in this country, to the point its kinda insane. (See the citizens united ruling for instance)
So, yes. We cant imagine it because basically the government has extremely, extremely limited ability to control the speech of corporations or people- Essentially limited to yelling 'fire' in a crowded theatre. Aside from that, People and corporations are able to say whatever they want. They can still be held liable for defamation, breaking contracts, etc.. but you cant legislate the right away for people to say things.
> SB 362 received a cumulative vote of 153 for it and 38 against it the various times it was voted on the floor of the two houses and in multiple committees. That’s over 80%-win rate. It received a Republican vote on the Assembly floor, making it bipartisan.
Wait...the final Senate vote was:
D R
Yes 31 0
No 1 8
and the final Assembly vote was:
D R
Yes 52 1
No 14 14
and it is considered bipartisan because a single R voted yes?!
The point of my comment was to highlight that, and show the totals to make clear just how lopsided the vote was, and to ask if that usage was correct. Hence the "?!" at the end.
By nearly every definition I've seen of "bipartisan" that would not be be bipartisan. There's no precise definition, but generally the usage I've seen is for these kinds of situations:
1. A majority of each party support it.
2. The majority party does not have enough votes within the party to pass it, so have to get cooperation from members of the minority party. This generally requires the majority party to make concessions to get those votes, which generally requires making some concessions that help advance the minority party's agenda.
Politicians sometimes do call bills bipartisan with few (or even zero!) votes from the other party, but they get called out on that by fact checkers [1].
California's consumer protection feels like EU levels right now. With such a big economy and influence on other states, it feels like they're becoming a singular driving force for policy for (at least) blue states.
e.g. I suspect Skittles won't have a "California recipe" to avoid Red No 3 which will effectively make it national law.
Has the rate with which they're driving consumer protection gone up as a legitimate broader strategy or is it just part of the Newsome might run activity?
Another one who bought into the latest pro-Nuclear narrative, without bothering about details, context or the bigger picture. But guess who is on-board with you on looser emissions retrictions? Oil companies, and to a somewhat lesser degree car makers.
I'd say that CA regulations are not quite on the EU's level though. For instance, the GDPR requires that you render all the data you have on a user in response to DSARs while the CCPA, as I understand, only requires you to say what the data is that you have but not actually show the values.
I've done several CCPA data requests. You get very detailed data (the actual data).
Some companies do not comply with the law, however-- the penalties are a slap on the wrist. Enforcement is only from the California Attorney General's office and the California Privacy Protection Agency (no individual action is possible unless your data was released in a breach where you can demonstrate negligence). Enforcement and penalties is the main place where the CCPA / CPRA is _much_ weaker than the GDPR.
Agreed - why don't they focus on enforcement or open up small claims?
It seems so obviously the best way to use government funds in a way only government can. What is preventing them from passing changes that make more aggressive enforcement possible?
To have a material impact on the violators, we need the ambulance chaser lawyer equivalents for class action lawsuits to see $$$. The individual victim will receive less than a successful small claims suit, but a few $K paid out to sufficiently motivated individuals in small claims is effectively $0 to these companies. A few class action awards of millions to 10s of millions each, will at least show up on their balance sheets. I suspect it will still not be enough (we will soon know since other states' recently passed privacy laws which provide for private action).
What we really need to do is outlaw data collection and "sharing". If the service being provided does not require the company to know e.g., your location data (and has not received an explicit opt-in [for that single specific data type to be collected] that auto expires in n months), there should be massive GDPR style fines if the company is found to have collected location data. Unlikely to happen (in the US) as authoritarians in law enforcement and their supporters love to use private companies to do an end-run around 4th amendment protections that would make the data they are buying illegal, if they had collected it themselves.
I'd love to hear someone with expertise in the law opine on whether a pro-privacy DA could use existing laws like anti-stalking laws to prosecute these companies and their execs-- I'm thinking of the way RICO laws have been used so creatively over the last few decades.
My understanding is that a lot of companies choose to make the response GDPR-compliant rather than bothering with a separate process for the CCPA (there are other similar laws in other jurisdictions too so just having one process compliant with the most onerous set of rules can be appealing), but they don't actually have to if they don't want.
It is worse than providing a slightly non-compliant response in an (illegal) attempt to streamline their efforts. E.g., my first CCPA request to LexisNexis resulted in nothing. I had to contact their legal department to get them to comply. Their process works now.
A lot of companies that do comply, do so obviously begrudgingly. E.g., they will make you repeatedly fill out a long web form for each right you wish to exercise under the CCPA, instead of allowing you to just enter e.g., your identifying information once, and just check off each right you wish to exercise. It is malicious compliance.
Serius XM's CCPA web form, in addition to malicious design, was broken-- it simply did not work, and the number they listed to call _for CCPA requests_ turned out to be a general support number where none of the Indian call center folks even knew what a CCPA request was*.
*SeriusXM account was created by the dealer when purchasing a new car against my explicit request for them to not register me for any of the introductory "free" accounts listed as perks for the vehicle. SeriusXM (among other things) collects and sells your GPS location data-- a streaming service has no legitimate reason to collect your GPS location. I suspect they also pay dealerships a commission for signups, as the dealer had to go to extra effort to ignore my request.
1. With an effective uniparty government in California, the real balance of power is between the State Legislature and the Governor.
2. Newsom's stealth-campaign for President in 2024 needs him to stay in the national news cycle without directly competing with team Biden's messaging.
So I tend to believe that Newsom is picking and choosing bills to sign/veto with a focus on running for President in 2024.
I requested data be deleted from a data broker and live in Arizona:
> We are in receipt of your request dated September 12, 2023. You are submitting a request from a jurisdiction that does not currently provide data rights.
It's also possibly the lowest acceptable ethical bar. If all you can say to justify your actions is "At least it's technically not illegal" then you're really not running a great business.
> You've agreed to their terms that don't violate the law
I don't think there's much agreement going on with data brokers beyond very broad "we reserve the right to share your data with third parties to improve services" or some such. In most cases people are not interfacing directly with a data broker.
> why would they forfeit their hard earned cash, even if it's the right thing to do?
Lol that's ridiculous. They acknowledged you but are you telling you you have no rights. Wow.
This is why we should pay for services. If someone wants something deleted from my app... I'll delete it. No problem. They pay me a subscription, I don't even want their data. It's a liability if anything.
You know what business scoundrels like more than profiting off your data and attention? Getting direct revenue from you, especially recurring one via subscription, and profiting off your data and attention on top of that. More than that, your choice to pay for a good or service demonstrates you have disposable income and are willing to spend it - i.e. a high-value target for advertisers.
> They pay me a subscription, I don't even want their data. It's a liability if anything.
This is (a big part of) the solution - but personal data isn't enough of a liability yet to deter the scoundrels.
A charitable interpretation - what "deletion" means can vary across businesses and jurisdictions. For example, some jurisdictions may/may not allow the data to remain anonymized, require it to be in cold storage for law enforcement, etc.
So likely their isn't like if (state = ___) { delete } { else fuck you } but more like "if state = X, do state X logic, if state = Y, do state Y logic, else nothing"
What about converting personal data into anonymous data? For example, say a company tracked how many miles some person was a passenger on a bus. Now there is a request to delete their data, so could they simply overwrite their ID and name with "0000", "noname"?
its definitely { else fuck you } because the point is to have data to sell, not learn about the storage requirements
its a total absence of requirements
think of it like requesting water at a bar or club. in the states without regulation, all the businesses say "you can only buy this $8 bottled water", the same hospitality organization has companies in another state that are like "oh yeah the tap water's right over there"
sure, they both have.... fire code requirements or whatever analogy you find more applicable, but they also will say { else fuck you } to all other aspects without any thought aside from what's most convenient
> Californians will be able to delete all personal online data in first-in-US law
Considering the government has in no way regulated phone solicitors or spam, how could anyone assume this law would have any effect? I mean, lawbreakers ignore laws, and spammers hoard personal data.
edit: the Los Angeles Times article's first sentence is less hyperbolic, more sober...
> Californians will be able to make a single request asking that data brokers delete their personal information, under a bill Gov. Gavin Newsom signed into law Tuesday.
"right now is being sold by hundreds of data brokers to anyone with a credit card."
Has anybody tried to actually buy data from a data broker? I haven't found it to be nearly as easy as this makes it seem. Looking for tips / suggestions on brokers who might sell me my own information for decently cheap :) for academic purposes of course...
When Enfamil Fedex’ed a case of baby formula as a “welcome baby” gift for the child that we lost to a miscarriage, I got pissed off and dug into it.
They told me where they got the lost and I bought it for my zip code for $50. So I found out which neighbors were pregnant, had diabetes, were buying a car, etc.
The medical information was sourced from “anonymized” insurance subrogation data and prescription data. They were able to correctly identify that my wife was pregnant and project the due date, but didn’t have the diagnosis or the reason for the hospital/OB admission.
The prescription data was presumably resold by pharmacies (which?) to data brokers. This was their workaround to sidestep HIPAA ("It's not medical information, it's prescription information").
This is also why pharmacies pester you for your phone number, and to participate in their loyalty programs (don't).
As far as I could tell, they could link the hospital admission, OB admission (the hospital runs a separate system for OB) and doctor to the scripts. The RhoGAM was filled by the hospital pharmacy, and other scripts were filled by CVS.
My understanding is that "anonymized" data leaks from subrogration and the PBM as well that can be un-anonymized later.
Many years ago, I worked for a place that had been buying demographic, contact and mortgage details of ~10,000 S. Californians, per week, who had recent mortgages. I wasn't involved, but was curious and asked about it. They were paying 10 cents per name, and you literally just had to have a credit card / way to get the broker the money. The data was sourced from Experian.
Can someone who knows more about policy sausage-making than I do, comment on how good/bad this is?
I don't know what to think about California seeming to set an upper limit on privacy policy for the country.
California's revenues seem partly tied to some of the worst invaders of privacy, and presumably Californian legislation gets industry input.
At one point, I naively wondered whether a wealthy and independent-minded state like Texas might lead this (a bit like they have with textbooks). I guess they're pretty tied now, too, and also have a lot of anti-regulation voters.
It's very good in that it's significant progress over other US-based laws. Then again if you compare it to the much stronger privacy protections in the EU, there's still a looooong way to go.
It's true that California's legislation gets a lot of industry input, and they're not going to pass something puts the big tech companies out of business. On the other hand, there's a very effective coalition of privacy organizers there -- who are quite familiar with tech's tactics, and can be very effective at cutting through tech's spin with legislators. Plus, the California Privacy Protection Agency (which got established by a referendum, not through the legislature) has a lot of clout -- there isn't anything comparable in any other US state.
Washington state has similar dynamics, although with the CPPA equivalent. Microsoft and Amazon are hugely influential here; but, grassroots organizers had repeatedly stopped them from getting the very weak Bad Washington Privacy Act through the legislature. And this year, we passed My Health My Data -- stronger in some ways than California's privacy law.
Texas ... has been a disappointment. The privacy law they passed this year is based on the Bad Washington Privacy Act but significantly weaker.
WA MHMD is a game changer because private right of action. Doesn't rely on the attorney general or a dedicated privacy agency to take action -- private lawyers can.
(Technically not the first privacy law with private right of action because the Video Privacy Protection Act has one, but that law was originally passed to cover videotape rentals and the courts are still working out how it applies to video content on the Internet)
Yeah, that's one of the big ways that it's stronger than California's law (where the private right of action is limited to data breaches). [Another way is that it's opt-in, with an additional authorization for sale of data; California's law is opt-out.]
Of course MHMD doesn't take effect until after the next legislative session, so I'm sure there will be attempts to weaken it. So I'm not counting any chickens quite yet!
The companies it's mainly good for are those who have personal data but are not required to register as a data broker. So if you have a brand with content, forums, retail, events, or whatever and can collect info on people, then by pure supply and demand the market value of your audience data goes up.
I wonder how strictly said tool will validate the user is actually a CA resident? Hopefully not much, I'd probably try to use it anyways as someone not living in CA.
I remember emailing a site that apparently scraped LinkedIn, asking them to remove my information. They told me to fill out a form attesting I lived in California. When I told them I did not live in California, they told me to just sign it anyways and they'd proceed - and they did. So how many other companies are really checking each individual for truthiness? Doing so would seem impossible at such a scale.
Having deleted a bunch of online accounts a year ago, a lot of companies used OneTrust and their privacy policy would typically specify for California residents but the process varied pretty widely.
Some of the data deletion requests would ask "Are you a California resident (yes/no)" while some would ask for a California address, and some wouldn't ask at all.
One of the companies had a support person respond back to my request when I had answered no to being a California resident strongly implying I should resubmit my request with it marked yes which I ended up doing and it resolved smoothly.
I imagine companies that mainly make their money from the data would be a lot more strict on it though.
I’m sure if you wanted to find a lawyer who could help you become a de jure California resident for a sufficient time, it could be arranged. (For instance, there is one right here in this thread with you…)
As with many initiatives in this domain, you have to be cautious. First I want to say clearly I am vehemently opposed to the current state of "personal data brokering" which is basically the same or even goes far beyond what we condem in other totalitarion regimes. I also believe that anyone should have the right to know about, respond to and append comments with equal weight to
personal information that is gathered and published on them.
But the devil as always is in the details and more often than not these 'sounds good' initiatives on this front have perverse effects, either intentional or unintended though judging from the past the former is far more likely than the latter.
A central registry for all personal profile data brokers makes it so very convenient for agencies that already can demand access to all the data on a peer basis, to now basically have a central shopping catalog in which you have to register by law.
Also, their seem to be very many exemptions to the right to have your data purged. Things that people imagine might happen after they submit such a request in many cases wont.
Admittedly I do not have the competence to the level of detail required to flesh out the exact consequences of each word in a bill , its interpretation or its implementation.
As someone who’s been doing a lot of database design lately, how does everyone plan to handle referential integrity if laws like this become more commonplace or widely applicable?
Is it silly to suggest that laws like these could make cascade on delete a whole lot more commonplace?
Isn't the common practice to just replace the personal data in the db with garbage and otherwise leave the records in place - i.e. to prevent accidental reuse of the ids which could have unforseen consequences?
If their user now brings up "deleted user 12345", you've done your job and deleted the data they cared about.
Don't ask the question about database systems. Ask the question about data.
Instead of asking "how can rows in my posts table reference a deleted row in the users table?" ask "how can I show posts by deleted users?"
And that's a business requirement. Either you delete the post, or you delete the post's author link, or you delete the post's author link and content. Find out which one, and design and implement it.
This plan sounds like a billion dollars will go to a consulting firm to try to build a system that does a magic 1-click opt out. But it will be extremely difficult to accommodate all the edge cases that come with integrating 500+ varying sources of varying levels of quality of personal data. The legal system alone has the power to change enforcement, any thoughts on why they aren't focusing there?
This is a good move, especially with the emergence of OpenAI/ChatGPT which makes the "data is more valuable than oil" statement increasingly accurate. Individuals should be in control of data they publish online, whether it is behind a password or not. You should be able to delete any data you post, instantly, from all backups, at any time and without any backlash.
I wish I could just get my data. There are laws that require this, but Google won't let me get my data from my account because I lost the phone number, even though I have the username, password, recovery email and all the email gets forwarded to my other account. They say they have no way to prove it is me. I have argued on the phone with them for hours about it.
"You've said you have access to your email address, password and recovery email but you lost your phone number in a fire.
Based on that, we currently don't have any other account recovery suggestions for you. We encourage you to try to recover your account at g.co/recover. There's no limit to the number of times you can attempt to recover your account. To increase your chances of successful recovery, you can:
Try different variations of your answers.
Try recovery from a device you previously used to sign in.
If you still can’t recover your account, we recommend you set up a new account."
I guess some law requires them to have phone support for data removal purposes. I found the phone number somewhere. Interestingly the guys on the phone have access to some sort of internal Google telephone directory so they'll give you the number to practically anything just to get the annoying British guy off the phone.
> the Delete Act would empower the CPPA to develop a system by 2026 that allows residents to make a single data deletion request across the nearly 500 registered data brokers operating in the state. The CPPA would also be charged with enforcing provisions of the Delete Act, such as requiring data broker registration and ensuring brokers delete an individual's personal information every 45 days upon receipt of a verified request.
Under GDPR, if you request that a company deletes the PII they have on you, the company has the obligation to request deletion to any third parties they transferred the data to.
One requirement that is less known is also that, if a company has PII about you and you never explicitly gave this data to them, you then have the right to be informed. What it means is that you can ask what data they hold on you and what is the source of the data.
So if you get a cold call from a random sales person, you can ask them where they got your number, they have the obligation to tell you the data broker they bought it from. You can then request the deletion of your data from the data broker.
I did it a few times.
Yeah but not "all brokers" without having to figure out who they even are. There's a huge forest of data brokers behind the big actors.
California has that.
But asking the people who they got the data from doesn't work. They just hang up as soon as you talk about it. Especially because I'm on the "do not call me" register and they are already in breach of the law by calling me in the first place.
It's going to be the same in California for companies who just ignore the regulation though.
I do agree with you that a centralised way to get your data to be deleted is great. It does feel like a band-aid to me though, I would just prefer that reselling PII would be made illegal. I don't see the point of allowing that.
You have though, you can send a mail. I had to give my data so that my sister could rent an apartment, once she got it i filled preformed Gdpr letters asking them to delete my data non necessary to their business, and if they sent my data to third parties, ask them to delete it too.
> Data brokers are defined in the bill as businesses that we don’t have a direct relationship with — and likely have never even heard of — that scrape and collect our personal information from various offline and online sources, and then aggregate our personal information, and then sell it to third parties
Credit agencies like Equifax and TransUnion satisfy that condition. They should be subject to the law, especially given Equifax's security history [0]
This doesnt apply to any information which is public record as a matter-of-fact.
So if you voted, your address and name is public record and can be used and displayed by these sites. If you got a DUI, your mugshot and arrest record may be public record and can be displayed. If you got into a custody battle and your court case was public, that can be displayed. And I guess that all makes sense in the end. If you got into a DUI, how does the government get to tell random website X that they are not allowed to say that you got into a DUI, especially when the information was public record.
So to be clear, if the peoplefinder style websites want to keep whitepages.com/user/john-smith online with an address, phone number and mugshot- They can tell you to pound sand and do so. This bill cant stop that.
Honestly, Theres alot of hype about this bill in general which is going to be... interesting... when people fail to understand what it can and cant be used for.
Additionally, this bill comes with a caveat that the sites can request proof you are living in california currently, via a license scan or some other method you get to now hand over to the data broker.
That said, in our research for https://redact.dev supporting these features from a pure API only interaction, is that most of the sites just delete you if you use their form. They dont want the headache of insane users threatening them and doing crazy shit because they dont delete their profile. And honestly the people who go through these removal processes are less than 1% of the stored data, so its mostly just a cost of doing business.