California Passes New Privacy Law

The California legislature unanimously passed the strongest data privacy law in the nation. This is great news, but I have a lot of reservations. The Internet tech companies pressed to get this law passed out of self-defense. A ballot initiative was already going to be voted on in November, one with even stronger data privacy protections. The author of that initiative agreed to pull it if the legislature passed something similar, and that's why it did. This law doesn't take effect until 2020, and that gives the legislature a lot of time to amend the law before it actually protects anyone's privacy. And a conventional law is much easier to amend than a ballot initiative. Just as the California legislature gutted its net neutrality law in committee at the behest of the telcos, I expect it to do the same with this law at the behest of the Internet giants.

So: tentative hooray, I guess.

Posted on July 3, 2018 at 10:24 AM • 24 Comments

Comments

Prince Humperdink • July 3, 2018 10:41 AM

"The Internet tech companies pressed to get this law passed out of self-defense."

Hadn't been paying close attention, just reading headlines but that was my instinctive response too.

Zephyr4 July 3, 2018 10:57 AM

Question: is there no form of average-person-affordable shell company offering legal anonymity which one could put all one’s internet accounts etc. into and use for all one’s internet driving?

Jonathan F Gunter • July 3, 2018 11:03 AM

Thank GOODNESS that monopolies & oligopolies & their lobbyists have taken over the internet (just as they do with every industry which becomes a major one).

Happy "Independence Day" everyone ....

Steve Borsch • July 3, 2018 11:17 AM

Just moved to California from Minnesota (been here three weeks) and was overjoyed to see that CA took a leadership position on privacy. But like you so aptly pointed out, Bruce, I also have lots of reservations since increasingly politics surrounding the digital realm is theatre and outcomes (i.e., laws enacted) are watered down to the point of being meaningless.

echo • July 3, 2018 1:09 PM

I note how many businesses take a position of happily complying with the law which on the surface makes them sound like responsible and well meaning citizens. Then as has been observed there is the other side where they are very keen to intervene in the democratic process and fix the laws which they are, surprise, happy to comply with.

One of the key benefits of the EU is the requirement to sign up to the European Convention. The UK has its wiggle room hidden behind the deceitful circumvention called "parliamentary sovereignty".

When will states properly agree that human rights are core to any constitutional arrangement and they are not for sale?

Brett Glass • July 3, 2018 2:41 PM

Bruce, you better than anyone should know that the so-called "net neutrality" law was written by Google and its lobbyists, and exempted it from regulation while giving it a large monetary gift at the expense of ISPs and their users. As for the privacy law, expect it to do likewise: come down hard on ISPs (which do NOT spy) and ignore spying by monopoly edge providers such as Google and Facebook.

David Rudling • July 3, 2018 3:01 PM

@echo

"When will states properly agree that human rights are core to any constitutional arrangement and they are not for sale?"

Sadly, not in the lifetime of anyone old enough to be reading this blog.

RG • July 3, 2018 6:19 PM

I’ve thought a lot about the points Bruce makes while putting myself into the author Alastair Mactaggart's shoes.

Big-data threatened to Mactaggart after him personally and easily spend $100 million attacking. No human can survive without taking severe hits or worse. He could easily be destroyed in many ways and from multiple angles. There are just too many people making money off citizens' personal data.

His strategy was brilliant going around the lobbyist supported politicians. He hired experts to write excellent privacy laws which would be VERY difficult for paid-off politicians to change.

From the polling 80% of Californians would vote to support the privacy initiative. This is a remarkably high number as a landslide is in the 50s.

Solution - Reintroduce the Privacy Ballot Measure
If, as expected, the big-data politicians pull every trick to water down the AB-375, then citizens must form a decentralized go-fund-me drive to put the privacy initiative back on the next ballot. The completed privacy law is 100% ready to be voted in any selected year. Grass-roots volunteers would gather signatures again without ‘announcing who they are’.

Use Big-Data Against its Evil Self
The irony is Facebook is under such intense attack by a huge number of governments they may support this ballot effort to organize their non-technical membership. There are probably enough CA members within Facebook itself to qualify.
This would earn Mark the trust he so desperately seeks:
a) Whip-them-up into a frenzy borrowing proven Russian manipulation techniques
b) Let's call the new initiative Mark’s Redemption
c) If there is a dramatic privacy change at FB then I’d consider joining. That is along with many Young Sheldons
Please add your own humor.

Seriously we all owe the Mactaggart team our heart-felt gratitude. They are true American heroes!

65535 • July 3, 2018 11:57 PM

The law doesn’t start until 2020 or two years from now as Bruce S. and many others note.

AB-375 Privacy: personal information: businesses

https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375

AB375 pdf text

“…bill would enact the California Consumer Privacy Act of 2018. Beginning January 1, 2020…” -leginfo.legislature.ca

https://leginfo.legislature.ca.gov/faces/billPdf.xhtml?bill_id=201720180AB375&version=20170AB37591CHP

We should start recording the changes to privacy or destruction of privacy from now until 2020. I am sure there will be more arm twisting on this bill than a wrestling match.

Prins van de Schemering • July 4, 2018 4:55 AM

This may be a bit off-topic, but I've just finished reading Danielle Steel's book on her son Nick Traina - not my usual reading fare, but it deals with mental health, which is a topic that interests me - and in it she mentions a civil lawsuit brought to protect her and her son's privacy from a couple of unauthorized biographies. The law court of the time and place ruled that as a celebrity author she had very little expectation of privacy.

It occurs to me that what is good for the goose is good for the gander.

Wikileaks should publish every single detail that can be leaked about the private lives of the various CxOs and senior staff of the various private companies trying to obliterate privacy laws.

Privacy is being made into a privilege, a private law for those who can afford it, instead of being retained as a public, human right.

I was born that day in Lexington ...

JG4 • July 4, 2018 7:13 AM


Wishes everyone who observes Independence Day a happy, safe and sane celebration.

The mention of mental health reminded me of this book:

The Eden Express Paperback – 1975
by Mark Vonnegut (Author)
4.3 out of 5 stars | 91 customer reviews
https://www.amazon.com/Eden-express-Mark-Vonnegut/dp/B000KTC2RA

It has been nearly 40 years since I read it, so my recollections are hazy. Every amplifier is an oscillator.

RG • July 4, 2018 8:27 AM

@Humdee Re Professor Eric Goldman data-mining blog

Privacy Professor Eric Goldman states “As an illustration of its broad reach, is my blog covered by the CA Privacy bill?
I get 50k+ visitors/year, my Google Analytics package picks up their IP addresses, and I get about $400/year from Google AdSense. Based on the bill’s expansive definition of “commercial purposes” (which seemingly includes ad revenue), I might be covered. If the bill passes and I’m covered, I would likely shut off Google ads to avoid complying with the law.”

This ‘privacy’ professor is allowing Big-Data to identify and track 50,000 of the privacy focused opposition for a measly $400/yr. Professor Goldman this is an insanely cheap sell-out! Why not charge the fingerprinting spyware at least $500?

Replacing Trust with Deception Examples:
Public libraries also allow Google Analytics to track every page the patron reads and keep a history of checked-out books. Yet librarian management claim no knowledge.

Consumer Reports allows a wide array of third-party tracking. Subscribers must submit to fingerprinting before being allowed to view product ratings. Ironically they too write about consumer privacy while simultaneously allowing your data-mining.

Unbalanced By Design
My findings (backed up by scientific studies) are the more people depend upon Big-Data the less balanced they become. Increasingly the isolation and addiction inhibit expected human development leading to the inability to nurture successful families and careers.
These adverse manifestations increasingly dominate our society as the evening news documents. Increasingly these random, senseless crimes are from isolated and depraved individuals. It's easy to see the effects of the programming in their crazed eyes.
Distracted (rather big-data induced addictions) driving is the leading cause of our road-rage epidemic.

Yet our experts and (computer illiterate) leaders are unable to comprehend, trace and identify these dark technology addictions. As if from a curse, America's future is entrusted to the immature 20 year old multi-millionaire data-miners of Silicon Valley.
Europe gets it in that the GDPR is the best tool to control this epidemic of insanity.
Let's build upon the new California privacy law, not destroy it.

Humdee • July 4, 2018 10:21 AM

@RG

To be fair to Eric he hosts his blog via the Justica network and Justica allows for Tor. So one doesn't have to share one's IP with Eric if one doesn't want to, unlike some of the other sites you mentioned. In any event I wouldn't describe Eric as a "privacy" professor. He used to be the general counsel for Trip Advisor which no one ever confused with the word "privacy". He is more libertarian in his outlook than privacy conscious, though the two sometimes overlap.

/for the record I am not Eric but I have read his blog since its inception.

PeaceHead • July 4, 2018 4:09 PM

I am vaguely reminded of the Patriot Act which shielded corporations from litigation for their bad behavior while targeting the average US citizen unconditionally.

We seem to have a steady corporate element which defends itself at all costs, no matter what the greater context is.

I feel that both corporations and individuals are losing sight of stuff like this: https://www.schneier.com/crypto-gram/archives/2018/0515.html#7 (Supply Chain Security)

Yep, an old article^^^, but still very pertinent, indeed.

Even I have reason to take pause at some of the major issues delineated in that piece. Aside: Unanimity is rare amongst groups; blaming a group instead of individuals is not typically logical.

Hopefully, the legislation will serve as a precedent for laws elsewhere, even if it is gutted.

Until the corporate stranglehold is taken off the American people, we will always have these problems, though, in my opinion.

CallMeLateForSupper • July 5, 2018 10:04 AM

Ever notice that lawmakers are capable of pushing out iron-clad, effective *now* legislation, and they are equally adept at squeezing out mushy legislation with effective date a-way out in the future?

Net Neutrality is important. California, even more than the other forty-nine states, understands this no-brainer. And yet! ... its lawmakers trotted out seriously defective legislation - effectively killing the stronger, ready-to-go ballot measure - and that legislation will be completely, utterly useless until 2020.

For the next 18 months CA will kick back - with "guidance" by august industry hacks - and properly eviscerate the law that they just passed because relief was necessary *now*. "Hey, we did our job: a law is on the books."

I don't know how anyone can claim this is a win.
I'm tired.

Greg • July 6, 2018 3:01 AM

What's next? Will California declare independence from the Mothership?

BTW, a belated happy Fourth of July to you new world lads.

Really? • July 6, 2018 9:12 AM

California passing "Net Neutrality" laws seems like a recipe for disaster. How long before severe restrictions on speech and expression begin?

CallMeLateForSupper • July 6, 2018 11:10 AM

@Really
"California passing "Net Neutrality" laws seems like a recipe for disaster."

Why? Would you rather have a federal solution rather than a state-by-state solution?

"How long before severe restrictions on speech and expression begin?"

Oh... now I see what animates you. You think net neutrality has to do with restricting speech. It mostly does not. I had a conversation on exactly this point with a Trumpster friend three weeks ago. From his arm-waving and spittle-punctuated four-word sentences, I quickly understood that he was misinformed.

From the first sentence of the Wiki:
https://en.wikipedia.org/wiki/Net_Neutrality
"Net neutrality is the principle that Internet service providers treat all data on the Internet equally, and not discriminate or charge differently by user, content, website, platform, application, type of attached equipment, or method of communication."

A resounding majority of U.S. citizens support net neutrality, partly because they want to put a brake on their "data plan" spiraling further north. Some of them want to determine for themselves - without their ISP's interference - their sources of news, politics, science, SECURITY, mathematics ..... in short, anything and everything.

A resounding majority of telecoms and ISPs (read: all of them) fight against net neutrality, because they don't want interference with either current "data plans" or near-future "data plans". The "stifling of innovation" that they bemoan simply means nixing their ability to fatten their bottom line, and that by way of tapping their customers' wallets.

Ann Ominous • July 7, 2018 11:37 PM

That bill has some features that look blatantly unconstitutional on 1st Amendment grounds - in particular, requiring companies to delete or not transfer personal information.

Clive Robinson • July 8, 2018 5:17 AM

@ Ann Ominous,

"in particular, requiring companies to delete or not transfer personal information."

You appear to be trying to conflate the notion of "free speech" with "personal property".

From a legal point of view the data concerned belongs to the person who created it. In this case it is created by the activities of the person's activities. As such it is a creative "work" and has their full copyright.

The first amendment in no way allows you to use the works of others thus criminally breach their copyright.

I'm not sure if your "apparent lack of understanding" on this point is due to lack of knowledge or a deliberate attempt to sow discord for benefit. I'll let others make their own minds up on that.

echo • July 8, 2018 3:59 PM

@Clive, Ann Ominous

An oft forgotten right under copyright law is "artistic rights". This can be used as a backstop when all other rights have been exhausted if a copyrighted work ("the content") is used by unsavoury people whose use of the work may directly or indirectly misrepresent the creative and emotional integrity of the creator. As this is a fundamental right it may not be signed away which basically means a lot of legal boilerplate by commercial companies and worldwide non-exclusive in perpetuity licences hold no force in law and mean nothing if "artistic rights" are triggered. The last case I am aware of was brought by a French artist who held different political views to a scuzzy website (I think it may have been a hate site) and he won.

As a separate issue outside of the US EULAs mean little to nothing and in the UK and wider EU zilch. There is also case law that where the UK is targeted as a market then UK courts have jurisdiction with all this implies.


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.