'Delete Act' seeks to give Californians more power to block data tracking (kqed.org)
238 points by anigbrowl on April 24, 2023 | hide | past | favorite | 131 comments



Why make this so difficult? Just ban personally targeted advertising. That's what everyone is really trying to achieve. Nobody really cares about any individual's personal data beyond using it to try to sell him something. Ban using it for advertising and it becomes worth less than the cost of collecting and storing it.

Sites can just go back to content-based targeting for ads.


Privacy is about more than just targeted ads. That is just the most obvious application. Here are a handful of other practical privacy concerns:

* Negative information about you floating free (mugshots websites, revenge porn, news articles about past behaviour)
* Health and other behavioural information (e.g. used by health, life and auto insurance. These days your medical info might be used to sue you in another state even!)
* Privacy in semi-public places (ring cameras, uber dashcams)
* Financial information being used against you (credit ratings obviously, but also being deemed a fraud risk makes a lot of transactions difficult)
* Criminal history is commonly used in job applications.

I'm not saying we need to go to one extreme - how would loans work without credit ratings, and CCTV definitely improves safety in some situations - but I just want to point out the range of issues at play. Most of these already have some kind of legal compromise.

Also beyond practical concerns there is a principle at stake too. We fundamentally deserve some degree of privacy just for its own good.


> * Negative information about you floating free (mugshots websites...

I know that is embarrassing and subject to abuse, but making all arrests public is an important human right. The British used secret arrests against the 1770s rebellion in North America (and not to mention long before then and pretty continually since), which is why it's important in American law, though the British are hardly the only ones to use this tactic. Even the USA has done so too, most notably in the early 2000s, though not within US territory as far as I know.


Can we please remember that things can be "public" without being "online"?

The big companies don't want you to think about this because they benefit from being able to hoover up everything with a couple of clicks. There's nothing wrong with having to show up in person at a courthouse to see arrest records.

Making a human have to physically show up to make a request for a record does a nice job of adding just enough friction that you can't create these abusable repositories quite so easily.


Yeah, IIRC in New York arrest records are available and can be requested online… but there’s a $50 fee per request, and you don’t get mugshots. Enough availability to ensure the police can’t hide arrests, but also enough barrier to discourage mass collection and abuse of the data.


> Can we please remember that things can be "public" without being "online"?

If the point is to let everybody know so the arrestee’s friends can know and possibly help, making the records harder to find doesn’t help.

That doesn’t mean mugshots need be online, but in today’s photo-centric world it’s not clear a textual posting would be adequate for the problem.


Is that the point of publicly available mugshots?


Mugshots, like fingerprints and now DNA, are opportunistically collected because it makes policing in general easier (you can stick "10 most wanted" pictures in the post office, if they still do that). Wanted posters with photos of wanted miscreants go back to the 1800s and drawings before then. As seen on TV they are used in mugshot books -- I wonder if those books ever have any value in the real world?

So no, I don't think that is the point, per se. But I think they do make it more likely that someone will say, "hey, DiggyJohnson, isn't that your uncle Fred?" If you're in a revolutionary or criminal group you might scan the arrest records in text, but if you don't have a specific reason, you're unlikely to but might recognise a photo.


More to the point, can we remember that things can be "online" without being freely reproducible by the surveillance industry? That's kind of the entire realization of privacy protections!

Trying to control the information by saying it's freely redistributable but you have to go down to the courthouse doesn't work - the surveillance industry just pays someone to go to the courthouse and retrieve the records however often is necessary. In fact putting up such a barrier actually helps them, as now other people looking for that data are inclined to just pay a surveillance company.

What's needed are regulations preventing companies from amassing and trading in personal information, regardless of how and where it is available. There still may be lone individuals who create their own repositories of records (ala free speech), but stomping out the commercial motive for surveillance would eliminate the sheer majority of the activity and preclude it from being a cornerstone of societal control.


If the state tried to prevent people from talking about officially public information, that seems like something that would be slapped down on first amendment grounds alone.


Normally, I agree with you. Stuff like land boundaries, budget allocations, etc. should all be free to access, aggregate, and propagate.

Arrest records are a bit different as you need to balance the rights of a person against the benefits to society.

A person should not be punished simply by having an arrest record--that violates "presumption of innocence". Blind promulgation and aggregation of such records violates lots of people's rights. The police arrest people for shitty reasons all the time and then never press charges.

If you want to promulgate an individual's arrest record, you should have to have some reason that overrides the right to "presumption of innocence" if you want to promulgate or aggregate that record. And you should have to show up with a piece of paper in person to get that record.


critical and excellent point.


Many nations with better democracies than the US don't publicize arrest record photographs.


> Why make this so difficult? Just ban personally targeted advertising.

Probably because they think that would cost the economy billions of dollars overnight. Very few politicians would want that on their resume.


Measurement of conversions (ie. did somebody make a purchase after clicking the ad) is even more economically significant than targeting, and this is where ad publishers are most afraid of losing revenue due to privacy rules. The popular commentary on this subject is pretty detached from the business. The grandparent commenter’s “ban ad targeting” proposal manages to be both too extreme while also having little effect on data collection.


> The popular commentary on this subject is pretty detached from the business.

That’s because personalized ads are hostile in the extreme and shouldn’t have been allowed in the first place. It pits millions of dollars of psychological manipulation against our “self control”.

I’d rather the economy burn than continue this unethical practice.


My point is that only a fraction of user data collection is done for the purpose of ad targeting. So whether or not ad targeting should be banned for ethical reasons, such a ban is not a replacement for regulations of user data collection like those proposed in the article we are discussing here.


What is wrong with the conversion estimates they used in the days of broadcast TV and radio? Or even newspapers?

For that matter conversion metrics are not useful because the real high-value purchases are not "see ad, buy thing". They are more of "see many ads for SUV; when current car gets old, buy SUV". Many years of advertising are used in that targeting, and you cannot easily measure conversion.


> and you cannot easily measure conversion

Easily, no. But you can, at least in theory. With enough data, you can essentially tell if a customer has seen your ads, plus when and where (and not just your online ads - billboards and dealerships could be identified by using the customer's car to track their location). If they buy your car, and you see that they viewed your ads, maybe they even clicked one or otherwise browsed your site at some point, you can get some data from that. With enough aggregate data, you can begin to see correlations between certain ad viewing behavior and certain purchases.

Do they actually do this? Probably not, due to incompetence. But they could and eventually will if they aren't already.


I believe Google is/was trying to do that using your credit card payment history.


Yes, and as a result people might consume a little less than they did before and that will help the climate as a nice side-effect.

I guess we'll get a ban on personally targeted advertising when Chinese companies start buying data brokerage firms in the U.S.


No, people won't consume less, as long as they have the same disposable income. Unless you mean that this will hurt the economy and people will become poorer. In that case yes, they will consume less, but not sure how it can be seen as a nice side effect.


I mean, you don't have to always buy something. You could save some money?


I prefer relevant ads to random ads. Therefore no thanks, do not ban personally targeted advertising.


Content-based ads are relevant by definition.

Alternatively, imagine this: you could opt-in to targeted ads if you really like them. (I find it hard to wrap my head around this as a person who avoids almost all ads, but you do you.)


“Targeted advertising” is how America does state surveillance, using tech companies as front organizations, so it will never be banned.


You don't use your real name, you go by SoftTalker.

I run stylometrics on your HN posts, then on every document archived by a data broker, including high school/college papers. I identify you. I can then use that information to extort, harass, or rob you. At scale, anyone who buys this data can do this to tens of thousands of people with scripting. DefCon has had some nice presentations in the past about software that takes this data as input, and generates harassment scripts -- practically as SCRUM tickets -- to do this at scale.

Still think privacy / private data doesn't matter?


> Why make this so difficult? Just ban personally targeted advertising.

That would have a significant impact on the earnings of publishers & creators.


Go deeper. End copyright. If we had P2P publishing, the bad kind of advertising would largely go away.


California can't end copyright. Ending copyright as you have suggested elsewhere would take the US dropping out of several important world trade treaties and make it undesirable for any company, publisher, author, or artist that does want copyright to be here.

That aside, the current copyright approach does not prohibit P2P publishing (publish with a CC0 license and you're about as disclaimed of copyright as you can be).

This would do nothing to change advertising.


The US is unique in its enormous bargaining power. US power underlies the whole framework of international institutions today. No international treaty poses a serious threat to the US. Just look at what consequences the US suffered for starting a war in Iraq.


Much of the US's bargaining power on the world stage comes from the bit that companies based in the US are responsible for a sizable portion of the intellectual property created in the world (patents, software, books, movies and other media).

The US (and California) profits substantially from maintaining control of and allowing its citizens and companies to likewise maintain control of the IP that they create.

Let's go back to the original part of this thread.

California can't get rid of copyright. Suggesting it as a way of eliminating targeted advertising is a substantial leap of argumentation without any supporting material.

For copyright to be gotten rid of, this would take a concerted effort from Congress to withdraw from those treaties (and you can be sure that every company in California that creates copyrighted or patented works (e.g. Silicon Valley and Hollywood) would pack up their bags from what would be the 5th largest economy in the world if California was a state and move to the other CA a few hundred miles north). Those treaties include Berne, UCC Geneva, UCC Paris, TRIPS as part of the WTO, and WCT.

Meanwhile, how does copyright prevent P2P publishing?

How would enabling P2P publishing (which isn't prohibited now) get rid of targeted advertising?


> How would enabling P2P publishing (which isn't prohibited now) get rid of targeted advertising?

Yes, P2P is prohibited now. I found this out when I was a broke college student targeted by the RIAA in 2004.

If P2P publishing were legalized, I'd have a better Netflix out in a week, with no ads.


You can publish something under a CC0 license and not be constrained.

Be the change that you want to see.

If the US was to hypothetically back out of the copyright treaties, all the other countries would still be there to enforce it.

If you want a better Netflix without the ads make that content yourself and publish it.

If you attempt to take away the ability for Netflix (and others) to be able to charge for it - you're going to be seeing material that you make yourself because no one else will.

Start this by going and making a movie and publishing it yourself - not by proposing that everyone else lose the ability to make a living off of content that they have created.


> Be the change that you want to see.

I am. Everything I build is public domain. It's cost me a lot of money but I can look myself in the mirror and see an honest man.

> not by proposing that everyone else lose the ability to make a living off of content that they have created.

Copyright is sleazy. Plain and simple. It's indefensible. It is Intellectual Slavery. I'm just saying the truth that people don't want to hear. Stephan Kinsella is the one to read/watch/listen to for all the extended and comprehensive rebuttals.


I would challenge you to first propose a structure that somehow compensates people who create artistic works now to be able to do so in the future without subjecting them to a patronage system.

Figure out how to fund research that doesn't need to rely upon licensing of patents.

The bold statements of "eliminate copyright and it will solve {problem}" without the corresponding steps that you would need to get there are intellectually dishonest and ignore the current economic system and wellbeing of the authors and artists who produce work.

I would also note that I do value the software freedoms and without copyright there would be no way to enforce the redistribution of the source and the improvements that a company makes on it. "Here's the binary, but good luck trying to backport the bug fixes we did" is something that the licensing that copyleft provides guards against.

The approach of "burn down copyright and something wonderful will emerge from its ashes" is not a convincing argument.


Anything by Stephan Kinsella is worth watching: https://www.youtube.com/watch?v=Ep2-ohgFOys

> ignore the current economic system and wellbeing of the authors and artists who produce work.

I'm not ignoring it, I will freely admit that I do not care about preserving the wealth of Atherton and Beverly Hills at the expense of poor children having second rate information. If they can figure out a way to make money in a world with actual property rights, great for them.

I also don't think OxyContin or mRNA vaccines or Fox News or CNN, etc, make a good case for having patents and copyrights.


I'm not following the logic. What's the mechanism? How, specifically, do you see an end to copyright making advertising go away?


If publisher X stuck ads on their content it would be an opportunity for publisher Y to come along and win consumers by offering the same content without the ads. It's illegal for publisher Y to do that now.

The market is distorted by copyright law.


OK, I now understand what you're saying. But I don't think it works.

Take Facebook, for example. Even without copyright, the only way you could offer Facebook's content is to completely scrape Facebook, because (at least currently) that's where people post their stuff, because that's where everybody who they want to reach is. Even if you consider that an ethical thing to do (I don't), you're still going to have to have servers (plural) running all the time. That's going to take a fair amount of money, and you aren't going to have the revenue, because you aren't going to be selling ads. So I don't think that your approach will actually work economically.

Or take Netflix, as you mentioned in replies to other people. If copyright doesn't protect the movies, then you're left with love-of-the-art movies. And that's OK for those who like that kind of thing, but you're not going to get Star Wars or Marvel movies that way. You may consider that no loss, but the vast majority of movie watchers want to watch that kind of stuff, and don't want to watch unpaid passion projects. So your approach leaves consumers strictly worse off in terms of their preferences. (With one possible other option - that Marvel sticks enough product placement in their movies to pay for their creation.)


From the senate press release,

> The CPPA would create a simple way for Californians to direct all data brokers to delete their personal information, free of charge.

I wonder how something like this would actually be enforced. At the moment I can request my personal information to be deleted, but there is no way for me to determine whether such a request was actually fulfilled. Even with this option to direct "all data brokers", the problem remains, and it seems to be briefly acknowledged in this sentence:

> Tsukayama said that what most experts in the field agree on is that California law leads the nation in this space, but that it’s still barely enforced.

I don't know of any good way to enforce this kind of legislation, even if I totally support it.


"Data brokers would have to undergo an independent third-party audit every three years to ensure compliance with the DELETE Act provisions and submit audit reports to the California Privacy Protection Agency."

Source: https://privacyrights.org/resources/california-delete-act-bi...


Well, I can see how that means well, but this doesn't scale to dozens of other jurisdictions doing the same thing. The audits would have to either be cheap and toothless or impossibly expensive, or, given the dozens of jurisdictions eventually doing these, probably both and other combinations besides. One can only imagine the nightmare of this jurisdiction deciding this bit of data is private, some other jurisdiction deciding it's mandatory to keep (e.g., "you must record this user's legal identity in order to ensure that future data you may receive is also deleted"), and yet a third jurisdiction deciding that it must be deleted but if and only if the user explicitly asks for it in the request. It won't take much for (real) compliance to exceed what even the big tech companies could afford.

At least something like the EU legislating this covers a significant fraction of the world economy in one go.


You've obviously never dealt with the EU privacy machinery. There is a separate privacy directorate in every single EU country. There is also a privacy group at the EU level. These groups _fight_with_each_other_...the EU level authority recently forced Ireland's DPA to fine Facebook despite the Irish authorities initially finding no enforceable infringement.

I get that everyone dislikes Facebook, but this is not a stable regulatory regime to do business in, nor is it covering all EU member countries "in one go".


Fair enough. It is true that I was being a bit idealistic for sure.

The sad reality is probably that there is no solution to this. If one imagines that the regulatory apparatus for some operation requires some percentage of the complexity and velocity of the underlying thing being regulated, well, government can manage the requisite complexity probably (though getting the correct complexity is another matter), but the velocity is just never going to happen, and the attempts are just going to look like this. By the time this is pushed through California, the actual regulations written to comply with the law as passed by the legislature, and enforcement actions begin, it will already not know what to do with things like AIs using personal information or complicated cross-company AI-based data washing schemes ("we use AIs to transfer summary data about the individuals in a complicated manner that makes it look like all the data is anonymized but in practice the data is so rich in its own complicated manner that the receiving company is de facto operating on private information but good luck proving that in a court of law, have fun with this one regulators!", etc.).


Most jurisdictions copy the main tenets* from each other, to make it easier for actors to enforce in their region - i.e. GDPR -> CCPA.


tenets, not tenants


I was wondering if a “chain of custody” law for personal information can make this enforceable.

You can request your personal information from a holder of it, and along with that comes the identity of where/when/who that data was acquired from (and transitively who they got it from).

Then you can tell who sold it, both to gauge violations and also to name and shame.

And if they don’t have the chain of custody, then they are immediately in violation, and it is easily proven.
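One way the "chain of custody" idea above could be checked by an auditor, as an added example that is not from the original thread or from any real broker: every transfer is a link attested by the party handing the data over, each link commits to the previous one, and a holder with no chain or a broken chain fails verification. The party names, keys and record are constructed for the demo, and HMAC stands in for the digital signature a real scheme would use.

```python
import hashlib
import hmac
import json
from typing import Optional

# Assumption: every registered party has a signing key known to the auditor.
# HMAC stands in for a public-key signature so the example runs on the
# standard library alone. Party names and keys are constructed for the demo.
PARTY_KEYS = {
    "AcmeRetail": b"constructed-key-acme",
    "DataCo": b"constructed-key-dataco",
    "BrokerX": b"constructed-key-brokerx",
}


def _digest(obj) -> str:
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


def _sign(party: str, body: dict) -> str:
    return hmac.new(PARTY_KEYS[party], _digest(body).encode(), hashlib.sha256).hexdigest()


def make_link(seller: str, buyer: str, when: str, record: dict, prev_link: Optional[dict]) -> dict:
    """The party handing data over attests to the transfer: who sold it, to
    whom, when, which record (by hash), and which earlier link it extends."""
    body = {"from": seller, "to": buyer, "when": when,
            "record_hash": _digest(record),
            "prev": _digest(prev_link) if prev_link else None}
    return {**body, "sig": _sign(seller, body)}


def verify_chain(record: dict, chain: list, holder: str) -> tuple:
    """Walk the chain from first acquisition to the current holder.
    Returns (ok, reason); a missing or broken chain is an immediate violation."""
    if not chain:
        return False, "no chain of custody"
    rh = _digest(record)
    prev = None
    for i, link in enumerate(chain):
        body = {k: v for k, v in link.items() if k != "sig"}
        seller = link.get("from")
        if seller not in PARTY_KEYS:
            return False, f"link {i}: unregistered seller {seller!r}"
        if not hmac.compare_digest(_sign(seller, body), link.get("sig", "")):
            return False, f"link {i}: bad attestation from {seller}"
        if link["record_hash"] != rh:
            return False, f"link {i}: refers to a different record"
        if link["prev"] != (_digest(prev) if prev else None):
            return False, f"link {i}: does not extend the previous link"
        if prev and link["from"] != prev["to"]:
            return False, f"link {i}: sold by {link['from']}, who never received it"
        prev = link
    if chain[-1]["to"] != holder:
        return False, "chain does not end at the current holder"
    return True, "ok"


def sellers(chain: list) -> list:
    """Who sold the record along the way, for gauging violations or naming names."""
    return [link["from"] for link in chain]


def demo() -> tuple:
    """Constructed scenario: a record collected by a retailer, sold twice,
    then checked intact, with a rewritten date, and with no chain at all."""
    record = {"subject": "alice@example.com", "interest": "SUVs"}
    l1 = make_link("AcmeRetail", "DataCo", "2023-01-10", record, None)
    l2 = make_link("DataCo", "BrokerX", "2023-02-03", record, l1)
    good = verify_chain(record, [l1, l2], "BrokerX")
    tampered = verify_chain(record, [{**l1, "when": "2022-01-10"}, l2], "BrokerX")
    missing = verify_chain(record, [], "BrokerX")
    return good, tampered, missing, sellers([l1, l2])
```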


I think this is a pretty common problem with any kind of business regulation -- how do I know that a factory isn't just illegally dumping its waste? Regulators are usually working with less complete knowledge than the entities they regulate. You'd have to set up penalties large enough that the risks weren't worth it, but that ironically works better with larger companies since fly-by-night operations are free to just shut down and don't care that much about their reputations.


It sounds like a recipe for enforcement by lawsuit, which is similar to the ADA for example.


In order to enforce by lawsuit, the people who have standing to sue (or a regulator acting on their behalf) need to somehow know that an organization is out of compliance.

For the ADA, you can see whether there's enough parking spaces or whether the ramp is legal or whether you were denied a reasonable accommodation.

Here, there's a mandatory audit mechanism, but it's unclear whether the proper recordkeeping will be required to really allow issues to be spotted at audit.


Is there any way to know if any audit mechanism works before it's actually been put into practice?

I share your concerns, but it seems a bit early to worry that auditing + lawsuit enforcement isn't worth giving a spin.

Do we have examples of similar legislation that has or hasn't been successful with similar contexts/enforcement? The closest examples I can think of are in finance, like fair lending laws or SOX compliance; both of which are heavily dependent on auditing data.


As a sibling commenter puts out, a uniform deletion "certificate" or other notice that could be used as verification of requests would be useful to ensure that audits would have a corresponding record to use to determine what records should not be present.

Then, data broker keeps a list of such deletion notices.

If any of those notices ends up having data still stored, that's a violation. If any customer presents such a certificate but isn't in the list of such notices on the data broker, that could be a violation.

This way there's an effective, enforceable mechanism. Otherwise, a broker can just lose deletion requests entirely and no one would know.
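The two audit checks described above, as an added example that is not from the original thread or from any real registry: a registry issues a deletion certificate for a pseudonymised subject, the broker logs every notice it processes, and an auditor flags both data retained after a logged notice and valid certificates the broker never logged. The registry key, the emails and the broker's records are constructed for the demo, and HMAC stands in for the registry's real signature.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

# Assumption: the registry (a government-kept list, as proposed in the thread)
# holds a secret key; HMAC stands in for the digital signature a real
# deployment would use. The key below is constructed for the demo.
REGISTRY_KEY = b"constructed-registry-key-for-demo"


def subject_id(email: str) -> str:
    """Pseudonymous subject identifier so certificates carry no raw PII."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def _payload(cert: dict) -> bytes:
    body = {k: cert[k] for k in ("cert_id", "subject", "issued")}
    return json.dumps(body, sort_keys=True).encode()


def issue_certificate(email: str, issued: str, key: bytes = REGISTRY_KEY) -> dict:
    """Registry issues a deletion certificate kept by consumer and broker;
    the tag lets an auditor detect forged or altered certificates."""
    cert = {"cert_id": secrets.token_hex(8), "subject": subject_id(email), "issued": issued}
    cert["tag"] = hmac.new(key, _payload(cert), hashlib.sha256).hexdigest()
    return cert


def verify_certificate(cert: dict, key: bytes = REGISTRY_KEY) -> bool:
    expected = hmac.new(key, _payload(cert), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cert.get("tag", ""))


@dataclass
class Broker:
    records: dict = field(default_factory=dict)       # subject id -> held data
    deletion_log: dict = field(default_factory=dict)  # cert_id -> certificate

    def receive_deletion(self, cert: dict) -> None:
        if not verify_certificate(cert):
            raise ValueError("forged or corrupted deletion certificate")
        self.deletion_log[cert["cert_id"]] = cert
        self.records.pop(cert["subject"], None)


def audit_broker(broker: Broker, presented: list) -> list:
    """Check 1: every logged notice must correspond to absent data.
    Check 2: every valid certificate a consumer presents must be in the log.
    Returns (finding, cert_id) pairs."""
    findings = []
    for cert_id, cert in broker.deletion_log.items():
        if cert["subject"] in broker.records:
            findings.append(("data_retained_after_notice", cert_id))
    for cert in presented:
        if not verify_certificate(cert):
            findings.append(("invalid_certificate_rejected", cert.get("cert_id", "?")))
        elif cert["cert_id"] not in broker.deletion_log:
            findings.append(("notice_missing_from_broker_log", cert["cert_id"]))
    return findings


def demo() -> list:
    """Constructed scenario: one compliant deletion, one record quietly
    re-ingested after deletion, one notice the broker never logged, and one
    forged certificate."""
    broker = Broker(records={
        subject_id("alice@example.com"): {"phone": "555-0100"},
        subject_id("bob@example.com"): {"phone": "555-0101"},
        subject_id("carol@example.com"): {"phone": "555-0102"},
    })
    alice = issue_certificate("alice@example.com", "2023-05-01")
    bob = issue_certificate("bob@example.com", "2023-05-02")
    carol = issue_certificate("carol@example.com", "2023-05-03")
    broker.receive_deletion(alice)                           # compliant
    broker.receive_deletion(bob)
    broker.records[bob["subject"]] = {"phone": "555-0101"}   # re-ingested later
    # carol's request was "lost": never processed, never logged
    forged = dict(carol, tag="00" * 32)
    return audit_broker(broker, [alice, bob, carol, forged])
```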


It's surprisingly tough to find a lawyer willing to file an ada suit. Most search results are for companies to defend against suits, and my local bar association only had one firm to refer me to that didn't return my calls.


> Most search results are for companies to defend against suits

Attorneys know each other. You could probably ask one of the lawyers who defend against such suits for referrals to lawyers who file such suits.


There are relatively simple ways to enforce this. For instance, requiring companies to register all trackers prior to use. And in that registration process specify all metadata that would be collected. Terms of service for implementing trackers in California could include something along the lines of permitting independent E2E auditing of all trackers and any software linked to it, e.g., software related to personalization and feature creation/selection/optimization.

There could also be something like more comprehensive enforcement of "(meta)data flushing," including a tighter turn-around time to ensure customer data that was supposed to be deleted is actually deleted, at more regular intervals. This would better ensure novelty at the time of model training/fine-tuning. These training logs would be audited as well.

Training data size would decrease. It would also act as a natural guard against data hoarding, which disproportionately benefits huge corporations (e.g., Google, Amazon).

Does it make personalization harder? In some ways yes. It also challenges us to invent solutions more sophisticated than "just feed the model more data."


One popular (and somewhat successful) legislative strategy is to create a 'private right of action' whereby an injured party can sue an offending one easily by meeting a specific burden of proof - eg if you file a complaint with a data broker and the data is not removed within a defined reasonable period, you can go to court armed with a rebuttable presumption of the broker's liability and claim some statutorily specified amount of compensation. A well-known example would be violations of the Americans with Disabilities Act.


The comparison to the ADA is a good one, but it also illustrates the issue of how verifiable the remedies are. It's much easier to prove whether a business has a ramp than that they deleted some piece of data from all of their servers everywhere.


I think it will be based on availability rather than verification of deletion, but I'm just guessing.


I wonder if some sort of "do not call"-style list that the government keeps would do the trick? The government maintains the list so some company can't say, "We never received any notice from them!" and the government can also audit whether each person on the list has data associated with them in any given company's database. The government would have to audit companies when a consumer contacts them (or just do it periodically for all companies, if that's feasible).

I think the bigger problem is how does a consumer know whether any random company has data on them? I mean, sure, I can figure that Google, Amazon, and Meta probably would be on that list, but the real problem is all the smaller 3rd party resellers of such data. I don't even know their names, let alone how I would figure out if they have info on me.


It would not work. Not enough people would use it, for myriad reasons.

The real answer is privacy by default. Opt-in for invasive harvesting. The science of design is well enough known that we could even legislate against dark patterns if we wanted to.


Easy way to enforce is to give anyone who reports a breach and provides evidence half of the fine. People will be constantly trying to buy data from the broker that they aren't supposed to have to get the reward. And any time they find something, it's payday.


Random audits in data brokers' data centers?

Software on consumers' devices that records ads seen and file complaints if consumers are still being tracked? It's very easy to detect algorithmically that you're being shown personalized ads.


> I don't know of any good way to enforce this kind of legislation, even if I totally support it.

What the EU does with GDPR is put a huge fine on actors caught ignoring GDPR deletion requests. It's up to €20m or 4% of the companies global turnover, whichever hurts the most.


And how many of those fines have been levied _and_ paid so far?


If it's any consolation, it took GDPR 7(-ish) years to make a difference. Hang in there!


Yeah, all those annoying "we use cookies" pop-ups are inspiring.


This is at least the billionth time it’s been pointed out, but the GDPR is not responsible for those annoying pop-ups. The GDPR is erroneously blamed for them, when in reality, the pop-ups are a deliberate choice made by site operators. Feel free to brush up on the GDPR, the EPD, and how they work together: https://gdpr.eu/cookies/


The website you linked to itself has a cookie banner. One that says they'll assume I consented if I continue to use the site.


I don't think the GP is suggesting that the GDPR mandated those shitty popups, I think they're upset that the GDPR allowed them. They're basically a massive loophole. Of course the site operators are to blame for their individual popups.

That's without addressing the fact that the EPD is what triggered them.


I'm looking at this page and it seems like the annoying pop-ups are a way to comply with the regulations as described, so I'm not sure why you think I'm being unfair attributing them to the GDPR. That might not be the vision they had in mind when they drafted the law but it is the actual result.


The GDPR is very much responsible. They exist solely because of the GDPR.

And you don’t just “brush up” on an 11 chapter 99 section law.


You're welcome to blame the people putting those pop-ups there, not GDPR.


OK but why should I? If you think this is chauvinistic think of how California set out to root out a bunch of carcinogens and ended up assuring that every second thing I buy has a warning that it might cause cancer with no real way for me to determine how seriously I should take it.


I can't help but notice in the bill itself there's no definition of what a data broker is. Does anyone know the legal definition in California? Do you have to be an incorporated person to be a data broker or can human persons have this force applied to them as well?

edit: https://leginfo.legislature.ca.gov/faces/codes_displayText.x... "California's definition of a "data broker" is set out at Section 1798.99.80. (d) of California's Data Broker Law"

It sounds like data broker has to be a "business" that collects information about someone they don't have a direct relationship to and sell that to a third party. This might still include sole proprietorship businesses but it sounds like normal non-incorporated human persons and personal websites wouldn't be forced to delete things.

It's interesting to note that "Financial institutions" are given an exception from the "data broker" tag and regulations and can still do whatever they want.


> it sounds like normal non-incorporated human persons and personal websites wouldn't be forced to delete things

Natural versus artificial person is probably irrelevant. (Sole proprietorship is a "normal non-incorporated human" doing business.) If your personal website is somehow collecting information from non-visitors and then selling it, that's a data broker. In practice, I can't see why or how that would accidentally occur.


I think your implicit assumption here is that all websites are businesses in some sense? But people often run websites that have no monetary transactions involved (except hosting, domain, etc costs). Since I'm one of these I worry about being forced to delete data just because some random persons who came to my metaphorical backyard BBQ didn't realize there was a metaphorical photographer there taking pictures.

I get the spirit of the law and I'm glad incorporated entities will be regulated. I just anticipate substantial use of the 'Delete Act' for frivolous cases and malicious uses. Much like GDPR. With the good comes the bad.


> your implicit assumption here is that all websites are businesses in some sense

It's not. I'm saying it would be hard for a personal website to accidentally stumble into being a data broker.


It is hard to modify photos without ruining them. If someone’s data accidentally gets added to your site, why not just delete it?


This makes sense. How would they regulate, for example, sales of ad targeting information (which might be very exact) based on said personal data?


I'd love to see "people search" websites like Spokeo/etc be forced to delete everything about me. Once I find a website, make an account so I can get my information deleted, another 3 sites have popped up. I think even one of them wanted a copy of my driver's license before it would delete my information "obtained from public sources."

It's been frustrating. I shouldn't have to hire an identity protection service just to remove myself from annoying websites.


Hey, sure. Keep inventing stuff for me to do at work. I don't mind.


This site you're posting and reading comments on won't let you delete your comments and accounts. I think at best if you email and ask they might randomize your username.


I don't know if it counts but this site also doesn't collect personal information, I don't even remember if I had to verify an email.


I've always thought - if it's possible for someone trawling HN to build a pretty comprehensive profile of users based on usage pattern, comment structure, and occasional personal details shared (like gender, familial status, location).

I think it'd be pretty easy for most accounts that have > 1000 comments.


You still need to have the foresight to do things like not reuse usernames, not use your real name, or not accidentally post something that could identify you. It's still an account owned by a person.


How does that work with GDPR right to be forgotten? Many users here are EU residents. YC undoubtedly has accounts with banks that have a presence in the EU, making judgements enforceable.

Stylometry will be an identifying characteristic soon if it isn't already.


Right along with this, how about we set up enforcement and require all data brokers to register with the gov't and give them API access for enforcement queries. Then the gov't can have a page that lets citizens find out which data brokers have information about them. Hell, let's put a button on that page that says "Forget me."


> require all data brokers to register with the gov't and give them API access for enforcement queries

This codifies a unified surveillance apparatus.


Other asset classes already have that


> Other asset classes already have that

Financial assets. You can even become an M&A advisor and, as long as you never touch securities, avoid registering with anyone.


user data is traded like financial assets and the burgeoning trend is to recognize it as user property

on the financial side the infrastructure of providers is also similar to securities trading


> user data is traded like financial assets and the burgeoning trend is to recognize it as user property

This is a tortured method. We generally treat things as property when we want to facilitate its ability to be traded and leveraged. What is the advantage of the property route versus enumerated rights?


Can the government not already purchase access to these databases?


> Can the government not already purchase access to these databases?

Sure. But providing mandatory registration and a legally-required API sure makes it easier. (There is also zero chance those data don't wind up accessible by every small-town cop.)


Another column in the row:

   flag_isForgotten: TRUE
Then for the compliance query:

   SELECT * FROM victims WHERE flag_isForgotten = FALSE;
A better model for your purposes might be the “Bottled in Bond” model where bourbon had to be kept in government-owned whiskey aging warehouses. All PII data would have to be kept solely in government-owned databases. Your model would not be many citizens’ first choice because it makes the government surveillance absolute.

However, I don’t think there’s a good solution for those of us who’d like to return to the level of privacy afforded to us in the early ‘90s or before. I don’t believe that will ever be an option again.


Well yes, at a certain level we lose visibility into the internals and have to rely on penalties to coerce good behavior. Maybe a whistleblower law with a healthy reward?

What I want is to get all the private data collection out in the open. Average Joe can probably tell you that Google collects some information about him, maybe his browsing history or search queries. But how many people really understand that there are probably 100x or 1000x more scrapers out there putting together every bit of data they can find and correlating it?

I want to tightly regulate what companies can do with information they collect about you, especially once they start cross-referencing and selling it. Shine a very bright light on it.


> Maybe a whistleblower law with a healthy reward?

This would probably be a better framework.


That's what India did with its UID, Aadhar. The initial days were so bad with security. Anyone and everyone could take the id number and fetch info about you. Now you can lock access with biometrics and even after unlocking it auto locks in 5 minutes. You can also generate a virtual unique id number to prevent fingerprinting across various services. There are still some cases where the security of data seems to be questionable, but it's working there. They also have oAuth support for websites to use aadhar profile. But not many services have integrated with it yet.


Brave initially aspired to do this.

They wanted to use attestations on a blockchain to show a chain of consent and revoked consent from a user.

But that only works if data brokers are tied to that data source. (and the friction of using that data source being way lower)


I hope that other jurisdictions (than the EU) will find different policies around data protection to try to achieve something that is actually good for people in practice now that they can look at how gdpr worked out.

I think the law requiring subscriptions to be easily cancelled is a good example of something that is good for people because it makes something they already want to do easier/better.

On the other hand, the thought of having to cope with umpteen different privacy laws makes me glad I don’t work on a website for the general public.

My main complaint with data protection laws is that they often require actions from users, either some kind of ‘informed consent’ like gdpr/cookie laws, or some kind of deletion request. I would much prefer some simpler laws like ‘no keeping behavioural data more than 45 days’ that don’t require people to opt in to privacy. Though there are flaws with what I wrote – what does it mean for training neural networks; there are cases where you want that memory, eg maybe if you liked a tv show/YouTube channel and there was more than 45 days between series/videos, you would want the new series to be recommended to you; there are complex chains of causality like if eg I watch a cat video, get recommended a bunch more cat videos over time, watch some of those, then in some sense the signal from the first cat video has caused me to still be getting recommended them more than 45 days later.

It seems like this requires taking action to delete a lot of data from a lot of places and puts the onus on the consumer, which I think isn’t great. But the ‘data broker registry’ might make it easier to do? I wonder what the EFF were thinking about when they supported this. Perhaps they just considered it to be strictly privacy-increasing and therefore good, and didn’t worry about second-order effects like consumer fatigue. Maybe the second-order effects don’t matter so much – they are second order after all.


Data retention limitations are absolutely a thing in GDPR and previous European laws (i.e. Informatique et Libertés).


I don’t think the problem with GDPR is that it is lacking rules.


I get that. I'm saying that what you think is missing in existing privacy laws, actually already exists.


I don’t think whether or not such a rule is a part of gdpr is very relevant to the effect of the rules on people outside of the regulated businesses in practice.


Why not just make it opt-out by default with a requirement of a specific consent that needs to be renewed periodically?


I wonder how they plan for those requests to be authenticated. Easily proving that you are you over the internet is not a solved problem.


One would think that tracking companies are experts in that specific field.


I saw some YouTube advertisements for a service that requests data deletion on your behalf, but I was super skeptical of that because it just seems like the service you're paying to do this would then become the next centralized hub of what information of yours once existed.

I don't mind the idea of a government-based interface to all of this with strict adherence to privacy.


I wonder if this will effectively ban LLMs like the similar legislation in Europe?


Likely not, but it depends on the language around anonymizing that the bill uses


One can never delete data from the Internet; one can only Streisand it.


Just copy-paste GDPR, and enforce it.


GDPR doesn't work as described and companies have found many ways to make the process difficult. There is a clause (last case scenario) where the company can say that the data is critical to the system and can't delete it.


No, they cannot: https://www.enforcementtracker.com/

You probably refer to "legitimate interests". If you play that card, you are required to show a "Legitimate Interest Balancing Test", in which you show that your interests are arguably more important than the interest of the consumer: https://ico.org.uk/for-organisations/guide-to-data-protectio...

Source: I love to watch Facebook becoming the first GDPR unicorn, i.e., a company with more than 1 billion € GDPR fine.


GDPR isn't a good fit for the American system. The principles that animate it [i.e. rights of access (Art. 15), erasure (17) and objection (21)] should be incorporated into law. But a combination of public and private enforcement, plus a strong civil regulator (but one who isn't obligated, by law or practice, to respond to complaints), is a better start.

> watch Facebook becoming the first GDPR unicorn

They're paying $725mm to users in America [1]. Difference being the damages go to users, not a regulator.

[1] https://www.popsci.com/technology/meta-725-million-lawsuit-c...


>Difference being the damages go to users, not a regulator.

Doesn't a class-action lawsuit just mean that like a third of it goes to private law firms?


The problem is that no form of personal data protection is really a good fit for the American (political) system, because the US leans heavily into the fallacy that if it's legal for one individual to do something as a private activity, then allowing it to be scaled up to mass corporate behavior is inherently reasonable. So telling Surveillance Valley to stop building Stasi 2.0 is akin to telling your friends that they must forget your birthday.

Furthermore, the American concept of "consent" mostly functions as a legal fiction whereby less powerful parties are coerced into signing a bunch of binding legal documents. Hence the desire to copy the GDPR verbatim - because if a privacy law used the American version of "consent", why even bother?

One way to port the overall idea of the GDPR into the US legal system might be to define a non-transferable property right in personal information (information about yourself), which could only be licensed revocably. Those two key bits would be tough though, given widespread deference to the Coase fallacy that has blessed much corporate looting.


> no form of personal data protection is really a good fit for the American system

Not true. We have the Privacy Act of '74, HIPAA, GLBA and COPPA, to say nothing of e.g. California's CCPA and Virginia's CDPA [1]. Or Illinois' biometric privacy protections [2].

> the US leans heavily into the fallacy that if it's legal for one individual to do something as a private activity, then allowing it to be scaled up to mass corporate behavior is inherently reasonable

This is true for rights, which don't get diluted through assembly. Not rules or the law. Plenty of laws exempt small businesses and natural persons.

> the American concept of "consent" mostly functions as a legal fiction whereby less powerful parties are coerced into signing a bunch of binding legal documents

Not entirely true. See: EULA enforceability as it pertains to natural persons [3].

> to define a property right in personal information (information about yourself), making it non-transferable and revocable at any time

One generally defines a property right to enable transferability. Revocable property isn't property, it's a license. Making information one's inalienable property that can only be revocably licensed sounds neat, but it doesn't add value over enumerating data rights.

[1] https://www.comparitech.com/data-privacy-management/federal-...

[2] https://www.jacksonlewis.com/sites/default/files/docs/Illino...

[3] https://en.wikipedia.org/wiki/End-user_license_agreement#Enf...


> This is true for rights, which don't get diluted through assembly

Calling it "assembly" is disingenuous (this is directed at the legal canon, not you). Generally companies aren't just mere assemblies of people, but rather are separate legal entities whose members have limited liability. Just as it's accepted for a company to say to an employee "if you want to get paid your 1st amendment rights are irrelevant", it would be reasonable for the government to say "if you want to have a statutory liability shield, your 1st amendment rights are irrelevant for activities facilitated by the shield".

> Not entirely true. See: EULA enforceability as it pertains to natural persons

I didn't say there weren't exceptions. Just overwhelmingly when a new regulation is created that requires "consent", the main result is for there to be a new piece of paper that people are forced to sign to "give consent". Rarely is there spelled out a path where the individual can refuse to give consent and still obtain a service that didn't intrinsically require it.

> Making information one's inalienable property that can only be revocably licensed sounds neat, but it doesn't add value over enumerating data rights.

The value is that trying to carve out new rights is an uphill battle, whereas dovetailing into the customs of commerce might just be possible. For example you had mentioned carve outs in the various state attempts at privacy laws due to the 1st amendment. Whereas those carve outs (unfortunately) don't exist for copyright!

But sure, I do support trying to carve out completely new rights to repudiate our burgeoning surveillance society. It's just that the way the legislative process works in this country, it will be an amazing feat if the drafting process doesn't end up gutting most individual rights while still creating a bunch of red tape to stifle competition. Hence the attraction to copying GDPR wholesale and letting the courts sort it out.


> when a new regulation is created that requires "consent", the main result is for there to be a new piece of paper that people are forced to sign to "give consent"

You'll see my suggestions purposely skirt the question of consent. Access, erasure and objection. You can access your information held by others. You can require its deletion. And you can object to how it's used. (In practice, revocable consent. But avoiding the concept directly.)

> those carve outs (unfortunately) don't exist for copyright

Copyright is in the Constitution [1]. Its interaction with the First Amendment is why we have the fair-use doctrine [2]. I doubt the Congress could enact copyright without the Copyright Clause.

Incorporating privacy through commercial code strikes me as messy. We have many mechanisms for abrogating property rights. Do we really want to deal with e.g. civil forfeiture of a person's privacy, banks seizing possession of personal data in obscure foreclosure proceedings, or an employer holding parts of an employee's privacy rights in bond?

> the attraction to copying GDPR wholesale and letting the courts sort it out

This would involve a decade plus of anarchy, litigation and uncertainty. That is enough time for generational backlash. Lazy legislating rarely pays off.

[1] https://en.wikipedia.org/wiki/Copyright_Clause

[2] https://www.law.cornell.edu/constitution-conan/article-1/sec...


> You'll see my suggestions purposely skirt the question of consent. Access, erasure and objection. You can access your information held by others. You can require its deletion. And you can object to how it's used.

Sure. I just see the legislative meat grinder turning "information" into narrowly construed red herrings like SSNs and account numbers, "access" into the ability to file individual written requests (which include more personal information) to specific entities you happen to know about, "deletion" into the null operation because it "infringes freedom", and "objection" into a strongly worded protest rather than anything actionable. I certainly do want to be wrong here, but this is the same country where widely-lauded healthcare reform ended up including a provision that everyone had to pay the parasites.

Good point about the perils of making one's interest in personal information more property like. I had wanted to head that off by making it non-transferable, but you're right to point out the slippery slope that legislative corruption would surely push us down.

As far as copyright, it grows ever stronger in spite of patently obvious free speech concerns (eg DMCA "anti-circumvention"), because legislation that benefits corporations wins out over legislation that benefits individual rights.

And for "lazy legislating", what I see really not paying off is when congress addresses an issue a single time and then considers the matter solved, regardless of the actual result.


> what I see really not paying off is when congress addresses an issue a single time and then considers the matter solved, regardless of the actual result

This is incrementalism. It’s the solution preference of a deliberative, consensus-building democracy. We make a move. See the effects. Iterate. It works in the long run.

The opposite, forcing through chaotic legislation, tends to result in alienation, repeal and the resignation of the issue to the partisan trash pile.


Read my sentence again - I'm bemoaning the lack of iteration. Are the disastrous bits of the CFAA and the DMCA ever going to be repealed? Will any of this new privacy legislation apply to the traditional surveillance industry ("credit bureaus")? It seems like once commercial interests get their sponsored laws and loopholes into the end zone, we're left to suffer them indefinitely. It's why we're always reaching for "constitutionality" as the main hope for eliminating oppressive laws, rather than thinking that congress could reverse course.


> GDPR doesn't work as described

Could you expand upon or clarify that? I work in systems infrastructure and have been a part of implementing GDPR-driven changes in both apps and infrastructure, so it certainly seems to be working in my line of work.


I'm not saying that systems are not in place, I'm just saying that it's too hard for the average consumer.

- After you've requested deletion the company has 30 days to "respond" but they can extend that with two additional months.

- They can go to extreme lengths to verify the identity of the user, which they have the right to do, and if you don't respond to the confirmation they are not obligated to delete anything.

I've encountered both practices in the past (and I've only made 3 requests, ever).

The dream would have been an automated way to do it, something like a government service where each company would have to publish metadata about captured user data and once you request deletion through the service the company would receive an event, a webhook call...
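An added example, not code from the thread or from any real registry, of the automated flow imagined above: the registry sends a signed "forget me" event and the broker authenticates it (which is also where the earlier question about authenticating such requests has to be answered) before hard-deleting the rows rather than setting a flag_isForgotten column. The shared secret, event shape and sample records are assumptions constructed for the example.

```python
import hashlib
import hmac
import json
import time

# Assumption: a per-broker secret issued when the broker registers with the
# registry; the value here is constructed for this example.
SHARED_SECRET = b"constructed-demo-secret"
MAX_SKEW_SECONDS = 300  # reject events whose timestamp is more than 5 min off


def sample_rows():
    """Constructed sample broker records, keyed by the subject they describe."""
    return {
        "subj-1": [{"source": "public-records", "field": "address"},
                   {"source": "marketing-list", "field": "email"}],
        "subj-2": [{"source": "public-records", "field": "phone"}],
    }


def sign_forget_event(subject_id, nonce, ts, secret=SHARED_SECRET):
    """Registry side: canonical JSON body plus an HMAC-SHA256 over it."""
    payload = {"event": "forget", "subject_id": subject_id, "nonce": nonce, "ts": ts}
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return body, mac


class Broker:
    """Data broker's webhook receiver for 'forget me' events."""

    def __init__(self, rows, secret=SHARED_SECRET):
        self.rows = rows
        self.secret = secret
        self.seen_nonces = set()  # replay protection

    def handle_forget(self, body, mac, now=None):
        now = time.time() if now is None else now
        # 1. Authenticate the raw body before acting on anything inside it.
        expected = hmac.new(self.secret, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return {"status": "rejected", "reason": "bad signature"}
        event = json.loads(body)
        # 2. Freshness and replay checks.
        if abs(now - event["ts"]) > MAX_SKEW_SECONDS:
            return {"status": "rejected", "reason": "stale"}
        if event["nonce"] in self.seen_nonces:
            return {"status": "rejected", "reason": "replay"}
        self.seen_nonces.add(event["nonce"])
        # 3. Hard-delete the rows instead of setting a flag_isForgotten column,
        #    so no later query or export can return them.
        removed = self.rows.pop(event["subject_id"], [])
        return {"status": "deleted", "subject_id": event["subject_id"],
                "records_removed": len(removed)}

    def export(self):
        """Subjects a downstream buyer would receive; forgotten ones are absent."""
        return sorted(self.rows)


if __name__ == "__main__":
    broker = Broker(sample_rows())
    body, mac = sign_forget_event("subj-1", "nonce-1", int(time.time()))
    print(broker.handle_forget(body, mac))
    print(broker.export())
```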


> it's too hard for the average consumer

oh yeah, hard agree with this


If by GDPR you mean the cookie banner that appears on most websites? It's as if we ask for something and are punished for it. I'd like to see some proof that GDPR has achieved major changes in data privacy before a copy-paste.


Nitpick: EPD is responsible for the cookie consents everywhere, not GDPR - https://gdpr.eu/cookies/

GDPR primarily concerns the user with information and takedown requests, the latter which could be considered deletion.


These laws make no sense at all because basically no one is actually hurt by ad tracking (it actually improves ad quality and relevance), except if you just think advertising in general is wrong.

All of these data privacy laws are just a minority of people wanting to push back against capitalism and big tech. I get it but it's such a waste of energy.


I value my privacy. I don't have a relationship with data brokers and I see no need for them to know anything about me.

For the record, I have no issue with targeted advertising within a single org. If Google shows me ads based on my search history or youtube history or gmail contents, that's great. If I don't want Google to know anything about me, the process is easy; I stop using Google/Youtube/Gmail.

If Google shows me ads based on an online purchase at an unrelated web store, that's completely unacceptable. If I don't want Google to know anything about me, it's not clear at all how I would do that.

