More importantly, many companies will follow California rules even outside California. My car was built to California emissions spec at a time when very few states had stricter rules.
(The one major exception seems to be the "sell my data" opt-out and such privacy rules, that industry is sleazy enough that they'll go through extra trouble to keep screwing over non-CA residents.)
Well, CT and VT passed their own version of the California DROP system last week and there are 5 other states in play for the current 2026 legislative sessions. I think it will be a slow patchwork for more states to take similar action, but it is coming.
I will note that many "data brokers" will just honor non-California residents' requests as if they were California residents and subject to the CCPA, simply because they would rather remove a potentially litigious consumer from their databases. Given the relatively low potential revenue for a single consumer's data it just doesn't make sense to hold on to information for the kind of person who currently goes out of their way to make that kind of request.
At the same time, many data brokers do go out of their way to deny as many privacy requests as possible. Given that the CPPA/CalPrivacy is starting audits very soon I don't see this as a winning strategy for them in the long run.
Watching "The Price is Right" made California a mythical place for me as a child in the Midwest. All the cars being given away, they were sure to mention, followed "California emissions standards!"
The FTC settlement with GM allows GM to sell precise location as long as it's anonymized by attaching it to anonymous identifiers rather than personal info. It also allows non-precise location (e.g. zipcode/census-block) attached to identifying information.
Apparently no one at the FTC is smart enough to realize if Bob and anonid both move through the same sequence of approximate locations that the anonid is Bob. Or maybe they aren't that ignorant and just wanted to look like they were doing their job while protecting the surveillance status quo.
Feels like the word 'sale' may actually turn into a loophole. It should have probably been worded to use 'exchange' or 'transfer' instead. But this is progress.
Yeah, we need data minimization. As long as it's collected it is a liability for consumers, turn it into a liability for businesses to incentive them to collect as little as possible.
* Massachusetts' RMV AFAICT resells one's data, resulting in new car purchasers receiving a huge amount of fraud in their mail. It can be difficult to distinguish what is a legitimate correspondence from the dealership vs. what isn't, as the fraud mail does not clearly identify itself. (And in fact, that's the tell.)
* My Subaru runs ads for Sirius XM. (Ad, on the infotainment screen. While the car's in motion.) I did not pay for my car to run ads, obviously, and obviously that was never mentioned by the dealer, ever, before or after purchase.
Are you in the US? Currently if you are in the US and not native-born, you're at very direct risk. That data is how ICE builds their enforcement leads. It's still often wrong, so they might break down your door and arrest you at gunpoint anyways.
I always thought that is from companies that get their hands on registration data. Or I could be wrong and it is the dealer itself selling it on not the manufacturer.
Pretty sure it's registration data. Anything public is now used for junk. We transferred a piece of property this year and have been getting constant spam for realtors to sell it for us. We bought a used car from an individual and started getting spam for warranties once we registered it and got plates.
A good first step, but the harm is already done when the data is gathered. Stalking should be illegal even if you don't sell the information you gathered, I don't want Toyota or GM or Google knowing where I've been either, not just their "partners", and it's long past the time the EULA loophole was closed. Contracts exist to serve society, not the other way around.
We need private right of action. That's the big thing holding up the sweeping Mass privacy law. The house supports a private right to action and the senate only wants the attorney general enforcing the law.
I can imagine loopholes to this... nothing stops facebook/google from buying this data from companies not in Massachusetts? and facebook/google don't have to give advertisers the location information but can still use that information when determining the advertisement to return, right? In theory the big silicon valley "targets" of this bill don't actually have a huge incentive to give this data away, do they? They just need to be able to read/access it, which I don't think this law stops? Assuming the data broker is not doing business in Massachusetts itself
It'll have reach because MA has a long-arm statute and there's a rich history of applying that statute in the context of Chapter 93.
It'll have teeth but probably not to the effect that you hope.
This statute was written such that only the Attorney General can bring action; see Section 10(b). This diverges from a long history in the Commonwealth of allowing private individuals to bring civil suits for most types of Chapter 93 violations.
As a result, I anticipate that the most impactful change will be in the quantity and frequency of political donations to Mass AG candidates (and in the case of contested primaries their aligned block of candidates up and down ticket).
Consumer protection laws should always provide for a private cause of action. Otherwise they just function as a mechanism for legalized corruption.
I don't disagree with the thrust of your criticism of the dynamic (especially long term). But there is a legitimate concern that the first test cases to hit the courts need to be quite unsympathetic egregious violators rather than surveillance dynamics that have been thoroughly normalized for decades. If people start bringing private suits against neighbors that have deployed Amazon surveillance cameras, "credit bureaus", private investigators, big tech surveillance companies directly (eg Google, and especially with weak legal arguments), it is likely to set some poor precedents and create political pushback.
Section 2 already limits applicability to persons collecting or processing data on not less than 60,000 consumers, so suits brought against neighbors would be (rightfully) dismissed.
The concern about poor precedent stemming from poor cases has some rational sense, but we have the benefit of experience. Empirically it just hasn't tended to play out like that in the case of consumer protection statutes in MA. One reason this doesn't happen in practice might be the limited bandwidth of the appellate process. The SJC could (and likely would) prioritize answering questions about the statute in the context of cases brought by the AG.
The longevity pro-consumer laws in MA provides some good empirical data that cuts against the concern about push-back.
The intent of the law is probably to prevent the data from being sold*, so if the big Silicon Valley ad companies aren’t selling it, they are already complying with the law, right? The goal isn’t to destroy companies that are already not doing the thing.
* to the extent to which MA can do that… I mean it’s one state, so we should judge it’s accomplishments by that standard. One possibility could be that the rest of them get their act together, or at least, every state that engineers are willing to live in does.
but if facebook/google are the buyers, they do not violate this law... the law seems to focus on the sale & giving of this data... not the reception. This means that they just need a non-Massachusetts based data broker to sell them the data, and then they can store that data to make advertisement decisions (so long as they do not forward it along)
This is good and all States should adopt some. Eventually I’d like to see one at the federal level that supersedes state level ones so that we don’t have to deal the the mess that is taxation across 50 states. A nice uniform privacy bill at the Fed level would be nice.
No, we specifically DO NOT want uniformity. We want a minimum that states can go beyond.
In the current environment, tech companies have to bribe 50 states plus the federal legislature in order to block privacy bills. If you have federal preemption, then you just have to bribe Congress, because states can't pass ANY privacy laws whatsoever. And we already know the feds do not want a privacy law: the entire legality of the federal surveillance apparatus hinges on the fact that buying your data from third parties does not trip constitutional scrutiny. Preemption freezes the requirements in time so they will always be a few steps behind the TLAs[0].
The ideal is that every sovereign entity passes their own privacy law that applies to their territory, with a private right of action, and adtech companies are forced to adopt a "50 states legal" posture. This is, deliberately, a ratchet: it's easy for any state to require a higher standard but hard to get every state to reduce it, so privacy laws cannot be walked back in secret.
Related, General Motors got hit with a $12.75M fine for reselling OnStar location data last month: https://ccpa.world/enforcement/gm-onstar-smart-driver
More importantly, many companies will follow California rules even outside California. My car was built to California emissions spec at a time when very few states had stricter rules.
(The one major exception seems to be the "sell my data" opt-out and such privacy rules, that industry is sleazy enough that they'll go through extra trouble to keep screwing over non-CA residents.)
I will note that many "data brokers" will just honor non-California residents' requests as if they were California residents and subject to the CCPA, simply because they would rather remove a potentially litigious consumer from their databases. Given the relatively low potential revenue for a single consumer's data it just doesn't make sense to hold on to information for the kind of person who currently goes out of their way to make that kind of request.
At the same time, many data brokers do go out of their way to deny as many privacy requests as possible. Given that the CPPA/CalPrivacy is starting audits very soon I don't see this as a winning strategy for them in the long run.
No surprise. I ended up moving here.
Apparently no one at the FTC is smart enough to realize if Bob and anonid both move through the same sequence of approximate locations that the anonid is Bob. Or maybe they aren't that ignorant and just wanted to look like they were doing their job while protecting the surveillance status quo.
In which case "precise location data" is moot.
* My Subaru runs ads for Sirius XM. (Ad, on the infotainment screen. While the car's in motion.) I did not pay for my car to run ads, obviously, and obviously that was never mentioned by the dealer, ever, before or after purchase.
"Did you notice anything odd about the defendants vehicle?"
"Yes."
"What was that?"
"He had disabled his GPS and telemetry systems."
(https://epic.org/press-release-massachusetts-senate-unanimou...)
I can imagine loopholes to this... nothing stops facebook/google from buying this data from companies not in Massachusetts? and facebook/google don't have to give advertisers the location information but can still use that information when determining the advertisement to return, right? In theory the big silicon valley "targets" of this bill don't actually have a huge incentive to give this data away, do they? They just need to be able to read/access it, which I don't think this law stops? Assuming the data broker is not doing business in Massachusetts itself
It'll have reach because MA has a long-arm statute and there's a rich history of applying that statute in the context of Chapter 93.
It'll have teeth but probably not to the effect that you hope.
This statute was written such that only the Attorney General can bring action; see Section 10(b). This diverges from a long history in the Commonwealth of allowing private individuals to bring civil suits for most types of Chapter 93 violations.
As a result, I anticipate that the most impactful change will be in the quantity and frequency of political donations to Mass AG candidates (and in the case of contested primaries their aligned block of candidates up and down ticket).
Consumer protection laws should always provide for a private cause of action. Otherwise they just function as a mechanism for legalized corruption.
The concern about poor precedent stemming from poor cases has some rational sense, but we have the benefit of experience. Empirically it just hasn't tended to play out like that in the case of consumer protection statutes in MA. One reason this doesn't happen in practice might be the limited bandwidth of the appellate process. The SJC could (and likely would) prioritize answering questions about the statute in the context of cases brought by the AG.
The longevity pro-consumer laws in MA provides some good empirical data that cuts against the concern about push-back.
* to the extent to which MA can do that… I mean it’s one state, so we should judge it’s accomplishments by that standard. One possibility could be that the rest of them get their act together, or at least, every state that engineers are willing to live in does.
even if its only retained until buffer refresh, its still given away.
if its read frombuffer space and transformed into a persistent structure, its a gift that indefinately keeps giving.
There is no fine nor imprisonment for failing to follow the law.
In the current environment, tech companies have to bribe 50 states plus the federal legislature in order to block privacy bills. If you have federal preemption, then you just have to bribe Congress, because states can't pass ANY privacy laws whatsoever. And we already know the feds do not want a privacy law: the entire legality of the federal surveillance apparatus hinges on the fact that buying your data from third parties does not trip constitutional scrutiny. Preemption freezes the requirements in time so they will always be a few steps behind the TLAs[0].
The ideal is that every sovereign entity passes their own privacy law that applies to their territory, with a private right of action, and adtech companies are forced to adopt a "50 states legal" posture. This is, deliberately, a ratchet: it's easy for any state to require a higher standard but hard to get every state to reduce it, so privacy laws cannot be walked back in secret.
[0] Three Letter Agencies: CIA, FBI, NSA