Alright, forget it: It's CCPA regs review time (at least until I need to go finish prepping dinner).

Buckle up, we've got 24 glorious pages to get through: oag.ca.gov/sites/all/file…
Right off the bat, they're going HARD at making sure the "opt-in" requirement is REALLY SURE you're opting-in. "Affirmative authorization" is going to require requesting an opt-in and then SEPARATELY saying "yes, really, I meant it."
FYI, third parties include, among others, ad networks, ISPs, data analytics providers, AND social networks (which I presume means that California is vigilantly watching Jesse Eisenberg right now).
This definition is very interesting to me, especially as it's going to apply to renters and such.
The inclusion of "both online and offline" activities raises some questions for me about how much businesses will be allowed to limit scope of their various privacy policies.

This could get fun (spoiler: it is going to get VERY "fun").
"Request to know" is such a weird way to phrase that particular data subject right.

Yes, I'm making fun of phrasing now - allow me my snark, this thing is going to dominate my life for the next several years.
Ok, not to nit-pick (except that I'm a lawyer and that is very literally my job), but the way they wrote this seems to imply that "request to opt-in" only applies in situations where the consumer has previously opted OUT, not to brand new consumers. Is this what they meant?
I do like that they're not just requiring that privacy notices be readable, accessible, etc., but also EXPLICITLY stating they should be readable across devices and accessible to those with disabilities.

You go, California.
(Btw, I should make clear this is stream-of-consciousness tweeting during an initial read-through. This is absolutely not a substitute for formal analysis or legal advice and I reserve the right to change my mind upon longer study and discussion.)
Ooh, you can either have a link titled "Do Not Sell My Personal Information" OR "Do Not Sell My Info." So saucy.

I am very excited for the inevitable discussions with clients about what tone/level of formality they go with here.
So businesses who sell consumer information received from sources other than the consumer have to either confirm with the source that they got the information correctly OR contact the consumer and give them the option to opt-out.

Methinks this will lead to some creepy emails!
Alright, this? This right here? This is gonna cause some issues (ignore my flawless art skills, please).

Who wants to take bets on how long before we see the first complaint that a business posted signs that were hard to find/read?
Ah, yes, my favorite legislation: TBD.
(Btw, I get what they're saying here (I think), but there is so much "not" involved in this sentence.)
Ah, we're entering "Notice of Financial Incentive," where they explain how you definitely can't offer different price/services if someone opts out except that also you can.
Gotta be honest, I am so excited to see how companies are going to calculate the exact value of getting to sell consumers' data (also, important to note here that "sell" doesn't solely mean "exchange for money" - it's a whole thing).
Congrats, you've presented the world with "how privacy policies can creep you the hell out."

I cannot imagine my reaction if I clicked on a policy and it greeted me with "Hi, Calli!"
Who the hell is going to call a telephone number to discuss their data when they have the option of just typing out their request and avoiding human contact?

This was not drafted by millennials.
This is very GDPR-reminiscent: details about verifying identity before responding to the request, timelines on response, extensions, etc.

It's like the GDPR and CCPA are brothers, but WHICH IS THE STRONGER AND HOTTER BROTHER??? (I'm very tired - sorry)
(There is a clear answer w/r/t Hemsworths and I just can't discuss it any more, I shall not, I am a professional.)
I'm sorry, what?

I'M SORRY, WHAT???
DELETION AND DE-IDENTIFICATION ARE NOT THE SAME, WHAT THE HELL.

Have you heard of the concept of RE-identification? Have you read anything @paulohm has written for the last decade???

I-
There is two-step confirmation ALL THROUGH THIS.

Which in some cases is useful to confirm intention/clarity and in some cases is just going to be very annoying for consumers.
Alright, some decently-clear guidance for service providers dealing with data subject requests, purpose limitation, etc., I appreciate that.
Did the CCPA just require businesses to actually pay attention to browser do-not-track requests and privacy settings?!?

INTERESTING.
(Up to this point, these settings have basically been cute decorations in the browser info that the vast majority of businesses ignored because, lol, who was going to make you pay attention.)
There's going to be a whole little side-industry of "authorized agents" opting consumers out of stuff willy-nilly and it's going to be real interesting seeing how they structure these businesses/services.
The next few items are looking pretty standard - keep logs of requests, respond correctly, addressing opt-out requests, etc.

(I'm sure there are some sneaky surprises that will be nightmares later, but for now...)
Alright, we've got some specifics of how to respond to household information which...this seems like it could possibly be misused by domestic abusers to track the activity/information of their victims in some cases?

...am I paranoid (yes, but I might also be right).
I mean, it does say the business will provide AGGREGATE information for the household unless it gets verifiable requests from all household members for specific information, but...still.
There is so. much. detail about verification (which, yes, good, but boring when I am trying to finish this so I can go eat dinner).
Lots of details about the personal information of minors (divided into 0-13, 13-16, and presumably Zoolanders).

(Wrong miners/minors)
More discussion about the difference between differences in price/service based on opting out (BAD) and differences in price/service based on opting out (GOOD).

It's very clear and useful, definitely not gonna be a nightmare to abide by, nope, no.
Wait, there's a whole section on how to calculate the value of a user's data!!!
Oh God, it's math. It's terrible, terrible math.

I am not strong enough.
Also (and with the caveat that I am, in fact, no fooling, very very bad at math), these seem...not helpful?
We've reached it. The end. The 24th page. The finale.

Everything is so clear. I understand so well. I know it all.*

*I do not, but will maintain that I do when questioned.
Godspeed to us all as we go on the magical mystery CCPA tour together.

May it be less terrifying than the Wonka tour.