Plenty of tasty information was recently published in this piece from Wired on how not to write privacy legislation. And on how bananapants the whole ballot initiative/proposition thing is in CA (I first voted there, have had family there since the 1920s, so I know this inside-out and sideways, sadly).
“The California Consumer Privacy Act (CCPA) was intended to give Californians the right to know what data businesses are collecting about them, to opt out of the sale of that data, and to make businesses delete the data they’ve already gathered. But those rights are mostly theoretical, thanks to a handful of missteps by the law’s drafters. First, the CCPA specifies that users have the right to opt out of the “sale” of their data. But tech companies argue that many transfers of user information that seem to raise privacy concerns aren’t sales at all, because no one is paying for data: Websites commonly give user data to third parties like Facebook in order to more effectively sell subscriptions and advertising.
Second, the CCPA ended up including an exception for “service providers” who need user data to perform a “business purpose.” Companies like Facebook and Google have seized on that language, arguing that they provide the service of microtargeted advertising. Taken together, the two provisions essentially exempt targeted advertising from the privacy law—which, given how central advertising is to all the tracking of users online, is a bit like exempting coal plants from a law promoting clean air.
“The ‘sale’ and the ‘service provider’ issue are two huge loopholes that companies are currently exploiting,” says Justin Brookman, the director of consumer privacy and technology policy at Consumer Reports. “If you say ‘Do not sell’ today, many companies are doing nothing.”
Casey here – that last bit is very like the Swiss cheese that is the business associate language in HIPAA, which I’ve been talking about for a long time, including here.