More importantly, many companies will follow California rules even outside California. My car was built to California emissions spec at a time when very few states had stricter rules.
(The one major exception seems to be the "sell my data" opt-out and such privacy rules, that industry is sleazy enough that they'll go through extra trouble to keep screwing over non-CA residents.)
Well, CT and VT passed their own version of the California DROP system last week and there are 5 other states in play for the current 2026 legislative sessions. I think it will be a slow patchwork for more states to take similar action, but it is coming.
I will note that many "data brokers" will just honor non-California residents' requests as if they were California residents and subject to the CCPA, simply because they would rather remove a potentially litigious consumer from their databases. Given the relatively low potential revenue for a single consumer's data it just doesn't make sense to hold on to information for the kind of person who currently goes out of their way to make that kind of request.
At the same time, many data brokers do go out of their way to deny as many privacy requests as possible. Given that the CPPA/CalPrivacy is starting audits very soon I don't see this as a winning strategy for them in the long run.
Feels like the word 'sale' may actually turn into a loophole. It should have probably been worded to use 'exchange' or 'transfer' instead. But this is progress.
Yeah, we need data minimization. As long as it's collected it is a liability for consumers; turn it into a liability for businesses to incentivize them to collect as little as possible.
I always thought that is from companies that get their hands on registration data. Or I could be wrong and it is the dealer itself selling it on not the manufacturer.
A good first step, but the harm is already done when the data is gathered. Stalking should be illegal even if you don't sell the information you gathered, I don't want Toyota or GM or Google knowing where I've been either, not just their "partners", and it's long past the time the EULA loophole was closed. Contracts exist to serve society, not the other way around.
We need a private right of action. That's the big thing holding up the sweeping Mass privacy law. The house supports a private right of action and the senate only wants the attorney general enforcing the law.
I can imagine loopholes to this... nothing stops facebook/google from buying this data from companies not in Massachusetts? and facebook/google don't have to give advertisers the location information but can still use that information when determining the advertisement to return, right? In theory the big silicon valley "targets" of this bill don't actually have a huge incentive to give this data away, do they? They just need to be able to read/access it, which I don't think this law stops? Assuming the data broker is not doing business in Massachusetts itself
It'll have reach because MA has a long-arm statute and there's a rich history of applying that statute in the context of Chapter 93.
It'll have teeth but probably not to the effect that you hope.
This statute was written such that only the Attorney General can bring action; see Section 10(b). This diverges from a long history in the Commonwealth of allowing private individuals to bring civil suits for most types of Chapter 93 violations.
As a result, I anticipate that the most impactful change will be in the quantity and frequency of political donations to Mass AG candidates (and in the case of contested primaries their aligned bloc of candidates up and down ticket).
Consumer protection laws should always provide for a private cause of action. Otherwise they just function as a mechanism for legalized corruption.
I don't disagree with the thrust of your criticism of the dynamic (especially long term). But there is a legitimate concern that the first test cases to hit the courts need to be quite unsympathetic, egregious violators rather than surveillance dynamics that have been thoroughly normalized for decades. If people start bringing private suits against neighbors that have deployed Amazon surveillance cameras, "credit bureaus", private investigators, big tech surveillance companies directly (e.g. Google, and especially with weak legal arguments), it is likely to set some poor precedents and create political pushback.
Section 2 already limits applicability to persons collecting or processing data on not less than 60,000 consumers, so suits brought against neighbors would be (rightfully) dismissed.
The concern about poor precedent stemming from poor cases has some rational sense, but we have the benefit of experience. Empirically it just hasn't tended to play out like that in the case of consumer protection statutes in MA. One reason this doesn't happen in practice might be the limited bandwidth of the appellate process. The SJC could (and likely would) prioritize answering questions about the statute in the context of cases brought by the AG.
The longevity of pro-consumer laws in MA provides some good empirical data that cuts against the concern about push-back.
But if facebook/google are the buyers, they do not violate this law... the law seems to focus on the sale & giving of this data... not the reception. This means that they just need a non-Massachusetts-based data broker to sell them the data, and then they can store that data to make advertisement decisions (so long as they do not forward it along).
This is good and all states should adopt some. Eventually I'd like to see one at the federal level that supersedes state-level ones so that we don't have to deal with the mess that is taxation across 50 states. A nice uniform privacy bill at the Fed level would be nice.
No, we specifically DO NOT want uniformity. We want a minimum that states can go beyond.
In the current environment, tech companies have to bribe 50 states plus the federal legislature in order to block privacy bills. If you have federal preemption, then you just have to bribe Congress, because states can't pass ANY privacy laws whatsoever. And we already know the feds do not want a privacy law: the entire legality of the federal surveillance apparatus hinges on the fact that buying your data from third parties does not trip constitutional scrutiny. Preemption freezes the requirements in time so they will always be a few steps behind the TLAs[0].
The ideal is that every sovereign entity passes their own privacy law that applies to their territory, with a private right of action, and adtech companies are forced to adopt a "50 states legal" posture. This is, deliberately, a ratchet: it's easy for any state to require a higher standard but hard to get every state to reduce it, so privacy laws cannot be walked back in secret.
Related, General Motors got hit with a $12.75M fine for reselling OnStar location data last month: https://ccpa.world/enforcement/gm-onstar-smart-driver
(https://epic.org/press-release-massachusetts-senate-unanimou...)
Even if it's only retained until buffer refresh, it's still given away.
If it's read from buffer space and transformed into a persistent structure, it's a gift that indefinitely keeps giving.
There is no fine nor imprisonment for failing to follow the law.
[0] Three Letter Agencies: CIA, FBI, NSA