blog: Don Marti


State privacy law features from the power user point of view

06 February 2021

For those who are planning to subvert democracy in the USA or target vulnerable Americans for scams, I have some bad news. People across the nation are coming together to support new state privacy laws.

Here in California, I say, "right on." All this state political action is not surprising. Privacy laws and regulations are incredibly popular.
California polling before our latest privacy initiative showed 88 percent in favor. Mandating privacy protection is so popular that the argument against the initiative in the voter guide had to focus on how it didn't do enough.

Vote NO on Proposition 24 because it was written behind closed doors with input from giant tech corporations that collect and misuse our personal information—while the measure’s sponsor rejected almost every suggestion from 11 privacy and consumer rights groups.

I'm not just a California privacy law proponent. I'm also a user. A power user. My goal for 2020 was to use the CCPA to opt out of all personalized advertising, and if you count the stuff I'm already protected from by my regular privacy tools, I have mostly succeeded. (I still get targeted ads on Twitter, but those are really just for ridiculosity. Not only do I lack the budget for an F-15EX airplane, I don't even have a pilot's license.)

That meant I did a lot of CCPA opt-outs in 2020. I even got back on Facebook, to CCPA any recognizable brand trying to target me on there. (I didn't bother with the sketchy Facebook advertisers, like all the companies offering software and courses for making money drop-shipping cheap products to people who click on Facebook ads.) The Consumer Reports CCPA Authorized Agent study (PDF) was part of my year of using the CCPA, and I also did a bunch of CCPA opt outs and Right to Knows on my own. On my computers, ccpa is a shell script now, so I can CCPA a company faster than anybody. Time me.

Privacy law features I depend on

As a power user, I'm willing to use services and write code to make my privacy opt-outs work. I understand that there are good reasons for putting privacy laws in the USA on an opt-out basis instead of making them consent-based. I'm fully prepared to do my part of the work, even if that means dorking around with laser printers or fax machines.

If a missing piece in a state privacy law is something that I can work around, I'll do it. So this list is only going to cover what I think are the essentials for making a state privacy law workable.

Reasonable identity verification for opt outs: The CCPA does not require identity verification for an opt out, but companies can deny an opt out if they believe it to be fraudulent. This makes an opt out easier than a full CCPA deletion or Right to Know. Realistically, making people scan their drivers' licenses to opt out is going to do more to deter opt outs than to make them work any better.

Authorized agents: People hate filling out forms, especially minor variations on the same form, over and over. Giving people the ability to delegate the work is what makes an opt-out-based privacy law practical. I know that early CCPA implementations were kind of rough, but the future is in automation and delegation.

Dark patterns: Unless the law covers Dark Patterns, companies are incentivized to make opt-out processes that are technically legal but that keep increasing the time required.

Definition of what is being opted out of: When people ask me about the CCPA, the most common thing they want to opt out of is "stop this company targeting me on Facebook." Please compare your privacy law to how Facebook Custom Audiences work. If the definitions in the law don't cover this high-profile example of creepy privacy violation, you're missing a key part of what voters want, and you need to fix it. (Yes, research shows that 31-36% of people are "Kevins" who want personalized ads. Kevin's desires are already met, so the law needs to focus on helping the rest of the people exercise their rights.)

That's about it. Let me just end with a quick rule of thumb: you know you have a good state privacy law when the surveillance marketing companies lobby for a Federal privacy law to preempt it. If your state isn't making them complain about "uncertainty" and "patchwork of regulations" then you're missing something.

figuring out the CCPA escalation path

Why Google’s approach to replacing the cookie is drawing antitrust scrutiny

Apple’s Tim Cook warns of adtech fuelling a ‘social catastrophe’ as he defends app tracker opt-in

Trust Web Times Interview Series: Brendan Riordan Butterworth

Lawmakers Take Aim at Insidious Digital ‘Dark Patterns’

Facebook predicts ‘significant’ obstacles to ad targeting and revenue in 2021

It's time for Europe to take private data from the hands of powerful tech monopolies and give it back to the people

Investors Want Proof That Digital Ads Aren’t Funding Misinformation