More administrative business

I added yet another section to the Privacy Policy and Your California Privacy Rights pages containing a summary of CCPA requests I received in the previous calendar year. You can find the table in the “CCPA Request Metrics (Record-Keeping Disclosures)” subsections of those pages. (Both tables are identical, obviously; the Your California Privacy Rights page is intended as essentially a California-specific excerpt.) Some additional considerations below the cut:

I don’t THINK I’m technically required to disclose those metrics (the threshold for the regulatory requirement is buying, receiving for commercial purposes, and/or selling personal information from 10 million or more consumers in a calendar year, and it would take some truly outlandish interpretation of the law’s definitions for me to come anywhere near that), but the extremely ominous warning email from the attorney general’s office put me in a “better safe than sorry” mood. (To be clear, it was a mass email not individually directed at me — I am, unhappily, on their CCPA mailing list — but it triggers a panic attack every single time.)

Figuring out how to calculate and present these metrics was challenging. The totals are not a big deal, but the disclosure requirements demand that you disclose the “median or mean” time it took you to “substantively” respond to each type of request. There are also some mystifying stipulations on distinguishing requests from “consumers” from requests from “all individuals”; so far as I could see, the regulations don’t actually define either of these terms or explain how they’re supposed to be different for disclosure purposes, so I’m honestly unsure what they’re looking for.

As with many aspects of these regulations, the disclosure requirements include a series of demands that are, as often as not, framed in ways that are not nearly as clear or understandable (to say nothing of practical) as the people who wrote the regulations seem to have thought. (For instance, I know that mean and median are not the same thing, but I’m not at all sure the attorney general’s office does.) Given that the potential consequences for even an accidental violation of any of the regulations to which they decide I’m subject are ruinously expensive, that is far from comforting.

Going through this much work and worry for a website for which I have created no new content in some time is really quite agonizing, so if you are annoyed by these updates, join the club!

3 Comments

  1. I admire your tenacity, transparency and good will in responding to the law. You are a model of what the Attorney General’s Office should want.

    Does any of the correspondence from the AG have contact information so that you can ask clarifying questions? If not, are there state-level lobbying groups that could try to get clearer answers for you?

    The current AG, Rob Bonta, is a recent appointee who will need to run for election in 2022. He has apparently never run a state-wide race before, so he should be on doubly good behavior. Bonta also presents himself as a reformer, so I would hope that his staff would get with the program and be responsive to stakeholder calls for greater clarity.

    1. Well, aside from not wanting to put myself on their radar any more than I have by the public comments I’ve made on the regulations, the problem now is that there’s a newly constituted agency that will be responsible for privacy enforcement, or will shortly become so. This also means there will likely be yet more asinine and frustrating regulations written by a completely different set of people, possibly with divergent interpretations of the law and existing regulations, which is really not an encouraging or appetizing thought in any respect. Half the problem with the current regulations is that the people who wrote them obviously thought the intent and intended scope were much clearer than they actually are, and focused less on clarity than on taking a punitive tone. The consequence is that the regulations contain lots of absolute statements that make their ambiguities and troubling, possibly unintended implications into really high-stakes issues. Having a different set of people doing the same thing in different, potentially contradictory ways is going to make it worse.

      The bitter irony of the whole business is that laws that were inspired by the obvious and ongoing bad faith of the tech industry have been framed and structured in ways that give big companies in general and big tech companies in particular huge structural advantages in terms of compliance, while clearly impeding their bad-faith business model not at all. For example, Facebook has no reason to be troubled by the California regulations’ draconian limits on response times to requests — they have whole compliance departments to handle what requests their system doesn’t just automate on demand — but it means that a self-employed person like me could be subjected to life-ending fines for daring to be out of email communication for more than a couple of days at a time, even if it’s because I’m in the hospital.

      I guess it’s just as well that I’m philosophically opposed to camping.

  2. Your website is a treasure for automotive enthusiasts, Aaron. Know that your time and effort is appreciated.
