| ▲ | Massachusetts bans sale of precise location data in new privacy rights bill(techcrunch.com) |
| 203 points by 01-_- 5 hours ago | 31 comments |
| |
|
| ▲ | jboggan 3 hours ago | parent | next [-] |
| California very quietly passed AB-1542 last week which includes precise location data, health data, SSNs, etc. I expect many states to follow suit. Related, General Motors got hit with a $12.75M fine for reselling OnStar location data last month: https://ccpa.world/enforcement/gm-onstar-smart-driver |
| |
| ▲ | yencabulator 2 hours ago | parent | next [-] | | > I expect many states to follow suit. More importantly, many companies will follow California rules even outside California. My car was built to California emissions spec at a time when very few states had stricter rules. (The one major exception seems to be the "sell my data" opt-out and such privacy rules, that industry is sleazy enough that they'll go through extra trouble to keep screwing over non-CA residents.) | | |
| ▲ | jboggan 2 hours ago | parent [-] | | Well, CT and VT passed their own version of the California DROP system last week and there are 5 other states in play for the current 2026 legislative sessions. I think it will be a slow patchwork for more states to take similar action, but it is coming. I will note that many "data brokers" will just honor non-California residents' requests as if they were California residents and subject to the CCPA, simply because they would rather remove a potentially litigious consumer from their databases. Given the relatively low potential revenue for a single consumer's data it just doesn't make sense to hold on to information for the kind of person who currently goes out of their way to make that kind of request. At the same time, many data brokers do go out of their way to deny as many privacy requests as possible. Given that the CPPA/CalPrivacy is starting audits very soon I don't see this as a winning strategy for them in the long run. |
| |
| ▲ | nullc 9 minutes ago | parent | prev [-] | | The FTC settlement with GM allows GM to sell precise location as long as it's anonymized by attaching it to anonymous identifiers rather than personal info. It also allows non-precise location (e.g. zipcode/census-block) attached to identifying information. Apparently no one at the FTC is smart enough to realize if Bob and anonid both move through the same sequence of approximate locations that the anonid is Bob. Or maybe they aren't that ignorant and just wanted to look like they were doing their job while protecting the surveillance status quo. |
|
|
| ▲ | danesparza 3 hours ago | parent | prev | next [-] |
| Feels like the word 'sale' may actually turn into a loophole. It should have probably been worded to use 'exchange' or 'transfer' instead. But this is progress. |
| |
| ▲ | Cider9986 3 hours ago | parent [-] | | Yeah, we need data minimization. As long as it's collected it is a liability for consumers, turn it into a liability for businesses to incentive them to collect as little as possible. |
|
|
| ▲ | post_break 4 hours ago | parent | prev | next [-] |
| Does this include vehicle data? That's a big one. Your new car selling you out constantly. |
| |
| ▲ | stronglikedan 2 hours ago | parent [-] | | I've been driving connected cars for a decade and I haven't felt sold out yet. What am I missing? | | |
| ▲ | deathanatos an hour ago | parent | next [-] | | * Massachusetts' RMV AFAICT resells one's data, resulting in new car purchasers receiving a huge amount of fraud in their mail. It can be difficult to distinguish what is a legitimate correspondence from the dealership vs. what isn't, as the fraud mail does not clearly identify itself. (And in fact, that's the tell.) * My Subaru runs ads for Sirius XM. (Ad, on the infotainment screen. While the car's in motion.) I did not pay for my car to run ads, obviously, and obviously that was never mentioned by the dealer, ever, before or after purchase. | |
| ▲ | tencentshill an hour ago | parent | prev | next [-] | | Are you in the US? Currently if you are in the US and not native-born, you're at very direct risk. That data is how ICE builds their enforcement leads. It's still often wrong, so they might break down your door and arrest you at gunpoint anyways. | |
| ▲ | wmf 2 hours ago | parent | prev | next [-] | | Tail risk. Only <1% of people get punished by their car's data. IMO that's still too much. | |
| ▲ | post_break an hour ago | parent | prev | next [-] | | Your driving habits, and everyone around you are impacting car insurance for example. | |
| ▲ | criddell 2 hours ago | parent | prev | next [-] | | I bought a car earlier this year and it took about a week before I started getting car warranty junk mail for the new car. | | |
| ▲ | cogogo 2 hours ago | parent [-] | | I always thought that is from companies that get their hands on registration data. Or I could be wrong and it is the dealer itself selling it on not the manufacturer. | | |
| ▲ | Loughla 18 minutes ago | parent [-] | | Pretty sure it's registration data. Anything public is now used for junk. We transferred a piece of property this year and have been getting constant spam for realtors to sell it for us. We bought a used car from an individual and started getting spam for warranties once we registered it and got plates. |
|
| |
| ▲ | chaps 2 hours ago | parent | prev [-] | | Are you asking for articles that show how connected car data is being sold left and right? |
|
|
|
| ▲ | Cider9986 3 hours ago | parent | prev | next [-] |
| this is the bill we need to pass in the house instead of them trying to age-(identity)gate social media. (https://epic.org/press-release-massachusetts-senate-unanimou...) |
|
| ▲ | like_any_other 4 hours ago | parent | prev | next [-] |
| A good first step, but the harm is already done when the data is gathered. Stalking should be illegal even if you don't sell the information you gathered, I don't want Toyota or GM or Google knowing where I've been either, not just their "partners", and it's long past the time the EULA loophole was closed. Contracts exist to serve society, not the other way around. |
|
| ▲ | john_strinlai 4 hours ago | parent | prev | next [-] |
| still waiting for any of the many existing privacy bills, worldwide, to start doing meaningful enforcement. |
| |
| ▲ | Cider9986 3 hours ago | parent [-] | | We need private right of action. That's the big thing holding up the sweeping Mass privacy law. The house supports a private right to action and the senate only wants the attorney general enforcing the law. |
|
|
| ▲ | ldoughty 4 hours ago | parent | prev | next [-] |
| Will this have reach and teeth though? I can imagine loopholes to this... nothing stops facebook/google from buying this data from companies not in Massachusetts? and facebook/google don't have to give advertisers the location information but can still use that information when determining the advertisement to return, right? In theory the big silicon valley "targets" of this bill don't actually have a huge incentive to give this data away, do they? They just need to be able to read/access it, which I don't think this law stops? Assuming the data broker is not doing business in Massachusetts itself |
| |
| ▲ | fultonn 4 hours ago | parent | next [-] | | > Will this have reach and teeth though? It'll have reach because MA has a long-arm statute and there's a rich history of applying that statute in the context of Chapter 93. It'll have teeth but probably not to the effect that you hope. This statute was written such that only the Attorney General can bring action; see Section 10(b). This diverges from a long history in the Commonwealth of allowing private individuals to bring civil suits for most types of Chapter 93 violations. As a result, I anticipate that the most impactful change will be in the quantity and frequency of political donations to Mass AG candidates (and in the case of contested primaries their aligned block of candidates up and down ticket). Consumer protection laws should always provide for a private cause of action. Otherwise they just function as a mechanism for legalized corruption. | | |
| ▲ | mindslight 3 hours ago | parent [-] | | I don't disagree with the thrust of your criticism of the dynamic (especially long term). But there is a legitimate concern that the first test cases to hit the courts need to be quite unsympathetic egregious violators rather than surveillance dynamics that have been thoroughly normalized for decades. If people start bringing private suits against neighbors that have deployed Amazon surveillance cameras, "credit bureaus", private investigators, big tech surveillance companies directly (eg Google, and especially with weak legal arguments), it is likely to set some poor precedents and create political pushback. | | |
| ▲ | fultonn 3 hours ago | parent | next [-] | | Section 2 already limits applicability to persons collecting or processing data on not less than 60,000 consumers, so suits brought against neighbors would be (rightfully) dismissed. The concern about poor precedent stemming from poor cases has some rational sense, but we have the benefit of experience. Empirically it just hasn't tended to play out like that in the case of consumer protection statutes in MA. One reason this doesn't happen in practice might be the limited bandwidth of the appellate process. The SJC could (and likely would) prioritize answering questions about the statute in the context of cases brought by the AG. The longevity pro-consumer laws in MA provides some good empirical data that cuts against the concern about push-back. | |
| ▲ | kmeisthax 3 hours ago | parent | prev [-] | | Couldn't this be mitigated by, say, having the private right of action not start until a few years into the applicability of the law? |
|
| |
| ▲ | rolph 4 hours ago | parent | prev [-] | | once you allow someone to read data, it has been given away. even if its only retained until buffer refresh, its still given away. if its read frombuffer space and transformed into a persistent structure, its a gift that indefinately keeps giving. | | |
| ▲ | ldoughty 3 hours ago | parent [-] | | but if facebook/google are the buyers, they do not violate this law... the law seems to focus on the sale & giving of this data... not the reception. This means that they just need a non-Massachusetts based data broker to sell them the data, and then they can store that data to make advertisement decisions (so long as they do not forward it along) |
|
|
|
| ▲ | mc32 4 hours ago | parent | prev | next [-] |
| This is good and all States should adopt some. Eventually I’d like to see one at the federal level that supersedes state level ones so that we don’t have to deal the the mess that is taxation across 50 states. A nice uniform privacy bill at the Fed level would be nice. |
| |
| ▲ | yndoendo 4 hours ago | parent | next [-] | | This seems more symbolic since I don't see were the law has any teeth. There is no fine nor imprisonment for failing to follow the law. | |
| ▲ | kmeisthax 2 hours ago | parent | prev [-] | | No, we specifically DO NOT want uniformity. We want a minimum that states can go beyond. In the current environment, tech companies have to bribe 50 states plus the federal legislature in order to block privacy bills. If you have federal preemption, then you just have to bribe Congress, because states can't pass ANY privacy laws whatsoever. And we already know the feds do not want a privacy law: the entire legality of the federal surveillance apparatus hinges on the fact that buying your data from third parties does not trip constitutional scrutiny. Preemption freezes the requirements in time so they will always be a few steps behind the TLAs[0]. The ideal is that every sovereign entity passes their own privacy law that applies to their territory, with a private right of action, and adtech companies are forced to adopt a "50 states legal" posture. This is, deliberately, a ratchet: it's easy for any state to require a higher standard but hard to get every state to reduce it, so privacy laws cannot be walked back in secret. [0] Three Letter Agencies: CIA, FBI, NSA |
|
|
| ▲ | josefritzishere 4 hours ago | parent | prev [-] |
| This is very exciting. |
