FLOSS 583: California Consumer Privacy Act Tools

Beep boop - this is a robot. A new show has been posted to TWiT…

What are your thoughts about today’s show? We’d love to hear from you!


I was rather confused because I thought I was listening to the OSI episode, so it took me a while to figure out why you kept talking about what I assumed was a tangent, but I found it interesting to hear about what’s going on over there.

However, I did have to engage my “Americans talking about GDPR without understanding it” restrained brain, because there seems to be this pervasive idea that GDPR requires cookie notices that are pointless because you basically have to accept, probably because as I understand it that’s all people outside the EU tend to be shown. (At this point I feel I should say I’m not a lawyer, so may get some of this wrong.) That was older regulation, and was pretty stupid. What GDPR requires is a lawful basis for processing personally identifiable information, one of which is consent, and so with GDPR you get popups asking you to consent to the use of cookies, and crucially, you can opt out of non-essential cookies and still use the service. You can’t refuse access to a service because someone doesn’t consent to the use of their PII when there is no other lawful basis for processing it - see https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/consent/what-is-valid-consent/

Consent means giving people genuine choice and control over how you use their data. If the individual has no real choice, consent is not freely given and it will be invalid.

This means people must be able to refuse consent without detriment, and must be able to withdraw consent easily at any time. It also means consent should be unbundled from other terms and conditions (including giving separate granular consent options for different types of processing) wherever possible.

And the example:

An online furniture store requires customers to consent to their details being shared with other homeware stores as part of the checkout process. The store is making consent a condition of sale – but sharing the data with other stores is not necessary for that sale, so consent is not freely given and is not valid. The store could ask customers to consent to passing their data to named third parties but it must allow them a free choice to opt in or out.

The store also requires customers to consent to their details being passed to a third-party courier who will deliver the goods. This is necessary to fulfil the order, so consent can be considered freely given - although ’performance of a contract’ is likely to be the more appropriate lawful basis.

Sorry for the verbosity, but “Americans not understanding GDPR and talking about it based on misinformation” is one of my pet peeves. It’s a bit lower down the list than racism and police brutality, but it is on there.

1 Like

Correct. Having been a Data Protection Officer at a previous employer and working in IT and having to comply with GDPR now, you hit the nail on the head. It is very frustrating when people hark on about cookie notices and other parts of data protection that they quote wrongly. Oh, and I always want to call it DSGVO when I speak English, I’m now so used to calling it by its German name (Datenschutzgrundverordnung).

Another classic, to go off at a tangent, is Jeff Jarvis always misrepresenting the right to be forgotten in Europe. He seems to have drunk the Google anti-RTBF coolade and doesn’t seem to have actually read the legislation itself. Or his seeming to think he understands Germans, even though with every word he contradicts what I see on a daily basis… /rant

I like Jeff, but when it comes to Europe, he often seems to go off the deep-end, without actually understanding what he is talking about.

1 Like