I wrote this. I had/have absolutely no expectation that Flock would comply with my request, but figured I should try anyway For Science. Their reply rubbed me wrong, though. They seem to claim that there are no restrictions on their collection and processing of PII because other people pay them for it. They say:
> Flock Safety’s customers own the data and make all decisions around how such data is used and shared.
which seems to directly oppose the CCPA. It's my data, not their customers'.
Again, I didn't really expect this to work. And yet, I'm still disappointed with the path by which it didn't work.
I think you should write them back and ask that they provide you with a customer list and continually update you as they get new customers so that you may follow the advice they've given you.
Wait, is it your data? If you drive your car in front of a Ring camera on my house (I don't have a Ring camera don't @ me), is it your claim that you own the data on that camera?
Read a few of your posts. Just wanted to comment on how I like your to-the-point succinct style and how you care about privacy. :)
As a suggestion, I saw you have RSS:
I didn't see it mentioned in the main page or About or Archive. Maybe add it to a more visible place?
The data ownership is really interesting, as many threads here are going into. I wonder if it's possible to sidestep that entirely, though! Under the CCPA, "personal information" is defined as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked — directly or indirectly — with a particular consumer or household. That says nothing about ownership.
To the extent that Flock is only storing the data on behalf of their customers, I'd understand they wouldn't be required to delete it. But to the extent that they are indexing it, deriving from it, aggregating it across customers, and sharing it via their platform, it seems they should be required to remove that data from those services.
But then again, I am not a lawyer!
Nice work all the same. These systems need to be prodded and tested. Even unsuccessful results such as this tell us something about the situation we're in.
This answer is relevant: https://oag.ca.gov/privacy/ccpa#collapse6d
In short, Flock is a "service provider" and not the entity doing the recording.
Perhaps you can make a case that they are a "data broker" instead (https://oag.ca.gov/privacy/ccpa#collapse1i), but that is a separate law, and what you are really looking at is a combination of license plate, time and location being collected as data and sold without your consent.
Obviously, I am not a lawyer (and not even US-based), but I like when privacy is respected :)
You might reach out to the California AG. I suspect they are itching for this kind of thing right now.
Maybe eff.org would be able to help you lawyer up or otherwise push this forward. Good luck!
I am not a lawyer myself, but can't one argue that this company has a duty to ensure that data it is processing for a client is legally obtained?
If they are processing data after being told it was not obtained with consent, do they not have any liability?
It’s not clear to me that it is actually your data. If I take a picture of you in a public place, I own the picture, not you.
But maybe I am unclear on how Flock works.
> which seems to directly oppose the CCPA.
I have some background in data privacy compliance.
It sounds like they are claiming to be a Service Provider under CCPA, which is similar to a Processor under GDPR. Long story short, a Controller is the one legally responsible for ensuring the rights of the data subject, and a service provider/processor is a "dumb pipe" for a Controller that does what they're told. So IF they are actually a Service Provider, they're correct that the legal responsibility for CCPA belongs to their customers and not them.
That's a big IF, though.
Being a Processor/Service Provider means trade-offs. The data you collect isn't yours, you're not allowed to benefit from it. If Flock aggregates data from one customer and sells that aggregate to a different customer, they're no longer just a service provider. They're using data for their own purposes, and cannot claim to be "just" a service provider.
Under GDPR, I believe that would be accurate. I think CCPA was to some extent inspired by GDPR so I wouldn't be surprised if they copied this point too.
Which, hilariously, means that under GDPR, you only need to contact the web site, and they have to go talk to their 1207 partners that value your privacy to fulfill your request (I'm sure that in practice they'll say "sorry it's all 'anonymous' so we can't" or "we can't be sure that it's you even though you provided the identifier from your cookies"). I'm really disappointed that NOYB hasn't started going after web sites like that - that'd quickly put a damper on the whole web surveillance economy.
I tried the same, got a similar response, and complained to the AG. Nothing.
These laws get complicated quickly. There's a specific ALPR law in the CA civil code which seems to carve out several exceptions for a business like Flock:
https://leginfo.legislature.ca.gov/faces/codes_displayText.x...
The enforcement provisions are rather bleak as well and afford no opportunity to directly bring a case against the agency that operates the system but instead just the individual who misuses it.
I think one of the more direct attacks would be going after jurisdictions that chronically have officers misusing the system. I think you're going to have to create precedent in this way to foment actual change.
> It's my data, not their customers'.
Just because data is about you, that doesn't mean it is your data.
The CCPA clearly violates the 1st Amendment. If you're out in public, then people are allowed to see you, to remember it, to communicate that it happened, etc.
Isn't this just the routine fascist playbook at this point? Start by declaring that the law doesn't even apply to them, on whatever flimsiest of bases.
Personally I would really like to see torts for attorneys who willfully promulgate blatantly incorrect legal interpretations - they're effectively providing incorrect legal advice. A non-attorney is likely to believe such advice coming from a member of the Bar, and the net goal is to discourage the target from seeking further legal advice.
They were saying "don't write to us, talk to the people who own the cameras and ask them to delete the data". A company that manufactures video cameras is not the one to talk to when someone records you; talk to the person who recorded you.
But a reasonable person would say -- the data is stored on Flock servers, not with the camera owners. And Flock would say, just because we sell data storage functionality to camera owners doesn't mean we own the data, any more than a storage service you rent a space from owns what you put in that space.
But then an even more reasonable person would say: the infrastructure is designed in such a way as to create inadvertent sharing, and the system has vulnerabilities that compromise the data, so Flock has responsibility for setting up the system in such a way that it's basically designed to violate privacy.
And that is the main criticism of Flock. You need to have a more nuanced criticism. It would be really interesting to see this litigated.