Flock has knowledge/use of the data. Their system processes can relate the photos “owned” by two different entities. They’re interacting with it and selling their access to it as a feature. That’s obviously distinct from S3.

But you knew that.

I don't live in a state with a law like California's so your "gotcha" isn't relevant.

Californians would have standing under the law but need expensive lawyers to litigate.

AWS has employed expensive lawyers to argue semantics; they host OS VMs and databases. This provides them legal cover for what AWS customers store.

Amazon the retailer stores customer data. A non-customer would have standing under California law to litigate removal of PII should they decide to hire lawyers.

Your reductionism is to law what a Linux beige box on a routable IP, no firewall, hosting a production health database with creds set to admin/pwd1234 is to software engineering.

Coincidentally 1234 happens to be the code to my luggage.

Devils advocate here. There is currently an article on the front page about a US bill to compel operating systems to collect age verification / id data. If something like that was actually in place and every packet on the internet was stamped with your digital id then you could feasibly demand that aws purge/filter your data out of their systems.

If AWS maintained private infrastructure that stored and indexed data associated with people's license plates and vehicles and then charged customers to do searches against that data then yes, you could write them to ask them to purge data pertaining to you.

If Flock was just an opaque cloud storage service for law enforcement to back up their mass surveillance to then sure, your argument would have merit; it's not, it's a giant database of photos, locations, times, license plate information, and likely a lot more. They're not selling cloud storage, they're selling (leasing?) surveillance devices and tools.

Does AWS actively and by design parse and keep track of personally identifiable information of the data that AWS customers store on their S3 buckets? If that were the case they would absolutely be subject to CCPA (and GDPR) requests for deletion.

However, I suspect that is not the case. AWS is agnostic as to the type of data stored on S3, and deletion of PII stored on S3 is the sole responsibility of the AWS customer that chooses to store it.