How to Protect your Privacy -- Personal, Financial, Digital

Yes, the exemptions in the federal law only apply to the federal law. However, the federal law also preempts state laws relating to security freezes:

15 U.S.C. § 1681t is the preemption section of the FCRA. So 1681t(b) ends up as (relevant part only):

1 Like

How to turn off Google’s location tracking

On your Android or Apple cellphone

This is so sad. Although the exemptions are understandable, the “follow the money” principle leads me to believe that Equisux et al. will continue to make money from people who’ve frozen their data.

Exemption (J) seems to be the most worrisome. I expect to once again be inundated with junk mail for credit cards, and anyone else that the data whorehouses decide to sell my data to.

2 Likes

To me, that exemption doesn’t seem to allow that. It seems like it’s more for something like opening a bank account, without an extension of credit.

@anotheruser does this change affect the ability to opt out of preapproval solicitations?

I’m also concerned that this prong can be stretched too broadly. There are CRAs like EWS (similar to Chex), SageStream/IDA, and ARS that might be able to make an argument that their reports are used only for fraud screening, not credit risk analysis.

It is worth noting that the federal law will still be an improvement for many people, as some existing state laws contain similar exemptions. Arizona’s, for instance, includes similar exemptions. (But others like California’s do not.)

It does not. However, security freezes are not considered a prescreened solicitation opt-out on their own, under this exemption:

§ 604(c) is 15 U.S.C. § 1681b(c), the section of the FCRA pertaining to prescreened solicitations. The opt-out provisions under 1681(e) are unchanged.

3 Likes

I didn’t want to create a new post for this lone article. This seemed like a good place to include it.

3 Likes

Goes to show that even if you do your darned best to protect your personal information, you can’t fully trust any business to do the same.

At least not until the penalty for not securing our data is higher than the cost of securing it.

Or the cost of lobbying against any reform on liability for data storage/handling parties becomes prohibitive.

2 Likes

In some large companies (Google for example) the penalty to mitigate your information from being sold or shared must be in the multi-millions. This is the information age. You can do things proactively to minimize your exposure but the reality is every web search you do, every credit card you use, anywhere you go with a smart phone or any picture you post to Facebook can potentially track you; the things you buy, the places you go to, the things you do. As more data becomes compiled across many companies it’s even more susceptible to a hacker or data breach. There’s really nothing we as a consumer of society can really do.

Most people don’t care. Data analytics and data capturing are the future and it will be a billion-dollar industry. Choose to live off the grid or recognize there will be a lot of data you truly can’t protect and no company is guaranteed to protect it (no bank accounts, smart phone, and cash only purchases anyone? Better stock up on your guns & ammo and food stuffs). Even then it’s only a matter of time before facial recognition software begins to advertise to you walking into a store. You have all seen the sci-fi movies and Netflix films of the last decade, right?

Edit: I appreciate the OP is about minimizing spam mail, etc., and perhaps this is a de-rail/rant. However, it’s important to recognize the trend for the future. Political play and regulation of some sort must come into the picture eventually, but how many years did it finally take to start taxing internet sales? It’s even farther behind on any kind of legislative enforcement.

6 Likes

We haven’t talked much about online privacy other than email and online ads. There are a few things you can do. Maybe I’ll add it to the wiki.

  • Go to Google Privacy settings and opt out of web, search, and location history. Better yet, walk through all the privacy settings of all your online accounts and turn off everything you don’t like.
  • Change camera settings to not embed GPS info into photos/videos (and don’t give the camera app permission to access location service). Unless you need an alibi, that is.
  • If you want full web privacy, use a VPN with a non-fingerprintable browser (with all the JavaScript and ad blocking).
  • Don’t post your face online, don’t let friends tag you, don’t use your real name (and educate your friends).
  • Use application firewalls on all devices (ZoneAlarm, NoRoot Firewall/DroidWall, etc.) to prevent offline apps from going online.
  • Windows 10 is a huge piece of shit with built-in tracking and telemetry that’s difficult to disable completely. Disable or avoid if you can. I’m seriously considering finally switching to Linux (especially now that there’s a huge effort to make Windows games playable on Linux).

Not all of those steps will stop all tracking all the time, but they are steps in the right direction.

Not much we can do about Mastercard selling us out, but I believe it is still possible (but not trivial) to disconnect our online presence from our real world identity and render the data useless.

That’s the best-case scenario. Worst is Enemy of the State and Minority Report.

Also, Gattaca – for the love of the Flying Spaghetti Monster, do not do a DNA test on yourself if you can’t do it anonymously.

Yep, apathy is a huge problem. Ignorance too.

3 Likes

Well said. All my computers remain on Windows 7 which is a wonderful OS. However, 2020 looms. And Windows 10 sucks.

I actually started, back circa 2000, with Linux. I even have Linus’s book, Just for Fun, and enough Linux manuals to choke a horse.

Perhaps, as you suggest, it will soon be time to return home. :wink:

2 Likes

Better yet, delete your Google account and use an email provider where you are paying for the product instead of being the product. I use FastMail.

Little Snitch on macOS.

For the same reason, use iOS mobile devices.

1 Like

A reasonable alternative for non-technical people.

I was contemplating another benefit of using email forwarders (aliases) recently. I realized that most people probably have only one email address, and not only do they use it for their personal email, but also as their User ID / logon for all kinds of accounts, including social media and banking. The User ID should really be treated as a secret the same way as a password and secondary backup questions & answers. If you advertise your email address to the world, you’re giving away half of the information required to log on to your other online accounts. You’re also giving someone half of what’s required to get into your inbox, which can cause all kinds of havoc if you use one email address for everything. It would allow the hacker to bypass any multi-factor authentication that sends an email with one-time codes for password resets or for logins from new devices.

Using separate email addresses for all online User IDs and using them exclusively can keep them secret. Even better if those addresses are not fully fledged email accounts, but are forwarders / aliases that just forward the email to another, completely secret address. Even if a hacker obtained your forwarder, they couldn’t log in to your email.

The best way to do this is to get your own domain ($10-$15/yr) and web hosting ($3-$10/mo) with unlimited email accounts and forwarders. It’s not easy though.

2 Likes

Agreed. I have my own domain (via Gandi) with email hosted by FastMail. I can create aliases @mydomain or @any of FastMail’s domains. Most of mine are on my domain, but I use aliases @FastMail’s domains for anonymity in some cases.

Also, use U2F 2FA whenever available and disable SMS fallback. FastMail, Google, and Gandi support it. (That’s not meant to be an exhaustive listing.)

If email hosting is the primary purpose, I would definitely suggest using a proper email provider rather than some random shared web host that includes email as a feature (but really just a checkbox on the feature list), unless their email service is actually a G Suite signup (as I recall some hosts doing in the past).

1 Like

Wiki’d (new word?!) the info from my earlier post on general online privacy.

I read their pricing and it seemed like it was $3-$5/mo per account, so if you have to pay for aliases it’s not very cost effective. Unless an alias isn’t an account and is free…

Wiki’d!

I suppose the following are too obvious for the wiki:

  • don’t write your password on a post-it note and stick it on your monitor
  • don’t write your PIN on your debit card
  • don’t keep your U2F key with your backup key or the devices that need it!

:slight_smile:

1 Like

It isn’t really clear from their pricing page, but aliases are not user accounts and are free (up to 600 aliases per account + 15 per user). Aliases are associated with one user account; user accounts are actual separate logins.

  • don’t use ‘password’ as your password

:stuck_out_tongue:

I’ll add to the wiki that YubiKeys are the most widely used keys, sort of the industry standard right now. There are others (U2F is a standard, though YubiKeys aren’t just U2F keys), but I’d be cautious.

1 Like

Quite well thought out … or maybe I think that because I’ve got them covered. :slight_smile:
I am not aware of a non-fingerprintable browser. My browser is FF 5x ESR (NoScripted) which randomly masquerades as IE, various versions of FF and Netscape. Yet, when I check my fingerprint:

without JavaScript - supposedly un-fingerprintable, yet 13.5 bits of info (1 in 12000)
with JavaScript - 21 bits of info and 1 in 2.1 million. :frowning:

Can you share the name of a non-fingerprintable browser?

Thanks.

In the same vein, I use one browser for surfing places that have non-identifiable or false data. I use a completely separate PC with a different OS and browser for all $ related items. Thus, they may easily fingerprint me, but I’ve already given them the info.

Nope, doesn’t exist. This is more of a wish and an awareness campaign :slight_smile: . I hear the Tor Browser actively tries to defend, and the latest version of the most popular browser (Chrome) on the most popular OS (latest Windows) maybe with a common monitor resolution and no custom fonts may result in a very common (i.e. useless) fingerprint.

1 Like