[figgis]

> So if I forward all of the data to another company outside of CA, does my company count as processing data?

You are still processing that data. Part of processing that data involves you shipping it off...

> What if the code that forwards that data is written by another company and I'm just hosting it on my site? Everything goes through their code and I'm paid to just setup a website to host their code.

You are as responsible, if not more, in making sure that compliance is met. You are the one hosting the code. The data is moving through your servers.

> Maybe I do collect info in CA but I sell the data for $1, but the company also buys some consulting services for the actual price of that data that I'm selling them?

That's just being a jerk. But better hope you don't pass the 50k mark...

[Novashi]

>You are still processing that data. Part of processing that data involves you shipping it off...

>The data is moving through your servers.

So if a random company gets breached, everyone involved from cloud providers to ISPs are also responsible because they facilitated moving and storing the data and they are just hosting code?

This is problematic. Cloud providers give you permission to publish code. I could position myself to allow another company to publish code on my popular website to collect data and my role is basically no different than a cloud provider. We don't have to agree that is what it's specifically for, I just need to give them access to upload their own code for whatever expensive fee.

[figgis]

>So if a random company gets breached, everyone involved from cloud providers to ISPs are also responsible because they facilitated moving and storing the data and they are just hosting code?

ISP's aren't (supposed to be) "storing" that data. They are transferring bits between computers. You on the other hand are hosting a website with some sort of form that people input PII into. You are accepting that PII, whether or not it gets forwarded or not is irrelevant. You are processing it. So do your due diligence, contact your users and let them know what is going on, and speak with a lawyer for more information.

[Novashi]

>You on the other hand are hosting a website with some sort of form that people input PII into.

That's what cloud providers do! If there's a spirit-of-the-law that is supposed to protect them, this would be a good time to write that in!

[heavenlyblue]

Do they specifically mention rental cars in the code of law, when they say that the driver can't drive over the speed limit?

[Novashi]

"Process PII" is incredibly vague. You could define that in a hilarious amount of ways with the amount of complexity we introduce to our software products, especially with code we don't even write ourselves that widens your security surface.

This is especially true if you use a service that allows others to inject code into your code base. If NPM has a security failure that leads to a breach at a company, who is at fault? Both? Or only the company that chose to use the code? An NPM package might be processing PII after all. Does that mean NPM can never be held responsible for security breaches?

Secondly, your example would be backed up by historical cases and this law is brand new, so it is not clear. I'm not even sure how you guys can confidently argue that the new law ISN'T outright vague.

[heavenlyblue]

>> You could define that in a hilarious amount of ways with the amount of complexity we introduce to our software products, especially with code we don't even write ourselves that widens your security surface.

You could define in a hilarious amount of ways in which your chef can pee in the broth you ordered in a local diner. But it generally doesn't happen, does it?