Upon closer inspection, it seems like this law would only apply to large business or businesses that actually sell personal information. If that's the case then it's more reasonable than I initially thought.

I was concerned that every blog and startup might need to implement the functionality, but it seems like that might not be the case.

But what if the personal information is not sold but shared for free, will this law apply? I can see the big comnpanies finding so many loopholes in this.

If I'm reading the quoted portion correctly, it'd apply to large companies whether or not they sell personal information.

But if the large company doesn't sell, then it would be a blank page for the most part?

I'd have to read more of the law than was quoted on HN to know for sure, but I suspect there would at least be rights to learn what data they have on you and rectify inaccurate data.

Maybe some deletion right too but the above is the part commonly found in other privacy laws, such as in Canada where I now live.

None of this depends on whether they share your data, let alone share in exchange for compensation.

> functionality

A link to a static page "we don't collect user data" is now "functionality"?

I was referring to the requirement of a page with an opt-out form, but since this law wouldn't impact small websites it's a moot point anyway.