California's new privacy law could lead web companies to begin honoring browser-based “do not track” tools, the architect of that law suggested Tuesday in testimony to the Senate Judiciary Committee.
The California Consumer Privacy Act, which takes effect next year, allows state residents to learn what personal information about them is held by businesses, request deletion of that information, and to opt out of its sale.
Privacy advocate Alastair Mactaggart testified Tuesday that businesses could comply with that opt-out provision by honoring do-not-track requests that web users can send via settings in their browsers.
“The browser companies will have a setting. You say, 'I want to always not sell my information,'” Mactaggart told lawmakers. “You click that once in your browser, then every site you go to, you don't have to worry about it...You've now told all these companies, don't sell my information.”
His comments came in response to questions by Sen. Diane Feinstein (D-California), who criticized the opt-out approach for relying on notifications to consumers that could be difficult for them to read. She said an opt-out notice could be so small that people would “have to read it with a magnifying glass.”
Years ago, major browser manufacturers began offering a do-not-track setting aimed at enabling consumers to opt out of online behavioral advertising. But those settings don't actually prevent anyone from tracking users. Instead, the headers send a signal to publishers and ad networks -- which are free to disregard them.
Currently, most companies disregard those settings. In fact, so few companies honor the settings that Apple recently removed its do-not-track tool from Safari.
The hearing comes as Congress is ramping up efforts to pass an online privacy law. Much of the momentum for a new law comes from the revelation that data consultancy Cambridge Analytica harvested information from up to 87 million Facebook users.
But some of the push is also coming from the ad industry and tech companies, which want a national law that would override state laws, including the new California measure.
Feinstein said at Tuesday's hearing that she won't support a federal privacy law that is weaker than California's new law.
Google senior privacy counsel Will DeVries said the company will back a federal law that's at least as strong as California's -- but added that Google wants to see some revisions to the California measure. “With some fixes those are important rights,” he said.
He elaborated in written testimony that Europe's GDPR's “flexible and nuanced approach” is preferable to California's law, which only allows people to opt out of the “sale” of their information and not other types of data sharing.
“The GDPR,” he wrote, “generally requires some user control over all data processing unless the processing is necessary to provide a service to the user or other specific circumstances apply.”