California Attorney General Xavier Becerra has unveiled a set of proposed regulations that aim to flesh out the state's groundbreaking new privacy law.
“It’s time we had control over the use of our personal data. That includes keeping it private,” Becerra stated Thursday when he released the proposed rules.
The California Consumer Privacy Act, slated to take effect January 1, gives consumers the right to learn what personal information has been collected about them by companies, to have that information deleted, and prevent the sale of that data to third parties.
The bill's sweeping definition of “personal information” includes data that could potentially be linked to individuals -- including data used for ad targeting, such as persistent identifiers, browsing history and IP addresses. The measure also defines “sale” as including transfers or disclosures to third parties.
The proposed regulations include instructions for businesses on how to allow people to opt out of disclosure of their information.
The potential rules call for companies that collect online data to place a “clear and conspicuous” a link stating “Do Not Sell My Personal Information” or “Do Not Sell My Info” on sites or mobile pages.
Companies must also offer at least one other opt-out method, such as a toll-free phone number or email address.
Companies can also place a “do not sell” button or logo on their websites and mobile apps, in addition to the links. Specs for that button or logo will be shown in an upcoming version of the regulations.
One of the most significant proposed regulations requires companies to honor opt-out requests that people make through browsers, plug-ins or privacy settings.
That proposal is worded as follows: “If a business collects personal information from consumers online, the business shall treat user-enabled privacy controls, such as a browser plugin or privacy setting or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information as a valid request ... for that browser or device, or, if known, for the consumer.”
Assuming it is finalized, that proposal paves the way for new privacy tools, as well as a version of a browser-based do-not-track mechanism.
“It does create the potential for a privacy plug-in,” says Jules Polonetsky, CEO of the industry-funded think tank Future of Privacy Forum.
He adds that the proposed rule could also enable browser-based “do-not-sell” tools, similar to the current do-not-track headers. Years ago, major browser manufacturers began offering a tool that sends a “do-not-track” signal to publishers and ad networks. But users who activate those signals don't necessarily communicate that they want their data “sold,” at least as that term is defined by the California law, according to Polonetsky.
That's because some browser developers explain “do-not-track” in a way that is inconsistent with California's opt-out law.
For instance, Google Chrome tells people who activate do-not-track that many websites will still collect and use their browsing data for ads -- but California's law allows people to opt-out of disclosure of data used for targeted ads.
Becerra plans to hold hearings in December on the proposed rules, and is accepting comments through December 6.
Dave Grimaldi, executive vice president for public policy at the Interactive Advertising Bureau, stated Thursday that the organization is evaluating the proposed regulations and plans to submit comments to Becerra.