California should delay enforcement of the state's sweeping new privacy law until January of 2022, the U.S. Chamber of Commerce says in a recent filing with the state attorney general.
The landmark Consumer Privacy Act, which takes effect next month, gives consumers the right to learn what personal information about them is held by businesses, request deletion of that information, and to opt out of its sale. The law's broad definition of personal information includes web-browsing activity and other data used for targeted advertising.
The measure is set to take effect in January, with enforcement scheduled to begin July 1, 2020.
The country's largest business group now says July 1 is too soon, given that the regulations implementing the law are also scheduled to be finalized on that date.
“For a benchmark for a reasonable time for compliance, California should look to the European Union's General Data Protection Regulation,” the Chamber of Commerce writes in comments filed this month with state Attorney General Xavier Becerra.
The organization adds that the European Union adopted final GDPR regulations in April 2016, and that the law didn't take effect until May of 2018.
The group's comments are now available on the California attorney general's website, which hosts seven PDF files containing 1,736 total pages of comments from numerous groups that weighed in on proposed regulations.
The Chamber of Commerce noted in its comments that a new ballot initiative proposed by Alastair Mactaggart, who pushed for the California Consumer Privacy Act, could require businesses to adopt different procedures.
“The ongoing proposed ballot initiative known as the California Privacy Rights Act ... would change many of CCPA's requirements after companies spent time investing in compliance with the original Act,” the group writes.
The Chamber of Commerce also weighed in against the idea that companies must honor do-not-track signals.
Browser developers have offered do-not-track signals for years, but those signals don't prevent tracking. Instead, the signals communicate a do-not-track request to ad tech companies and publishers, which are free to honor the requests or not. Currently, those requests are widely ignored.
Regulations proposed in October by Becerra would require companies to honor opt-out requests that people send through browsers, plug-ins or privacy settings.
The Chamber argues that browser-based opt-out techology “is not sufficiently interoperable and developed to ensure that all parties that receive such a signal can operationalize it.”
The group says businesses shouldn't be required to honor any mechanisms that were not “designed specifically for CCPA.”
Google also argued in its comments to Becerra that there was no “standard technology” for privacy plugins or settings to communicate opt-out requests.
“The draft regulations do not specify how such browser plugins or other privacy settings should communicate these choices or how such signals would need to be honored,” Google wrote.
The ad industry has also said it opposes a requirement to honor browser-based signals, arguing this mandate would be “extralegal,” because it isn't in the text of the law.