California should delay enforcement of the state's
sweeping new privacy law until January of 2022, the U.S. Chamber of Commerce says in a recent filing with the state attorney general.
The landmark Consumer Privacy Act, which takes effect next
month, gives consumers the right to learn what personal information about them is held by businesses, request deletion of that information, and to opt out of its sale. The law's broad
definition of personal information includes web-browsing activity and other data used for targeted advertising.
The measure is set to take effect in January, with enforcement scheduled
to begin July 1, 2020.
The country's largest business group now says July 1 is too soon, given that the regulations implementing the law are also scheduled to be finalized on that date.
“For a benchmark for a reasonable time for compliance, California should look to the European Union's General Data Protection Regulation,” the Chamber of Commerce writes in comments filed this month with state Attorney General Xavier Becerra.
The organization
adds that the European Union adopted final GDPR regulations in April 2016, and that the law didn't take effect until May of 2018.
The group's comments are now available on the California
attorney general's website, which hosts seven PDF files containing 1,736 total pages of comments from numerous groups that weighed in on proposed
regulations.
The Chamber of Commerce noted in its comments that a new
ballot initiative proposed by Alastair Mactaggart, who pushed for the California Consumer Privacy Act, could require businesses to adopt different procedures.
“The ongoing proposed
ballot initiative known as the California Privacy Rights Act ... would change many of CCPA's requirements after companies spent time investing in compliance with the original Act,” the group
writes.
The Chamber of Commerce also weighed in against the idea that companies must honor do-not-track signals.
Browser developers have offered do-not-track signals for years, but
those signals don't prevent tracking. Instead, the signals communicate a do-not-track request to ad tech companies and publishers, which are free to honor the requests or not. Currently, those
requests are widely ignored.
Regulations proposed in October by
Becerra would require companies to honor opt-out requests that people send through browsers, plug-ins or privacy settings.
The Chamber argues that browser-based opt-out techology “is not
sufficiently interoperable and developed to ensure that all parties that receive such a signal can operationalize it.”
The group says businesses shouldn't be required to honor any
mechanisms that were not “designed specifically for CCPA.”
Google also argued in its comments to Becerra that there was no “standard technology” for privacy plugins or
settings to communicate opt-out requests.
“The draft regulations do not specify how such browser plugins or other privacy settings should communicate these choices or how such signals
would need to be honored,” Google wrote.
The ad industry has also said it opposes a requirement to honor browser-based signals, arguing this mandate would be “extralegal,”
because it isn't in the text of the law.