California Attorney General Xavier Becerra has unveiled a revised version of proposed regulations implementing the new state's landmark new privacy law.
Among other changes, the new proposal would narrow the definition of “personal information” covered by the measure.
The California Consumer Privacy Act, which took effect last month, gives consumers the right to learn what information has been collected about them by companies, have that information deleted, and prevent the sale of that data to third parties.
The bill itself defines “personal information” as data that could reasonably be linked to individuals -- and mentions data that that can be used for ad targeting, including persistent identifiers, browsing history and IP addresses.
Becerra, who is tasked with developing regulations that to implement the bill, proposed in guidance issued late last week that data should only be considered “personal information” if it's stored in a way that could reasonably link it to particular individuals or households.
“If a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be 'personal information,'" the document says.
That approach contrasts with regulators' position in the European Union, where IP addresses are always considered personal information.
The new guidance could enable ad tech companies to argue that they can't identify consumers based on their IP addresses, and therefore may sell data about those IP addresses -- even if consumers have attempted to opt out of the sale of personal information, according to attorney Tanya Forsheit, chair of the privacy and data security group at Frankfurt Kurnit Klein & Selz.
“There will be companies that will take this position,” she predicts.
The revised proposal also includes a graphic of an optional opt-out button that companies can place on their websites.
If companies use that button, they must place it to the left of a link that states either “do not sell my personal information” or “do not sell my info.”
The proposed button -- which resembles a toggle icon -- is widely seen by privacy professionals as confusing when paired with the suggested language, according to Forsheit.
"There's unanimous dislike of this," she says.
The original proposed regulations would have required companies to honor opt-out requests that people make through browsers, plug-ins or privacy settings. The revised proposal also requires companies to honor those requests, but only if consumers affirmatively activate the opt-out mechanism.
In other words, companies wouldn't have to honor do-not-track requests that are set by default.
“Any privacy control developed in accordance with these regulations shall clearly communicate or signal that a consumer intends to the opt-out of the sale of personal information,” the revised proposal states. “The privacy control shall require that the consumer affirmatively select their choice to opt-out and shall not be designed with any pre-selected settings.”
The proposed regulations issued late last week replaces a set of proposals issued by Becerra last October. His office is accepting comments through February 25 on the new proposals.