• by Wendy Davis , Staff Writer @wendyndavis, February 27, 2020

California's sweeping new privacy law will soon become more business friendly, if a set of regulations proposed by Attorney General Xavier Becerra are finalized. That's according to some prominent consumer groups, who are urging Becerra to rethink a set of proposals unveiled earlier this month.

The latest potential regulations “are largely a step backwards for protecting consumers’ privacy, particularly in terms of consumers’ attempting to stop the sale of their information,” eight watchdogs including the Electronic Frontier Foundation, ACLU, and Campaign for a Commercial Free Childhood said in comments submitted this week to Becerra.

They add that the newest proposals, which replace a set of proposed regulations floated last year, "make a number of changes to the original draft that are business-friendly at consumers’ expense."

The California Consumer Privacy Act broadly gives consumers the right to learn what personal information has been collected about them by companies, have that information deleted, and prevent the sale of that data to third parties. But the law contains ambiguities -- including what precise data is going to be considered “personal information,” and how consumers should communicate their desire to prevent the sale of that data.

Earlier this month, Becerra proposed that data such as IP addresses should only be considered “personal information” if it is stored in a way that could reasonably link it to particular individuals or households.

Under that definition, a company that collects IP addresses may be able to transfer them to third parties.

But the consumer groups say the key question isn't whether the seller can tie the data to a specific person or household, but whether the recipient can do so.

“Privacy laws must -- and the CCPA does -- take into account the modern reality that information is not 'anonymous' and thus not personal merely because its current possessor lacks the capacity to associate it with a specific person,” the groups write.

They add that people have already been identified based on “anonymous” information, as happened in 2006 after AOL released three months' worth of search queries from 650,000 members.

AOL took steps to "anonymize" the members, but some users were nonetheless identified based on patterns in their search queries. Most famously, within days of the July 2006 data release, The New York Times identified AOL user Thelma Arnold.

“Protecting information like IP addresses that can be used to track consumers’ online activity is the goal of modern privacy laws including the CCPA,” the watchdogs write.

The groups also take issue with the way the proposal treats browser-based tools, like the do-not-track headers.

The proposed regulations require companies to honor opt-out requests that people make through browsers, plug-ins or privacy settings -- but only if consumers affirmatively activate the opt-out mechanism.

The advocacy groups oppose that qualification, arguing that it could exclude some do-not-track headers currently in use.

“A consumer’s choice to use tools that are privacy protective by default should not mean they have fewer protections,” the groups write. “Any pro-consumer privacy regulation should not incentivize companies to not protect privacy by default -- that is an absurd consequence.”

Becerra is expected to issue final regulations before July 1.