California AG Moves Forward With Privacy Regulations

California Attorney General Xavier Becerra has finalized a set of proposed privacy regulations that would require web companies to honor requests by consumers to opt out of the sale of their data on a global basis.

On Monday, Becerra forwarded the proposed regulations to the state's Office of Administrative Law, which now has up to 90 days to approve them. Becerra has requested approval on an expedited basis, in order to begin enforcement by July 1.

The California Consumer Privacy Act, which took effect in January, gives consumers the right to learn what information has been collected about them by companies, have that information deleted, and prevent the sale of that data to third parties.

Among the most controversial of the regulations is a requirement that web companies honor a universal do-not-sell mechanism. Specifically, the proposed regulations would require companies to honor "user-enabled global privacy controls, such as a browser plugin or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information."

Browser developers have offered do-not-track signals for years, but those signals don't prevent tracking. Instead, the signals communicate a do-not-track request to ad tech companies and publishers, which are free to honor the requests or not.

Currently, those requests are widely ignored. But those existing do-not-track controls could potentially function as global do-not-sell requests, depending on how the browser developers describe the controls to users.

Ad industry groups including the Association of National Advertisers, American Association of Advertising Agencies, Interactive Advertising Bureau, American Advertising Federation, Network Advertising Initiative and Digital Advertising Alliance previously urged Berecca to drop the requirement to honor a global opt-out.

The groups contend the mandate would violate the First Amendment by unnecessarily restricting commercial speech. Instead, the groups argued, they should only be required to honor opt-outs on a company-by-company basis.

The ad industry also says forcing companies to honor universal opt-outs is “extralegal,” because the California Consumer Privacy Act doesn't include that requirement in its text.

“The California legislature had the opportunity to enact a browser-based signal requirement on multiple occasions, but never chose to do so,” a coalition of industry groups wrote to Becerra last December.

Becerra rejected the ad industry's arguments, stating in written comments issued Tuesday that the mandate to honor a globa opt-out is neccesary.

“Without it, businesses are likely to reject or ignore tools that empower consumers to effectuate their opt-out right,” the agency wrote.

The agency justified the mandate by noting most web companies fail to respect browser-based do-not-track signals.

“The majority of businesses disclose that they do not comply with those signals, meaning that they do not respond to any mechanism that provides consumers with the ability to exercise choice over how their information is collected,” the agency wrote. “Accordingly, the [Attorney General] has concluded that businesses will very likely similarly ignore or reject a global privacy control if the regulation permits discretionary compliance. The regulation is thus necessary to prevent businesses from subverting or ignoring consumer tools related to their CCPA rights."

The watchdog Consumer Reports praised the proposed requirement that companies to honor a universal opt-out.

“Opting out of hundreds of companies one-by-one just isn’t workable, so we’re glad that the AG is requiring companies to honor universal opt-outs,” Justin Brookman, Consumer Reports director of privacy and technology policy, stated.

But the group also expressed disappointment that Becerra didn't address an ambiguity in the law that could allow companies to continue to serve people with targeted ads -- even after they attempt to opt out of the sale of their data.

The final regulations reflect “a missed opportunity to clarify that behavioral advertising falls under the CCPA opt-out,” Brookman stated.

The uncertainty stems from the law's definition of "sale." While the measure broadly defines “sale” as including transfers and disclosures. it also says transfers to service providers that are made for “business purposes” -- including advertising and marketing -- are not sales.

Last year, Consumer Reports and other advocates urged Becerra to say the “business purposes” exception doesn't allow companies to share data about consumers in order to serve them with targeted ads.

The groups' request came after the Interactive Advertising Bureau suggested in a compliance framework that ad tech companies can, in certain circumstances, serve targeted ads to consumers who have opted out of the sale of their data.

Facebook also reportedly told advertisers last year that it doesn't need to change how its trackers operate, due to the law's definition exemption that allows companies to make transfers for business purposes.

 

Next story loading loading..