• by Wendy Davis  @wendyndavis, June 9, 2020

The ad industry is hoping to scuttle a proposed privacy regulation in California that would require companies to honor requests by consumers to opt out of the sale of their data on a global basis.

That proposed rule, loosely characterized a mandate to follow browser-based do-not-track commands, goes further than the “intent and scope” of the California Consumer Privacy Act, the American Association of Advertising Agencies, American Advertising Federation, Association of National Advertisers, Digital Advertising Alliance, and Interactive Advertising Bureau stated this week.

The organizations plan to ask the California Office of Administrative Law to reject the proposed rule, which was among the proposed privacy regulations sent to the Office of Administrative Law last week by Attorney General Xavier Becerra.

The agency now has around 90 days to approve the proposed rules. Becerra requested approval on an expedited basis, in order to begin enforcement by July 1.

The California Consumer Privacy Act, which took effect in January, gives consumers the right to learn what information has been collected about them by companies, have that information deleted, and prevent the sale of that data to third parties.

Among Becerra's proposed regulations is a requirement that companies honor "user-enabled global privacy controls, such as a browser plugin or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information."

The ad industry opposes the requirement to honor browser-based commands, arguing that the law doesn't authorize any mandate to honor universal opt-outs. Instead, ad groups say they should only be required to honor opt-outs on a company-by-company basis.

“The CCPA does not say anything about browser controls,” ANA executive vice president Dan Jaffe stated this week. Becerra “illegally created this new requirement,” he added.

Browser developers have offered do-not-track signals for years, but those signals don't prevent tracking. Instead, the signals communicate a do-not-track request to ad tech companies and publishers, which are free to honor the requests or not.

Those existing do-not-track controls could potentially function as global do-not-sell requests, depending on how the browser developers describe the controls to users.

The ad groups also reiterated their concerns that Becerra is moving forward too quickly, given the existing public health crisis.

The organizations stated this week that Becerra's attempt to begin enforcement by next month overlooks “the significant disruption that has impacted businesses as they work to protect employees and consumers from COVID-19.”

The self-regulatory group Network Advertising Initiative separately criticized the proposed regulation regarding global privacy controls. 

That proposal does not “make it sufficiently clear that those controls must signal a user-enabled preference to opt out of sales of personal information, instead of default settings established by intermediaries that do not express an actual user preference,” president and CEO Leigh Freund wrote Tuesday in a blog post.

She adds that the lack of clarity “will lead to confusion in the marketplace about which signals that purport to convey user-enabled privacy preferences should be treated as authentic consumer requests to opt out of sales.”

Freund also notes that the proposed California Privacy Rights Act ballot initiative, which could be voted on in November, appears to be inconsistent with a requirement to honor a global opt-out.

That ballot initiative appears to give web companies the option of either placing an opt-out link on their home pages, or honoring a browser-based do-not-track signal.