The ad industry is hoping to scuttle a proposed privacy
regulation in California that would require companies to honor requests by consumers to opt out of the sale of their data on a global basis.
That proposed rule, loosely characterized a mandate
to follow browser-based do-not-track commands, goes further than the “intent and scope” of the California Consumer Privacy Act, the American Association of Advertising Agencies, American
Advertising Federation, Association of National Advertisers, Digital Advertising Alliance, and Interactive Advertising Bureau stated this week.
The organizations plan to ask the California
Office of Administrative Law to reject the proposed rule, which was among the proposed privacy
regulations sent to the Office of Administrative Law last week by Attorney General Xavier Becerra.
The agency now has around 90 days to approve the proposed rules. Becerra requested
approval on an expedited basis, in order to begin enforcement by July 1.
The California Consumer Privacy Act, which took effect in January, gives consumers the right to learn what information
has been collected about them by companies, have that information deleted, and prevent the sale of that data to third parties.
Among Becerra's proposed regulations is a requirement that
companies honor "user-enabled global privacy controls, such as a browser plugin or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to
opt-out of the sale of their personal information."
The ad industry opposes the requirement to honor browser-based commands, arguing that the law doesn't authorize any mandate to honor
universal opt-outs. Instead, ad groups say they should only be required to honor opt-outs on a company-by-company basis.
“The CCPA does not say anything about browser controls,”
ANA executive vice president Dan Jaffe stated this week. Becerra “illegally created this new requirement,” he added.
Browser developers have offered do-not-track signals for years,
but those signals don't prevent tracking. Instead, the signals communicate a do-not-track request to ad tech companies and publishers, which are free to honor the requests or not.
Those
existing do-not-track controls could potentially function as
global do-not-sell requests, depending on how the browser developers describe the controls to users.
The ad groups also reiterated their concerns that Becerra is moving forward too quickly,
given the existing public health crisis.
The organizations stated this week that Becerra's attempt to begin enforcement by next month overlooks “the significant disruption that has
impacted businesses as they work to protect employees and consumers from COVID-19.”
The self-regulatory group Network Advertising Initiative separately criticized the proposed regulation
regarding global privacy controls.
That proposal does not “make it sufficiently clear that those controls must signal a user-enabled preference to opt out of sales of
personal information, instead of default settings established by intermediaries that do not express an actual user preference,” president and CEO Leigh Freund wrote Tuesday in a blog post.
She adds that the lack of clarity “will lead to
confusion in the marketplace about which signals that purport to convey user-enabled privacy preferences should be treated as authentic consumer requests to opt out of sales.”
Freund
also notes that the proposed California Privacy Rights Act ballot initiative, which could
be voted on in November, appears to be inconsistent with a requirement to honor a global opt-out.
That ballot initiative appears to give web companies the option of either placing an opt-out
link on their home pages, or honoring a browser-based do-not-track signal.