Despite objections by the ad industry and business groups, California's Attorney General Xavier Becerra said Wednesday he will begin enforcing the state's new privacy law.
“Today we begin enforcement of the California Consumer Privacy Act,” Becerra stated. “We encourage every Californian to know their rights to internet privacy and every business to know its responsibilities.”
He added: “The website of every business covered by the law must now post a link on its homepage that says ‘Do Not Sell My Personal Information.'”
The California Consumer Privacy Act, which took effect January 1, gives state residents the right to learn what information has been collected about them by companies, have that information deleted, and prevent the sale of that data to third parties.
Becerra's office must notify companies of violations and give the companies up to 30 days to come into compliance with the law, before bringing an enforcement action. The law provides for fines of $2,500 to $7,500 per violation.
State lawmakers tasked Becerra with crafting regulations to implement the privacy law.
In June, Becerra proposed a set of regulations, but they have not yet been finalized by state officials.
Those proposed rules include a requirement that web companies honor a universal do-not-sell mechanism.
Specifically, the proposed regulations would require companies to honor "user-enabled global privacy controls, such as a browser plugin or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information.”
Ad industry groups including the Association of National Advertisers, unsuccessfully urged Becerra to push back the enforcement date due to the COVID-19 pandemic and the lack of final regulations.
The ANA and other organizations also objected to the requirement to honor universal opt-out requests, arguing that the statute itself doesn't include that obligation.
“The California legislature had the opportunity to enact a browser-based signal requirement on multiple occasions, but never chose to do so,” a coalition of industry groups wrote to Becerra last December.
Browser developers have offered do-not-track signals for years, but those signals don't prevent tracking. Instead, the signals communicate a do-not-track request to ad tech companies and publishers, which are free to honor the requests or not.
Currently, those requests are widely ignored. But those existing do-not-track controls could potentially function as global do-not-sell requests, depending on how the browser developers describe the controls to users.
Last month, Becerra said in written comments that the mandate to honor global opt-out is necessary, given that web companies historically failed to respect browser-based do-not-track signals.
“The majority of businesses disclose that they do not comply with those signals, meaning that they do not respond to any mechanism that provides consumers with the ability to exercise choice over how their information is collected,” the agency wrote. “Businesses will very likely similarly ignore or reject a global privacy control if the regulation permits discretionary compliance. The regulation is thus necessary to prevent businesses from subverting or ignoring consumer tools related to their CCPA rights."
Although the law is now enforceable, the regulations -- including the global opt-out rule -- won't be enforceable until granted final approval, according to the ad industry self-regulatory group Network Advertising Initiative.