Despite objections by the ad industry and business
groups, California's Attorney General Xavier Becerra said Wednesday he will begin enforcing the state's new privacy law.
“Today we begin enforcement of the California Consumer Privacy
Act,” Becerra stated. “We encourage every Californian
to know their rights to internet privacy and every business to know its responsibilities.”
He added: “The website of every business covered by the law must now post a link on its
homepage that says ‘Do Not Sell My Personal Information.'”
The California Consumer Privacy Act, which took effect January 1, gives state residents the right to learn what
information has been collected about them by companies, have that information deleted, and prevent the sale of that data to third parties.
Becerra's office must notify companies of violations
and give the companies up to 30 days to come into compliance with the law, before bringing an enforcement action. The law provides for fines of $2,500 to $7,500 per violation.
State lawmakers
tasked Becerra with crafting regulations to implement the privacy law.
In June, Becerra proposed a set of regulations, but they have not yet been finalized by state officials.
Those
proposed rules include a requirement that web companies honor a universal do-not-sell mechanism.
Specifically, the proposed regulations would require companies to honor "user-enabled global
privacy controls, such as a browser plugin or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal
information.”
Ad industry groups including the Association of National Advertisers, unsuccessfully urged Becerra to push back the enforcement date due to the COVID-19 pandemic and the
lack of final regulations.
The ANA and other organizations also objected to the requirement to honor universal opt-out requests, arguing that the statute itself doesn't include that
obligation.
“The California legislature had the opportunity to enact a browser-based signal requirement on multiple occasions, but never chose to do so,” a coalition of industry
groups wrote to Becerra last December.
Browser developers
have offered do-not-track signals for years, but those signals don't prevent tracking. Instead, the signals communicate a do-not-track request to ad tech companies and publishers, which are free to
honor the requests or not.
Currently, those requests are widely ignored. But those existing do-not-track controls could potentially function as global do-not-sell requests, depending
on how the browser developers describe the controls to users.
Last month, Becerra said in written
comments that the mandate to honor global opt-out is necessary, given that web companies historically failed to respect browser-based do-not-track signals.
“The majority of
businesses disclose that they do not comply with those signals, meaning that they do not respond to any mechanism that provides consumers with the ability to exercise choice over how their information
is collected,” the agency wrote. “Businesses will very likely similarly ignore or reject a global privacy control if the regulation permits discretionary compliance. The regulation is thus
necessary to prevent businesses from subverting or ignoring consumer tools related to their CCPA rights."
Although the law is now enforceable, the regulations -- including the global opt-out
rule -- won't be enforceable until granted final approval, according to the ad industry self-regulatory group Network Advertising Initiative.