• by Wendy Davis  @wendyndavis, August 17, 2020

California has finalized regulations implementing the state's landmark privacy law, including a requirement that web companies honor browser-based do-not-sell signals.

The move allows Attorney General Xavier Becerra, who already began enforcing the text of the law, to also prosecute companies that violate the new regulations.

California's Consumer Privacy Act, which went into effect in January, gives state residents the right to learn what information has been collected about them by companies, have that information deleted, and prevent the “sale” of that data to third parties. (The law's broad definition of sale includes disclosures made for “valuable consideration” -- a term left undefined in the law.)

Becerra's office must notify companies of violations and give the companies up to 30 days to come into compliance with the law before bringing an enforcement action. The law provides for fines of $2,500 to $7,500 per violation.

Association of National Advertisers Executive Vice President for Government Relations Dan Jaffe says the organization “will watch with keen interest how the California AG enforces the law,” and “will be soliciting feedback from our members on next steps.”

Many of the differences between the proposed regulations and the final ones approved by the state's Office of Legislative Affairs final version are minor, but there were a few substantive revisions.

Among others, the final version of the regulations no longer includes a provision that would have required companies to obtain consumers' explicit consent before using their information for a different purpose than what was initially disclosed.

That provision was withdrawn at Becerra's request, and his office can resubmit it at a later date.

Another proposed regulation that was withdrawn by Becerra before being finalized would have required companies to offer opt-out mechanisms that are easy for consumers to execute.

Consumer Reports criticized those revisions.

“California should make it easier, not harder for consumers to exercise the rights under the CCPA, so these changes are a step in the wrong direction,” Consumer Reports policy analyst Maureen Mahoney said.

One of the most controversial of newly approved regulations requires companies to honor global do-not-sell requests that consumers send via “user-enabled” controls, including browser settings.

Ad industry groups -- including the Association of National Advertisers, American Association of Advertising Agencies, American Advertising Federation, Digital Advertising Alliance, and Interactive Advertising Bureau -- opposed that requirement, arguing that the statute itself doesn't include the mandate.

Browser developers have offered do-not-track signals for years, but those signals don't prevent tracking. Instead, the signals communicate a do-not-track request to ad tech companies and publishers, which are free to honor or reject the requests.

Currently, the signals are widely ignored. But those existing do-not-track controls could potentially function as global do-not-sell requests, depending on how the browser developers describe the controls to users.