California's new privacy law, which requires companies to allow state residents to opt out of the sale of their personal data, also gives consumers the right to designate an authorized agent to opt out on their behalf.
But not all companies covered by California's law are honoring opt-out requests made by agents, according to a new study by Consumer Reports.
For the study, Consumer Reports arranged to serve as a designated agent for 124 California residents, and then issued opt-out requests to 21 companies -- including Acxiom, Amazon, AT&T, Neustar, Oracle and Starbucks. Each company received a total of 10 opt-out requests.
A slim majority (54%) of the companies confirmed that they stopped the sale of at least some data.
But five companies (24%) said they didn't sell data and “dismissed” the opt-out requests, while three (14%) didn't confirm that the opt-outs had been processed, according to Consumer Reports. One company requested “non-standard” information, and Consumer Reports did not complete the process for that company.
Several companies contacted by Consumer Reports responded to the opt-out requests by directing consumers to an external site.
“Even if this method were effective in limiting data sharing, it adds to the complexity of the opt out for consumers,” Consumer Reports writes. “Instead of sending consumers to a secondary opt-out portal, companies could have registered the consumer’s preference in their own database in response to the opt out and subsequently not sent the consumer’s personal information to third parties for targeted ads.”
Consumer Reports said some businesses that denied “selling” personal information appeared to engage in behavioral targeting, based on their privacy policies.
California's privacy law contains an ambiguity that could allow companies to draw on personal information for ad-targeting purposes despite people's attempt to opt out. (The California Privacy Rights Act, which was passed last November and will go into effect in 2023, closes that potential loophole.)
The current law's ambiguity stems from its key definitions. The measure defines “sale” as including transfers and disclosures -- which would appear to cover transfers to ad-tech companies. But the statute also says transfers made for business purposes, pursuant to contracts with “service providers,” are not sales.
In 2019, the Interactive Advertising Bureau suggested in a compliance framework that companies could, in some circumstances, enter into "service provider" contracts with ad-tech companies, and then serve targeted ads to people who had opted out of the sale of their data.
Soon after the IAB issued the framework, Consumer Reports and other advocacy groups urged Attorney General Xavier Becerra to say the exception for “service providers” doesn't apply when ad-tech companies engage in behavioral advertising.
Last year a different trade group, the Network Advertising Initiative, warned advertisers and publishers against that potential loophole.
Consumer Reports, which is submitting its findings to California, is now urging the state attorney general to “clarify that data shared for cross-context targeted advertising is a sale,” and to “clarify that companies cannot transfer data to service providers for behavioral advertising if the consumer has opted out of sale.”
“Giving consumers the ability to rein in targeted advertising was a primary goal of the CCPA,” the report's authors state.
They add that in 2019, the California legislature rejected an amendment that would have explicitly exempted targeted advertising from the law's requirements.
“For many consumers, behavioral advertising is a serious abuse of their personal privacy,” the authors add. “Not only does the widespread collection of data involved in this tracking leave consumers potentially more vulnerable to security breaches and inadvertent disclosure of damaging information, but it also reveals more about consumers than they might want to share with others such as their sexual preferences, health issues, and political activities.”