California's new privacy law, which requires
companies to allow state residents to opt out of the sale of their personal data, also gives consumers the right to designate an authorized agent to opt out on their behalf.
But not all
companies covered by California's law are honoring opt-out requests made by agents, according to a new study by Consumer Reports.
For the study, Consumer Reports arranged to serve as a
designated agent for 124 California residents, and then issued opt-out requests to 21 companies -- including Acxiom, Amazon, AT&T, Neustar, Oracle and Starbucks. Each company received a total of
10 opt-out requests.
A slim majority (54%) of the companies confirmed that they stopped the sale of at least some data.
But five companies (24%) said they didn't sell data and
“dismissed” the opt-out requests, while three (14%) didn't confirm that the opt-outs had been processed, according to Consumer Reports. One company requested “non-standard”
information, and Consumer Reports did not complete the process for that company.
Several companies contacted by Consumer Reports responded to the opt-out requests by directing consumers to an
external site.
“Even if this method were effective in limiting data sharing, it adds to the complexity of the opt out for consumers,” Consumer Reports writes. “Instead of
sending consumers to a secondary opt-out portal, companies could have registered the consumer’s preference in their own database in response to the opt out and subsequently not sent the
consumer’s personal information to third parties for targeted ads.”
Consumer Reports said some businesses that denied “selling” personal information appeared to engage
in behavioral targeting, based on their privacy policies.
California's privacy law contains an ambiguity that could allow companies to draw on personal information for
ad-targeting purposes despite people's attempt to opt out. (The California Privacy Rights Act, which was passed last November and will go into effect in 2023, closes that potential loophole.)
The current law's ambiguity stems from its key definitions. The measure defines “sale” as including transfers and disclosures -- which would appear to cover transfers to ad-tech
companies. But the statute also says transfers made for business purposes, pursuant to contracts with “service providers,” are not sales.
In 2019, the Interactive Advertising
Bureau suggested in a compliance framework that companies could, in some circumstances, enter into "service provider" contracts with
ad-tech companies, and then serve targeted ads to people who had opted out of the sale of their data.
Soon after the IAB issued the framework, Consumer Reports and other advocacy groups urged
Attorney General Xavier Becerra to say the exception for “service providers” doesn't apply when ad-tech companies engage in behavioral advertising.
Last year a different trade
group, the Network Advertising Initiative, warned advertisers and publishers
against that potential loophole.
Consumer Reports, which is submitting its findings to California, is now urging the state attorney general to “clarify that data shared for cross-context
targeted advertising is a sale,” and to “clarify that companies cannot transfer data to service providers for behavioral advertising if the consumer has opted out of sale.”
“Giving consumers the ability to rein in targeted advertising was a primary goal of the CCPA,” the report's authors state.
They add that in 2019, the California legislature
rejected an amendment that would have explicitly exempted targeted advertising from the law's requirements.
“For many consumers, behavioral advertising is a serious abuse of their
personal privacy,” the authors add. “Not only does the widespread collection of data involved in this tracking leave consumers potentially more vulnerable to security breaches and
inadvertent disclosure of damaging information, but it also reveals more about consumers than they might want to share with others such as their sexual preferences, health issues, and political
activities.”