Last year, California voters approved a new privacy measure that expands on the state's already broad law.
That new measure, slated to take effect in 2023, has some ambiguities that are already prompting disagreements between the ad industry and privacy advocates.
A key one centers on whether the law requires companies to honor requests to opt out of behavioral advertising, when those requests are made via tools like the Global Privacy Control.
The Global Privacy Control, available as a downloadable extension, allows consumers to send a “do-not-sell” request to every site they visit, as opposed to opting out on a site-by-site basis.
The ad industry this week argued in comments to the Privacy Protection Agency that the new law allows companies to ignore requests made through such global tools -- provided those companies offer opt-out links on their own websites.
Consumer advocates disagree.
The dispute has its origins in the current privacy law -- which was passed in 2018 and took effect last year.
That law gives consumers the right to learn what personal information about them is held by businesses, request deletion of that information, and opt out of its sale. (While the law uses the word “sale,” it defines the term broadly enough that it appears to cover the types of data transfers that fuel online ad targeting.)
California's Attorney General said last year that companies must honor opt-outs made through a universal “do-not-sell” mechanism -- even though the text of the law doesn't mention global opt-outs.
The new Privacy Rights Act expands on the earlier law in several ways, including by enshrining provisions about global opt-out controls. But the Privacy Rights Act's language regarding global opt-outs is confusing and ambiguous.
On one hand, the Privacy Rights Act has some language suggesting companies need not honor opt-outs made through tools like the Global Privacy Control, provided the companies post prominent opt-out links on their own websites.
The Association of National Advertisers, Interactive Advertising Bureau and other industry groups point to that language in their comments, arguing that businesses “can elect whether or not to offer consumers an opt-out preference signal option or an option to opt out via a clearly labeled homepage link.”
But there's a wrinkle to the ad groups' argument: The Privacy Rights Act also has language suggesting that companies have no choice about honoring global opt-outs. Specifically, one section of the law provides that consumers can authorize others to opt out on consumers' behalf -- and says those authorized opt-outs can be made via universal mechanisms.
The advocacy group Consumer Reports interprets that language as requiring companies to respect all requests made through the Global Privacy Control and other universal opt-out tools.
“Consumers deserve an easy and practically usable way of globally expressing certain privacy preferences,” Consumer Reports writes in its comments to the agency.
“Global controls can't work in practice if adherence to them is optional,” adds Justin Brookman, director of technology policy at Consumer Reports.
The advocacy organization is specifically urging the Privacy Protection Agency to “put an end to any uncertainty” and clarify that companies “must always honor global preference signals that comply with the statute’s requirements.”