California's privacy regulator has proposed new rules that appear to broaden residents' ability to control how their data is shared.
The proposed regulations, released late last month by the California Privacy Protection Agency, would prohibit businesses from selling or sharing consumers' information for purposes unrelated to its collection, without opt-in consent.
On Friday, the agency elaborated that California's privacy law restricts businesses from “collecting, using, retaining, and sharing consumer personal information in a manner that is inconsistent with consumer expectations, unless they obtain the consumer’s explicit consent.”
The proposed regulations spell out companies' obligations under the Consumer Privacy Rights Act, which will take effect next year and broadens the original California Consumer Privacy Act. Taken together, the two measures will give consumers the right to tell companies not to share or sell their information for a host of purposes, including online behavioral advertising.
The new proposed regulations, combined with an explanation released Friday, appear in some circumstances to impose obligations beyond simply honoring do-not-sell-or-share requests, according to privacy lawyer Daniel Goldberg, a partner in the law firm Frankfurt Kurnit Klein & Selz.
That broad approach “threatens many business models,” Goldberg writes, adding that he expects the industry “to push back significantly.”
The proposed regulations include examples of the type of restrictions under consideration.
One example involves forcing consumers to consent to data collection for all purposes -- expected ones as well as surprising ones. In that example, the agency discusses a scenario involving a mobile app that offers information about the price of nearby gasoline.
If that app developer wanted to share users' location with data brokers, the developer would be required to obtain the users' explicit consent to do so, even when users had already agreed to share their locations in order to find gas stations.
The proposed regulations also would require companies to honor opt-out signals -- such as browser commands -- as opposed to forcing consumers to opt out of data sharing on a company-by-company basis.
The ad industry previously argued to the Privacy Protection Agency that California's law allows companies to ignore requests made through browser commands, provided those companies offer opt-out links on their own websites.
California's privacy agency will hold a public hearing Wednesday on the proposed regulations.