• by Wendy Davis  @wendyndavis, June 8, 2022

California's privacy regulator should rethink new proposed rules that would give consumers broad rights to wield control over data, the industry group Association of National Advertisers argues.

“We strongly believe that several of the proposed draft rules ... contravene the law by creating requirements that are significantly different from, and in some cases diametrically opposed to, the requirements set forth in the [California Privacy Rights Act],” Chris Oswald, executive vice president of the ANA, says in a letter sent late Tuesday to the California Privacy Protection Agency.

A draft of the proposed regulations, issued late last month, spells out companies' obligations under the Consumer Privacy Rights Act -- which will take effect next year. That measure expands the original California Consumer Privacy Act.

Taken together, the two laws give consumers the right to tell companies not to share or sell their information for a host of purposes, including online behavioral advertising.

Among other provisions, the proposed rules would require businesses to obtain consumers' opt-in consent before selling or sharing their information for purposes unrelated to its collection.

The agency said one example of the type of activity that would require companies to obtain opt-in consent involves internet service providers' sharing of customers' geolocation data. Specifically, the agency wrote that internet service providers that collect geolocation data in order to determine bandwidth use, or track outages, or other purposes relating to service can't then share that geolocation information with data brokers without consumers' explicit consent.

But the Association of National Advertisers says proposed rule goes beyond the law, arguing that the California Privacy Rights Act allows companies to share geolocation data on an opt-out basis.

“The proposed draft rules consequently exceed the agency's authority by handing down complete bans and other limitations by regulatory fiat,” the advertising organization writes.

The potential regulations also would require to honor opt-out signals -- including commands sent via a browser -- as opposed to forcing consumers to opt out of data sharing on a company-by-company basis.

The Association of National Advertisers, like other ad groups, argues that the California Privacy Rights Act allows companies to ignore requests made through browser commands, provided those companies offer opt-out links on their own websites.

The law “gives businesses the choice either to allow consumers to opt out through a do-not-sell link on their homepage(s) or through user-enabled global privacy controls,” the ad organization writes.

“In direct contrast to this optional structure set forth in the text of the law itself, the agency proposes that adherence to user-enabled global privacy controls is mandatory,” the group adds.

Some privacy advocates disagree with the organization's interpretation and argue that the California Privacy Rights Act requires companies to honor global opt-out commands.

The text appears to have contradictory provisions. One section of the Privacy Rights Act says companies "can elect whether or not to offer consumers an opt-out preference signal option or an option to opt out via a clearly labeled homepage link.”

But another provision says consumers can authorize others to opt out on consumers' behalf -- and that those authorized opt-outs can be made via universal mechanisms.