Tough new proposed privacy regulations in
California are inconsistent with the state's recently passed Privacy Rights Act, the major ad organizations say in a letter sent Tuesday to the state's privacy agency.
“We are
concerned that several provisions in the proposed regulations contravene the clear text” of the law, the Association of National Advertisers, Interactive Advertising Bureau, American Association
of Advertising Agencies, American Advertising Federation, and Digital Advertising Alliance write.
The groups are urging the California Privacy Protection Agency to revise the proposed rules
“to ensure that they align more clearly with the text” of the California Privacy Rights Act.
Their letter comes around two months after the agency unveiled a set of proposed
regulations that appear to broadly limit companies' ability to collect or harness data. One controversial provision of the proposed
regulations would prohibit businesses from collecting, using or sharing consumers' information for purposes unrelated to its collection, without opt-in consent.
The ad industry argues that
this restriction would be inconsistent with the state's Consumer Privacy Rights Act -- which will take effect next year, and broadens the original California Consumer Privacy Act. Taken together, the
two measures will give consumers the right to tell companies not to share or sell their information for a host of purposes, including online behavioral advertising.
The ad groups specifically
argue that the Consumer Privacy Rights Act allows companies to use information for purposes that are “consistent and compatible” with disclosures made to consumers -- even if unrelated to
the data's collection.
When the privacy agency released the proposed regulations, it also set out examples of situations that would require companies to obtain consumers' opt-in consent to the
use of their data.
In one example involving location data, the agency said companies that collect location data from consumers must also obtain explicit consent to share that information with
data brokers.
But the ad groups say the text of the Consumer Privacy Rights Act would allow the information to be transferred without separate opt-in consent, provided those transfers were
disclosed to consumers.
The proposed regulations also would require companies to honor opt-out signals -- such as browser commands -- as opposed to forcing consumers to opt out of data sharing
on a company-by-company basis.
The ad groups argue that California's law allows companies to ignore requests made through browser commands, as long as those companies offer opt-out links
on their own websites. The organizations point to a section of the law that says companies "may elect” to comply with opt out signals or to include opt-out links in the footer of their
websites.
“The proposed rules contradict this statutory language by stating that processing such signals is mandatory,” the ad groups write.
Privacy advocates disagree with
the industry about whether the law requires companies to honor opt-out signals. Advocates point to a different provision of the law that says consumers can authorize others to opt out on consumers'
behalf -- and that those authorized opt-outs can be made via universal mechanisms.
Consumer Reports flags that language in separate comments to the agency, adding that opt-out approaches to
privacy require universal opt-out mechanisms.
“In order to function effectively, opt-out regimes need global opt-out options; for global opt-out options to function effectively,
companies must be required to adhere to them,” Justin Brookman, director of technology policy for Consumer Reports, writes.
He writes that if the law “is interpreted
counterintuitively to not require adherence to universal signals, the law will be a failure and Californians will not have the ability to practically limit the sharing or selling of their
data.”
The ad industry groups also say the proposed regulations would cause confusion, noting they don't call for standardization of opt-out preference signals.
“The agency
should create a process to address the requirements for opt-out preference signals ... rather than make businesses guess which signals comply with the law’s mandates as well as how companies
should address conflicting signals with respect to a single individual,” the groups write.
Santa Clara law professor Eric Goldman also raises concerns about the opt-out signals. He says
in separate comments that the California agency should add a certification process before
designating a technology as an opt-out preference signal.
The agency “should develop a process for validating software that meets the regulatory standards, publicize its determination to
the community, and give businesses an adequate period to make the technical adjustments on their side,” he writes.