• by Wendy Davis  @wendyndavis, August 24, 2022

Tough new proposed privacy regulations in California are inconsistent with the state's recently passed Privacy Rights Act, the major ad organizations say in a letter sent Tuesday to the state's privacy agency. 

“We are concerned that several provisions in the proposed regulations contravene the clear text” of the law, the Association of National Advertisers, Interactive Advertising Bureau, American Association of Advertising Agencies, American Advertising Federation, and Digital Advertising Alliance write.

The groups are urging the California Privacy Protection Agency to revise the proposed rules “to ensure that they align more clearly with the text” of the California Privacy Rights Act.

Their letter comes around two months after the agency unveiled a set of proposed regulations that appear to broadly limit companies' ability to collect or harness data. One controversial provision of the proposed regulations would prohibit businesses from collecting, using or sharing consumers' information for purposes unrelated to its collection, without opt-in consent.

The ad industry argues that this restriction would be inconsistent with the state's Consumer Privacy Rights Act -- which will take effect next year, and broadens the original California Consumer Privacy Act. Taken together, the two measures will give consumers the right to tell companies not to share or sell their information for a host of purposes, including online behavioral advertising.

The ad groups specifically argue that the Consumer Privacy Rights Act allows companies to use information for purposes that are “consistent and compatible” with disclosures made to consumers -- even if unrelated to the data's collection.

When the privacy agency released the proposed regulations, it also set out examples of situations that would require companies to obtain consumers' opt-in consent to the use of their data.

In one example involving location data, the agency said companies that collect location data from consumers must also obtain explicit consent to share that information with data brokers.

But the ad groups say the text of the Consumer Privacy Rights Act would allow the information to be transferred without separate opt-in consent, provided those transfers were disclosed to consumers.

The proposed regulations also would require companies to honor opt-out signals -- such as browser commands -- as opposed to forcing consumers to opt out of data sharing on a company-by-company basis.

The ad groups argue that California's law allows companies to ignore requests made through browser commands, as long as those companies offer opt-out links on their own websites. The organizations point to a section of the law that says companies "may elect” to comply with opt out signals or to include opt-out links in the footer of their websites.

“The proposed rules contradict this statutory language by stating that processing such signals is mandatory,” the ad groups write.

Privacy advocates disagree with the industry about whether the law requires companies to honor opt-out signals. Advocates point to a different provision of the law that says consumers can authorize others to opt out on consumers' behalf -- and that those authorized opt-outs can be made via universal mechanisms.

Consumer Reports flags that language in separate comments to the agency, adding that opt-out approaches to privacy require universal opt-out mechanisms.

“In order to function effectively, opt-out regimes need global opt-out options; for global opt-out options to function effectively, companies must be required to adhere to them,” Justin Brookman, director of technology policy for Consumer Reports, writes.

He writes that if the law “is interpreted counterintuitively to not require adherence to universal signals, the law will be a failure and Californians will not have the ability to practically limit the sharing or selling of their data.”

The ad industry groups also say the proposed regulations would cause confusion, noting they don't call for standardization of opt-out preference signals.

“The agency should create a process to address the requirements for opt-out preference signals ... rather than make businesses guess which signals comply with the law’s mandates as well as how companies should address conflicting signals with respect to a single individual,” the groups write.

Santa Clara law professor Eric Goldman also raises concerns about the opt-out signals. He says in separate comments that the California agency should add a certification process before designating a technology as an opt-out preference signal.

The agency “should develop a process for validating software that meets the regulatory standards, publicize its determination to the community, and give businesses an adequate period to make the technical adjustments on their side,” he writes.