Consumer Groups Urge Calif. Privacy Agency Not to Weaken Opt-Outs
California Privacy Rights Act (CPRA) author Alastair Mactaggart warned the California Privacy Protection Agency (CPPA) to reject industry “disinformation” that it will be voluntary to honor users’ browser opt-out signals. The CPPA held its second day of partially virtual hearings Thursday on draft rules implementing CPRA, the successor law to the California Consumer Privacy Act (CCPA). Consumer privacy groups urged the CPPA not to delay enforcement from Jan. 1, as business groups requested Wednesday (see 2208240067).
“There is no choice here for businesses” but to honor opt-out signals, said Mactaggart. When the CPRA says consumers “may” opt out via third parties including the global privacy control (GPC), it means they must have that right, said the Californians for Consumer Privacy founder: It doesn’t mean the agency has a choice on whether to require it. Also, Mactaggart urged the CPPA to reconsider a draft rule that would allow businesses that receive the opt-out signal to then ask the user for more information. People will turn off the GPC if it results in every website asking for their email address or other information, he said.
Receiving an opt-out shouldn’t trigger companies to ask users for personal information, agreed Electronic Privacy Information Center law fellow Sara Geoghegan. Absent clarification, EPIC is "concerned that businesses might try to undermine the efficacy of opt-out preference signals by bombarding consumers with confirmatory pop-ups and fomenting consent fatigue.”
Resist changing the draft GPC rules, said Consumer Reports Director-Technology Policy Justin Brookman. If following those signals isn’t mandatory, consumers’ "opt-out rights are not going to be usable or workable." People find it "tedious" and "confusing" to opt out site by site, he said. Brookman suggested the agency make a list of which specific GPC signals companies will be required to treat as binding.
Don't delay implementing CPRA, which was passed in 2020 and builds on 2018’s CCPA, Brookman said: “Companies have had several years now to adhere to California law.” Geoghegan agreed that’s more than enough time.
The Digital Advertising Alliance is concerned several draft rules contravene the law on which they're based, and that the privacy agency has underestimated costs from new and unclear requirements, said CEO Lou Mastria. He urged the CPPA to explore public-private partnerships, including with the alliance’s YourAdChoices program, to deliver more quickly on the agency’s mission.
Don’t let rules hinder small businesses from competing with bigger companies, cautioned Ben Medina of the San Juan Capistrano Chamber of Commerce.
The CPPA should certify opt-out preference signals, said Santa Clara University law professor Eric Goldman in written comments Tuesday. It was “ridiculous” for then California Attorney General Xavier Becerra (D) to tweet last year that GPC was a qualifying opt-out signal under CCPA, but “the tweet at least provided guidance to the business community about the department’s views,” said Goldman. “Businesses would otherwise have to guess what technologies qualify because the regulations do not provide any other official signals to businesses. The CPPA should develop a process for validating software that meets the regulatory standards, publicize its determination to the community, and give businesses an adequate period to make the technical adjustments on their side.”
CPRA enforcement should be postponed because the California agency missed its July 2022 deadline to finalize rules, Goldman said. The delay finishing rules means “businesses will not get an appropriate and fair turnaround time to implement the regulations,” he said. “The CPPA should provide explicit guidance on an updated schedule for businesses’ expected compliance obligations and the CPPA’s enforcement efforts.”