On June 2, 2020, the Office of the California Attorney General (“OAG”) submitted its final proposed regulations under the California Consumer Privacy Act (CCPA). The OAG press release suggests these final regulations clarify “important transparency and accountability mechanisms for businesses subject to the law.” A number of those reviewing these final regulations correctly point out that they have not changed much from the last draft.
The most striking feature of these proposed regulations, however, is actually found in the explanatory reasoning jointly filed by the AG. The OAG Statement of Reasons suggests the OAG may have, in effect, mandated more than what was expressly required under CCPA, namely an opt-out setting for the sale of personal information that can be managed by consumers on a global basis.
By way of background, consumers have long had the capability to send “Do Not Track” (DNT) header signals from their browsers – with privacy advocates long providing tutorials on how consumer-choice DNT tools could be implemented on browsers. Because a DNT signal is a machine-readable header and not an embedded cookie, i.e., a file placed by websites on a consumer’s computer in order to store privacy preferences, consumers can delete installed cookies without disrupting their global DNT signal. Some companies, such as Apple, do not respond to DNT signals at all, claiming that they do not “track its customers over time and across third party websites to provide targeted advertising.”
The OAG sets forth in § 999.315 the relevant “Requests to Opt-Out” language later interpreted by the OAG in its Statement of Reasons.
Section 999.315(c) of the OAG’s regulations reads: “A business’s methods for submitting requests to opt-out shall be easy for consumers to execute and shall require minimal steps to allow the consumer to opt-out. A business shall not utilize a method that is designed with the purpose or has the substantial effect of subverting or impairing a consumer’s decision to opt-out.” And the final subsection (d)(1) reads: “Any privacy control developed in accordance with these regulations shall clearly communicate or signal that a consumer intends to opt-out of the sale of personal information.”
Previously, an EFF-led privacy coalition recommended the deletion of the following clause from § 999.315(d)(1): “The privacy control shall require that the consumer affirmatively select their choice to opt-out and shall not be designed with any pre-selected settings.” That recommendation was adopted by the OAG and the “affirmative selection” language was deleted – obviating the need for a potential website-by-website affirmative opt-out selection by consumers.
While the § 315(d)(1) recommendation was adopted, the OAG chose not to adopt the EFF coalition’s recommendation to add the following clause at the end of § 315(c): “A business shall treat a ‘Do Not Track’ browsing header as such a choice.” By rejecting this suggested new language, the OAG chose not to limit the scope of any implementation technology. As reflected in the OAG’s Statement of Reasons, this rejection actually ends up being an even more meaningful nod in the direction of the EFF coalition.
Specifically, the OAG described its goal as setting clear regulatory parameters while not imposing technological requirements that might limit a company:
By requiring that a privacy control be designed to clearly communicate or signal that the consumer intends to opt-out of the sale of personal information, the regulation sets clear parameters for what the control must communicate so as to avoid any ambiguous signals. It does not prescribe a particular mechanism or technology; rather, it is technology-neutral to support innovation in privacy services to facilitate consumers’ exercise of their right to opt-out. The regulation benefits both businesses and innovators who will develop such controls by providing guidance on the parameters of what must be communicated. And because the regulation mandates that the privacy control clearly communicate that the consumer intends to opt-out of the sale of personal information, the consumer’s use of the control is sufficient to demonstrate that they are choosing to exercise their CCPA right.
More to the point, the OAG also explains:
Subsection (d) requires a business that collects personal information online to treat user-enabled global privacy controls as a valid request to opt-out. This subsection is forward-looking and intended to encourage innovation and the development of technological solutions to facilitate and govern the submission of requests to opt-out. Given the ease and frequency by which personal information is collected and sold when a consumer visits a website, consumers should have a similarly easy ability to request to opt-out globally. This regulation offers consumers a global choice to opt-out of the sale of personal information, as opposed to going website by website to make individual requests with each business each time they use a new browser or a new device. (emphasis added).
Perhaps anticipating some pushback, the OAG goes into detail regarding its authority by referencing prior experience with DNT requirements under the California Online Privacy Protection Act (Bus. & Prof. Code, § 22575 et seq.) (CalOPPA). To that end, on May 21, 2014, the OAG had released a set of recommendations to assist with compliance with CalOPPA’s DNT disclosure requirements.
As the primary enforcer of [CalOPPA], the OAG has reviewed numerous privacy policies for compliance with CalOPPA, which requires the operator of an online service to disclose, among other things, how it responds to “Do Not Track” signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about their online activities over time and across third-party websites or online services. (Bus. & Prof. Code, § 22757, subd. (b)(5).) The majority of businesses disclose that they do not comply with those signals, meaning that they do not respond to any mechanism that provides consumers with the ability to exercise choice over how their information is collected. Accordingly, the OAG has concluded that businesses will very likely similarly ignore or reject a global privacy control if the regulation permits discretionary compliance. The regulation is thus necessary to prevent businesses from subverting or ignoring consumer tools related to their CCPA rights and, specifically, the exercise of the consumer’s right to opt-out of the sale of personal information. Contrary to public comments that the user-enabled global privacy setting is outside of the scope of the OAG’s authority, subsection (d) is authorized by the CCPA because it furthers and is consistent with the language, intent, and purpose of the CCPA. (emphasis added).
Not surprisingly, given its technology-neutral approach, the OAG does not spell out how companies are to comply with a global opt-out capability. Companies may meet the obligation to honor a consumer-controlled global opt-out setting either by adopting a new third-party product or by investing internally in developing their own solution. Any such feature, however, will likely be tested by the OAG and the courts. No matter how this new requirement is implemented, it is very likely the OAG will come out swinging, given that the November 2020 ballot initiative spearheaded by Alastair Mactaggart, the California Privacy Rights Act, would create the “California Privacy Protection Agency” as a new enforcement arm and potential competition for the OAG.