May 2020 – California’s Attorney General Xavier Becerra and his team have run an inclusive and transparent process in their construction of California Consumer Privacy Act (CCPA) regulations. Their original proposal and subsequent modifications go a long way toward clarifying the rights consumers can exercise under the law and the actions businesses must take to comply.
In the latest modifications, however, the draft regulations could have explained more about one critical component. The law clearly puts consumers in charge of whether or not they opt-out of the sale of their information. But the most recent modifications to the regulatory language introduce certain ambiguity that some read as empowering third parties to make that choice for them, including a small group of browser operators. It is hard to tell if it was the author’s initial intent.
Is Opt-In an Appropriate Choice for Sensitive Data?
The public record on this question is clear – a “Do Not Sell” choice should be easy to exercise at the website level or at the browser or device level, but the consumer must affirmatively make that choice. Neither the browser nor any other third-party can set that preference for him or her.
In the Privacy for America proposal sent to Congress, the advertising trade associations recognize that an opt-in choice is appropriate for sensitive data. That information should require greater default protection from distribution.
An opt-in choice design mandate for sensitive data can act as a signal to consumers that they should exercise greater caution in sharing that kind of information. But the CCPA does not create an opt-in requirement for that subset of information and nowhere does it call for or allow third parties to impose a blanket opt-in choice architecture on consumers.
Alastair McTaggart recognized the consumer-driven opt-out choice architecture of the CCPA in his testimony before the US Senate in March 2019 stating: “every site doing business in California will be required to have a “Do Not Sell My Information” button. All sites will also be required to accept what are called “third party opt-outs”, which will allow consumers to delegate a third-party to opt them out of all the sites they visit.”
He goes on to add:
“Thus we envisage that browser companies or mobile phone companies will simply create controls, like a browser button that users can enable, which will indicate to every single site a consumer visits not to sell that consumer’s information.”
The Attorney General’s proposal prior to the latest modification was clearly in line with the consumer control principle. It did mandate that businesses have to treat browser plug-ins, device settings, or other mechanisms that communicate a consumer’s choice to opt-out as a valid request and respect it. It then went on to make clear that, “Any privacy control developed in accordance with these regulations shall clearly communicate or signal that a consumer intends to opt-out of the sale of personal information. The privacy control shall require that the consumer affirmatively select their choice to opt-out and shall not be designed with any pre-selected settings.”
In the latest modification, the AG issued earlier this month, however, that last sentence was struck. On first reading, some privacy advocates and others, including myself, misread that to mean that the current “Do Not Track” settings would become the defacto “Do Not Sell” settings and have the power of law. On second reading that doesn’t seem to be the case because a prohibition on tracking and a prohibition on selling are two different things. Because I was not the only one confused, the AG should clarify that point.
But more importantly, striking the line I highlighted in italics introduces destabilizing ambiguity. The regulations clearly say in multiple places that “global privacy controls, such as a browser plugin or privacy setting” must be user-enabled. The now-struck line underscored that point and made it clear and concrete that the user must make the choice, not have it pre-selected for them by the browser or any other party. We feel the intention and language of the law and regulation are both intended to keep others from choosing on behalf of the user. Removing that key line opens the door to debate, however, which will undercut the effectiveness of the law and its implementation.
It is rational to expect, for example, that browsers willing to make a “Do Not Track” default choice for consumers will likely and easily create a default “Do Not Sell” choice for them as well. The AG striking the language requiring that the consumer affirmatively select their choice and not be designed with pre-selected settings reads to many as empowering browsers to set a default choice for consumers inconsistent with the law. The law does not intend to allow that, the deliberation of it and its supporters did not make the case for that outcome, and the regulations should not allow the law to be turned on its head.
We do not believe the Attorney General intends to turn an opt-out law into an opt-in law through regulation nor do we think he would concentrate the power to make choices for consumers in the hands of a small group of browser companies. In order to make that clear, we hope that he will restore the language struck in the latest modification to ensure the consumer is put back in control of his or her choices.