The Office of the Attorney General of California made a small addition to its frequently asked questions page on the California Consumer Privacy Act that certainly did not go unnoticed.
The update involved the Global Privacy Control, a signal delivered through a browser extension that automatically allows users to exercise their rights to opt out of the sale of their personal information.
The attorney general's CCPA FAQ page states the GPC "must be honored by covered businesses as a valid consumer request to stop the sale of personal information." The decision from the attorney general has ramifications not only for how do-not-sell requests are handled in California, but also for current and future U.S. state privacy laws.
"The requirement to honor a global privacy control opt-out request has been in the CCPA regulations since their passage but it's great to see the AG provide additional clarity for companies that are affected by the law," researcher and technologist Ashkan Soltani, one of the architects of the GPC, said in an email to The Privacy Advisor. "The GPC specification is currently widely recognized by a number of key publishers including the [New York] Times, Washington Post and Weather Channel, as well as hundreds of thousands of websites hosted by WordPress and CafeMedia. Even Google has recognized GPC as a way to comply with CCPA for their third-party advertising services."
Perkins Coie Partner, Privacy & Security, Co-chair, Ad Tech Privacy & Data Management Dominique Shelton Leipzig, CIPP/US, said the move is "not terribly surprising."
"Recall that Secretary Xavier Becerra tweeted, back when he was our California [Attorney General], that GPC should be recognized under the CCPA," Shelton Leipzig said via email. "The [attorney general]’s office is relying on CCPA Reg. 999.315 (c), which states a 'business shall treat user-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting, or other mechanism, that communicate or signal the consumer's choice to opt-out of the sale of their personal information as a valid request submitted pursuant to Civil Code section 1798.120 for that browser or device, or, if known, for the consumer.'”
Though the update may not be surprising, WireWheel CEO Justin Antonipillai said this new development is an important one, citing California's history as a thought leader on enhancing the customer experience and its endorsement of the Global Privacy Control as both a concept and the actual framework.
"It’s a big deal because currently, even if companies are taking do-not-sell requests, most of them live with a single company. It’s either sitting in cookies or in their own database," Antonipillai said. "This has the potential to make consumer choice a lot more simple."
DuckDuckGo Senior Public Policy Manager Katie McInnis also sees how the decision will benefit users.
"For too long, individuals have had to bear the brunt of protecting their privacy online," McInnis said in an email. "With its plan to recognize signals like the Global Privacy Control, California will make it easier for users to opt out of the sale of their information and start taking back their privacy online. We hope other jurisdictions with privacy rights follow California's lead in recognizing browser-based signals like the GPC as a simple and effective way for users to signal their privacy preferences."
Not everyone is convinced the attorney general's declaration will make life easier for consumers who wish to flex their do-not-sell rights.
Frankfurt Kurnit Klein & Selz Partner, Chair, Privacy and Data Security Group Tanya Forsheit, CIPP/US, CIPT, PLS, believes the attorney general's position will create more confusion for consumers and organizations working to comply with the CCPA and honor do-not-sell requests. While Forsheit doesn't object to the GPC as a tool to facilitate do-not-sell requests, the way the CCPA is currently written does not mesh with the text on the attorney general's FAQ page.
"The actual language of the update is confusing because it starts by saying you have to have two methods to request an opt-out, which is in the law," Forsheit said. "Then it says one way to do that is through a user-enabled global privacy control, like the GPC, and so far so good. But then if you keep going, you get to the last sentence of the FAQ update, and it says that under law it must be honored by covered business as a valid consumer request to stop the sale of personal information. That’s not actually what the law says. The CCPA does not mandate honoring GPC."
Even with the potential confusion, Forsheit sees a way to clear the air. She said the California Privacy Rights Act could be a vehicle to solidify the GPC's role in the Golden State, with the California Privacy Protection Agency acting as the driving force.
"I would really hope the CPPA addresses GPC in the [regulations] so we get some clarity," Forsheit said. "If this is really what businesses are required to do, it should be something that works across the board, not just on certain browsers and certain platforms. It doesn’t work across the board. A consumer is not going to understand that if they use GPC, they are not getting opted out everywhere."
Antonipillai also cited the CPPA's role in etching the GPC in stone.
"I think these kinds of implementation frameworks or suggestions or concepts are likely to be included much more formally through rulemaking in the next round," Antonipillai said. "That has always been a really powerful thing about CPRA. It really is the first U.S. law that authorizes the concept of rulemaking for a state agency."
The attorney general's edict on the GPC will obviously change how organizations approach do-not-sell requests in California, and its influence will likely stretch across the country.
In fact, Antonipillai and Shelton Leipzig have already seen it in another recently minted privacy law. The Colorado Privacy Act essentially incorporates the concept of the Global Privacy Control. It may be the first state privacy law to approach a version of the GPC, but no one should expect it to be the last.
"The Colorado Privacy Act expressly indicates that residents of that state can opt out of targeted advertising and the sale of personal information," Shelton Leipzig said. "The definition of sale is similar to CCPA to be very broad to include any exchange for valuable consideration. The Colorado law states expressly that individuals can opt-out of targeted advertising/sales 'via a global device setting.'"
"Each version of a privacy law adopts a 90% approach of California, and then builds on it," Antonipillai said. "Now that Colorado has adopted the general concept of GPC, I think most other laws will look to that pretty quickly, as well."