Los Angeles, CA — As a two-day comment period begins today over new privacy regulations, Consumer Watchdog is highlighting stringent rules for personal data use as well as red flags to be addressed if Californians wish to maximize control over their personal information.
The California Privacy Protection Agency is taking public comment on Wednesday and Thursday pursuant to drafting regulations implementing the California Consumer Privacy Rights Act, amended by voters in 2020 to provide consumers with more control over their personal data.
“We applaud that the rules strive to make it easier for people to take control of their data more than ever before,” wrote Justin Kloczko, Consumer Watchdog’s tech and privacy advocate, in a letter to the privacy board.
This includes needed guidance on what can be considered a dark pattern, the kind of deceptive language and design businesses often use to extract user consent online, and categories of collected sensitive personal information.
The nonprofit advocacy group also commends the agency for providing clarity on a global privacy preference signal, a hallmark of the new law that empowers consumers to easily opt out of data collection. In addition, the regulations state that a business should display a message on its website as to whether it has honored a user’s preference signal.
“We are pleased to see the agency has made a global opt-out mandatory for businesses to honor, a topic that has been highly disputed among the business community. The global preference signal is an easy, fluid way for users to notify all businesses of their privacy preferences,” said Kloczko.
Many advertising and tech industry firms that see our data as a pot of gold have come out against a global opt-out, including the California Retailers Association and the California Chamber of Commerce. The chamber, which includes among its members major personal data recipients Google, Amazon and Facebook, insurance companies State Farm and Allstate, and big banks Wells Fargo and JP Morgan Chase, said, incorrectly, “a global opt-out is voluntary under the California Privacy Rights Act.”
However, Consumer Watchdog is concerned about businesses making it difficult for consumers to exercise that opt-out right. Proposed regulation Section 7025 states, “a business may provide the consumer with an option to provide additional information if it will help facilitate the consumer’s request to opt-out of sale or selling.”
“This opens the door to a lot of friction in the form of pop-ups or worse service, which goes against the intent of the law. Companies may still ask for a name or email even if users express to not have their data shared or sold. The ability for a business to have the so-called ‘last say’ in this exchange over data sharing will exhaust users and should be simply eliminated,” wrote Consumer Watchdog.
Further, draft provisions state businesses have 15 days to honor a person’s request to stop selling or sharing data with third parties, as well as 15 days to limit use and disclosure of sensitive personal information.
“This is a large window that threatens to upend the entire law. And the regulation is not backed up by the statutory language,” wrote Consumer Watchdog.
“Even when someone opts out, personal information will still be sold because businesses are granted a two-week grace period to honor a request. It will also spur companies to concentrate on using and selling data within the window, producing a Wild West effect on data selling,” wrote Consumer Watchdog.
“And even though it says a business should honor a request ‘as soon as feasibly possible,’ a business will cite 15 days as ‘soon as feasibly possible.’ Businesses should be forced to honor a person’s opt-out request as soon as they are able to sell your data, which apparently is instantaneous. This gap should be closed,” wrote Consumer Watchdog.
Finally, Consumer Watchdog appreciates regulations on use limits and protecting consumer data from being used beyond its expected purpose. This is particularly salient in light of car companies collecting reams of personal data as outlined in our report, “Connected Cars and the Threat to Your Privacy”. The regulations require data collection and use by any business – including a business collecting data through the infotainment system in cars – be proportionate to the purpose. For example, under section 7002, a car company that knows your location for emergency services such as a car accident should not use geolocation for an unrelated purpose.