The era of more online privacy is approaching, and California is a pioneer. This is our first Truth in Privacy dispatch. Last week, a slew of entities spoke about rulemaking before the California Privacy Protection Agency, which will soon draw up the strongest online privacy laws in the country. Elemental to the new law is people’s ability to opt-out of their personal data being shared or sold by a business. A hallmark will be webpages accepting a global opt-out signal.
It’s a topic that has come up a lot since the law’s passage, including during the three-day stakeholder sessions. What is the scope of the law’s opt-out rights? Many advertising and tech industry firms said, incorrectly, that the law doesn’t allow for an opt-out, including the California Retailer’s Association and the California Chamber of Commerce. Companies don’t want you to be able to opt-out of data selling because it is a cash cow. Unsurprisingly, the chamber, which includes among its members personal data hoovers Google, Amazon and Facebook, insurance purveyors State Farm and Allstate, Toyota, and big banks Wells Fargo and JP Morgan Chase, said, “a global opt-out is voluntary under the California Privacy Rights Act.”
“What they are saying is not true.”
Alastair Mactaggert
That is dishonest, plain and simple. Every business that meets a certain size and traffics in enough personal data must provide some sort of opt-out option for users. It must either have a “Do Not Sell” button on a homepage, or a business must honor a consumer’s preferences signal to opt out. And the business cannot retaliate against a user for exercising that right.
The law, under section 135(a)(1), states that a business’s website must “provide a clear and conspicuous link…titled, ‘Do Not Sell or Share My Personal Information.’”
Alternatively, a business can allow for opt-out by respecting a “Do Not Track” signal sent by a consumer’s browser or other device. Under 135(b)(1)(a), a business will not be required to have a “Do Not Sell” button, “if the business allows consumers to opt out of the sale or sharing of their personal information and to limit the use of their sensitive personal information through an opt-out preference signal sent with the consumer’s consent by a platform, technology, or mechanism…”
Granted, there has been some dispute over this, but it was put to bed almost a year ago by the California Attorney General’s office. In a statement, the AG’s office said businesses must satisfy privacy control signals as a valid opt-out request.
“GPC is one option for consumers who want to submit requests to opt-out of the sale of personal information via a user-enabled global privacy control. Under law, it must be honored by covered businesses as a valid consumer request to stop the sale of personal information,” wrote the attorney general.
So the law requires businesses to honor consumers’ opt out requests. But the advertising and technology industries that make money off our every move don’t want you to know that.
Alastair Mactaggert, who spurred the new privacy law a couple years ago, responded to the chamber’s comments during stakeholder sessions. “What they are saying is not true.”
The chamber’s comments are on par for an organization that has criticized the privacy law, and consistently sided with big business and against consumers.
Stay tuned for more updates. The privacy board, the first of its kind in the country, will begin drafting rules in the coming months. The new law will take effect Jan. 1, 2023.