Both consumer advocates and business groups are dissatisfied with how California privacy regulators say company websites must recognize universal opt-out tools.
Businesses claim the California Privacy Protection Agency shouldn’t mandate opt-out recognition from external sources in the first place. Advocates fear the requirement as drafted is loose enough to encourage “dark patterns” that would nudge users toward opting in to data tracking.
Ever since California unveiled its draft changes to the state’s privacy rules in May, website tracking opt-outs have been one of the biggest points of contention. Robust recognition of opt-out requests has the potential to incur significant compliance costs for businesses.
The agency is updating its rules to expand consumers’ options over how businesses collect and use personal information under the California Privacy Rights Act. Any proposed changes are slated to go into effect in January, with enforcement scheduled to begin July.
Mandatory Recognition
There are multiple ways for a consumer to express intent to opt out of sharing data. The simplest way is to click opt-out buttons or links on a specific website. But there also are apps, browsers, and other platforms, such as Global Privacy Control, that emit opt-out signals for virtually every site visited.
Platforms like GPC aim to remove the hassle of having to exercise privacy rights on each individual site. Businesses are concerned about the technical and logistical hurdles they’d face recognizing these signals. For example, if a consumer forgets to turn off a universal opt-out signal but is also taking part in a particular site’s opt-in rewards program, it could be unclear how a business should proceed.
“Without clarity on what signals are valid under the law and how companies are to respond to them at a technical level, the goals of the CPRA with respect to universal opt-out choices will not be met,” Cynthia Pantazis, state policy director for
Privacy regulations in the state already require recognizing opt-out signals, but the law does not set a single clear standard for what a signal should be. Different signals can have different privacy settings and formats, and businesses question whether they accurately reflect what a consumer wants.
Businesses want one or the other: the option of posting opt-out links on their sites or recognizing opt-out signals. That more closely reflects what the California Privacy Rights Act granted in giving businesses flexibility, they said.
But the privacy agency has held firm in mandating signal recognition, arguing that a plain reading of the CPRA shows the flexibility only exists for site-specific opt-out links.
“There is no other reading that makes any sense here, and suggestions to the contrary are simply from Surveillance Economy firms and their defenders, trying to wriggle out of having to comply with consumer choice,” said Alastair Mactaggart, chair of Californians for Consumer Privacy and a member of the privacy agency board, in public comment.
‘Frictionless’
The draft rules wouldn’t require businesses to put opt-out links on their websites if they process opt-out signals from external apps in a “frictionless” manner. A frictionless manner means that businesses can’t:
- charge a fee for recognizing an opt-out signal
- change the consumer experience with the product or service
- display pop-ups, notifications, graphics, etc. in response to the signal
Businesses that do include opt-out links or buttons on their sites may process external signals in a “non-frictionless” manner—meaning in ways that could change the user experience.
That flexibility worries consumer advocates, who say the implication is that businesses posting opt-out links will be permitted to have intrusive pop-ups or engage in other dark patterns that unfairly nudge a user to opt in over opting out.
“We love the opt-out preferences, but the whole idea of the opt-out preference signal is to be a frictionless communication to the consumer’s privacy choice,” said Emory Roane, policy counsel for Privacy Rights Clearinghouse.
Advocates and business groups point out that the term “frictionless” doesn’t appear in the privacy act.
The state privacy agency said in a filing that the “frictionless” concept stems from a section of the law governing how businesses respond to an opt-out signal. For instance, both the section and the definition prohibit charging a fee or displaying a pop-up.
However, two provisions from that section—those saying that businesses can’t intentionally degrade the consumer experience or coerce a user into opting in—weren’t included under the definition of “frictionless” in the draft rules. That’s because “responding in that manner wouldn’t be allowed under any circumstance,” the CPPA said.
Despite those assurances, the regulations appear to be in conflict in certain parts, said Hayley Tsukayama, senior legislative activist at the Electronic Frontier Foundation. That can be confusing for both businesses and consumers.
“I think even introducing the phrase ‘non-frictionless’, which I guess means ‘friction,’ is confusing in general,” she said. “It’s not an easy thing to wrap your head around.”