Companies Prefer California Opt-Out Guidance Instead of Rules

Data brokers, trade groups and online platforms are urging California’s privacy agency not to pursue new rulemaking related to consumers’ privacy rights, saying they already face enough challenges complying with looming requirements.

Businesses largely called for non-binding guidance over formal rules in response to questions from the agency about the need for new regulations to make rights under California’s privacy law easier to exercise and facilitate. Comments were published Wednesday.

The California Privacy Protection Agency, the only state privacy agency, also asked for feedback on consumers’ and businesses’ experience with opt-out preference signals, which let users broadcast “do not sell” signals across websites they visit.

“We urge the agency to refrain from embarking on new rulemakings in those areas at a time where businesses are devoting considerable resources to come into compliance with the regulation package relating to cyber audits, risk assessments, and automated decisionmaking, which was finalized merely three months ago after a lengthy multi-year rulemaking process,” the California Chamber of Commerce said in its comments to the agency.

Opt Outs

The agency, known as CalPrivacy, has ramped up actions against companies that don’t let consumers easily object to the sharing of their personal data. This year alone, it issued a combined $1.5 million in fines against Ford Motor Co. and PlayOn Sports, a media and tech company used in high school sports and events, over opt outs requests. CalPrivacy went after retailer Todd Snyder Inc. and American Honda Motor Co. last year over similar violations.

California’s privacy agency sought feedback on some of the challenges consumers and companies face in submitting or processing opt-out preference signals.

Businesses face “meaningfully unequal capacity to process opt-out preference signals depending on their size and technical infrastructure,” TechNet told CalPrivacy. While larger companies are well-positioned to implement such controls, smaller businesses have relied on third parties which has made “signal processing technically difficult even with genuine compliance intent,” said the group, which represents companies including Apple Inc., eBay Inc., and Uber.

The California Chamber of Commerce said CalPrivacy needs to keep in mind that other states, including Colorado and Connecticut, already rely on one set of standards around opt outs, which could be complicated by any additional moves. Colorado and Connecticut are investigating companies’ compliance with the states’ opt out requirements.

Authorized Agents

Online platforms raised some of the challenges they face when interacting with authorized agents that submit privacy rights requests on behalf of consumers.

Such agents are “abusing the law” by submitting swaths of improper requests, said David M. Stauss, partner at Troutman Pepper Locke, who filed comments on behalf of data broker clients registered in the state.

There is a lack of standards for how submissions from agents can be “structured or verified,” according to the Business Information Coalition, which represents data brokers including RocketReach LLC and ZoomInfo Technologies LLC. Requests submitted by agents often fail to clearly identify the consumer or which right is being exercised, or provide enough evidence that a consumer has authorized the agents to act on their behalf.

The group, alongside other lawyers and trade associations representing digital platforms, urged the agency to establish minimum standardized requirements for agents.

Consumer Rights

Tech industry groups largely challenged the agency’s justification of new rules as a means to reduce friction for consumers’ exercising privacy rights.

“Reducing friction isn’t a goal that should be pursued at all costs,” Tech Net said.

Existing rules are prescriptive enough to ensure consumers can exercise their privacy rights, some industry groups said, and they warned that new rules around bespoke language or interface design could contradict other state requirements.

“Regulations that specify that businesses must use certain language, preferred framing of consumer choices, or other presentation mandates may implicate protections for commercial speech,” the Association of National Advertisers, which represents thousands of US companies including advertising agencies and tech providers, said in its letter.

The group warned that CalPrivacy’s rulemaking authority “isn’t unlimited.”