California consumers had a lot to celebrate on January 1 when the California Consumer Privacy Act (CCPA), the landmark online privacy law, finally went into effect. For the first time, California consumers have key privacy protections, such as the right to access, delete, and stop the sale of their information, and greater transparency about how their data is used. These safeguards are particularly important because the federal government has failed to act to protect consumers’ privacy online.
But even though companies had more than a year to prepare for CCPA compliance, many companies do not appear to be taking the CCPA very seriously.
Rather than comply with the law’s clear purpose of giving consumers control over their data, many companies instead are taking advantage of potential loopholes.
Even before the law went into effect, companies signaled that they planned to evade compliance with the CCPA. The Interactive Advertising Bureau (IAB), a trade group that represents the ad tech industry, is advising companies to evade the opt-out by abusing a provision in the CCPA meant to allow a company to perform certain limited services on its behalf. Google, a major ad tech platform, announced that it will follow IAB’s lead. If a consumer opts-out, Google will continue to serve ads to consumers, including ads with third-party ad tracking. In addition, Facebook has announced that its “like” buttons, which allow the company to track Facebook users’ behavior across the web — even if they are not logged in — is outside of the consumer opt-out.
Further, even though California Attorney General Becerra has proposed requiring companies to accept browser privacy settings as a request to opt-out, making it much easier for consumers to opt-out from many companies in a single step, the IAB hasn’t provided detailed guidance to companies on how to comply with browser opt-outs.
For many sites, unless the consumer takes additional steps to opt-out, including digging through labyrinthine privacy policies for more details and going to multiple separate sites to exercise their preferences, their sensitive browsing data will continue to be tracked and shared with numerous third parties to deliver advertisements. One Twitter user pointed out that the Los Angeles Times requires consumers to go to five separate sites — in addition to opting out separately of the site — just to stop the sale of their data for targeted advertising. TikTok sends consumers to two additional sites to manage their third-party targeted advertising preferences, though elsewhere in their privacy policy they claim that they do not “sell your personal information to third parties.” These approaches frustrate one of the main objectives of the CCPA — to give consumers a simple way to stop the trade of consumer data on the open market.
Many companies appear to be running the same playbook as they did when Europe’s GDPR went into effect. Despite the GDPR, because of a lack of enforcement to date, companies operating in Europe have been able to get away with maintaining their existing data use practices. Too often, they’ve used coercive consent prompts that don’t give consumers an informed choice over the sharing of their data. Luckily, European regulators are expected to push back in response to formal complaints about violations. A recent report from the Information Commissioner’s Office — the UK regulator for the GDPR — declared these practices to be violative of the GDPR, setting the stage for further action.
Attorney General Becerra cannot afford to be as slow to take action as European regulators. The attorney general has broad authority to issue regulations to further the privacy intent of the CCPA. Consumer Reports, along with 11 other privacy groups, has called on the attorney general to clarify that the transfer of data for advertising constitutes a sale, in order to preserve consumers’ ability to exercise their privacy preferences under the new law. Though these data transfers are clearly covered by the CCPA, the attorney general should make it even more clear that companies are prohibited from tracking consumers across the web in spite of an opt-out.
Finally, given the lack of a private right of action covering the privacy provisions of the CCPA, Attorney General Becerra needs to honor his commitment to making an example of companies that are not making good-faith efforts to comply. While enforcement won’t start until July 1, the attorney general must act now to put companies on notice about the consequences for those seeking to circumvent the law.
Californians deserve better than the cynical efforts of companies seeking to avoid honoring consumers’ constitutional right to privacy. Attorney General Becerra needs to send a clear message to companies: It’s time to respect consumers’ right to say no to invasive tracking and sale of their personal information.