California Attorney General Announces New Ways for Consumers to Assert Privacy Rights
Written by Rick Buck, Chief Privacy Officer, WireWheel
The California Office of the Attorney General recently announced two ways to make it easier for consumers to assert their privacy rights and business to comply with the CCPA opt-out rules related to the sale of personal information.
The Frequently Asked Questions page on the CCPA website has been updated stating that the Global Privacy Control (GPC) signal “must be honored by covered businesses as a valid consumer request to stop the sale of personal information.” GPC is a browser-based global opt-out setting that enables consumers to automatically send their Do Not Sell My Personal Information preference to participating websites as an alternative to having to manually submit requests to each website individually.
While this announcement is a clear endorsement, GPC has always been a part of the CCPA. The law requires businesses collecting personal information online to honor user-enabled global privacy controls including a browser plug-in or privacy setting that signals the consumer’s choice to opt-out of the sale of their personal information. Under the CCPA businesses must treat those signals as a valid CCPA “Do Not Sell” request.
The validity of GPC, however, has been called into question by the legal and business communities. CCPA states that opt-out tools must be free of defaults constraining or presupposing a consumer’s intent. The opt-out tool must also allow consumers to “selectively consent” to an individual business’s “sale” of their personal information or “use or disclosure” of their sensitive information. The current version of GPC has been called out for not meeting these requirements because it does not provide these options and because it is enabled by default in browsers.
California’s newly formed California Privacy Protection Agency (CPPA) will ultimately have the authority to define a technical standard for an opt-out preference signal with its own requirements. The deadline for CPPA to finalize regulations is July 1, 2022. The current language around the requirement to honor GPC will either need modifications or removal before CCPA takes effect on January 1, 2023.
Consumer Privacy Tool
A new Consumer Privacy Tool is now available to help consumers send a notice of non-compliance to businesses allegedly violating the CCPA.
The Attorney General’s office launched a new online Consumer Privacy Interactive Tool allowing consumers to directly notify businesses that they believe are not complying with the CCPA Do Not Sell My Personal Information requirements. The tool asks consumers through a series of questions about the business in question. A report is generated with the information that can then be sent to the businesses. The tool and reports may be used by the AG’s office to trigger a 30-day cure period notice letter to the business.
For now, the tool (V1.0) is limited to drafting notices for a missing or non-conspicuous “Do Not Sell My Personal Information” link on a business’s website. Future versions of the tool may have more robust notices for other types of CCPA violations.
As evidenced by the announcement around GPC and the Consumer Privacy Tool, the AG’s office is focused on enforcement and compliance of the CCPA. Covered businesses should re-evaluate and update their CCPA compliance programs.