Last week, the California Office of the Attorney General (OAG) released final proposed regulations (Regulations) to implement the California Consumer Privacy Act (CCPA), drawing a rulemaking process that has spanned over a year near to an end. During this process, the OAG solicited comments on three distinct versions of the proposed regulations and modified the proposed regulations in response to those comments. The NAI has been highly engaged throughout the rulemaking process and submitted detailed comments on each version of the proposed regulations with input from its CCPA working group.
The NAI appreciates the remarkable effort the OAG has invested in the CCPA rulemaking process to date -- it has reviewed thousands of pages of comments submitted by dozens of stakeholders throughout the process. Further, the OAG provided reasoned responses to each comment it received in the package of materials accompanying the Regulations. As a result, the Regulations represent thoughtful engagement with stakeholders that is on balance likely to promote consumer privacy as well as business compliance with the CCPA.
Nevertheless, the NAI remains concerned that the provisions on global privacy controls are unclear and could allow intermediaries to thwart user preference; the requirements for vendors are vague and burdensome for service providers who want to follow the law; and the accelerated timeline for enforcement is impractical.
First, the provisions in the Regulations relating to “global” privacy controls, such as browser or device settings, do not make it sufficiently clear that those controls must signal a user-enabled preference to opt out of sales of personal information, instead of default settings established by intermediaries that do not express an actual user preference. This lack of clarity in the Regulations will lead to confusion in the marketplace about which signals that purport to convey user-enabled privacy preferences should be treated as authentic consumer requests to opt out of sales. This is likely to frustrate both business efforts to respect authentic consumer choices and a consumer’s ability to clearly signal those choices. Further, the structure of the provisions on “global” privacy controls in the Regulations appears to be both more stringent than, and inconsistent with, those found in the proposed CPRA ballot initiative, which will become California law if it is passed this November. This will lead to further confusion regarding the long-term expectations under California law for businesses to respond to “global” privacy controls such as browser or device settings.
Second, the Regulations missed an opportunity to further clarify how businesses can structure contractual relationships with their vendors in a way that complies with the CCPA’s provisions on “service providers.” Website publishers, brand advertisers, and digital advertising companies all interact to complete transactions for advertising inventory that fund the open internet, and many are seeking to amend their contractual agreements to avoid “sales” of personal information in connection with those transactions for ad space. Amending those contracts can be a protracted and difficult process for all parties involved, but businesses and their vendors have been working in good faith to make the necessary changes based on the statutory language of the CCPA. Unfortunately, the Regulations have further called into question how vendors can process personal information for their clients by including new conditions on service provider relationships that are not found in the CCPA. This is likely to lead to continued confusion about what a statutory service provider can and can’t do for its clients and, potentially, further expensive and time-consuming negotiations over those questions. There is broad agreement that service providers may not retain personal information to build consumer profiles for their own commercial purposes, but further technical contract negotiations around the provisions of the Regulations will not result in any discernible benefit to consumer privacy, while they are likely to hinder the advertising transactions that fund the content consumers enjoy on the web or in free mobile apps.
Third, the accelerated timeline for enforcement of the Regulations by the OAG is inappropriate given the limited amount of time businesses will have to comply with these specific requirements. This is a truly impractical timeline for businesses to comply with a new, complex set of regulations that defies norms at the state, federal or international level. The short timeline is further exacerbated by the public health and economic challenges that both California businesses and regulators are facing. Governor Newsom attempted to ease the burdens faced by the Office of Administrative Law (OAL) by issuing an executive order allowing the OAL an additional 60 calendar days to review new regulations. Regardless, the OAG has made a last-minute appeal to the OAL to expedite its review of the Regulations and make them effective as soon as possible. This request for a compressed timeline for enforcement deprives both businesses and regulators of desperately needed time to understand and evaluate the provisions of complex Regulations that have been evolving for months.
NAI member companies are well-prepared to comply with new privacy requirements because they have long adhered to the robust consumer privacy protections found in the NAI Code of Conduct, including the requirement to provide an easy-to-use opt-out mechanism for consumers who don’t want to receive tailored advertisements. However, because of the remaining ambiguities and other problems with the Regulations, the NAI urges the OAG to step up its efforts to engage with the digital advertising industry to provide still-needed education and guidance on its expectations, instead of blunt enforcement tools that will not be as effective at shaping industry-wide practices. As privacy leaders, NAI members stand ready to comply with the CCPA, but, along with all other California businesses, they will struggle with how to comply with the Regulations without more time and further guidance from the OAG on these detailed interpretations and requirements.