EFF and a coalition of privacy advocates have filed comments with the California Attorney General seeking strong regulations to protect consumer data privacy. The draft regulations are a good step forward, but the final regulations should go further.

The California Consumer Privacy Act of 2018 (CCPA) created new ways for the state’s residents to protect themselves from corporations that invade their privacy by harvesting and monetizing their personal information. Specifically, CCPA gives each Californian the right to know exactly what pieces of personal information a company has collected about them; the right to delete that information; and the right to opt-out of the sale of that information. CCPA is a good start, but we want more privacy protection from the California Legislature.

CCPA also requires the California Attorney General to adopt regulations by July 2020 to further the law’s purposes. In March 2019, EFF submitted comments to the California Attorney General with suggestions for CCPA regulations. In October 2019, the California Attorney General published draft regulations and again invited public comment.

In the new comments, EFF and the coalition wrote:

The undersigned group of privacy and consumer-advocacy organizations thank the Office of the Attorney General for its work on the proposed California Consumer Privacy Act regulations. The draft regulations bring a measure of clarity and practical guidance to the CCPA’s provisions entitling consumers to access, delete, and opt-out of the sale of their personal information. The draft regulations overall represent a step forward for consumer privacy, but some specific draft regulations are bad for consumers and should be eliminated. Others require revision.

The coalition made dozens of suggestions. We note two here.

First, to implement CCPA’s right to opt-out of the sale of one’s personal information, the draft regulations at Section 315(c) would require online businesses to comply with user-enabled privacy controls, such as browser plugins, that signal a consumer’s choice to opt-out of such sales. EFF suggested such an approach in our March 2019 comments. The coalition comments now seek a clarification to this draft regulation: that “do not track” browser headers, which thousands of Californians have already adopted, are among the kinds of signals that online businesses must treat as an opt-out from data sale.

Second, the coalition urges the California Attorney General to issue clarifying regulations that bar misguided efforts announced by some members of the adtech industry to evade CCPA’s right to opt-out of sales. Adtech is one of the greatest threats to consumer data privacy, as explained in a new EFF report on third-party tracking. The broad dissemination of personal information throughout the adtech ecology is a form of “sale” plainly subject to CCPA’s right to opt-out. Regulations should now lay to rest the crabbed arguments to the contrary.

The comments were signed by EFF and 11 other privacy advocacy organizations: Access Humboldt, ACLU of California, CALPIRG, Center for Digital Democracy, Common Sense Media, Consumer Federation of America, Consumer Reports, Media Alliance, Oakland Privacy, and Privacy Rights Clearinghouse.

Read the comments here.