Today, EFF joined a coalition of privacy advocates in filing comments with the California Attorney General regarding its ongoing rulemaking process for the California Consumer Privacy Act (CCPA). The CCPA was passed in 2018, and took effect on January 1, 2020. Later this year, the Attorney General (AG) will finalize regulations that dictate how exactly the law will be enforced.

Last time we weighed in, we called the AG’s initial proposed regulations a “good step forward” but encouraged them to go further. Now, we are disappointed that the latest proposed regulations are, compared to the AG’s initial proposal, largely a step backwards for privacy.



To start, the modified regulations improperly reduce the scope of the CCPA by trying to carve out certain identifiers (such as IP addresses) from the definition of “personal information.” This classifies potentially sensitive information as outside the law’s reach—and denies Californians the right to access, delete, or opt out of the sale of that information.

Furthermore, the new regulations make it harder for consumers to exercise their right to opt out of the sale of their personal information. The proposed opt-out icon, which businesses will be required to display on their websites, is confusing; independent research has shown that many users don’t understand what it means. Worse, the new regulations provide that user-friendly, automatic controls like Do Not Track (DNT) cannot be used to opt out of data sale. Today, millions of users around the world use DNT to signal their clear intent to opt out of the collection, misuse, sharing, and sale of their data. Until now, few companies have chosen to honor that intent, but the CCPA gives user requests to opt-out of data sale the force of law. The AG should make sure that businesses treat well-established signals like DNT as an opt-out from sale of their data.

Our coalition letter details a number of other changes to the original draft regulations that reduce consumer protections. We urge the Attorney General to reconsider these changes and make sure CCPA does what it’s supposed to: protect Californians’ privacy.

The other seven privacy organizations that joined the coalition comments are ACLU, Campaign for a Commercial Free Childhood, Common Sense Media, Consumer Federation of America, Media Alliance, Oakland Privacy, and Privacy Rights Clearinghouse.