The landmark CCPA gives California consumers, for the first time, the ability to access, delete, and stop the sale of their personal information. Californians finally have a real opportunity to exercise their constitutional right to privacy. But tech companies have been able to avoid meaningful regulations for decades, and their behavior suggests that they’re not going to let the CCPA get in the way of their sale of consumers’ personal information.
It’s up to the AG to hold companies accountable, especially as many of them have willfully ignored the CCPA since it went into effect in January. Making matters worse, several of the changes to the draft rules proposed by the AG take a significant step back from the draft released in October. Most concerning, the updated rules exempt IP addresses from the definition of personal information—an unacceptable change that would dramatically weaken the existing statute. To protect consumers, we urge the AG to:
- Clarify that sharing for cross-context targeted advertising falls under the definition of sale;
- Tighten the service provider exemption;
- Remove the new limits on the definition of personal information, which would create a significant loophole for targeted advertising;
- Make global, browser opt-outs more user-friendly;
- Clarify that financial incentives in markets that lack competition is an unfair and usurious practice;
- Require companies to forward opt-out requests to third-party recipients of data where possible; and
- Consider a retention limit on records of deletion.
More information continues to become known about the extent to which consumers’ personal information—collected not only online, but through their phone handsets, apps, televisions, and smart devices—is bought and sold without their knowledge, and the lengths to which companies will go to avoid complying with even baseline privacy protections. The AG needs to take swift action to ensure that consumers are able to exercise their privacy rights.