Thursday, October 8, 2020

A New Technology for Web Browser Opt-Outs Could Trigger New Legal Requirements

If your organization has a website directed at California consumers (or US consumers generally), you should start thinking about this soon: A group has developed the technology to honor web browsers’ privacy signals, which could have implications under the California Consumer Privacy Act.

The California Online Privacy Protection Act of 2003 (CalOPPA) was the first broadly-applicable consumer privacy statute in the US. It merely required companies to have website privacy policy statements and to state clearly whether or not they would honor “Do Not Track” signals from a user’s web browser; it did not require companies to honor those signals.

The lawmakers assumed that technology would be created to honor those opt-out signals, and that companies would be pressured by market forces to honor them, but that never really happened.  It has been almost impossible to honor those signals until now, and as a result, almost all US-facing websites have a privacy policy statement that says “we do not recognize browsers’ Do Not Track signals.”

California's Attorney General, who enforces CalOPPA, was not satisfied with industry's failure to develop the technology and honor Do Not Track signals.  When the AG released regulations under the California Consumer Privacy Act, which became enforceable in mid-August, he included a provision that says that companies must honor browsers’ privacy signals as a valid Do Not Sell instruction…even though the technology doesn’t yet exist.
The AG explained that the requirement "is forward-looking and intended to encourage innovation and the development of technological solutions to facilitate and govern the submission of requests to opt-out." Section 999.315 of the regulations says "[i]f a business collects personal information from consumers online, the business shall treat user-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information as a valid request submitted pursuant to Civil Code section 1798.120 for that browser or device, or, if known, for the consumer." [emphasis added]

Now, it appears a group of companies and nonprofits, including the Electronic Frontier Foundation and DuckDuckGo, has developed the technology, calling it the Global Privacy Control framework.  The express intent, according to the creators, is "to communicate a Do Not Sell request from a global privacy control, as per CCPA-REGULATIONS §999.315." It is already available in beta in certain browser updates or as add-on browser scripts, and consumers will begin sending those signals all over the Internet.  Companies will be under tremendous pressure to adopt the technology framework and begin honoring the signals quickly.

It is not yet perfectly clear if and when the GPC would be treated as a legally binding Do-Not-Sell instruction.  Here's why:

  • It is not clear whether the AG had the authority to include this requirement in section 315 of the regulations.  The global privacy control concept is not expressly stated in the CCPA, although the DOJ and Office of Administrative Law obviously felt the authority was there.  The delegation of authority to the AG in Section 1798.185(a)(7) is broad.
  • Competing frameworks could develop. It is not clear who will decide whether a framework is "official" or "enforceable."  Perhaps a formal endorsement of the California Attorney General is required.  California's Attorney General has informally endorsed the GPC framework via Twitter.
  • Right now the GPC framework is not a finalized standard, according to the website.  It's still being tested.  It is not certain when it would be finalized.

Because the CCPA's definition of "sale" is so broad, and could be interpreted to cover technologies that are ubiquitous across the web (such as third-party advertising cookies), the GPC could affect large numbers of website operators.

Key Point: Companies covered by CCPA should begin thinking now about whether and how to implement this new technical framework.