Today, EFF once again joined a coalition of privacy advocates filing comments with the California Attorney General (AG) on the latest proposed regulations for the California Consumer Privacy Act (CCPA). The CCPA was passed in June 2018 and took effect on January 1, 2020. Later this year, the AG will finalize regulations that dictate how exactly the law will be enforced.
While the first set of proposed regulations were (as we wrote at the time) a “good step forward” that could have gone further, the first revision to those regulations—published earlier this year—was largely a step backwards for privacy. Two weeks ago, the AG released a second set of revisions to the draft regulations, available here. [.pdf] With the enforcement deadline approaching, the public is running out of chances to weigh in on the rulemaking process. Some of the worst features of the regulations have been cut, but this round of modifications still falls short of a user-friendly implementation of CCPA. In fact, some new provisions added this round threaten to undermine the intent of the law.
For example, the CCPA sets aside a special set of companies, called “service providers,” which are exempt from certain parts of the law. Consumers can’t opt out of having their data sold to service providers in some interactions. In exchange, CCPA is meant to tightly restrict the ways service providers can use data they collect. However, the new draft regulations would greatly expand the ways service providers may use personal data, even allowing them to build profiles of individual people. The new regulations would also allow data brokers that collect information directly from consumers to avoid notifying them of the collection.
Other issues remain from earlier drafts. The latest draft still makes it hard for consumers to exercise their right to opt out of the sale of their personal information. Businesses may not need to treat clear signals like Do Not Track (DNT) as requests to opt out of sale.
Finally, some industry advocates have asked the AG to extend the enforcement deadline—by 6 months or more—amid the global health crisis. But the CCPA went into effect on January 1st, 2020, more than 18 months after its passage, and companies should already be complying with the law. Now, more than ever, consumers need the legal protections offered by CCPA. The AG should not extend the enforcement deadline on behalf of companies who would violate user privacy and the law.
Our coalition letter goes into more detail about these and other issues we have identified with the latest draft regulations. We urge the Attorney General to close business-friendly loopholes and make the CCPA an effective, enforceable tool for user privacy.
Read the coalition's full comments below.