Starting Jan. 1, the California Consumer Privacy Act required most companies with websites and customers in the state to implement new data collection standards — though those more stringent rules won’t be enforced until July.
That’s not enough time for businesses to get in compliance, five ad sector trade groups wrote in a letter to Becerra’s office last week. They are requesting a delay in enforcement for at least six months.
Becerra’s office published its first round of draft regulations in October; a final set is still in the works. Ad groups worry that key provisions of the law could be changed in the final regulations, according to the letter.
“It’s a complex industry. There are companies that need time to adapt,” said Clark Rector, executive vice president of government affairs at the American Advertising Federation, which was among the groups behind the letter. “It’s hard to get ready to comply when you don’t know what you’re getting ready to comply with.”
Becerra’s office declined to comment. “We will not be responding to individual input outside of the formal rule-making process,” a spokesperson said in an email.
With so many uncertainties, the attorney general’s interpretation and enforcement of the law will be crucial, experts say.
Ad trade groups have taken issue with the law’s requirements, submitting comments to Becerra’s office in December on the first round of draft regulations. They are particularly concerned about requirements that allow consumers to request a copy of all of their personal information that might have been collected by a company or request that the company delete that data entirely, Rector said.
“The draft rules imposed on businesses entirely new record-keeping obligations, notice requirements, and verification rules, among many other novel requirements,” the letter reads.
Another point of contention is that the law restricts the sale of personal data, but it does not clearly lay out what counts as selling data. “That has produced anarchy among businesses in California, with each one possibly interpreting it differently,” Eric Goldman, a Santa Clara University School of Law professor who co-directs the school’s High Tech Law Institute, previously said.
It also requires companies that sell personal data to third parties to provide a prominent opt-out button. Such buttons now appear on sites as varied as that of the retail giant Target and the Los Angeles Times. On other sites, some companies now argue they don’t need to provide an opt-out button.
The dating app Grindr, for instance, says that by agreeing to its overall privacy policy, California users are “directing” it to disclose their personal information, and that therefore it’s allowed to share data with third-party advertising companies. “Grindr does not sell your personal data,” the policy says.
The stationary bike firm Peloton offers a form for California residents who want to minimize the sharing of their personal information with third parties for marketing purposes. The company explicitly points to confusion around the law.
“What is covered as a ‘sale’ under California law is not yet clear, but we currently do not ‘sell’ your information as we understand it,” its privacy notice reads.
The trade groups behind the letter are the Association of National Advertisers, American Association of Advertising Agencies, the American Advertising Federation, the Interactive Advertising Bureau and the Network Advertising Initiative.
