Amid the final rulemaking before the California Consumer Privacy Act (CCPA) is scheduled to take effect next year, five ad industry groups have asked California Attorney General Xavier Becerra to remove a requirement that businesses honor the privacy choices internet users make through browser settings, extensions, or other controls.
The wording of their request to Becerra appears to ask for a ban on browser and operating system-based privacy intervention, such as extensions that block ads and tracking scripts.
However, the ad industry groups subsequently clarified that they only want to disallow meddling with cookies that that express privacy choices, such as those set by the digital ad industry's AdChoices link.
The CCPA, which takes effect in January, 2020, will provide Californians with greater legal privacy protections than anywhere else in the US (though still short of Europe's GDPR), putting pressure on federal lawmakers who are trying to formulate consistent privacy rules for the entire country. Meanwhile, technology and ad companies have been trying to gut the CCPA and would welcome a weaker federal standard that supersedes the California law.
The privacy rules includes a consumer right to know whether information is being collected, to request details about the information categories collected, to know what personal information is collected, to refuse to have information collected, to delete collected information, and bans any degredation of service if the user opts to retain their privacy.
Among its requirements, the law says, "If a business collects personal information from consumers online, the business shall treat user-enabled privacy controls, such as a browser plugin or privacy setting or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information as a valid request [under the law]."
In a December 6th letter obtained by MediaPost reporter Wendy Davis and provided to The Register as a courtesy, the five ad industry groups – The American Association of Advertising Agencies (4As), the Internet Advertising Bureau (IAB), The Association of National Advertisers (ANA), the American Advertising Federation (AAF), and the Network Advertising Initiative (NAI) – complain to Becerra that such proposals would harm consumer choice.
"This result obstructs consumer control over data by inhibiting consumers' ability to communicate preferences directly to particular businesses and express choices in the marketplace. The OAG should by regulation prohibit such intermediaries from interfering in this manner."
According to Davis, the ad groups have since clarified that they want "to prohibit browsers and other intermediaries from blocking opt-out cookies (like the AdChoices opt-out link), and not all cookies."
Via Twitter, NAI attorney Tony Ficarrotta said, "The intent of NAI comments to AG (public soon) is to limit carve-out to true opt-out cookies; I would personally support [a] ban on any secondary uses, and requiring [the] use of non-unique values to achieve that."
Separately, on Friday as the rulemaking comment period closed, the IAB on its own submitted a letter to Becerra about the CCPA, hoping to shape the rules being formulated to support the law. The ad group's letter requests "that the AG remove the requirement for businesses to honor browser plugins or settings."
In its letter, the IAB claims that consumer choices expressed in the form of browser privacy extensions and settings are too confusing to follow. "Given that no standard technology currently exists for such browser plugins or privacy settings, it is not clear what browser plugins or privacy signals should be honored or how they should be honored," the IAB letter says.
The Register asked the IAB for comment and a spokesperson pointed to pages 13 and 14 of its letter, which suggests Becerra adopt rules that allow information collecting businesses to ignore privacy controls "if the business includes a 'Do Not Sell My Personal Information' link and offers another method for consumers to opt-out of personal information sale by the business."
In the past, the US Federal Trade Commission has not looked kindly on ignoring browser-expressed privacy choices. In 2012, Google agreed to pay $22.5m for, among other things, circumventing the privacy controls in Apple's Safari browser.
Bad news: 'Unblockable' web trackers emerge. Good news: Firefox with uBlock Origin can stop it. Chrome, not so muchREAD MORE
In a statement emailed to The Register, Mozilla stressed that privacy settings should be easy to use and said it would be irresponsible and wrong to ignore the preferences users express through their browser settings.
"Of course, that is also why organizations like the Interactive Advertising Bureau find requirements like those in CCPA so threatening, because those requirements empower people to limit what data advertisers collect about them – and empower regulators to investigate and enforce if they don’t," a Mozilla spokesperson said.
"So, the more hurdles that can be thrown in the way of setting adoptions like recognizing browser or plug-in flags, the longer such data can be traded and sold when mechanisms are limited."
Mozilla said that in the absence of standard mechanisms to express privacy preferences, it has enabled Enhanced Tracking Protection by default to help consumers regain control over those attempting to track their browsing activity online. ®