Ambiguous Rules, Unconstitutional Requirements, and Lack of Time to Comply Will Hurt Californians
June 8, 2020 - Final proposed regulations submitted by the Office of the California Attorney General (CA AG) to implement the California Consumer Privacy Act (CCPA) fail to provide businesses with needed clarity and time to comply and contain unconstitutional requirements that exceed the CA AG’s authority and could frustrate consumers, according to several leading advertising trade associations. The American Association of Advertising Agencies (4A’s), American Advertising Federation (AAF), Association of National Advertisers (ANA), Digital Advertising Alliance (DAA), and Interactive Advertising Bureau (IAB) voiced concern that unclear regulations will further harm businesses and the state economy during difficult economic times. The groups also asked the Office of Administrative Law (OAL) to reject the unconstitutional mandates added to the regulations.
The associations strongly oppose language in the final proposed regulations that goes beyond the CCPA’s intent and scope to institute a blanket requirement for businesses to honor browser signals and other controls. In creating this new mandate, the CA AG rejected requests to clarify that businesses may honor global controls or offer consumers another, equally effective method of opting out of personal information sale. This clarification would have avoided the constitutional concerns inherent in the requirement and would better enable businesses to abide by consumers’ expressed choices. It would also have prevented intermediaries from setting signals that do not align with consumer preferences and cannot be validated as a true expression of choice.
“The CCPA does not say anything about browser controls. The CA AG illegally created this new requirement which will prevent consumers from exercising their preferences,” said ANA’s Dan Jaffe. “The OAL should reject this language because the CA AG exceeded his authority and failed to pursue alternatives that would respect consumer choices and comply with the law.”
"The digital advertising industry has a long record of honoring valid consumer privacy opt-out requests and has had that commitment independently monitored and enforced for many years,” said Lou Mastria of DAA. “It is unfortunate that this proposal suggests otherwise when the CA AG could have leveraged existing widely-deployed and honored market tools, which are already referenced in CA privacy law, to achieve similar outcomes."
“We fully support the goal of creating strong and meaningful privacy protections for Californians. For seventeen months, we have asked for regulations that clear up ambiguous language in the legislation to help our members build the systems and processes to comply with the CCPA,” said Dave Grimaldi of IAB. “Unfortunately, the proposed regulations leave critical questions unanswered and subject to the ‘prosecutorial discretion’ of the Attorney General. Californians deserve clear laws that are not subject to the whims of law enforcement.”
“The CA AG dismissed substantive concerns and questions at every step of the rulemaking process yet still delayed submission of the final proposed regulations until less than a month before the planned enforcement date,” Grimaldi continued. “To make matters worse, the CA AG has asked the OAL to expedite their review which has created further uncertainty about their effective date and may further compress the timeline to comply with the newly finalized rules.”
On March 20, 2020, in the midst of the spreading COVID-19 pandemic, the associations were joined by a group of more than sixty-five trade associations, organizations, and companies that sent a letter to the Attorney General urging a delay in enforcement until January 2, 2021. Even as Governor Newsom extended state regulatory deadlines in recognition of the impact of the pandemic, the CA AG ignored this request. The associations believe the actions taken by the CA AG this week overlook the significant disruption that has impacted businesses as they work to protect employees and consumers from COVID-19. Businesses, consumers, and the public health would benefit from a reasonable forbearance of enforcement during this pandemic, they argue.
“We started with an ambiguous law that will require an estimated $80 billion in compliance costs. As these regulations were being drafted, society, the business community, and consumers have been devasted by a public health emergency and economic crisis,” said Alison Pepper of 4A’s. “The addition of vague guidance, arbitrary new requirements, and a rush to finalize and enforce new regulations will be a disaster for consumers, businesses, and the state economy.”
The regulatory impact assessment published by the CA AG estimated the initial costs for state businesses to comply with the CCPA will be $55 billion, equivalent to 1.8 percent of California Gross State Product in 2018. The report estimated that additional costs to comply with just the new regulations still to be issued at the time of the assessment could run as high $16.5 billion over the next decade. The report found that small businesses “are likely to face a disproportionately higher share of compliance costs relative to larger enterprises,” and that this “will present real challenges for small businesses in the short term.” The assessment did not consider the impact mandating adherence to browser or other global settings would have on businesses. Finally, the assessment states that, for firms operating within California, the CCPA “will provide a competitive disadvantage relative to firms that operate only outside of the state.”
“Our organizations advocate for extending strong privacy protections to all Americans and support the comprehensive framework for national legislation developed by the Privacy for America coalition,” said Clark Rector of AAF. “The new approach outlined by the coalition is more comprehensive than the CCPA, provides robust protections for consumers, clearly outlines prohibited data practices, and is backed by strong enforcement.”