Security news that informs and inspires

EFF Says Privacy Loopholes Remain in CCPA


California is expected to begin enforcing its new consumer privacy law starting July 1, but the Electronic Frontier Foundation is concerned about all the loopholes that still remain.

California’s privacy law, which took effect in January, is considered to be among the most—if not the most—comprehensive consumer privacy law currently on the books in the United States. The regulations released by the state attorney general on how to implement the law posed a “‘good step forward’ that could have gone further,” EFF staff technologist Bennett Cyphers wrote. The regulations have been modified twice—once in February and again in March—and “some of the worst features of the regulations have been cut,” Cyphers wrote.

However, the regulations in the current form “still falls short of a user-friendly implementation of CCPA,” Cyphers wrote.

The EFF joined a coalition of privacy advocates to send a letter requesting the state attorney-general “to close business-friendly loopholes and make the CCPA an effective, enforceable tool for user privacy,” Cyphers wrote. The signatories to the letter include the EFF, American Civil Liberties Union of California, Campaign for a Commercial-Free Childhood, the Center for Digital Democracy, Common Sense Media’s policy arm Common Sense Kids Action, Consumer Action, the Consumer Federation of America, Media Alliance, Oakland Privacy, and the Privacy Rights Clearinghouse.

Even after the second round of modifications, it is still hard for consumers to exercise their right to opt out of the sale of their personal information, Cyphers noted. At the moment, businesses can ignore the user’s privacy-specific preferences if they were set in the software, such as the “do not track” option in web browsers. The issue centers around the idea of a “clear signal” and whether a user asking to opt out of tracking is also asking to opt out of sale of user data.

Major web browsers have a setting which lets users choose to send “do not track” headers—which tells sites to not collect the user’s data—with all of their web traffic. The privacy coalition’s letter argued that the setting should be a treated as clear signal to the business that the person has opted out of the sale of the information, and that the person should not have to explicitly tell individual businesses to not sell his or her information.

“A business that cannot collect a person’s information cannot sell that information,” the coalition’s letter said. “The greater (do not collect) includes the lesser (do not sell).”

The regulations currently state in [Sec 315 (d) (1)]: The privacy control shall require that the consumer affirmatively select their choice to opt-out and shall not be designed with any pre-selected settings.

The privacy coalition wants to remove the the clause about the pre-selected settings and make it explicitly clear to businesses that they have to treat the request to opt out of tracking as an opt-out for sale: A business shall treat a “Do Not Track” browsing header as such a choice.

The changes introduced in the latest modifications “threat to undermine the intent of the law.”

“Many consumers choose the software they use specifically to reflect their privacy choices,” the letter said. “If a user selects a browser extension or application in order to protect their privacy, they should not also need to select a separate setting in order to enjoy one of the most important privacy protections granted by CCPA, the right to opt out of sale.”

The privacy groups also took exception to the fact that data brokers that did not collect information directly from consumers didn’t have to notify the consumers they had that information. Under the original regulations, these businesses had to try to notify the consumers of the right to opt-out of the sale of the information, but the modifications since then have removed the condition that “efforts needed to be made to notify the consumers.

“Subsequent modified draft regulations have all but eliminated notice to consumers when their information is collected and sold by data brokers and other entities, many of which consumers have no knowledge of,” the letter stated.

The latest modifications have changed requirements so that data brokers don’t have to notify consumers even if they collect information directly from consumers. “If a business collects information directly from consumers, it should provide robust notice at collection, whether it is a data broker or not,” the letter said. “There is no reason why data brokers—whose business model is particularly pernicious to privacy—who collect information directly from consumers should provide any less notice than other companies who collect information directly from consumers.”

The coalition requested the attorney general revise the regulations to: A business that is registered as a data broker with the Attorney General pursuant to Civil Code section 1798.99.80 et seq. does not need to provide a notice at collection to the consumer if the information is not collected directly from the consumer and the business has included in its registration submission a link to its online privacy policy that includes instructions on how a consumer can submit a request to opt-out.

EFF’s Cyphers said the changes introduced in the latest modifications “threat to undermine the intent of the law.”