Thank you for the opportunity to submit comments to the Consumer Data Protection working group. Consumer Reports offers several suggestions to help ensure the effective implementation of this consumer protection measure.
We support the Office of the Governor’s proposal to require companies to honor browser privacy signals as opt outs. California currently requires businesses to honor browser privacy signals as an opt out of sale, (§ 999.315(c)), and Colorado will require businesses to honor them in 2024. One such browser privacy signal, Global Privacy Control (GPC), is already integrated into browsers and extensions that some 40 million users rely on.
Without a requirement that businesses honor these signals, consumers would have to opt out at each business one by one, which isn’t practical. Businesses can still advertise through their own sites or contextual ads. But these signals give consumers the opportunity to opt out of tracking across the web to deliver ads on other sites, behavior over which the CDPA was intended to give consumers control.
This requirement should also be paired with language to close potential loopholes that companies have exploited in order to continue to deliver cross-context targeted advertising outside of the opt out. This can be achieved by ensuring that the definition of sale covers all transfers to third parties for a commercial purpose, and adjusting the targeted advertising definition so that it covers the targeting of advertisements to a consumer based on the consumer’s activities over time and across one or more businesses, and limiting the exemption in subsection (1) of the definition to commonly branded websites or online applications. The current language in the CDPA is ambiguous, and could allow internet giants to serve targeted ads based on their own vast data stores on other websites, in spite of the opt out.
We also recommend denying carveouts proposed by data broker RELX and the National Insurance Crime Bureau (NICB). RELX requested to amend the CDPA so that data brokers may treat deletion requests as an opt out of sale. But this would leave consumers vulnerable to data breaches of retained information. RELX’s own subsidiaries have been breached nearly 60 times. A narrower amendment could be based on CCPA regulations that state: “A business may retain a record of the request for the purpose of ensuring that the consumer's personal information remains deleted from the business’s records.” (§ 999.313(d)(3)).
Second, NICB asked for an exemption for non-profits for the purpose of fraud reporting to government entities. But there is a full exemption in the law for controllers and processors to “Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action[,]” and to “Assist another controller, processor, or third party with any of the obligations under this subsection.” Any additional exemption would be unnecessary, and harmful to consumers. At the very least, these companies should be subject to transparency requirements so that consumers know the information that is being reported about them, and to have the opportunity to correct any errors.
Thank you for your consideration.
Thank you for the opportunity to submit comments to the Consumer Data Protection working group. Consumer Reports offers several suggestions to help ensure the effective implementation of this consumer protection measure. We support the Office of the Governor’s proposal to require companies to honor browser privacy signals as opt outs. California currently requires businesses to honor browser privacy signals as an opt out of sale, (§ 999.315(c)), and Colorado will require businesses to honor them in 2024. One such browser privacy signal, Global Privacy Control (GPC), is already integrated into browsers and extensions that some 40 million users rely on. Without a requirement that businesses honor these signals, consumers would have to opt out at each business one by one, which isn’t practical. Businesses can still advertise through their own sites or contextual ads. But these signals give consumers the opportunity to opt out of tracking across the web to deliver ads on other sites, behavior over which the CDPA was intended to give consumers control. This requirement should also be paired with language to close potential loopholes that companies have exploited in order to continue to deliver cross-context targeted advertising outside of the opt out. This can be achieved by ensuring that the definition of sale covers all transfers to third parties for a commercial purpose, and adjusting the targeted advertising definition so that it covers the targeting of advertisements to a consumer based on the consumer’s activities over time and across one or more businesses, and limiting the exemption in subsection (1) of the definition to commonly branded websites or online applications. The current language in the CDPA is ambiguous, and could allow internet giants to serve targeted ads based on their own vast data stores on other websites, in spite of the opt out. We also recommend denying carveouts proposed by data broker RELX and the National Insurance Crime Bureau (NICB). RELX requested to amend the CDPA so that data brokers may treat deletion requests as an opt out of sale. But this would leave consumers vulnerable to data breaches of retained information. RELX’s own subsidiaries have been breached nearly 60 times. A narrower amendment could be based on CCPA regulations that state: “A business may retain a record of the request for the purpose of ensuring that the consumer's personal information remains deleted from the business’s records.” (§ 999.313(d)(3)). Second, NICB asked for an exemption for non-profits for the purpose of fraud reporting to government entities. But there is a full exemption in the law for controllers and processors to “Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action[,]” and to “Assist another controller, processor, or third party with any of the obligations under this subsection.” Any additional exemption would be unnecessary, and harmful to consumers. At the very least, these companies should be subject to transparency requirements so that consumers know the information that is being reported about them, and to have the opportunity to correct any errors. Thank you for your consideration.