Recently new California Attorney General Rob Bonta released a set of Frequently Asked Questions (FAQs) shaping the consumer privacy rights granted by the California Consumer Privacy Act (CCPA) in 2018 and expanded upon in the California Privacy Rights Act (CPRA) in 2020- even though the California laws make no mention of his office’s authority to do this and with a legally specified, public regulatory process set to begin in less than 18 months. Concerningly, the FAQs directly contradict the CPRA by requiring compliance with a user-enabled Global Privacy Control (GPC), rather than that being one option, and by pointing toward one browser technology that actively limits user choice in privacy control- a problem compounded when public reports indicate that the AG is already pursuing enforcement with these FAQs as guidance.
What is IAB doing? IAB first engaged on this issue at the beginning of the year, when former AG Xavier Becerra simply tweeted approval for a GPC, a confusing move well outside any formal policy channels. With AG Bonta unfortunately continuing this trend and creating further confusion among users and within the digital ecosystem, IAB sent a letter to him noting our support for consumer choice in uses of data but asking him to withdraw the FAQs and defer to the new California privacy agency being set up explicitly to effectuate these new privacy laws. With the idea of GPCs becoming more prominent in state laws (eg in Colorado’s new law and in Florida’s nearly-passed state law), we will continue to engage in these regulatory processes and, in collaboration with Tech Lab, guide policymakers toward sensible, responsible frameworks.