Last-Minute Proposed Changes Could Weaken Landmark CA Privacy Rules, Consumer Watchdog Calls on Commission to Tighten Rules in New Report Outlining Regulations

LOS ANGELES, October 25, 2022 /PRNewswire/ — As California begins to finalize groundbreaking privacy legislation this week, Consumer Watchdog is asking the agency to draft regulations to tighten the rules so users can recover their private data.

Late-breaking changes to the rules include removing the requirement to identify third-party recipients of data and allowing companies to opt out of displaying privacy choices made by consumers.

Our personal data is sold hundreds of times a day and is worth hundreds of billions of dollars, but if the regulations of a privacy law, the first in the country, are properly established, consumers will gain unprecedented control over their personal information in just a few months.

“The Privacy Commission needs to put these rules in place and these last-minute proposals would weaken otherwise strict rules in favor of California’s right to privacy,” said Justin Kloczko, technology and privacy advocate for Consumer Watchdog, author of the new report Dawn of Privacy. “Your personal data is what determines the type of loan or job you get, or the advertisements you see. It is the duty of the Privacy Commission to fully protect our rights.”

In a new report, Consumer Watchdog analyzed regulatory proposals from the law’s enforcement agency, the California Privacy Protection Agency. The regulation comes into force January 1, 2023. The commission will meet to finalize the regulations on October 28-29. The threat of federal preemption is also being considered, as the US Data Protection and Privacy Bill would remove California’s enhanced privacy rights.

Read the report here.

Just by browsing the Internet, the average American resident sees their data auctioned off 750 times a day. That’s twice the number for Europeans and more lucrative than Amazon sales. Facebook alone compensates $1,000 annually per person selling personal information. Experts say these auctions happen in nanoseconds, fueling a half-trillion-dollar digital advertising market. The more specific the personal data, the more an entity is willing to pay for it.

But new privacy regulations under the voter-approved California Privacy Rights Act of 2020 are being finalized, and they give people the ability to opt out of the sale and sharing of data with third parties, providing a crucial shield against personal information getting into the wrong hands.

Preemption will replace state progress as California who wish to improve the laws put in place at the federal level.

“As people understand that data has become a valuable extension of themselves, now they can take back what is rightfully theirs,” Kloczko said.

Here is how the regulations can be improved:

  • Facilitate the opt-out: The proposed regulations state that a company may offer the consumer the option to “provide additional information” to facilitate the consumer’s request to opt out of the sale/sharing. The language could be interpreted as allowing companies to frequently request a name and email when someone opts out. Unnecessary hurdles in the opt-out process defeat the intent of the law. Consumers are likely to be fatigued if they are constantly asked to confirm their privacy choices.
  • Honor the sale/share opt-out immediately: Under the regulations, companies have 15 days to honor a person’s request to stop selling or sharing data with third parties, as well as 15 days to limit the use and disclosure of sensitive personal information. This is a massive window that threatens to overturn the intent of the entire law. Even when someone opts out, personal information will still be sold because companies are given a two-week grace period. Companies should be forced to honor someone’s opt-out request as quickly as they are able to sell that person’s data, which privacy experts say takes just seconds. This discrepancy should be eliminated.
  • View privacy choices: The board should not remove the requirement that the consumer’s opt-out choice must be displayed. Under the council’s proposed change, a business will not be required to display on its website whether it has processed a consumer’s choice to opt out of selling/sharing personal information, leaving people in the dark as to whether they have exercised their privacy rights.
  • Identify third parties: The Privacy Council has proposed removing the requirement for companies to identify third parties that collect personal information in a notice of collection. Users must know who will have their information in order to exercise their privacy rights.

The report also highlights the most important regulations:

  • The ability to opt out of having data shared with third parties. Some companies have argued that the 2018 CCPA only prevents the “sale” of data, not the sharing of data that powers the business model of many social media and advertising companies.
  • Businesses must display a “Do Not Share/Sell My Information” button on their websites and a new “Limit the use of my sensitive personal information” button on their homepage. Consumers will now be able to prevent the use of sensitive data by first parties, including: health, race and ethnicity, specific location, sexual preference, union membership and religious beliefs.
  • More transparency: Companies must also provide a list of the categories of sensitive information collected, whether personal information is sold or shared, and how long the company intends to keep each category of personal information.
  • People can also use a single opt-out signal that every website and business must honor. This allows users to notify websites of their privacy choices instead of opting out individually at each website.
  • Disclaimers should be fluid, which means they can’t use misleading language or pop-ups to tire users. “Dark Patterns,” or deceptive means by which companies convince users to give up their privacy, are prohibited.
  • The right to delete or correct inaccurate personal information that a company has compiled and to notify third parties of requested changes. ACPL also expands deletion requests by requiring companies to notify third parties who hold the data.
  • The use of data must be proportionate to the purpose. A business cannot use data for a reason totally unrelated to why the consumer provided it. For example, a flashlight app cannot use your geolocation to operate.
  • Actual Liability: CAPP may conduct announced or unannounced audits of entities to verify non-compliance with CAPP.

SOURCE Consumer Watchdog