California has a privacy law, but will companies comply?

Most Americans are rightfully concerned about the privacy of their personal information, after years of scandals at companies like Facebook and Google. While Congress has failed to come up with a solution, California stepped up and passed the historic California Consumer Privacy Act (CCPA) into law. Much like any piece of regulation that seeks to hold the tech industry accountable, the measure received staunch opposition from lobbyists who are now working to undermine its implementation.

The CCPA provides consumers in California with key privacy protections, such as the right to access, delete, and stop the sale of their information, and greater transparency about how their data are used. These safeguards are particularly important because the federal government has failed to pass a privacy bill.

But even though companies had ample time to prepare to comply with the new law, they are now actively looking for loopholes, and some are ignoring the CCPA altogether.

For example, the Interactive Advertising Bureau (IAB), a trade group that represents the ad tech industry, is advising companies to evade the opt-out through a provision in the CCPA meant to allow a company to perform certain limited services on its behalf. IAB, along with several other advertising trade organizations, has even asked Attorney General of California Xavier Becerra to delay enforcement for six months — which would give them even more time to avoid compliance. Google announced that it will follow IAB’s lead, and Facebook has announced that its “like” buttons, which allow the company to track users’ behavior across the web — even if they are not logged in — is outside of the consumer opt-out clause.

Too many sites make it intentionally difficult to opt out of tracking and place an unfair burden on consumers to protect their privacy. TikTok, for example, sends consumers to two additional sites to manage its third-party targeted advertising preferences, although elsewhere in its privacy policy is a claim that it does not “sell your personal information to third parties.” These approaches frustrate one of the main objectives of the CCPA — to give consumers a simple way to stop the trade of consumer data on the open market.

Regulators in California should reference the playbook of companies when Europe’s General Data Protection Regulation went into effect. As a result of a lack of strong enforcement, companies operating in Europe have been able to circumvent compliance with the new regulation, and European regulators have been slow to react.

Attorney General Becerra should take action quickly on his broad authority to issue regulations to further the privacy intent of the CCPA.

Consumer Reports, along with 11 other privacy groups, has called on the attorney general to preserve consumers’ ability to exercise their privacy preferences under the new law by clarifying that the transfer of data for advertising constitutes a sale. Although these data transfers are clearly covered by the CCPA, the attorney general should make it abundantly clear that companies are prohibited from tracking consumers across the web in spite of an opt-out.

Finally, given the lack of a private right of action covering the privacy provisions of the CCPA, Attorney General Becerra needs to honor his commitment to hold companies accountable for not making good-faith efforts to comply. Enforcement will not start until July 1, so the attorney general must act now to put companies on notice about the consequences of circumventing the law.

Californians deserve better than the cynical efforts of companies seeking to avoid honoring consumers’ constitutional rights to privacy. And as other states, such as Washington, seek to introduce their own privacy laws, Attorney General Becerra needs to set an example other states can follow and send a clear message to companies: It’s time to respect consumers’ rights to say no to invasive tracking and sale of their personal information.

For now, when drafting any privacy legislation, policymakers at the state and federal levels should keep in mind the actions of the tech industry to skirt the CCPA and ensure that any future bill keeps the industry accountable and protects the digital rights of consumers.

Maureen Mahoney is a policy analyst in Consumers Report’s San Francisco office, where she works on a number of issues related to consumer privacy. In April 2014, she authored the policy brief “Errors and Gotchas: How Credit Report Errors and Unreliable Credit Scores Hurt Consumers.” She received an M.A. and Ph.D. in History from the University of Wisconsin-Madison and completed her undergraduate work at the University of Chicago.