How a new tool that crowdsources California privacy law violation allegations creates gray areas for businesses
California is conscripting everyday people in its privacy law enforcement war.
California Attorney General Rob Bonta has been sending companies so-called “notice-to-cure” letters when they are found by his office to be out of compliance with the state’s California Consumer Privacy Act. Now his Department of Justice is crowdsourcing Californians to do the same using a new tool allowing them to create letters to send to companies via email or snail mail notifying them that they may be in violation of the law if they don’t include a homepage link for people to opt out from data collection. But rather than clarifying compliance questions for a law that already has been accused of being confusing, the tool could create a new gray area for companies to navigate.
“I think it’s an interesting tactic because it kind of puts the consumer in the attorney general’s office and helps them in the policing function,” said Jessica B. Lee, partner, chair, privacy, security and data innovations at law firm Loeb and Loeb.
The tool asks a series of questions related to details about the business in question such as “Does the business have a ‘Do Not Sell My Personal Information’ link on its website or its mobile app?” Similar to tools automating letters for political advocacy causes, it spits out a draft letter after questions are answered. One of many iterations of letter drafts created by the tool reads, “I believe that your business…is in violation of the California Consumer Privacy Act’s requirement to provide a clear and conspicuous ‘Do Not Sell My Personal Information’ link on its Internet homepage that enables consumers to opt out of the sale of their personal information.”
“It seems like it’s walking this really interesting line with outsourcing the cure notices” to everyday people, said Stacey Gray, senior counsel of Future of Privacy Forum.
Questions remain regarding due process
Simply using the tool does not make for an official consumer complaint regarding a CCPA violation, the AG’s office told Digiday. However, sending notice using a letter built with the tool could lead to enforcement action, according to Bonta. “This email may trigger the 30-day period for the business to cure their violation of the law which is a prerequisite of the attorney general, my office, bringing an enforcement action,” he said during a press conference on Monday to mark the one-year anniversary since the AG’s office began enforcing CCPA in July 2020.
When the attorney general’s office itself sends letters notifying firms they are not in compliance with CCPA, they get a 30-day grace period to work with the AG’s office to make changes to come into compliance.
The letter-generating tool raises “a number of due process concerns that don’t feel particularly well-thought-out,” said Lee. For instance, she said it’s not clear whether the 30-day clock starts ticking when someone sends a letter or if a company should wait until they get separate correspondence from the AG’s office.
She also said it is unclear whether companies receiving letters from people who use the tool would have the same ability to work directly with the AG’s office to determine an appropriate fix that they have been afforded when the office itself sends them a notice-to-cure letter. “That 30-day window opens the door to actual conversations with the attorney general’s office,” she said.
Lee also worried people might misuse the tool in a way that creates a barrage of consumer communications that companies would have to respond to even if they do not sell data. “This opens the door to potential nuisance letters going out,” said Lee.
Bonta said 75% of businesses receiving CCPA notice-to-cure letters have come into compliance within the 30-day cure period. “My belief is that the vast majority of businesses really want to comply and will comply. They want to know how and once they know how, they do,” he said.
Some CCPA-related investigations are under way into companies that did not comply within the allotted 30 days, Bonta said, but he declined to provide more detail.
A tool to spot dark patterns?
The tool might find a welcome user base among researchers tracking CCPA compliance, suggested Gray. Indeed, researchers like Jennifer King, privacy and data policy fellow at the Stanford Institute for Human-Centered Artificial Intelligence, have been watching for violations of recently established CCPA-related rules that prohibit the use of dark patterns in data collection notice design that obscure opt-outs. The tool gives people an option to indicate when a business features an opt-out link that is “very hard to find or confusing to find.”
For now, the tool is limited to drafting notices to businesses that do not post an easy-to-find “Do Not Sell My Personal Information” link on their sites, but the AG’s office said it “may be updated over time to include other potential CCPA violations.”