Why a tweet from California’s AG about a global privacy tool has companies scrambling

By Kate Kaye

From retail brands to small publishers, a flurry of companies have been calling privacy lawyer Dominique Shelton Leipzig about a recent tweet from the California Attorney General regarding a new global privacy opt-out tool called Global Privacy Control. The successor to Do Not Track has some in the the media and ad industry scrambling to understand its implications for complying with the California Consumer Privacy Act (CCPA) and future privacy regulation.

We’re heartened to see how CCPA has spurred #DataPrivacy innovation like @globalprivctrl (GPC).

Instead of opting out of each individual website, users can enable a ‘stop selling my data switch’ on the @DuckDuckGo, @Brave, or @Mozilla browsers w/ the GPC. https://t.co/hcYc2xGY5k

— Attorney General Becerra (@AGBecerra) January 28, 2021

“I woke up to it,” Shelton Leipzig, partner and co-chair of ad tech privacy and data management practice at law firm Perkins Coie, told Digiday about the Jan. 28 tweet from Xavier Becerra, California’s AG. Becerra has been nominated by President Joe Biden to be the secretary of health and human services; a replacement for his spot overseeing the enforcement of the California’s privacy law has yet to be named.

Developed by a small group of privacy researchers and introduced in October, GPC is an opt-out tool that works like the Do Not Track method that garnered so much attention around 2013, but eventually fizzled. The idea is to make it easier for people to prevent companies from selling their personal information. Rather than having to notify each individual company or website separately, they can use the tool that enables their browsers to automatically send a signal requesting websites and ad tech intermediaries to opt-out from selling their data.

Both the CCPA and Europe’s General Data Protection Regulation give people the right to opt-out from data sales and sharing. The California law specifically calls on businesses to allow opt-outs via “user-enabled global privacy controls, such as a browser plug-in or privacy setting.”

Becerra’s implication that the tool serves as a valid opt-out request under the CCPA, which went into effect on Jan. 1, 2020, clarifies the industry’s uncertainty around how the AG’s office is thinking about technical standards for compliance, according to Shelton Leipzig. “It just accelerated the timeline,” she said.

“I think that your readers should take it very seriously that our attorney general has tweeted that the GPC standard meets the current CCPA regulations,” said Shelton Leipzig, who practices in California.

“Every company that has a website where third-party cookies are there and users can approach the website via one of these browsers that have signed up are vulnerable,” said Shelton Leipzig said. She added that companies doing business in California that do not respect the browser opt-out request will be subject to consumer complaints or compliance enforcement from the AG’s office. Several lawsuits have been filed in relation to CCPA.

It remains to be seen how widely people will adopt GPC. People who have …read more

Source:: Digiday