Chalk up a win for the good guys on data privacy. And California residents are the ultimate winners.
Back in December, 2020, the Me2B Alliance submitted a letter to the Office of the Attorney General for the State of California. The letter was in response to proposed changes to the regulations adopted by the AG’s office to implement the California Consumer Privacy Act (CCPA). Our letter noted that the Alliance has a clear preference for privacy by default , which in this instance means that “opt in” (a consumer’s clearly stated preference to share her information and receive advertising) is a more respectful default standard than requiring consumers to “opt out.” Further, as our letter pointed out, “mandating opting-out of selling data is tantamount to a default setting allowing the selling of data.” Instead, people should be presented with a clear, affirmative statement to allow the selling of data.
Proposed section 999.315(f) of the California privacy regulations would have created a uniform button to signify the consumer’s ability to opt out of having her personal information sold online. Our letter observed that the problem with this approach is that the button is a generic checkmark icon. Research amply shows that these kinds of icons are less understandable as a user interface (UI) than a simple “do not sell my data” text statement. We also pointed out other infirmities with the icon approach, which the new regulations would have mandated for all businesses in California.
On March 15th, the AG’s Office of Administrative Law (OAL) approved additional CCPA regulations promulgated by the Department of Justice. Notably, the Department withdrew its original language mandating the “Privacy Options” icon. In its place is new language making commercial use of the icons optional only. In other words, our stated concerns about the icons were well received, and ultimately adopted.
We wish to thank the Department of Justice for considering and acting upon our concerns. We believe millions of residents of California will be better served by online privacy notices that more clearly communicate their rights to control access to their personal data.