Mozilla comments on CCPA regulations

Around the globe, Mozilla has been a supporter of data privacy laws that empower people – including the California Consumer Protection Act (CCPA). For the last few weeks, we’ve been considering the draft regulations, released in October, from Attorney General Becerra. Today, we submitted comments to help California effectively and meaningfully implement CCPA.

We all know that people deserve more control over their online data. And we take care to provide people protection and control by baking privacy and the same principles we want to see in legislation into the Firefox browser.

In our comments, we discuss three important provisions:

The definition of a third party: Usually, third party interactions are defined by the context of the data collection – not whether or not the party has a direct relationship with the user. More and more, we see companies collect data from a number of contexts: first parties, as a third party on a different site, or simply buying data directly from a data broker or reseller. These definitions should be clear that data is not regulated based solely on how the entity is categorized – but rather about the context in which the data was obtained.
The potential for fraud with data requests coming through authorized agents: We’re encouraged by authentication requirements, but concerned that a set of unauthorized agents may blanket companies with fraudulent requests .The opportunity for fraud and abuse is high particularly if the business responding to such a request does not have a meaningful opportunity to pursue their own authentication other than asking the authorized agent for proof of such authorization. Additional guidance on companies’ obligations to respond to third party agents would be helpful as companies try to balance security with responsiveness to access requests.
Metrics reporting: The regulations outline a series of public facing metrics companies must release about access requests. the specific reporting breakdowns required (do not significantly increase the understanding of how CCPA rights are being exercised and complied with. Companies like Mozilla that extend the same personal data rights to any person and cannot determine that individual’s location, will have difficulty complying with the metrics reporting as outlined in the draft regulations. We do not want to ask users who send us data access requests for additional personal information in order to comply with a metrics standard.

We look forward to continuing to work with the California Attorney General’s office to help protect the data of Californians – and we will keep working across jurisdictions to enact privacy and data protection laws across the globe.

While we will all have to see how implementation and enforcement roll out, we continue to be very encouraged to see California acting where the U.S. Congress has not (although we were also happy to see several frameworks released in advance of this week’s hearing). There are many shared elements between these laws, regulations, and drafts and the privacy blueprint we released earlier this year.

Open Policy & Advocacy

Work Gets Underway on a New Federal Privacy Proposal

Mozilla Weighs in on State Comprehensive Privacy Proposals

Mozilla’s Comments to FCC: Net Neutrality Essential for Competition, Innovation, Privacy

Global Privacy Control Empowers Individuals to Limit Privacy-Invasive Tracking

Mozilla applauds CFPB for taking on the Data Broker Ecosystem

Mozilla Mornings: Choice or Illusion? Tackling Harmful Design Practices

Mozilla Asks US Supreme Court to Support Responsible Content Moderation

The Revival We Need: The FCC Takes On Net Neutrality

Mozilla Meetups – Code to Conduct in AI: Open Source, Privacy, and More

Mozilla Meetups with CDT: Talking Tech Transparency

Continuing to Protect our Users in Kazakhstan

Continuing to Protect our Users in Kazakhstan

It’s time for the G20’s first digital agenda

Mozilla provides feedback to ACM’s DSA Guidelines

Global Network Fee Proposals are Troubling. Here are Three Paths Forward.

Mozilla Mornings on addressing online harms through advertising transparency

The EU’s Current Approach to QWACs (Qualified Website Authentication Certificates) will Undermine Security on the Open Web

Mozilla files comments with the European Commission on safeguarding democracy in the digital age

Mozilla applauds CFPB for taking on the Data Broker Ecosystem

Mozilla Weighs in on Accountability Legislation: Public policies like PATA can help to keep the Internet in the public’s best interest.

Open Fibre Data Standard: Understanding the True Extent of the Internet

Mozilla Meetups: The Building Blocks of a Trusted Internet

The FTC and DOJ merger guidelines review is an opportunity to reset competition enforcement in digital markets

Mozilla submits comments to the California Privacy Protection Agency

European Parliament’s version of the CRA threatens cybersecurity and open source development

Mozilla weighs in on the EU Cyber Resilience Act

Enhancing trust and security on the internet – browsers are the first line of defence

Working in the open: Enhancing privacy and security in the DNS

The Van Buren decision is a strong step forward for public interest research online