Around the globe, Mozilla has been a supporter of data privacy laws that empower people – including the California Consumer Protection Act (CCPA). For the last few weeks, we’ve been considering the draft regulations, released in October, from Attorney General Becerra. Today, we submitted comments to help California effectively and meaningfully implement CCPA.
We all know that people deserve more control over their online data. And we take care to provide people protection and control by baking privacy and the same principles we want to see in legislation into the Firefox browser.
In our comments, we discuss three important provisions:
- The definition of a third party: Usually, third party interactions are defined by the context of the data collection – not whether or not the party has a direct relationship with the user. More and more, we see companies collect data from a number of contexts: first parties, as a third party on a different site, or simply buying data directly from a data broker or reseller. These definitions should be clear that data is not regulated based solely on how the entity is categorized – but rather on the context in which the data was obtained.
- The potential for fraud with data requests coming through authorized agents: We’re encouraged by authentication requirements, but concerned that a set of unauthorized agents may blanket companies with fraudulent requests. The opportunity for fraud and abuse is high, particularly if the business responding to such a request does not have a meaningful opportunity to pursue their own authentication other than asking the authorized agent for proof of such authorization. Additional guidance on companies’ obligations to respond to third party agents would be helpful as companies try to balance security with responsiveness to access requests.
- Metrics reporting: The regulations outline a series of public-facing metrics companies must release about access requests. The specific reporting breakdowns required do not significantly increase the understanding of how CCPA rights are being exercised and complied with. Companies like Mozilla that extend the same personal data rights to any person and cannot determine that individual’s location will have difficulty complying with the metrics reporting as outlined in the draft regulations. We do not want to ask users who send us data access requests for additional personal information in order to comply with a metrics standard.
We look forward to continuing to work with the California Attorney General’s office to help protect the data of Californians – and we will keep working across jurisdictions to enact privacy and data protection laws across the globe.
While we will all have to see how implementation and enforcement roll out, we continue to be very encouraged to see California acting where the U.S. Congress has not (although we were also happy to see several frameworks released in advance of this week’s hearing). There are many shared elements between these laws, regulations, and drafts and the privacy blueprint we released earlier this year.