Global Privacy Controls Are Subject to The California Administrative Procedure Act

The California Attorney General may have created an underground regulation when it updated the Frequently Asked Questions section of its website to establish a new standard of general application that requires businesses to honor privacy opt-out signals online. Although the regulation requiring global privacy controls was approved by the Office of Administrative Law in 2020, that regulation did not establish a technical standard, and doing so would require undergoing a rulemaking process.

Under the California Administrative Procedure Act (APA), “regulation means every rule, regulation, order, or standard of general application adopted by any state agency to implement, interpret, or make specific the law enforced or administered by it, or to govern its procedure.” State agencies, with few exceptions, are required to adopt regulations following the procedures established within the APA. If a state agency issues, utilizes, enforces, or attempts to enforce a rule without following the APA, the rule is called an “underground regulation,” and state agencies are prohibited from enforcing underground regulations.

The Attorney General’s CCPA regulations do not establish or contemplate a technical standard for global privacy opt-out signals. While the regulations ambiguously reference global privacy signals in general, they establish no standard of general application for them. Recently, the California Attorney General issued a new technical standard of general application by updating the Frequently Asked Questions section of its website instead of undergoing the rulemaking procedure under the APA. The Attorney General’s website endorses a third-party product called Global Privacy Control (GPC) developed by a private company.

User-enabled global privacy controls (also called GPC signals) are third-party programs that send signals out to the internet advising websites of your privacy settings. In theory, users would download a third-party app or plugin to their computer and customize the preferences to be announced to the internet. As they browse online, the third-party app would send signals to the websites a user visits, telling them about the user’s privacy preferences. But just like your TV remote doesn’t work on your DVR, and your cable remote doesn’t work on your Apple TV, not all remotes and not all receivers are made the same. There is a lot of diversity among products, just like there is a lot of diversity among websites, and one signal made by one company will not automatically work across the internet. This is because no technical standard exists. The Attorney General therefore created a technical standard where one did not previously exist, and simultaneously stated on its website that the privately developed GPC product “must be honored by covered businesses as a valid consumer request to stop the sale of information” (oag.ca.gov/privacy/ccpa).

Demonstrably, the Attorney General’s establishment of a new technical standard here falls under the definition of a “regulation” under the APA because it is a standard of general application adopted by the Attorney General to implement the California Consumer Privacy Act, which notably makes no mention of global privacy controls or opt-out signals. But because the Attorney General created this new standard by updating the Frequently Asked Questions section of its website instead of following the notice and feedback procedures outlined in the APA, the GPC regulation could be considered an underground, and therefore unenforceable, regulation under the law.

Shoeb Mohammed, Policy Advocate