Board denies petition seeking default ‘minimal functional mode’ for devices, asks staff to study concepts
Get AI-powered insights, summaries, and transcripts
Subscribe
Summary
The California Privacy Protection Agency board voted 5–0 to deny a Feb. 9 rulemaking petition that would have required devices to ship with a minimal functional mode and tiered consent, citing Administrative Procedure Act timelines. The board nevertheless asked staff to further evaluate the petition’s ideas and consider informational workshops or legislative options.
The California Privacy Protection Agency board on Feb. 27 voted to deny a rulemaking petition that asked the agency to require a ‘‘minimal functional mode’’ and a tiered consent structure for general‑purpose consumer devices, citing procedural constraints under state administrative law.
Philip Laird, the agency’s general counsel, explained staff’s recommendation to deny the petition on timing and workload grounds: the Administrative Procedure Act timelines make it technically infeasible to prepare a notice, ISOR and other required materials and meet the statutory decision deadline by March 11. Laird said such a denial is procedural and ‘‘is not a rejection of the concepts necessarily,’’ and staff can be directed to study the ideas further as resources permit.
The petition — submitted Feb. 9 and redacted to protect that the filer is a minor — sought five items including defining a minimal functional mode for consumer devices, imposing a tiered consent structure for device activation, prohibiting manufacturers from conditioning core functions on consent to nonessential practices, and making privacy‑protective defaults for minors.
Public commenters and industry groups urged caution. Dylan Hoffman of TechNet argued the petition ‘‘effectively recasts the agency as a product safety regulator without explicit legislative authority’’ and warned of technical and security trade‑offs if account linking and update functionality were decoupled. Ronak Delami of the California Chamber of Commerce raised similar concerns, saying the petition could impose state‑specific device requirements and operational burdens.
At the same time board members praised the petition’s thoughtfulness and urged staff to study its core privacy goals. Board member Hamer called the petition ‘‘very well presented’’ and said the ideas could fit under the agency’s rulemaking priority of reducing friction in the exercise of privacy rights. Board member McTaggart suggested that the concepts might also be a fit for legislative sponsorship if the board elects not to pursue an immediate regulatory path.
After public comment, Board member McTaggart moved to deny the petition due to timeline and resource constraints and to ask staff to further explore the petition’s substance and potential policy pathways. Hamer seconded the motion. The roll‑call vote was 5–0 in favor of the motion (ayes: Hamer, Liebert, McTaggart, Ozer, Chair Urban); the motion carried.
What’s next: staff will evaluate whether the petition’s concepts can be addressed within the board’s existing rulemaking priorities (reducing friction, notices, opt‑out signals, employee data and audit rules) or whether referral to the Legislature is a more appropriate route. Staff also noted related legislative activity (AB 2561 on minimal privacy settings) and recommended monitoring that bill before embarking on agency rulemaking in the area.
Public reaction was split: privacy advocates and the petitioner’s supporters emphasized the need to reduce coercive consent flows, while industry groups pressed staff to convene technical workshops to understand feasibility and avoid unintended harms.