By now, it is generally known that comprehensive privacy laws include requirements to allow consumers to opt-out of the sale of their personal information, including personal information collected through the use of online behavioral advertising cookies. For instance, the California Consumer Privacy Act of 2018 (“CCPA”) requires that covered businesses provide at least two mechanisms for allowing consumers to opt-out of the sale of their personal information including through use of a toll-free telephone number. What has received less attention until recently is the use and recognition of a global privacy signal available on web browsers or via a browser extension.
Two states at least will ultimately require recognition of the Global Privacy Control (“GPC”)—namely, California under both the CCPA and the California Privacy Rights Act (“CPRA”) regulations and Colorado pursuant to the Colorado Privacy Act (“CoPA”). The GPC is a mechanism (e.g., a browser setting) that allows consumers to opt-out of targeted advertisements and/or the sale of personal information through a pre-determined signal. These global privacy signals allow consumers to make a single opt-out request that applies to all websites able to recognize the signal rather than manually electing this option on each website individually, which is the current default in the US and the EU.
Under the CCPA, CPRA, and CoPA, a global privacy signal must be honored by covered businesses and must be treated as a valid consumer request to opt-out of the sale or sharing of the consumer’s personal information subject to certain exceptions. Meanwhile, the state of the technology surrounding GPCs is in flux. As of this writing, there is no universal solution to enabling a GPC in all web browsers. Mozilla Corp.’s Firefox browser was updated in December 2021 to include a GPC; but it remains unclear how or when other popular browsers—e.g., Edge and Chrome—will integrate a GPC. Although not all browsers have an integrated GPC, standalone browser extensions are available from various developers including, e.g., Abine and DuckDuckGo, which allow consumers to enable GPCs in browsers that are not yet equipped with GPCs.
California
Under the California Attorney General’s CCPA regulations, a business that “collects personal information from consumers online . . . shall treat user-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information as a valid request submitted” under the CCPA.[1] Despite requiring covered businesses to recognize global privacy signals as a valid opt-out method under the CCPA, California regulators have not published clear guidance as to how covered businesses are expected to recognize and respond to global privacy signals. The CCPA’s implementing regulations merely explain that global privacy signals “shall clearly communicate or signal that a consumer intends to opt-out of the sale of personal information.”[2] Regarding conflicting signals between a user’s global privacy signal and a user’s stated preference through a cookie preference center, the regulations require covered entities to respect the signal over any other user-stated preferences.[3] This is of particular importance given that the first monetary settlement under the CCPA referenced alleged failure to honor the GPC. This settlement likely indicates that future enforcement will emphasize cookies, opt-outs and indeed recognition of the GPC. Businesses can and should address this issue now, if possible utilizing technology that purports to recognize such signals automatically. Beginning January 1, 2023, the CPRA goes into effect together with its own requirement to recognize a universal opt-out mechanism.
Colorado
Under CoPA (which goes into effect on July 1, 2023), controllers who process personal data for the purpose of targeted advertising or the sale of personal data “shall” allow consumers to exercise the right to opt out of processing for such purposes through a user-selected universal opt-out mechanism.[4] But, as set forth below, this provision does not take effect until 2024. In addition, a consumer still may consent to the collection and use of their personal information for the purpose of targeted advertising or the sale of personal information.[5] Where the consumer consents to such processing, the consumer’s consent “takes precedence over any choice reflected through the universal opt-out mechanism.”[6]
Before the requirement to recognize a universal opt-out mechanism becomes operative on July 1, 2024, the Colorado Attorney General’s office is expected to adopt rules detailing the technical specifications for one or more universal opt-out methods. These regulations must be finalized by July 1, 2023, and the regulations must contain certain limitations on use of the GPC.[7] Specifically, the universal opt-out mechanism:
- cannot unfairly disadvantage the controller;
- may not be a default setting and, instead, must clearly represent the consumer’s affirmative, freely given, and unambiguous choice to opt-out of the processing of personal data;
- must be consumer friendly, clearly described, and easy to use by the average consumer; and
- must be consistent with any other similar mechanisms required by law or regulation in the US.[8]
In addition, the controller:
- must be required to inform consumers of the universal opt-out mechanism; and
- must be able verify the consumer’s state residency and verify that the consumer has affirmatively opted out of the collection and use of personal information for targeted advertising or the sale of personal data.[9]
Forthcoming CoPA regulations should shed more light on operational requirements.
The emergence and adoption of global privacy signals will likely become critical to businesses’ online operations in the near future, and as recent enforcement activity makes clear, this issue is a current priority for California regulators. But, despite the growing regulatory support for global privacy signals, the feasibility of implementing, recognizing, and responding to such signals remains unclear. At present, most businesses likely will need to rely on third party providers for technical assistance. Businesses should work with IT and other technical professionals to ensure GPC technology, however nascent, can be recognized if necessary.
11 CCR 7026(a), (c). Note that a global privacy signal must be treated as a request directly from the consumers, rather than as a request from an authorized agent. Id., at (f).
[2] 11 CCR 7026(c).
[3] Id., at (c)(2). Note, however, that the covered business may notify the consumer of any conflict and ask for confirmation of the consumer’s interest in participating in any business-specific privacy setting or participation in a financial incentive program.
[4] Id., at (iv)(b).
[5] Id., at (iv)(c).
[6] Id., at (iv)(c).
[7] Id., at (iv)(a); 6-1-1313(b).
[8] CoPA 6-1-1313(2).
[9] Id.
[View source.]