Key point: Businesses that sell personal information under the CCPA are now required to honor Global Privacy Control signals.
In an update to its CCPA FAQs, the California Attorney General’s office has stated that businesses that sell personal information must honor Global Privacy Control (GPC) signals.
By way of background, § 1798.120 of the CCPA requires businesses to honor consumer requests to opt out of the sale of their personal information. To enable consumers to exercise this right, § 1798.135 requires such businesses to provide “a clear and conspicuous link on the business’s Internet homepage titled ‘Do Not Sell My Personal Information’ to an Internet Web page that enables a consumer, or a person authorized by the consumer, to opt-out of the sale of the consumer’s personal information.” Although § 1798.135 only requires a “Do Not Sell My Personal Information” (DNSMPI) link, § 1798.185(a)(4) empowers the AG’s office to promulgate regulations to “facilitate and govern the submission of” opt-out requests, and § 1798.140(i) provides the AG’s office with discretion to approve additional methods of submitting requests.
Relying on this statutory authority, the AG’s office promulgated § 999.315 of the CCPA regulations (Requests to Opt-Out), requiring businesses to provide two or more methods for submitting opt-out requests. These methods include the DNSMPI link as well as a “toll-free phone number, a designated email address, a form submitted in person, a form submitted through the mail, and user-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information.”
With respect to global privacy controls, the regulations explain: “If a business collects personal information from consumers online, the business shall treat user-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information as a valid request submitted pursuant to Civil Code section 1798.120 for that browser or device, or, if known, for the consumer.”
Starting on page 47 of its Final Statement of Reasons, the AG’s office provided a lengthy explanation for why it believed it had the statutory authority to require businesses to honor user-enabled global privacy controls and how such controls would benefit consumers. However, the AG’s office recognized that this regulation was “forward-looking and intended to encourage innovation and the development of technological solutions to facilitate and govern the submission of requests to opt-out.” In other words, the AG’s office recognized that, at the time the Final Statement of Reasons was published on June 1, 2020, a viable user-enabled privacy control did not exist.
In response to the AG regulations, a coalition of various stakeholders began working on the GPC. In October 2020, then-Attorney General Becerra tweeted his support for this ongoing work. In its updated FAQs, the AG’s office has now gone one step further and stated that “the GPC is one option for consumers who want to submit requests to opt-out of the sale of their personal information via a user-enabled global privacy control. Under law, it must be honored by covered businesses as a valid consumer request to stop the sale of personal information.”
In light of the AG’s comments, businesses that sell personal information will need to analyze how to comply with GPC signals. For reference, some cookie management tools can be leveraged to do so. See, e.g., here. The GPC also has published guidance available here.