Keypoint: The requirements for recognizing opt-out preference signals for certain types of processing vary widely depending on which state laws apply.
This is the sixth post in our ten-part weekly series comparing key provisions of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, we are exploring important distinctions between them. If you are not already subscribed to our blog, consider subscribing now to stay updated.
In this article, we analyze how each of these laws treats opt-out preference signals. The California Consumer Privacy Act (CCPA), through its regulations, requires businesses to recognize such signals. However, the CPRA makes this an optional requirement. In contrast, Colorado will require controllers to recognize these signals as of July 1, 2024, whereas Virginia sits on the other end of the spectrum and does not require controllers to recognize them.
In the article below, we first discuss how California currently addresses this issue under the CCPA and how the CPRA will change those requirements. We then discuss Colorado’s approach.
California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
The CCPA does not statutorily require businesses to recognize opt-out signals. Rather, § 1798.135(a) requires businesses that sell personal information to provide a clear and conspicuous link on their web page titled “Do Not Sell My Personal Information.” However, § 1798.185(a)(4) authorizes the Attorney General’s office to establish rules and procedures to “facilitate and govern the submission of a request by a consumer to opt-out of the sale of personal information pursuant to Section 1798.120” and to “govern business compliance with a consumer’s opt-out request.”
Based on this statutory authority, when the California Attorney General’s office published its first draft CCPA regulations, it introduced the concept that businesses would need to “treat user-enabled privacy controls, such as a browser plugin or privacy setting or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information as a valid request” to opt out.
The Attorney General affirmed this requirement in the final CCPA regulations. Specifically, § 999.315(c) states that if “a business collects personal information from consumers online, the business shall treat user-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information as a valid request submitted pursuant to Civil Code section 1798.120 for that browser or device, or, if known, for the consumer.”
The Attorney General’s inclusion of the requirement in the regulations drew criticism from businesses that maintained that the office had exceeded its rulemaking authority. The office responded to these criticisms at length in its Final Statement of Reasons, arguing that businesses should recognize these signals in addition to providing the “Do Not Sell My Personal Information” link. In addition, the Final Statement of Reasons explained the requirement “is forward-looking and intended to encourage innovation and the development of technological solutions to facilitate and govern the submission of requests to opt-out.”
The CCPA regulations went into effect on August 14, 2020. In July 2021, the Attorney General’s office published updated CCPA FAQs, stating that businesses must honor Global Privacy Control (GPC) signals as a valid opt-out request. In its updated FAQs, the Attorney General stated that “the GPC is one option for consumers who want to submit requests to opt-out of the sale of their personal information via a user-enabled global privacy control. Under law, it must be honored by covered businesses as a valid consumer request to stop the sale of personal information.”
The signal must be sent “with the consumer’s consent by a platform, technology, or mechanism, based on technical specifications set forth in regulations adopted” by the California Privacy Protection Agency (CPPA).
Businesses, however, may attempt to circumvent the opt-out signal by providing “a link to a web page that enables the consumer to consent to the business ignoring the opt-out preference signal with respect to that business’ sale or sharing of the consumer’s personal information or the use of the consumer’s sensitive personal information.” The consent page must allow consumers the ability to easily revoke consent. The web page link cannot degrade the consumer’s experience on the web page and must have a similar look, feel, and size relative to other links on the same web page.
As noted, the CPPA is required to develop regulations governing the opt-out signal. Specifically, §§ 1798.185(19) and (20) require the CPPA to issue regulations governing the technical specifications for the signal, how a business can seek to obtain consumer consent to circumvent the signal, and how a business must respond to the signal.
Finally, it remains to be seen how the CPPA will address the Attorney General’s current regulations and FAQs, which require businesses to honor GPC signals as valid opt-out-of-sale requests under the CCPA. With the CPRA making the recognition of opt-out signals optional, there is a need to reconcile the two.
Colorado Privacy Act (CPA)
The CPA creates a two-step approach to opt-out signals.
From July 1, 2023 (when the CPA goes into effect) until July 1, 2024, controllers that process personal data for targeted advertising or sales may allow consumers to opt out of such processing through a user-selected universal opt-out mechanism. Effective July 1, 2024, controllers are required to allow consumers to opt out.
Similar to California, the CPA charges the Colorado Attorney General with issuing technical specifications governing the opt-out mechanism. The Attorney General is required to issue the regulations by July 1, 2023, and must address the characteristics identified in § 6-1-1313(2). The rules must satisfy several basic parameters, including that the mechanism represent a consumer’s affirmative choice rather than adopt a default setting, require controllers to inform consumers about their opt-out choices, and permit authentication of a consumer as a resident of the state.
In addition, similar to the CPRA, controllers can attempt to circumvent the opt-out mechanism by collecting consumer consent “through a web page, application, or a similar method.” Obtaining consent is conditioned on controllers providing consumers with proper notice and allowing consumers to easily revoke their consent.
Virginia Consumer Data Protection Act (VCDPA)
The VCDPA does not require controllers to recognize opt-out preference signals.
Consequence of the Variations
An organization’s compliance burden on this issue will depend on the law(s) to which it is subject. Organizations subject to the CPA will need to recognize opt-out signals as of July 1, 2024. In California, the CPRA makes recognition of a GPC signal optional, notwithstanding the current position of the Attorney General that recognition of all opt-out signals is mandatory. And, in Virginia, there is no requirement at all. As a result of these different obligations, organizations may consider implementing geotargeting of IP addresses to determine when to recognize the signals or they may choose to recognize signals without regard to geography.
It also will be important for organizations to closely monitor the CPPA and the Colorado Attorney General’s rulemaking on this issue. It will likewise be important for the two agencies to closely monitor each other’s rulemaking to ensure that their regulations allow for interoperability between the laws. The creation of differing standards or requirements will potentially create unnecessary confusion and compliance costs.