Guide to Honoring Do Not Sell or Share Opt-Outs: Global Privacy Control Setup
California’s Consumer Privacy Protection Act (CCPA) grants consumers the right to opt out of the “sale” of their personal information. The Consumer Privacy Rights Act (CPRA) ballot initiative, which amends and strengthens the CCPA, also expands and clarifies this right. The CPRA introduces a parallel right for Californians to opt out of having their data “shared” (transmitted actively or collected passively) by providers of “cross-context behavioral advertising”. The goal of this expansion was to close a loophole in the CCPA and its original regulations that allowed certain advertising technology and services providers to sidestep Do Not Sell notice and opt-out obligations.
Notably, the California Attorney General introduced an obligation for businesses to honor user-initiated opt-out preference signals as a frictionless addition to other regulated Do Not Sell or Share opt-out mechanisms. Analogous obligations have been introduced in Colorado and Connecticut under their respective new privacy laws, but not in Virginia and Utah.
What is CCPA and What Are CCPA Regulations?
- The CCPA does not statutorily require businesses to recognize opt-out signals. Rather, §1798.135(a) requires businesses that sell personal information to provide a clear and conspicuous link on their web page titled “Do Not Sell My Personal Information.”
- §1798.185(a)(4) authorizes the Attorney General (AG) to establish rules and procedures to “facilitate and govern the submission of a request by a consumer to opt-out of the sale of personal information pursuant to Section 1798.120” and to “govern business compliance with a consumer’s opt-out request.”
- Section 999.306 of the CCPA Regulations requires the notice of the right to opt out to be posted on the page the consumer is directed to after clicking on the “Do Not Sell My Personal Information” link on the homepage or in the mobile application.
- Alternatively, per section §999.315(a) a business could offer “other acceptable methods for submitting these requests… such as a browser plug-in or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information.”
Per the AG’s FAQ, a GPC signal “must be honored by covered businesses as a valid consumer request to stop the sale of personal information.”
- §999.315(c)(2) of the CCPA Regulations clarifies that if such an opt-out signal clashes with a consumer’s “existing business-specific” privacy settings or choices, the opt-out signal should override such preferences.
- However, a business may “give the consumer the choice to confirm the business-specific privacy setting or participation in the financial incentive program.”
Important Note:
As indicated by the California Privacy Protection Agency (CPPA) in their CPRA Regulations, existing privacy choices such as those recorded through the IAB’s CCPA Compliance Framework and tools such as the DAA’s CCPA Opt-Out Tool should be overridden by an opt-out preference signal such as GPC.
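As an added illustration of the override rule just described (example code, not DataGrail’s tool and nothing from the regulations themselves), the JavaScript below, of the kind that could sit in a tag-manager custom script, reads the browser’s GPC flag via navigator.globalPrivacyControl and lets it override a Do Not Sell choice recorded earlier in an IAB US Privacy String. The usprivacy cookie name, the helper names and the sample strings are assumptions.

```javascript
// Added example (not DataGrail's or any regulator's code): decide whether tags that
// "sell" or "share" browser data may fire, giving a GPC signal priority over a choice
// recorded earlier in an IAB US Privacy String ("usprivacy" cookie, e.g. "1YNN":
// version 1, notice given, no sale opt-out, not under an LSPA). ES5 syntax because
// tag-manager Custom HTML containers have historically rejected newer syntax.

// Parse a US Privacy String; returns null for anything that is not a valid v1 string.
function parseUsPrivacy(str) {
  if (typeof str !== "string" || !/^1[YN-]{3}$/.test(str)) return null;
  return { explicitNotice: str[1], optOutSale: str[2], lspaCovered: str[3] };
}

// GPC is exposed to page scripts as navigator.globalPrivacyControl === true.
// The navigator object is injectable so the logic can be exercised off-browser.
function gpcEnabled(nav) {
  var n = nav || (typeof navigator !== "undefined" ? navigator : {});
  return n.globalPrivacyControl === true;
}

// Resolve the effective Do Not Sell or Share decision. Per the CCPA regulations
// above, the signal overrides an existing business-specific setting, so GPC wins
// whenever it is present; otherwise the recorded string decides.
function resolveOptOut(usPrivacyString, nav) {
  var prior = parseUsPrivacy(usPrivacyString);
  var gpc = gpcEnabled(nav);
  var priorOptOut = prior !== null && prior.optOutSale === "Y";
  var optedOut = gpc || priorOptOut;
  var updated;
  if (optedOut) {
    // Rewrite position 3 to "Y" so IAB-aware vendors downstream also see the opt-out.
    // With no valid prior string we assume notice was given ("Y") and no LSPA ("N").
    updated = "1" + (prior ? prior.explicitNotice : "Y") + "Y" + (prior ? prior.lspaCovered : "N");
  } else {
    updated = prior ? usPrivacyString : null;
  }
  return {
    optedOut: optedOut,
    source: gpc ? "gpc" : (priorOptOut ? "usprivacy" : "none"),
    usPrivacyString: updated
  };
}

// Gate for a tag that would sell or share data: fire only when no opt-out applies.
function mayFireSaleTags(usPrivacyString, nav) {
  return !resolveOptOut(usPrivacyString, nav).optedOut;
}

// Constructed walk-through: GPC on, but an earlier "1YNN" choice says "not opted out".
var decision = resolveOptOut("1YNN", { globalPrivacyControl: true });
console.log(decision.source, decision.usPrivacyString); // gpc 1YYN
```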
Have CCPA Regulations Been Enforced?
GPC opt-out signals have been the subject of the Attorney General’s recent enforcement sweeps, with one of the investigations resulting in the landmark public settlement with Sephora.
On the same day, the Office of the Attorney General published thirteen new CCPA enforcement case examples underscoring the AG’s focus on this specific compliance area. Per these cases and the AG’s public statements, other businesses received violation notices alleging they “did not process a consumer’s request to opt-out via a user-enabled global privacy control, as required by the CCPA regulations.”
What is the difference between CCPA and CPRA Regulations?
The CCPA did not explicitly mention user-initiated opt-out signals. The CPRA, effective Jan 1, 2023, fills this gap.
- §1798.135 of the CPRA provides businesses with the option of recognizing an opt-out preference signal as a way to honor consumer requests to “opt out of the sale or sharing of personal information and to limit the use of sensitive personal information.”
- This is discretionary, but if a business elects to recognize an opt-out signal, it does not have to provide opt-out links on its internet homepage. However, the business would still need to disclose in its privacy policy that it recognizes such signals.
- The statute further clarifies that an opt-out signal must be sent “with the consumer’s consent by a platform, technology, or mechanism, based on technical specifications set forth in regulations adopted” by the California Privacy Protection Agency (“CPPA”).
The CPPA’s regulations implementing the CPRA provide comprehensive guidelines for honoring user-initiated opt-out preference signals.
- Rules confirm that opt-out preference signals (OOPS) should be honored in addition to other valid opt-out mechanisms.
- Rules also introduce the concept of “frictionless” opt-outs, and clarify how a business may resolve conflicts with previously recorded privacy choices.
How to be CCPA Compliant with a No-Code, Bannerless Solution
At DataGrail, we love no-code solutions which can be implemented very quickly by your teams so they can get back to helping your business grow. As such, we’ve identified an elegant solution to comply with GPC signals which your marketing teams can implement today with a tool they’re likely already using.
- This solution is best for supporting Do Not Sell or Share compliance obligations in California, and analogous obligations in Virginia, Colorado and Connecticut, when browser/device-level data is “sold” or “shared” for ad targeting and related digital uses. ¹
- The solution can be readily paired with opt-out request intake forms that cover offline and electronic marketing data “sales” driving direct marketing, offline to online data matching, and related uses. ²
We believe it’s also the most ethical way to conduct business, as you can respect US consumers’ ‘set-it-once-and-forget-it’ privacy preferences.
¹ https://www.eff.org/issues/online-behavioral-tracking
² https://www.acxiom.com/how-we-can-help/unify-offline-and-digital-data/; https://oag.ca.gov/news/press-releases/data-privacy-day-attorney-general-bonta-putsbusinesses-operating-loyalty
³ For more information see https://moz.com/blog/an-introduction-to-google-tag-manager