Background Context
CCPA and CCPA Regulations
- The CCPA does not statutorily require businesses to recognize opt-out signals. Rather, §1798.135(a) requires businesses that sell personal information to provide a clear and conspicuous link on their web page titled “Do Not Sell My Personal Information.”
- §1798.185(a)(4) authorizes the Attorney General (AG) to establish rules and procedures to “facilitate and govern the submission of a request by a consumer to opt-out of the sale of personal information pursuant to Section 1798.120” and to “govern business compliance with a consumer’s opt-out request.”
- §999.306 of the CCPA Regulations requires the notice of the right to opt out to be posted on the page the consumer is directed to after clicking on the “Do Not Sell My Personal Information” link on the homepage or in the mobile application.
- Alternatively, per §999.315(a), a business could offer “other acceptable methods for submitting these requests… such as a browser plug-in or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information.”
Per the AG’s FAQ, a GPC signal “must be honored by covered businesses as a valid consumer request to stop the sale of personal information.”
- §999.315(c)(2) of the CCPA Regulations clarifies that if such an opt-out signal clashes with a consumer’s “existing business-specific” privacy settings or choices, the opt-out signal should override such preferences.
- However, a business may “give the consumer the choice to confirm the business-specific privacy setting or participation in the financial incentive program.”
Important Note:
As indicated by the California Privacy Protection Agency (CPPA) in their CPRA Regulations, existing privacy choices such as those recorded through the IAB’s CCPA Compliance Framework and tools such as the DAA’s CCPA Opt-Out Tool should be overridden by an opt-out preference signal such as GPC.
CCPA Enforcement Sweeps
GPC opt-out signals have been the subject of the Attorney General’s recent enforcement sweeps, with one of the investigations resulting in the landmark public settlement with Sephora.
On the same day, the Office of the Attorney General published thirteen new CCPA enforcement case examples, underscoring the AG’s focus on this specific compliance area. Per these cases and the AG’s public statements, other businesses received violation notices alleging they “did not process a consumer’s request to opt-out via a user-enabled global privacy control, as required by the CCPA regulations.”