
Background Context

CCPA and CCPA Regulations

CCPA §1798.120(b) requires that a business selling personal information to third parties provide notice to consumers “that this information may be sold and that consumers have the ‘right to opt-out’ of the sale of their personal information.” Businesses must provide consumers with an easy mechanism to opt out of such data transmissions.

  • The CCPA does not statutorily require businesses to recognize opt-out signals. Rather, §1798.135(a) requires businesses that sell personal information to provide a clear and conspicuous link on their web page titled “Do Not Sell My Personal Information.”
  • §1798.185(a)(4) authorizes the Attorney General (AG) to establish rules and procedures to “facilitate and govern the submission of a request by a consumer to opt-out of the sale of personal information pursuant to Section 1798.120” and to “govern business compliance with a consumer’s opt-out request.”

As such, the AG’s CCPA Regulations and CCPA FAQs expand on this requirement and regulate both the method of notice and how requests to opt out of data sales should be operationalized, including through a “user-enabled global privacy control, like the GPC.”

  • §999.306 of the CCPA Regulations requires the notice of the right to opt out to be posted on the page the consumer is directed to after clicking on the “Do Not Sell My Personal Information” link on the homepage or in the mobile application.
  • Alternatively, per §999.315(a), a business could offer “other acceptable methods for submitting these requests… such as a browser plug-in or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information.”

Per the AG’s FAQ, a GPC signal “must be honored by covered businesses as a valid consumer request to stop the sale of personal information.”

  • §999.315(c)(2) of the CCPA Regulations clarifies that if such an opt-out signal clashes with a consumer’s “existing business-specific” privacy settings or choices, the opt-out signal should override such preferences.
  • However, a business may “give the consumer the choice to confirm the business-specific privacy setting or participation in the financial incentive program.”

Important Note:

As indicated by the California Privacy Protection Agency (CPPA) in their CPRA Regulations, existing privacy choices such as those recorded through the IAB’s CCPA Compliance Framework and tools such as the DAA’s CCPA Opt-Out Tool should be overridden by an opt-out preference signal such as GPC.

CCPA Enforcement Sweeps

GPC opt-out signals have been the subject of the Attorney General’s recent enforcement sweeps, with one of the investigations resulting in the landmark public settlement with Sephora.

On the same day, the Office of the Attorney General published thirteen new CCPA enforcement case examples, underscoring the AG’s focus on this specific compliance area. Per these cases and the AG’s public statements, other businesses received violation notices alleging they “did not process a consumer’s request to opt-out via a user-enabled global privacy control, as required by the CCPA regulations.”
