Gaps in website opt-out functionality under the microscope in privacy enforcement


Contributors:
Vanesa Hercules
AIGP, CIPM, CIPT
Manager, Privacy Engineering
Mastercard
Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
This year, California Attorney General Rob Bonta has been active in pursuing enforcement actions under the California Consumer Privacy Act. Bonta has settled numerous cases with large national and multinational companies for a wide range of violations — including a USD1.5 million settlement in July, one of the largest privacy violation fines under the CCPA to date.
Among these enforcement actions, opt-out failures have been a central focus.
To underscore California's priority of enforcing compliance with CCPA's opt-out requirements, Bonta announced a joint investigative privacy sweep with Colorado and Connecticut in September. The initiative targets potential non-compliance with the Global Privacy Control, which automatically communicates consumer opt-out requests to companies, directing them to stop selling or sharing those consumers' personal information with third parties.
Numerous regulatory actions to date have found many sites that continue to sell and share visitors' personal information via back-end trackers and pixels, even when users have selected the opt-out on the website banner.
These data-sharing and selling activities often occur without an organization's awareness that it has violated data privacy laws. This is because a complex ecosystem exists behind website banners and webforms, often with automated actions that are difficult to evaluate, understand, or modify. That ecosystem includes consent management platforms, tag management systems, customer data platforms and downstream third-party data sharing agreements.
Given these complexities and the rising regulatory risk for businesses operating in California and other states with robust data privacy laws, organizations need to proactively evaluate their infrastructure and controls to ensure they are meeting opt-out requirements.
Consent management platform and tag management system integration