Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.

Did you know website visitors have the option to send businesses automated privacy opt-out signals, and even more notably, that respecting these signals has become increasingly mandatory under modern privacy laws?

The concept of automating consumer privacy opt-outs from a web browser is not new. Various forms of universal opt-out mechanisms (UOOMs) have been proposed and developed over the years. These mechanisms can be of real value to privacy-conscious consumers, who would rather set a preference once in the browser than opt out of data sales site by site.

Over 15 years ago, one of the first notable UOOM efforts took shape with the proposal and development of the Do Not Track browser signal. While promising at the time, the DNT initiative ultimately failed to gain widespread adoption, most notably because there was no enforcement mechanism and no meaningful incentive for businesses to support and respect the standard.

Regrettably, because so few browsers now send it, a DNT header has become a useful distinguishing attribute for server-side browser fingerprinting, further diminishing the standard's value to the privacy-conscious users it was meant to serve.

In recent years, and against the backdrop of emerging privacy legislation, new forms of UOOMs are gaining traction. The clearest example is the Global Privacy Control, developed in 2020 with the intention of making it easier for individuals to exercise their privacy rights online.

The GPC allows users to configure their browser, or a browser extension where the browser lacks native support, to send a privacy signal to every website they visit. This signal, transmitted as an HTTP request header (Sec-GPC: 1) and exposed to page script as the navigator.globalPrivacyControl property, is meant to inform participating websites that the visitor wishes to opt out of certain types of data processing. While websites can interpret and respond to these signals in different ways, the GPC is widely recognized as a mechanism for users to communicate a "Do Not Sell or Share" preference.
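As an added example, not code from the article or from the GPC project, the following shows how a site can detect the signal on both sides: the Sec-GPC request header on the server and the navigator.globalPrivacyControl flag in the browser, mapped to a decision about which cookie categories may run. The category and purpose names are assumed for illustration; the header name, the single valid value "1", the navigator property and the /.well-known/gpc.json resource come from the GPC specification. Note that the legacy DNT header is deliberately not treated as a GPC signal.

```javascript
// Added example: detecting a Global Privacy Control signal on the server and
// in the browser, and mapping it to a cookie decision. Not code from the
// article; category/purpose names are assumed.

// Per the GPC spec the request header is "Sec-GPC" and the only value that
// expresses an opt-out is the string "1". Anything else (absent, "0", "true",
// stray whitespace around another token) is treated as no signal.
function hasGpcHeader(headers) {
  // `headers` is assumed to be a plain object keyed by lower-cased header
  // names, the shape Node's `req.headers` has.
  const raw = headers["sec-gpc"];
  if (raw === undefined || raw === null) return false;
  const value = Array.isArray(raw) ? raw[0] : String(raw);
  return value.trim() === "1";
}

// In page script, supporting browsers expose the same preference as a boolean
// on navigator.globalPrivacyControl; the property is absent elsewhere.
function hasGpcInBrowser(nav) {
  return nav !== undefined && nav !== null && nav.globalPrivacyControl === true;
}

// Turn the signal into the decision a consent manager needs: which cookie
// categories may be set and which processing purposes are blocked. The
// sale/share and targeted-advertising purposes are what the article says a
// GPC signal is commonly taken to express.
function gpcDecision(headers) {
  const optOut = hasGpcHeader(headers);
  return {
    gpc: optOut,
    allowCategories: optOut ? ["necessary"] : ["necessary", "analytics", "targeting"],
    blockedPurposes: optOut ? ["sale_or_share", "targeted_advertising"] : [],
  };
}

// The spec also defines a /.well-known/gpc.json resource a site can publish
// to state that it honors GPC. `lastUpdate` is an ISO-8601 date string.
function gpcWellKnown(lastUpdate) {
  return JSON.stringify({ gpc: true, lastUpdate });
}

// Constructed sample request headers (not captured traffic).
const SAMPLE_REQUESTS = [
  { "sec-gpc": "1" }, // valid opt-out signal
  { "sec-gpc": "0" }, // not an opt-out
  { dnt: "1" },       // legacy Do Not Track; not a GPC signal
  {},                 // no signal at all
];

if (typeof require !== "undefined" && require.main === module) {
  for (const h of SAMPLE_REQUESTS) console.log(h, gpcDecision(h));
  console.log(gpcWellKnown("2025-01-01"));
}
```

The strict comparison against "1" matters: treating any non-empty Sec-GPC value as an opt-out would be harmless for the visitor, but treating the DNT header as equivalent would silently conflate two different, differently-enforced standards.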

Organizations subject to state privacy laws should strategize around UOOM

In stark contrast with recent history, respecting UOOM signals is no longer optional for many businesses. This is particularly true in the U.S. where over half of state comprehensive privacy laws require, or will require, businesses to support universal opt-out mechanisms when utilized by consumers. Each of these states has, or will have, the ability to take regulatory action against organizations that do not adequately respect customer privacy preferences — particularly those declared via UOOMs.

In California, Colorado, Connecticut, Montana, Nebraska, New Hampshire and Texas, UOOM-related requirements are already in effect. Each of these states' UOOM requirements, except California's and Colorado's, took effect 1 Jan.

Additionally, several states are set to enforce UOOM requirements within the next 12 months, including Delaware, Maryland, Minnesota, New Jersey and Oregon. Some of these states have already enacted their laws but have been slightly delayed in the enforcement of UOOM-related provisions.

For many businesses, it will be important to evaluate and identify what type of UOOMs should be supported so that websites and personal data-handling practices can be optimized and tested for compliance. Except for Colorado — which currently considers the GPC to be the only valid UOOM — all remaining state laws take a more agnostic approach, leaving the proverbial door open for multiple consumer UOOMs now and in the future.

Even so, there is only one UOOM — the GPC — that has been consistently referenced and acknowledged as valid by state attorneys general. For example, the attorneys general in California, Connecticut and New Jersey all reference the GPC on their websites, describing it in a non-exclusionary fashion as an "option" for consumers.

Other states don't reference the GPC or any other specific UOOM.

Considering these factors, a reasonable stance for many organizations is probably to support the GPC while monitoring emerging UOOM technologies and related guidance from individual states.

Businesses must carefully consider the types of opt-outs they will respect via UOOM signals, because the laws and their requirements differ in a few respects. The California Consumer Privacy Act, as amended by the California Privacy Rights Act, remains the most detailed and distinctive of the state laws with respect to UOOM requirements. California requires businesses to support automated consumer opt-out mechanisms for the sale and sharing of personal data.

The remaining state laws tend to be similar, generally requiring UOOM support for opt-outs relating to the sale of personal data and targeted advertising. One notable difference is that some states require UOOMs to support profiling-related opt-outs while others exclude profiling-related rights.

Consider the response to automated opt-out requests

Organizations should carefully consider the specific ways they respond to automated opt-out requests because they may be received under a variety of conditions. One important scenario to consider involves cookies and online tracking. While UOOMs like the GPC aren't primarily intended for consumers to manage granular cookie consent preferences, they should impact the use of website tracking technologies when activated.

Each of the state laws mentioned requires businesses to support automated opt-outs for targeted advertising, so disabling targeting and marketing cookies is a crucial part of responding to UOOM signals. In practice this means the consent management platform must suppress those tags whenever the signal is present, whether or not the visitor ever interacts with a consent banner, rather than merely recording a preference.

It is also noteworthy that automated opt-outs may need to be applied beyond the browser session, to personal data the organization already holds or sells in back-end systems. This is complicated by the fact that the specific identity of a web-browsing data subject may or may not be known at the time a UOOM-based request is received.

Imagine a scenario where an organization holds and sells personal data pertaining to the data subject, but the subject isn't authenticated or logged into a web service at the time the automated opt-out is delivered. In this instance, the automated opt-out may not be associated with the relevant personal data, and the organization may not be able to fully honor the request.

In such scenarios, it may be prudent to provide the data subject with an opportunity to provide additional identifying information, such that opt-out requests can be fully evaluated and completely fulfilled. In the inverse scenario — in which the data subject is logged into a service, with a linkable and known identity — it may be appropriate for automated opt-out requests to flow downstream without further prompting of the data subject.
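The two scenarios above, the anonymous visitor and the authenticated one, as an added example that is not the article's code. The store layout, field names and request shape are all assumed: a request carrying a valid Sec-GPC header is recorded against the user record and marked for downstream propagation when the visitor is authenticated, and against the session only, with a prompt for identifying information, when the visitor is not. A separate step promotes a pending session-scoped opt-out to the account if the visitor later logs in, so the preference is not lost once the identity becomes known.

```javascript
// Added example (not from the article): deciding how far an automated GPC
// opt-out can be carried depending on whether the visitor's identity is known.
// Store layout, field names and request shape are assumed.

// Same header check as in the GPC spec: only "Sec-GPC: 1" is an opt-out.
function hasGpcHeader(headers) {
  const raw = headers["sec-gpc"];
  if (raw === undefined || raw === null) return false;
  return (Array.isArray(raw) ? raw[0] : String(raw)).trim() === "1";
}

// Minimal in-memory store standing in for a CRM or consent ledger.
function newStore() {
  return { users: new Map(), sessions: new Map() };
}

// applyGpcSignal records the opt-out at the widest scope the request allows.
//  - authenticated request: write it to the user record and flag it for
//    downstream propagation (partners, brokers) with no further prompting.
//  - anonymous request: record it against the session only and tell the
//    caller to offer an identification step so the request can be completed.
function applyGpcSignal(req, store) {
  if (!hasGpcHeader(req.headers)) {
    return { action: "none" };
  }
  const record = { optOutSaleShare: true, optOutTargetedAds: true, source: "gpc", at: req.receivedAt };
  if (req.userId) {
    store.users.set(req.userId, { ...(store.users.get(req.userId) || {}), ...record });
    return { action: "user_record", userId: req.userId, propagateDownstream: true, promptForIdentity: false };
  }
  store.sessions.set(req.sessionId, record);
  return { action: "session_only", sessionId: req.sessionId, propagateDownstream: false, promptForIdentity: true };
}

// promoteOnLogin is called when a session that already carries a GPC opt-out
// becomes authenticated: the session-scoped preference is copied to the user
// record and the session entry is retired. Returns false if nothing was pending.
function promoteOnLogin(sessionId, userId, store) {
  const pending = store.sessions.get(sessionId);
  if (!pending) return false;
  store.users.set(userId, { ...(store.users.get(userId) || {}), ...pending, promotedFromSession: sessionId });
  store.sessions.delete(sessionId);
  return true;
}

// Constructed sample requests (not captured traffic).
const ANON_REQUEST = { headers: { "sec-gpc": "1" }, sessionId: "sess-42", receivedAt: "2025-01-15T10:00:00Z" };
const AUTH_REQUEST = { headers: { "sec-gpc": "1" }, sessionId: "sess-7", userId: "user-123", receivedAt: "2025-01-15T10:05:00Z" };
const NO_SIGNAL = { headers: {}, sessionId: "sess-9", receivedAt: "2025-01-15T10:06:00Z" };

if (typeof require !== "undefined" && require.main === module) {
  const store = newStore();
  console.log(applyGpcSignal(ANON_REQUEST, store));
  console.log(applyGpcSignal(AUTH_REQUEST, store));
  console.log(applyGpcSignal(NO_SIGNAL, store));
  console.log(promoteOnLogin("sess-42", "user-999", store), store.users.get("user-999"));
}
```

The point of keeping the session-scoped record is that an opt-out received before login is still a valid request; the identification step only determines how much of the organization's data it can be applied to.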

A proactive approach

For those who operate a website or manage a U.S. organization's privacy compliance, it has become increasingly critical to ensure that websites, consent management platforms and other relevant systems are configured to properly respect automated visitor opt-out signals.

There is significant risk in failing to meet this standard. The first CCPA enforcement action involved this exact concern: in 2022, Sephora agreed to pay $1.2 million to settle allegations that it had violated the law, including by failing to respect Californian customers' opt-out preference signals delivered via the GPC.

In addition to meeting the requirements of U.S. state privacy laws, organizations may want to consider whether to globally honor the GPC — even where it is not yet a legal requirement. Taking a proactive approach may help build consumer trust, streamline compliance efforts and reduce regulatory risk as more jurisdictions adopt similar UOOM requirements.

Alexander Proctor, AIGP, CIPP/E, CIPP/US, CIPM, CIPT, FIP, is chief trust and privacy officer at Captain Compliance.