The required steps for recognizing global privacy controls under the CCPA are in flux as the California Privacy Protection Agency is finalizing its regulations (and it remains uncertain if the steps will be the same in Colorado, see 21 December 2022 version of the proposed Colorado Privacy Act Rules here). Meanwhile, businesses that sell, share, or use or disclose outside of permitted purposes, have to comply with the requirements set forth in the current version of the CCPA regulations concerning the "selling" of personal information.
Compliance with currently operative law and regulations
According to the statutory wording of the CCPA, businesses may elect to either provide opt out links on their webpages or recognize opt-out preference signals.2 Nevertheless, under the currently operative regulations, businesses do not enjoy this choice: If a business collects personal information from consumers online, the business shall treat user-enabled global privacy controls as a valid opt-out of sales of their personal information for that browser or device, or, if known, the consumer.3 If companies are charged with a violation of the regulations, they may challenge this inconsistency between the statute and regulations in court.
In responding to a request to opt-out, a business may present the consumer with the choice to opt-out of sale for certain uses of personal information as long as a global option to opt-out of the sale of all personal information is more prominently presented than the other choices according to the current regulations.4 For consumers who exercise their right to opt-out of the sale or sharing of their personal information or limit the use or disclosure of their sensitive personal information, a business shall refrain from selling or sharing the consumer’s personal information or using or disclosing the consumer’s sensitive personal information and wait for at least 12 months before requesting that the consumer authorize the sale or sharing of the consumer’s personal information or the use and disclosure of the consumer’s sensitive personal information for additional purposes, or as authorized by regulations.5 That requires businesses to track opt-outs communicated via user enabled privacy controls across the business.
Draft new regulations
The CCPA provides that the California Privacy Protection Agency shall adopt regulations to further the purpose of the CCPA, including issuing regulations for opt-out preference signals.6 Any requirements and specifications defined by the agency should, among other things, state that in the case of a page or setting view that the consumer accesses to set the opt-out preference signal, the consumer should see up to three choices, including:
- Global opt out from sale and sharing of personal information, including a direction to limit the use of sensitive personal information.
- Choice to “Limit the Use of My Sensitive Personal Information.”
- Choice titled “Do Not Sell/Do Not Share My Personal Information for Cross-Context Behavioral Advertising.”7
The 2 November 2022 version of the draft regulations includes further requirements related to user enabled privacy controls, and it is again asserted that businesses must honor opt-out signals. While complying with the currently operative law and regulations, business should also consider the following obligations under the new draft regulations:
All opt-out preference signals satisfying certain technical requirements shall be processed. The signal shall be in a format commonly used and recognized by businesses. An example would be an HTTP header field or JavaScript object.
A valid opt-out preference signal shall be treated as a request to opt-out for a browser or device, any associated consumer profile including pseudonymous profiles, and, if known, the consumer. If a consumer uses a browser with an opt-out preference signal enabled, but is not otherwise logged into her account with the business and the business can't otherwise associate her browser with a consumer profile the business maintains, the business shall stop selling and sharing personal information linked to her browser identifier for cross context behavioral advertising, but it would not be able to apply the request to opt-out of the sale/sharing of her account information because the connection between her browser and her account is not known to the business. Conversely, if she is logged in to an account with the business, the business shall honor the opt-out request also with respect to her account and any offline sale or sharing of personal information.
Recognizing opt-out preference signals is in all cases mandatory. Per the draft new regulations, California Civil Code section 1798.135, subdivisions (b)(1) and (3), provides a business the choice between (1) processing opt-out preference signals and providing the “Do Not Sell or Share My Personal Information” and “Limit the Use of My Sensitive Personal Information” links or the Alternative Opt-out Link; or (2) processing opt-out preference signals in a frictionless manner in accordance with the regulations and not having to provide the “Do Not Sell or Share My Personal Information” and “Limit the Use of My Sensitive Personal Information” links or the Alternative Opt-out Link. Per the draft new regulations, it does not give a business the choice between posting the above-referenced links or honoring opt-out preference signals. Even if a business posts the above-referenced links, the business must still process opt-out preference signals, though it may do so in a "non-frictionless" manner.
Businesses that process opt-out preference signals in a frictionless manner, include particular information in their privacy policy, and are able through the signal to fully effectuate a consumer's request to opt out are not required to also post a "Do Not Sell or Share My Personal Information" link. Processing an opt-out preference signal in a frictionless manner means that the business:
- Shall not (1) charge a fee or require any valuable consideration if the consumer uses an opt-out preference signal, (2) change the consumer's experience with the product or service offered by the business, or (3) display a notification, pop-up, text, graphic, animation, sound, video, or any interstitial content in response to the opt-out preference signal (but displaying if a consumer has opted out is ok)
- Shall include in its privacy policy (1) a description of the consumer's right to opt-out of the sale or sharing of their personal information by the business, (2) a statement that the business processes opt-out preference signals in a frictionless manner, (3) information on how consumers can implement opt-out preference signals in a frictionless manner, and (4) instructions for any other method by which the consumer may submit a request to opt-out of sale/sharing
- Shall allow the opt-out preference signal to fully effectuate the consumer's request to opt-out of sale/sharing
A business that sells consumers' personal information acquired from third parties or offline to marketing partners may not be able to fully effectuate an opt-out request through an opt-out preference signal. The user-enabled signal would be associated only with a consumer's browser or device. The business would not typically know whether it acquires and sells other information about the same consumer, unless the business only sells personal information that it acquires online from the particular consumer. This could be the case for businesses whose only "selling" activities pertain to online digital advertising. Even these businesses may not recognize a consumer who uses their sites with different browsers and devices and enables opt-out signals only on some of them. Most businesses could not apply opt-out requests received via user-enabled browser or device signals to selling or sharing of information they acquired offline or from third parties without additional information on the consumer and the consumer's various browsers and devices. Consumers could provide some of this information by logging into an account, but they cannot be required to do so and few probably would voluntarily provide all information a business would need to identify the consumer across devices, browsers and information acquired offline and from third parties.
Nonetheless, according to the draft new regulations, a business that only sells and shares personal information online for cross-context behavioral advertising purposes may satisfy the requirements for not posting the "Do Not Sell or Share My Personal Information" link.8 Such a business gives the consumer using an opt-out preference signal on all devices and browsers an option to fully effectuate their right to opt-out of the sale of sharing of their personal information with user-enabled preference signals.
Industry Concerns
Views on user enabled privacy controls among privacy professionals and industry stakeholders vary. Some flag that the term global privacy control is misleading consumers about what happens when they enable privacy controls.9 Businesses will be required to recognize or treat signals in different ways across US states, because definitions and opt-out rights vary, rendering operationalizing the response process even more burdensome.
Alternatives
Businesses that do not take steps to recognize user-enabled opt-out signals have to stop disclosing personal information in ways that qualify as "selling" or "sharing" of personal information. One option is to require all vendors to sign contracts that qualify them as service providers under CCPA. But, this option does not allow businesses to work with vendors for cross-context behavioral advertising purposes, because this is not a permitted business purpose for service providers under CCPA.10 Another option is to seek directions to disclose personal information from users, for example, with a pop-up banner, because this will also negate "selling" and "sharing" under CCPA.11 In its draft regulations, the California Privacy Protection Agency clarifies that banners seeking affirmative acceptance of web cookies are not suited to meet requirements to enable opt-out requests under CCPA, because cookies concern the collection of personal information and not the sale or sharing of personal information.12
1. CCPA Regulations §999.315(c) from the Cal. Attorney General and draft CCPA regulations 7026(a)(1) of the draft CCPA regulations from the California Privacy Protection Agency.
2. Per Cal. Civ. Code §1798.135(b)(3), "a business that complies with subdivision (a) is not required to comply with subdivision (b). For the purposes of clarity, a business may elect to comply with subdivision (a) or subdivision (b)". The reference to "subdivisions (a) or (b)" seem intended to refer to §1798.135(a) or §1798.135(b)
3. CCPA Regulations §999.315(c). And the draft CCPA regulations specify in §7025 that recognizing opt-out preference signals is in all cases mandatory.
4. CCPA Regulations §999.315(d).
5. Cal. Civ. Code §1798.135(c)(4).
6. Cal. Civ. Code §1798.185 (a) (19), and §1798.199.40(b).
7. Cal. Civ. Code §1798.185 (a) (19) (A). This mandated choice language is different from the language mandated to be included on opt-out links provided by a business of "Do Not Sell or Share My Personal Information" per Cal. Civ. Code §1798.135(a)(1).
8. §7027(g)(3)(B) of draft regulations.
9. See, for example, When a "Global Privacy Control" really isn't.
10. According to Cal. Civ. Code §1798.140 (ad) and (ah), disclosures of personal information to third parties qualify as "selling" or "sharing" unless certain limited exceptions apply. Under Cal. Civ. Code §1798.140(ai)(2), a service provider is not a third party. Under Cal. Civ. Code §1798.140(ag)(1), companies must use personal information only for business purposes recognized by CCPA to qualify as a “service provider” and avoid qualifying as a "third party." Under Cal. Civ. Code §1798.140(3)(6), cross-context behavioral advertising is not a "business purpose." Therefore, companies that receive personal information for purposes of cross-context behavioral advertising are not recognized as "service providers" and the businesses that provide personal information to them are typically considered to be "selling" and "sharing" personal information.
11. According to Cal. Civ. Code §1798.140 (ad)(2)(A)(i) and (ah)(2)(A).
12. Draft regulations §7026(a)(4) and 7027(b)(4).