United States: User-enabled privacy controls under CCPA regulations

In brief

Many digital advertising arrangements that companies commonly use may qualify as "selling" or "sharing for cross-context behavioral advertising" personal information under the California Consumer Privacy Act (CCPA) in California and under laws in a few other US states (Nevada, Virginia, Colorado, Connecticut, Utah). Businesses state in their online privacy disclosures whether they sold or shared personal information in the last 12 months and whether they will sell or share personal information. Businesses that "sell" or "share" personal information, or use or disclose consumers' sensitive personal information for non-exempt purposes, have to treat user-enabled global privacy controls as a valid opt-out request.1 Internet users can configure their software and devices to send such signals automatically to all websites through a browser plug-in, a browser privacy setting or a device setting. Website operators have to implement steps on their end to recognize "global privacy controls" and other signals and satisfy the requirements pertaining to opt-outs.


Contents

The required steps for recognizing global privacy controls under the CCPA are in flux as the California Privacy Protection Agency is finalizing its regulations (and it remains uncertain whether the steps will be the same in Colorado; see the 21 December 2022 version of the proposed Colorado Privacy Act Rules here). Meanwhile, businesses that sell, share, or use or disclose personal information outside of permitted purposes have to comply with the requirements set forth in the current version of the CCPA regulations concerning the "selling" of personal information.

Compliance with currently operative law and regulations

According to the statutory wording of the CCPA, businesses may elect to either provide opt-out links on their webpages or recognize opt-out preference signals.2 Nevertheless, under the currently operative regulations, businesses do not enjoy this choice: if a business collects personal information from consumers online, the business shall treat user-enabled global privacy controls as a valid opt-out of sales of their personal information for that browser or device, or, if known, the consumer.3 If companies are charged with a violation of the regulations, they may challenge this inconsistency between the statute and the regulations in court.

In responding to a request to opt-out, a business may present the consumer with the choice to opt-out of sale for certain uses of personal information, as long as a global option to opt-out of the sale of all personal information is more prominently presented than the other choices, according to the current regulations.4 For consumers who exercise their right to opt-out of the sale or sharing of their personal information or limit the use or disclosure of their sensitive personal information, a business shall refrain from selling or sharing the consumer's personal information or using or disclosing the consumer's sensitive personal information and wait for at least 12 months before requesting that the consumer authorize the sale or sharing of the consumer's personal information or the use and disclosure of the consumer's sensitive personal information for additional purposes, or as authorized by regulations.5 That requires businesses to track opt-outs communicated via user-enabled privacy controls across the business.

Draft new regulations

The CCPA provides that the California Privacy Protection Agency shall adopt regulations to further the purpose of the CCPA, including issuing regulations for opt-out preference signals.6 Any requirements and specifications defined by the agency should, among other things, state that in the case of a page or setting view that the consumer accesses to set the opt-out preference signal, the consumer should see up to three choices, including:

  1. Global opt out from sale and sharing of personal information, including a direction to limit the use of sensitive personal information.
  2. Choice to “Limit the Use of My Sensitive Personal Information.”
  3. Choice titled “Do Not Sell/Do Not Share My Personal Information for Cross-Context Behavioral Advertising.”7

The 2 November 2022 version of the draft regulations includes further requirements related to user-enabled privacy controls, and it is again asserted that businesses must honor opt-out signals. While complying with the currently operative law and regulations, businesses should also consider the following obligations under the new draft regulations:

All opt-out preference signals satisfying certain technical requirements shall be processed. The signal shall be in a format commonly used and recognized by businesses. An example would be an HTTP header field or JavaScript object.

A valid opt-out preference signal shall be treated as a request to opt-out for a browser or device, any associated consumer profile including pseudonymous profiles, and, if known, the consumer. If a consumer uses a browser with an opt-out preference signal enabled, but is not otherwise logged into her account with the business and the business can't otherwise associate her browser with a consumer profile the business maintains, the business shall stop selling and sharing personal information linked to her browser identifier for cross-context behavioral advertising, but it would not be able to apply the request to opt-out of the sale/sharing of her account information because the connection between her browser and her account is not known to the business. Conversely, if she is logged in to an account with the business, the business shall honor the opt-out request also with respect to her account and any offline sale or sharing of personal information.
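The following is an added illustration (not code from the original article or from any regulator) of the server-side handling described in this section and in the 12-month rule above: the signal is read from the HTTP header field defined by the Global Privacy Control specification (`Sec-GPC: 1`), recorded against the browser identifier and, only when the consumer is logged in, against the account, and a single gate then governs every sale or sharing decision. The `Request` shape, the identifiers and the in-memory registry are assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

REAUTH_WAIT = timedelta(days=365)  # the 12-month wait before asking the consumer again


@dataclass
class Request:
    headers: dict                      # assumed: raw request headers as sent by the browser
    browser_id: str                    # assumed: pseudonymous cookie/device identifier
    account_id: Optional[str] = None   # known only when the consumer is logged in


@dataclass
class OptOutRegistry:
    # identifier -> time the opt-out was first recorded (constructed in-memory store)
    browsers: dict = field(default_factory=dict)
    accounts: dict = field(default_factory=dict)


def gpc_signal_present(headers: dict) -> bool:
    """True when the request carries 'Sec-GPC: 1'; header names are case-insensitive."""
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def process_request(req: Request, reg: OptOutRegistry, now: datetime) -> dict:
    """Record a valid signal as an opt-out for the browser and, if known, the account."""
    applied = {"browser": False, "account": False}
    if not gpc_signal_present(req.headers):
        return applied
    reg.browsers.setdefault(req.browser_id, now)   # keep the earliest timestamp
    applied["browser"] = True
    if req.account_id is not None:                 # link to the account only when known
        reg.accounts.setdefault(req.account_id, now)
        applied["account"] = True
    return applied


def may_sell_or_share(req: Request, reg: OptOutRegistry) -> bool:
    """Gate for any sale/sharing: denied if this browser or the known account opted out."""
    if req.browser_id in reg.browsers:
        return False
    return not (req.account_id is not None and req.account_id in reg.accounts)


def may_request_reauthorization(identifier: str, reg: OptOutRegistry, now: datetime) -> bool:
    """Asking the consumer to authorize again is allowed only 12 months after the opt-out."""
    recorded = reg.browsers.get(identifier) or reg.accounts.get(identifier)
    return recorded is None or now - recorded >= REAUTH_WAIT
```

Note that an opt-out recorded for an account also blocks sale or sharing from another browser of the same consumer that carries no signal, which is the cross-device effect the draft regulations describe for logged-in consumers.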

Recognizing opt-out preference signals is in all cases mandatory. Per the draft new regulations, California Civil Code section 1798.135, subdivisions (b)(1) and (3), provides a business the choice between (1) processing opt-out preference signals and providing the "Do Not Sell or Share My Personal Information" and "Limit the Use of My Sensitive Personal Information" links or the Alternative Opt-out Link; or (2) processing opt-out preference signals in a frictionless manner in accordance with the regulations and not having to provide the "Do Not Sell or Share My Personal Information" and "Limit the Use of My Sensitive Personal Information" links or the Alternative Opt-out Link. It does not, per the draft new regulations, give a business the choice between posting the above-referenced links or honoring opt-out preference signals. Even if a business posts the above-referenced links, the business must still process opt-out preference signals, though it may do so in a "non-frictionless" manner.

Businesses that process opt-out preference signals in a frictionless manner, include particular information in their privacy policy, and are able through the signal to fully effectuate a consumer's request to opt out are not required to also post a "Do Not Sell or Share My Personal Information" link. Processing an opt-out preference signal in a frictionless manner means that the business:

  • Shall not (1) charge a fee or require any valuable consideration if the consumer uses an opt-out preference signal, (2) change the consumer's experience with the product or service offered by the business, or (3) display a notification, pop-up, text, graphic, animation, sound, video, or any interstitial content in response to the opt-out preference signal (but displaying if a consumer has opted out is ok)
  • Shall include in its privacy policy (1) a description of the consumer's right to opt-out of the sale or sharing of their personal information by the business, (2) a statement that the business processes opt-out preference signals in a frictionless manner, (3) information on how consumers can implement opt-out preference signals in a frictionless manner, and (4) instructions for any other method by which the consumer may submit a request to opt-out of sale/sharing
  • Shall allow the opt-out preference signal to fully effectuate the consumer's request to opt-out of sale/sharing

A business that sells consumers' personal information acquired from third parties or offline to marketing partners may not be able to fully effectuate an opt-out request through an opt-out preference signal. The user-enabled signal would be associated only with a consumer's browser or device. The business would not typically know whether it acquires and sells other information about the same consumer, unless the business only sells personal information that it acquires online from the particular consumer. This could be the case for businesses whose only "selling" activities pertain to online digital advertising. Even these businesses may not recognize a consumer who uses their sites with different browsers and devices and enables opt-out signals only on some of them. Most businesses could not apply opt-out requests received via user-enabled browser or device signals to selling or sharing of information they acquired offline or from third parties without additional information on the consumer and the consumer's various browsers and devices. Consumers could provide some of this information by logging into an account, but they cannot be required to do so and few probably would voluntarily provide all information a business would need to identify the consumer across devices, browsers and information acquired offline and from third parties.

Nonetheless, according to the draft new regulations, a business that only sells and shares personal information online for cross-context behavioral advertising purposes may satisfy the requirements for not posting the "Do Not Sell or Share My Personal Information" link.8 Such a business gives a consumer who uses an opt-out preference signal on all devices and browsers an option to fully effectuate their right to opt-out of the sale or sharing of their personal information with user-enabled preference signals.

Industry Concerns

Views on user-enabled privacy controls among privacy professionals and industry stakeholders vary. Some flag that the term "global privacy control" misleads consumers about what happens when they enable privacy controls.9 Businesses will be required to recognize or treat signals in different ways across US states, because definitions and opt-out rights vary, rendering operationalizing the response process even more burdensome.

Alternatives

Businesses that do not take steps to recognize user-enabled opt-out signals have to stop disclosing personal information in ways that qualify as "selling" or "sharing" of personal information. One option is to require all vendors to sign contracts that qualify them as service providers under the CCPA. But this option does not allow businesses to work with vendors for cross-context behavioral advertising purposes, because this is not a permitted business purpose for service providers under the CCPA.10 Another option is to seek directions from users to disclose personal information, for example, with a pop-up banner, because this will also negate "selling" and "sharing" under the CCPA.11 In its draft regulations, the California Privacy Protection Agency clarifies that banners seeking affirmative acceptance of web cookies are not suited to meet requirements to enable opt-out requests under the CCPA, because cookies concern the collection of personal information and not the sale or sharing of personal information.12

1. CCPA Regulations §999.315(c) from the Cal. Attorney General and §7026(a)(1) of the draft CCPA regulations from the California Privacy Protection Agency.

2. Per Cal. Civ. Code §1798.135(b)(3), "a business that complies with subdivision (a) is not required to comply with subdivision (b). For the purposes of clarity, a business may elect to comply with subdivision (a) or subdivision (b)". The reference to "subdivisions (a) or (b)" seems intended to refer to §1798.135(a) or §1798.135(b).

3. CCPA Regulations §999.315(c). And the draft CCPA regulations specify in §7025 that recognizing opt-out preference signals is in all cases mandatory.

4. CCPA Regulations §999.315(d).

5. Cal. Civ. Code §1798.135(c)(4).

6. Cal. Civ. Code §1798.185 (a) (19), and §1798.199.40(b).

7. Cal. Civ. Code §1798.185 (a) (19) (A). This mandated choice language is different from the language mandated to be included on opt-out links provided by a business of "Do Not Sell or Share My Personal Information" per Cal. Civ. Code §1798.135(a)(1).

8. §7027(g)(3)(B) of draft regulations.

9. See, for example, When a "Global Privacy Control" really isn't.

10. According to Cal. Civ. Code §1798.140 (ad) and (ah), disclosures of personal information to third parties qualify as "selling" or "sharing" unless certain limited exceptions apply. Under Cal. Civ. Code §1798.140(ai)(2), a service provider is not a third party. Under Cal. Civ. Code §1798.140(ag)(1), companies must use personal information only for business purposes recognized by CCPA to qualify as a “service provider” and avoid qualifying as a "third party." Under Cal. Civ. Code §1798.140(3)(6), cross-context behavioral advertising is not a "business purpose." Therefore, companies that receive personal information for purposes of cross-context behavioral advertising are not recognized as "service providers" and the businesses that provide personal information to them are typically considered to be "selling" and "sharing" personal information.

11. According to Cal. Civ. Code §1798.140 (ad)(2)(A)(i) and (ah)(2)(A).

12. Draft regulations §7026(a)(4) and 7027(b)(4).


Copyright © 2024 Baker & McKenzie. All rights reserved.