Three modern privacy statutes incorporate the concept that individuals should be able to broadcast a signal from their browser or device that directs an organization to cease providing their personal information to third parties for the purposes of targeted advertising.

The regulations implementing the CCPA, as amended by the CPRA, require organizations to process “opt-out preference signals.” This term is defined to include signals that are transmitted in commonly used formats where the platform or technology that transmitted the signal makes clear to consumers that the signal would opt the consumer out of the sale or sharing (for purposes of cross-context behavioral advertising) of their personal information.[1]

The Colorado Privacy Act gives organizations the option to honor “user-selected universal opt-out mechanisms” that meet that states’ technical specifications until July 1, 2024. After that date, as in California, organizations will be required to honor such signals.[2]

The Connecticut Data Privacy Act will require organizations to honor “opt-out preference signal[s]” that meet that state’s formatting requirements after Jan. 1, 2025.[3] Until that point, and similar to Colorado, honoring such signals will be optional.

Each of the above states has a slightly different conceptualization as to whether the opt-out preference signal is intended to be a replacement, or a supplement, for other methods of opting out of targeted advertising. For example, in California, even if an organization honors a user-enabled opt-out preference signal, such as the Global Privacy Control endorsed by the California Attorney General, it must continue to include a link on its homepage where a visitor can opt out of cross-context behavioral advertising unless the following criteria are met:

1. No fees. The organization does not charge a fee or require consideration for the consumer to use the opt-out preference signal.[4]

2. No change in experience. The organization does not change the consumer’s experience with regard to products or services when an opt-out preference signal is utilized. [5]

3. No pop-up or interstitials. The organization does not display a notification, pop-up, text, graphic, animation, sound, video, or any type of interstitial in response to the opt-out preference signal. [6]

4. Privacy notice disclosure. The organization must include a provision in its privacy notice describing the data subject’s right to opt-out, and explaining how they can implement the opt-out preference signal. [7]

5. Opt-out signal must be a complete opt-out. The organization must opt the data subject out of all selling or sharing for cross-context behavioral advertising, whether such activities occur online or offline. [8]

6. Organization cannot require any additional information. The organization must not require or request that the consumer provide any additional information (e.g., an email address) to be opted-out from online or sharing for cross-context behavioral advertising.[9]

7. Organization cannot require the consumer to be logged in. The organization must not require that a consumer be logged into their account in order for their preference to be applied to online and offline sharing for cross-context behavioral advertising.[10]

If the above requirements are not each met, California’s regulations will continue to require that an opt-out link be accessible via an organization’s homepage. The following chart indicates where opt-out mechanisms must be displayed under each of the modern state statutes when an organization utilizes opt-out preference signals.

Click here for a side-by-side comparison of where opt-out mechanisms must be displayed under each of the modern state statutes.

FOOTNOTES

[1] CPRA Regulation § 7025(b) (2023). Note that the referenced regulations had been adopted by the California Privacy Protection Agency as of the date of publication but had not been published in the California Register. Nonetheless they are expected to become enforceable on July 1, 2023.

[2] C.R.S. § 6-1-1306(1)(a)(IV)(A), (B) (2023).

[3] Conn. Sub. Bill No. 6 at Section 6(e)(1)(A)(ii) (2023).

[4] CPRA Regulation § 7025(g)(1) (integrating by reference Section 7025(f)(1)) (2023).

[5] CPRA Regulation § 7025(g)(1) (integrating by reference Section 7025(f)(2)) (2023).

[6] CPRA Regulation § 7025(g)(1) (integrating by reference Section 7025(f)(3)) (2023).

[7] CPRA Regulation § 7025(g)(2) (2023).

[8] CPRA Regulation § 7025(g)(3) (2023).

[9] CPRA Regulation § 7025(g)(3) (2023).

[10] CPRA Regulation § 7025(g)(3)(A) (2023).