Since the California Privacy Protection Agency (CPPA) released its draft regulations pursuant to the California Privacy Rights Act (CPRA), the biggest gripe from businesses has been the website tracking opt-out requirements. Recognition of opt-out requests from consumers could potentially cost companies some significant dollars.

The CPRA amends the California Consumer Privacy Act of 2020 and goes into effect on January 1, 2023. One of the amendments included a new consumer right to opt-out of cross-context behavioral advertising (i.e., the ability to request that a website not track the user across time or across websites). There are many ways in which a consumer can opt-out of this sharing of data. One way could be to click on an opt-out button or link on a specific website. Another way could be to download an app, use a specific browser or platform (such as Global Privacy Control (GPC)) to automatically emit opt-out signals for every website visited. However, if a consumer uses GPC but does not turn off the universal opt-out signal, and then visits a website where the consumer actively and knowingly participates in an opt-in rewards program, it remains unclear on how a business should proceed in response to that signal.

Without more clarity under the CPRA regulations on how companies should respond on a TECHNICAL LEVEL, it may be difficult to achieve full compliance with consumers’ opt-out choices. This means that the potential for a violation and subsequent liability will increase beginning in the new year.

The CPPA has not wavered on its ‘do not track’ requirement, saying that a plain reading of the CPRA indicates flexibility for site-specific opt-out links. As currently written, the draft regulations would not require businesses to add opt-out links on their websites if they in fact do process opt-out signals from external apps in a “frictionless” manner. A “frictionless” manner means that the business does not:

1.  Charge a fee for recognizing an opt-out signal

2.  Change the consumer experience with the product or service

3.  Display pop-ups, notifications, graphics, etc., in response to the signal

Businesses that should include opt-out links on their websites process external ‘do not track’ signals in a “non-frictionless” manner, which means that the signal is processed in a way that could change the user experience. Even the use of “non-frictionless” (which essentially means “with friction”) convolutes the issue and creates confusion among companies that are trying to comply before the end of the year. We will continue to watch for updates on the final regulations and further technical guidance on ‘do not track’ signals and consumer choice when it comes to the same