January 18, 2021

Volume XI, Number 18


January 18, 2021

Subscribe to Latest Legal News and Analysis

CCPA Global Privacy Control Requirements & Regulations

Are there requirements for businesses if a global privacy control conflicts with a consumer’s current privacy settings or their participation in a financial incentive program?


Where a global privacy control (“GPC”) conflicts with a consumer’s existing business-specific privacy setting or their participation in a business’s financial incentive program, the business must respect the GPC, but may notify the consumer of the conflict and give the consumer the choice to confirm the business-specific privacy setting or participation in the financial incentive program.[1]

[1] CCPA Regulations, § 999.315(c)(2).

Does the CCPA require businesses that develop software or online browsers to provide consumers a user-enabled privacy control?


The regulations implementing the CCPA require that in-scope businesses must provide two or more designated methods of submitting requests to opt-out, including an interactive form accessible via a clear and conspicuous link titled “Do Not Sell My Personal Information,” on the business’s website or mobile application.[1]

In addition to the “DNSMPI” link noted above, one of the other “acceptable methods” for submitting sale opt-out requests (along with use of a toll-free phone number, a designated email address, and forms submitted in person or via the mail) is user-enabled global privacy controls (“GPC”), such as a browser plug-in or privacy setting, device setting, or other mechanism to “clearly communicate or signal” a consumer’s request to opt-out of the sale of their personal information (“PI”).  The effect of a GPC is to provide consumers a mechanism to broadly signal an opt-out request, as opposed to going website-by-website to make individual requests.  The CCPA, and the regulations implementing the CCPA, do not, however, mandate that software developers, or developers of website browsers, include a GPC control in their products.

According to the regulations implementing the CCPA, businesses that collect personal information from consumers online must treat user-enabled GPCs as a valid opt-out request for that browser or device, or, if known, for the consumer.[2]]  The Office of the California Attorney General has indicated its view that if businesses were to have the discretion to not respond to such a mechanism, it is likely they would ignore or reject a GPC, just as many companies choose not to honor “do not track” signals when not required.[3]

[1] CCPA Regulations § 999.315(a).

[2] CCPA Regulations § 999.315(c).

[3] FSOR at 37-38.

©2020 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume X, Number 311



About this Author

Of Counsel

Darren J. Abernethy is a data privacy attorney with more than a decade of experience, including in private practice in Washington, D.C. and as in-house counsel at startups and a leading privacy technology vendor. He advises clients on matters related to advertising technology, privacy and data governance, and FTC best practices.

Darren focuses on the California Consumer Privacy Act (CCPA), the European Union General Data Protection Regulation (GDPR)/ePrivacy, digital advertising, direct marketing, and product counseling.