States have recently taken important steps toward implementing so-called “Universal Opt-Out Mechanisms” (“UOOMs”), which will provide consumers with a method for automatically exercising privacy rights. UOOMs, sometimes referred to as opt-out preference signals, are user-enabled features, typically within the user’s browser or through a browser add-on, that send a signal to each website the user visits to communicate the user’s preference to opt out of certain targeted advertising (and potentially other uses of data discussed below). Several states have adopted a requirement to honor UOOMs as part of their “comprehensive” privacy laws. New Jersey’s recently enacted comprehensive privacy law includes a UOOM requirement that, unique among state legislation, would extend the right to opt out through UOOMs to include opting out of the use of automated decisionmaking technologies. Businesses may struggle to implement technical solutions for responding to UOOMs, particularly if the specifications for UOOMs vary between states. Businesses should work with their IT teams or website providers to ensure they have developed solutions to comply, if they have not done so already.
In one notable development, the Colorado Department of Law (the “Department”) recently approved Global Privacy Control (“GPC”) as the first authorized UOOM signal recognized in Colorado. Beginning July 1, 2024, businesses subject to the Colorado Privacy Act (“CPA”) will need to treat a consumer’s privacy preferences submitted through browser signals that conform to the GPC specification as a consumer request to opt out of data sale or targeted advertising. GPC is a widely recognized signal that is incorporated into most website consent management tools and has also received the endorsement of the California Attorney General, among others. More information on GPC and how to implement it is available on the Colorado Attorney General’s website. The Department had accepted several UOOM applications before finally approving only GPC. Other applications considered but not yet approved included OptOutCode and Opt-Out Machine. The Department will issue periodic updates to the approved list to include additional valid UOOMs. Once a UOOM is added to the list, controllers will have six months to begin detecting such signals and implement compliance with that new UOOM.
The California Attorney General has also taken the position that GPC is recognized as one method for sending opt-out preference signals in California. The California Consumer Privacy Act (“CCPA”) requires that businesses recognize opt-out preference signals to allow consumers to opt out of the “sale” or “sharing” of their personal information. The terms “sell” and “share” are commonly interpreted to include many disclosures in the context of online advertising, among others. California regulations do not clearly specify which technologies satisfy the requirements for opt-out preference signals, providing instead broad criteria that the technologies must send a signal in a “format commonly used and recognized by businesses,” like HTTP, and that the provider must make clear to consumers that the technology is meant to have the effect of opting the consumer out of the “sale” or “sharing” of their information. This definition leaves wide room for the adoption of a number of technologies. With that said, GPC has already been recognized by the California Attorney General as one method for sending an opt-out signal. In its 2022 enforcement action against Sephora, the California Attorney General specifically argued that Sephora had violated the CCPA by failing to respond to GPC signals. Businesses engaged in targeted advertising subject to the CCPA should, therefore, carefully review their settings for GPC signals.
One other notable development comes out of New Jersey, where the legislature approved comprehensive privacy legislation on January 8, 2024, which was signed by Governor Phil Murphy on January 26, 2024. Uniquely, the New Jersey law will require that businesses honor requests to opt out not only of the sale of personal information or its use in targeted advertising, but also of “profiling” in furtherance of decisions that have legal or similarly significant effects. “Profiling” is defined as a type of automated processing that uses personal information to evaluate an individual’s characteristics, such as their economic situation, health, reliability or location. Examples would include automated processing to determine eligibility for housing or “essential” goods or services. Because the opt-out in New Jersey could be broader than those in other states, businesses may need to recognize different preferences sent using UOOM signals depending on an individual’s state of residence, or apply the New Jersey standard nationwide.
Given the technical developments needed to comply with UOOM requirements, businesses subject to the CPA and other comprehensive state privacy laws that conduct targeted advertising, “sell” personal information or conduct other covered activities should begin the process of building compliance mechanisms now, if they have not done so already. Additionally, the business’s privacy notice should be reviewed to address its practices regarding online advertising and the site’s recognition of applicable privacy signals. We expect additional states to enact comprehensive privacy legislation in 2024, many of which are likely to include provisions regarding UOOMs. Ropes & Gray will continue to monitor developments.