Universal Opt-Out Mechanisms Explained

Read Time: 5 minutes

Key Takeaways: Businesses that collect personal data for commercial purposes must ensure that their personal data tracking and sale practices comply with privacy regulations by recognizing universal opt-out signals where required. Colorado became the second state to require businesses to honor user-selected universal opt-outs for targeted advertising and sales under the Colorado Privacy Act as of July 1, 2024, while the California Consumer Privacy Act’s universal opt-out requirements have been in effect since January 1, 2023. At least seven additional states will add the requirement over the next two years.

What is a Universal Opt-Out Mechanism?

The term universal opt-out mechanism (“UOOM”) refers to a range of tools available on both desktop and mobile devices that enable consumers to pre-select their preference to opt out of certain types of online data processing. These mechanisms function by sending a standardized signal to websites that recognize UOOMs to inform the website operator of the user’s preferences regarding the collection of personal information using cookies or other tracking technologies when the user accesses the website.

UOOMs work by integrating with browser settings or tools that users activate to communicate their preferences across multiple websites. The use of UOOMs simplifies the process of managing privacy settings and reduces the need for users to manually modify privacy settings or submit opt-out requests on each individual website.

As of July 1, 2024, California and Colorado require websites to honor UOOM signals, and several other states have enacted privacy laws that will require companies to honor browser privacy signals in the near future. Texas, Montana, New Hampshire, and Connecticut will have requirements beginning on January 1, 2025, Delaware and Oregon beginning on January 1, 2026, and New Jersey beginning on July 15, 2025.

What does a UOOM do?

If a website user has enabled a UOOM on their browser or device, the UOOM will send a signal to each website the user visits. This signal generally requests that the website operator not:

  • Track the user’s activity across the internet; 
  • Collect the user’s personal data for targeted advertising purposes; or  
  • Sell the user’s personal data. 

What is Global Privacy Control?

There are several UOOM tools available to consumers, such as Brave, Mozilla Firefox, and OptMeow. One of the most popular UOOMs is Global Privacy Control (“GPC”). GPC is a browser extension that automatically indicates a consumer’s opt-out preferences. GPC was recently selected as the only UOOM that meets the standards of the Colorado Privacy Act (“CPA”). Unlike Colorado, California does not maintain a list of recognized opt-out signals, and any opt-out signal must be honored. However, the California Consumer Privacy Act (“CCPA”) does specifically recognize the GPC signal as a valid way to opt out of the sharing or selling of information. A website can be set up to support GPC signals using well-known security identifiers, using the U.S. Privacy Application Programming Interface, or by setting up a consent management platform that supports GPC.

Who is Required to Acknowledge UOOM Signals?

Even if a business doesn’t “sell” personal information in the traditional sense, it may still be required to acknowledge opt-out signals. The CCPA defines “sale” as the transfer of personal information for monetary or other valuable consideration. The CCPA and CPA both require that any controller that possesses personal data for the purposes of targeted advertising (referred to as “cross context behavioral advertising” in CCPA) or the sale of personal data acknowledge a user’s UOOM signal. Controllers that use personal data to display targeted advertisements must honor a UOOM signal.

If a business receives a UOOM signal, it must stop selling or sharing personal information associated with: 

  • The browser or device that sent the signal;
  • Any profile or pseudonymous identifier associated with the browser or device; and 
  • The consumer, if known, including when logged into an account with the business.
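The three scopes listed above translate into a server-side check like the following. This is an added example, not code from the article: the `Sec-GPC: 1` request header comes from the GPC specification, while `OptOutStore` and the `ctx` field names are hypothetical, and the sample requests are constructed.

```javascript
// Added illustration, not code from the article. "Sec-GPC: 1" is the request
// header defined by the GPC specification; OptOutStore and the ctx field
// names (deviceId, pseudonymousIds, accountId) are hypothetical.
class OptOutStore {
  constructor() { this.keys = new Set(); }
  add(scope, id) { this.keys.add(`${scope}:${id}`); }
  has(scope, id) { return id != null && this.keys.has(`${scope}:${id}`); }
}

// Node lowercases header names; only the exact value "1" expresses the signal.
function hasGpcSignal(headers) {
  const value = headers["sec-gpc"];
  return typeof value === "string" && value.trim() === "1";
}

// Every identifier the opt-out must follow, per the three bullets above.
function scopesOf(ctx) {
  const scopes = [];
  if (ctx.deviceId) scopes.push(["device", ctx.deviceId]);
  for (const id of ctx.pseudonymousIds || []) scopes.push(["profile", id]);
  if (ctx.accountId) scopes.push(["account", ctx.accountId]);
  return scopes;
}

// Persist the opt-out for each scope; returns the keys that were recorded.
function applyGpcOptOut(headers, ctx, store) {
  if (!hasGpcSignal(headers)) return [];
  return scopesOf(ctx).map(([scope, id]) => {
    store.add(scope, id);
    return `${scope}:${id}`;
  });
}

// Gate to call before any sale, sharing, or targeted-advertising data flow.
function maySellOrShare(headers, ctx, store) {
  if (hasGpcSignal(headers)) return false;
  return !scopesOf(ctx).some(([scope, id]) => store.has(scope, id));
}

// Constructed sample requests: a signed-in laptop sending GPC, then the same
// account on a phone that sends no signal, then an unrelated visitor.
function demo() {
  const store = new OptOutStore();
  const laptop = { deviceId: "dev-A", pseudonymousIds: ["ad-123"], accountId: "u-42" };
  const phone = { deviceId: "dev-B", pseudonymousIds: [], accountId: "u-42" };
  const visitor = { deviceId: "dev-C", pseudonymousIds: ["ad-999"], accountId: null };
  const recorded = applyGpcOptOut({ "sec-gpc": "1" }, laptop, store);
  return { recorded, phone: maySellOrShare({}, phone, store),
           visitor: maySellOrShare({}, visitor, store) };
}
```

The second request shows why the opt-out has to be stored against the account as well as the device: the phone never sends the signal, yet the gate still blocks the sale because the consumer is known.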

What Disclosures Are Required?

Both the CPA and the CCPA require businesses to clearly and conspicuously disclose the use of personal data as well as provide a method for consumers to exercise the right to opt out of the processing of their personal data. Beyond this, the CCPA also requires businesses to provide a clear and conspicuous method to limit the processing of sensitive personal data, or, in lieu of both methods, a business can offer a clearly labeled link to allow consumers to opt out of or limit the processing of personal information.

Are UOOM Requirements Being Enforced?

The CCPA enforcement against Sephora serves as an example of the importance of complying with UOOM requirements. On August 24, 2022, Sephora agreed to pay $1.2 million in fines to the State of California in a settlement to resolve allegations that Sephora sold customers’ personal information in violation of CCPA. The company not only failed to disclose its sale of personal information, but also did not honor or process the opt-out requests made through the GPC. Sephora was given notice by the California Attorney General of its potential violation and was provided with a 30-day cure period before it would face legal liability. Sephora failed to cure its violations during the 30-day period.

The enforcement against DoorDash offers another example of the importance of complying with state privacy laws. On February 1, 2023, California Attorney General Rob Bonta announced a settlement with DoorDash. An investigation by the California Department of Justice found that DoorDash sold its California customers’ personal information without providing notice or an opportunity to opt out of that sale. As part of the settlement, DoorDash agreed to pay a $375,000 penalty and comply with strong injunctive terms, including the development of a compliance program and annual reporting to the California Attorney General.

Koley Jessen is committed to staying informed about developments related to state privacy laws and will offer guidance as new information emerges. If you are unsure about your business's compliance needs or the steps required to adhere to state privacy laws, please contact one of the specialists in Koley Jessen's Data Privacy and Security Practice Area for assistance.

*Special thanks to summer associate Ellie Johnson for her contributions to this article.

This content is made available for educational purposes only and to give you general information and a general understanding of the law, not to provide specific legal advice. By using this content, you understand there is no attorney-client relationship between you and the publisher. The content should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.
