Most businesses are aware of historical restrictions or limitations on selling personal information to third parties for monetary consideration. Perhaps less familiar are recent state laws giving consumers the right to tell businesses not to sell or share their personal information for certain purposes.
One such provision is the requirement to honor an “opt-out signal” as a simple way for a consumer to decline the sharing of personal information for the purpose targeted advertising.
While both “targeted advertising” and an “opt-out signal” are technical and take place in the background of web browsing, the requirements to honor these mechanisms are real, and businesses must understand and comply with them.
Background
Several state privacy laws, including the California Consumer Privacy Act (CCPA), give consumers the right to require that a business limit the sale or sharing of their personal information for “cross-context behavioral advertising” or “targeted advertising.”
One such way to make that request is to contact the business. Another is to let the consumer use or equip (via a plug-in) a web browser with an opt-out signal. Using an opt-out signal allows an automatic exercise of the consumer’s right to opt out of sale/sharing by interacting with a business online) as opposed to the submission of individual requests to businesses.
States beginning to require businesses to honor opt-out signals
The CCPA requires any business that sells or shares personal information to a third party for “cross-context behavioral advertising” to process an “opt-out preference signal” as a valid request to opt-out of sale/sharing.
Likewise, the Colorado Privacy Act (“CPA”) requires all businesses that process personal data for “targeted advertising” to allow consumers to opt out of that processing by means of a “user-selected universal opt-out mechanism” or UOOM.
Recently enacted state privacy laws will soon require businesses to recognize opt-out signals: Connecticut (effective July 1, 2025), Delaware (effective Jan. 1, 2025), Montana (effective Jan. 1, 2025), Oregon (effective Jan. 1, 2026), and Texas (effective Jan. 1, 2026).
How will opt-out mechanisms be enforced and implemented?
The CPA includes a process through which consumers and businesses can learn the UUOMs that will be enforced in Colorado. Consistent with CPA Rule 5.07, the Colorado Attorney General has designated Global Privacy Control as an acceptable UUOM.
In California, Gov. Gavin Newsome recently vetoed a bill that would have required all browsers to include opt-out preference signals for use by consumers.
Stay tuned
Legislative and regulatory activity in Colorado and California show the implementation requirements applicable to opt-out mechanisms are dynamic and a work-in-progress. Businesses must keep pace with these technical legal standards as they evolve.