Giving consumers choices to control the collection, use, and disclosure of their personal information has been a key feature of privacy law and guidance for decades. However, in the United States, until the advent of the General Data Protection Regulation (GDPR), which brought many U.S. companies under EU jurisdiction for the first time, and the California Consumer Privacy Act (CCPA), consumer choice was limited to controlling only particular types of data, such as certain health and financial information. The CCPA and GDPR apply to a very broad range of personal information and have ushered in a new era of consumer choice.
To operationalize that choice, the CCPA Regulations and the California Privacy Rights Act (CPRA) ballot initiative would require businesses to honor signals sent from a user's browser, app, or other platform indicating the user's intent to exercise his or her opt-out rights. While this sounds like a win-win in theory—consumers can exercise a global opt-out and businesses can rely on a unified signal rather than building their own opt-out mechanisms— numerous details must be worked out in practice. Businesses should prepare and watch this space closely, as they may need to move quickly to engineer or purchase solutions to respond to these preference signals.
What Do the CCPA Regulations and CPRA Require?
The CCPA requires businesses to offer consumers the ability to opt out of the sale of their personal information. The California Attorney General proposes to build on this right by proposing in the CCPA Regulations that businesses "shall treat user-enabled global privacy controls, such as a browser plugin or privacy setting, device setting, or other mechanism, that communicate or signal the consumer's choice to opt-out of the sale of their personal information as a valid request submitted pursuant to [the rules governing opt-out right] for that browser or device or, if known, for the consumer."
The CPRA takes a slightly different approach. It would not require a business to honor a global opt-out signal but, instead, would give businesses a choice whether to build their own opt-out mechanism or "allow consumers to opt-out of the sale or sharing of their personal information and to limit the use of their sensitive personal information through an opt-out preference signal sent with the consumer's consent by a platform, technology, or mechanism."
Neither the CCPA Regulations nor the CPRA provide technical or procedural specifications for how this global opt-out mechanism would work. (The CPRA assigns this task to the California Privacy Protection Agency, a regulatory agency that it would create.)
Are the CCPA or CPRA Global Opt-out Choice and Do Not Track One and the Same?
No, because "sale" or "sharing" and "track" do not necessarily mean the same thing. Do Not Track (DNT) is a technical mechanism that was developed at the World Wide Web Consortium (W3C) through a standards-setting process.
DNT is a signal, sent from an individual's browser to a website via standard web protocols, requesting that a website refrain from tracking an individual's online activities. If a consumer activates DNT, a signal is transmitted, but websites are not required to honor that signal. Consequently, companies interpret a DNT request differently. (W3C was working on a companion standard to address DNT signal interpretation, but that work has been discontinued.)
Some companies that honor DNT may refrain from delivering targeted or personalized ads, some may limit the ways they collect information, and others will not change their practices at all. While in the past many browsers automatically turned on DNT for users, almost all the commonly used browsers now require an individual to modify their settings in order to send out a DNT request.
In contrast, the CCPA Regulations and CPRA refer to a global opt-out signal that is narrower in scope than was originally contemplated for DNT. The CCPA Regulations, for instance, describe a mechanism that would provide a global opt-out of the "sale" of personal information. That mechanism is limited by the scope of the CCPA, which applies to businesses collecting the personal information of California residents.
Furthermore, it would apply only in the context of a sale of personal information. We do not yet have clarity under the CCPA, however, regarding which tracking activities (e.g., tracking for analytics, tracking to serve targeted ads, etc.) would be considered "sales."
The global opt-out mechanism that the CPRA contemplates is also different. The CPRA would require businesses to honor a global opt-out signal for "sale" and "sharing" (defined as the disclosure of personal information to a third party for the purpose of cross-context behavioral advertising), as well as for limiting the business's use of "sensitive personal information." The CPRA would give businesses the ability to choose whether to honor that signal or offer their own opt-out mechanisms. Thus, the scope and effect of the CPRA's opt-out is different from DNT and potentially broader than the CCPA Regulations.
What Should Businesses Do to Prepare?
It is likely too early to start making changes related to consumers' browser signals in response to the CCPA Regulations and CPRA requirements. First, although the Regulations have been filed and likely will be finalized in substantially the same form, there is no universally accepted technical mechanism to effectuate a global opt-out signal. While website publishers could, in theory, use DNT signals for this purpose by opting the user out of the sale of their personal information, key questions remain unanswered.
For example, how would a business know that the user intended to set the DNT signal or intended it to be something other than just DNT? If there is no clear consensus on how a business should respond to a request to opt-out of sale in the context of common online data collection activities such as analytics or targeted advertising, should the business opt the user out of any disclosure that could be considered a sale of personal information?
Also, because the CCPA applies to all personal information, how would a global signal be accepted in the context of services such as cable television delivered through set-top boxes, or other specialized, internet-enabled devices? These and other questions need to be answered before businesses invest heavily in a global opt-out mechanism.
Nonetheless, the CCPA Regulations and CPRA intend to give users more choice using standardized, universal opt-out signals. Businesses would be well served to investigate what engineering resources are required to detect, accept, and respond to such signals and whether it might be necessary to engage with third parties that have the relevant expertise. Also, when businesses evaluate their CCPA compliance strategies, they should think about what procedures they need to respond to such signals and how broadly the opt-out should be applied to disclosures of personal information.
The concept of a user-managed, global anti-tracking mechanism is not new. Prior to the CCPA and CPRA, businesses had flexibility to accept or reject such signals. Now, however, the conversation has been rekindled as regulators look for new ways to empower consumers to control their personal information; and going forward, the question for businesses may not be whether they should respond, but how they must respond.