Santa (and the CPPA) Know If You’ve Been Naughty or Nice With Your Consumer Data

 |  Share

On Oct. 17, 2022, the California Privacy Protection Agency (the “CPPA”) released a revised draft of regulations to enforce the soon-to-be-effective California Privacy Rights Act (the “CPRA”). The revised regulations include revisions to sections regarding collection of personal data, restrictions on the use of personal data, privacy notice requirements and opt-out preference signals. The revisions were the topic of a two-day board meeting held in late October, during which the CPPA Board extended the comment period for an additional 15 days and directed the CPPA to further modify the draft.

Despite the CPRA’s effective date of Jan. 1, 2023 quickly approaching, some requirements introduced by the draft regulations remain unclear. One such area concerns consumer opt-out preference signals and how businesses covered under the CPRA will need to acknowledge and process them. Section 7025 of the CPRA explains that opt-out preference signals are intended to provide consumers with a simple means to automatically opt out of the sharing or sale of their personal information across all businesses they interact with online.

The current draft of the regulations requires covered businesses that sell or share personal information to process opt-out preference signals as a valid request to opt-out of the sales and/or sharing of personal information. The protection afforded to consumers sending an opt-out preference signal under this draft is strong — covered businesses cannot require consumers to provide any additional information beyond what is necessary to send an opt-out preference signal (and are required to comply as much as possible with provided information), and an opt-out preference signal takes priority in the event of a conflict with a consumer’s specific privacy settings with the business. Additionally, in the event a consumer does send an opt-out preference signal (or opts out of the sale/sharing of their personal data by another valid means), the business cannot request the consumer to consent to the sale or sharing of their personal data for at least 12 months. Lastly, businesses must process opt-out preference signals “frictionless”, meaning they cannot charge consumers any fees for using an opt-out preference signal, change the consumer’s experience for having opted out, or display any notification in response to an opt-out preference signal.

Notably, the latest draft does clarify that this requirement is not applicable to businesses that do not sell or share personal information. But, as we have seen in recent actions by the California Attorney General, the “sale” of personal information is construed broadly under the CPRA — many businesses utilize third-party service providers in ways that the State of California considers selling or sharing of personal information, including analyzing consumer data for online behavior and trends.

While the regulations provide strong guidelines for acknowledging and processing opt-out preference signals, they are less clear on how businesses should identify them. Under the current draft, covered businesses are required to process an opt-out preference signal that (1) is “in a format commonly used and recognized by businesses”, including in a HTTP header field or JavaScript object; or (2) clearly informs a consumer that the opt-out preference signal “is meant to have an effect of opting the consumer out of the sale and sharing of their personal information”. The vague definition of a valid opt-out preference signal forces businesses into an awkward position — how does a business identify an opt-out signal without knowing what one looks like?

Despite the lack of clarity, the private sector has stepped up hoping to fill the gap. There is growing support for a technical specification named Global Privacy Control (“GPC”). GPC automatically sends opt-out signals to websites GPC users visit. Reportedly, the GPC specification has been adopted by several organizations and is now integrated as a feature into web browsers like Mozilla and Firefox. Several web browser extensions are available, which can be integrated into other web browsers that do not have native universal opt-out capabilities. California’s Attorney General has stated that he is “encouraged to see the technology community developing a global privacy control in furtherance of the [California Consumer Protection Act] and consumer privacy rights.”

And while the California Consumer Protection Act and the CPRA have pushed California’s data privacy laws front and center, other states are also adopting similar universal opt-out mechanism requirements. For example, the Colorado Privacy Act (“CPA”) also requires businesses to recognize universal opt-out mechanisms, though with some caveats that may limit the GPC. [Note: the CPA’s universal out-out mechanism requirements will be delayed in effect — the CPA becomes effective on July 1, 2023, but universal opt-out mechanism requirements will become effective in 2024]. It is also worth noting that the American Data Privacy Protection Act (“ADPPA”), proposed legislation that would enact federal data privacy laws in the United States, also includes “unified opt-out mechanism” requirements. Under the latest ADPPA draft, the Federal Trade Commission will establish at least one “acceptable privacy protection, centralized mechanism” for individuals to exercise opt outs through a single interface, including “global privacy signals such as browser or device privacy settings.” Although the ADPPA was blocked from moving to before the full U.S. House of Representatives, the Committee on Energy and Commerce is likely taking cues from California to prepare a draft with stronger consumer protections.

However, despite the growing push for global opt-out signals, the uncertainty for California’s opt-out preference signals may not be resolved by the time the CPRA becomes effective. In its last action on Oct. 29, the CPPA Board highlighted certain aspects of the latest regulations to further revise. Though opt-out preference signal requirements will be further expanded upon in the next draft, the identification of global opt outs is not expected to be clarified. As of now, the CPPA’s next board meeting has not been scheduled.

In the meantime, businesses that sell or share the personal information of consumers should take the time to become familiar with GPC and other opt-out signal initiatives or applications that develop in the near future. Quickly identifying a potential global opt-out signal may help businesses stay compliant and avoid penalties under the CPRA and other data privacy laws.


This DarrowEverett Insight should not be construed as legal advice or a legal opinion on any specific facts or circumstances. This Insight is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. The contents are intended for general informational purposes only, and you are urged to consult your attorney concerning any particular situation and any specific legal question you may have. We are working diligently to remain well informed and up to date on information and advisements as they become available. As such, please reach out to us if you need help addressing any of the issues discussed in this Insight, or any other issues or concerns you may have relating to your business. We are ready to help guide you through these challenging times.

Unless expressly provided, this Insight does not constitute written tax advice as described in 31 C.F.R. §10, et seq. and is not intended or written by us to be used and/or relied on as written tax advice for any purpose including, without limitation, the marketing of any transaction addressed herein. Any U.S. federal tax advice rendered by DarrowEverett LLP shall be conspicuously labeled as such, shall include a discussion of all relevant facts and circumstances, as well as of any representations, statements, findings, or agreements (including projections, financial forecasts, or appraisals) upon which we rely, applicable to transactions discussed therein in compliance with 31 C.F.R. §10.37, shall relate the applicable law and authorities to the facts, and shall set forth any applicable limits on the use of such advice.