California, Colorado, and Connecticut have passed legislation that will require companies to respect these universal opt-out requests. Different jurisdictions refer to these signals using different terminology, including global privacy controls and global opt-outs. Organizations affected by the legislation in the states that have enacted these measures must develop systems that receive universal opt-out requests when users access the organization’s applications or websites from the regulated jurisdictions. Each state has different criteria regarding which organizations must comply with these requirements. It is critical that organizations understand whether they are “selling” or “sharing” users’ personal information, legal terms that may not be as straightforward as they appear to be at first glance.
What if the universal opt-out signal conflicts with permission affirmatively given by the user on the company’s website? For example, what if a website receives a universal opt-out preference signal from John User, but John clicks to agree via the website’s pop-up and opts in to the sharing of his personal information? This is another area where the privacy framework differs state by state. For example, in California, the universal opt-out preference signal controls. “If a global privacy control [universal opt-out signal] conflicts with a businesses’ other controls, then the global control wins out. In that case, the business may notify the customer of the conflict and ask for the customer’s preferred setting.” Conversely, users in Connecticut and Colorado may override the universal preference signal by affirmatively clicking to accept the website’s privacy policies. In other jurisdictions where there are no universal opt-out signal compliance requirements, websites may ignore the universal signal. In Florida, HB 9 on consumer data privacy would have required that websites enable a user to opt out of the sale or sharing of personal information but would not have gone so far as to require compliance with universal opt-outs. Regardless, the Florida data privacy bill died in the Judiciary.
Colorado and Connecticut legislation will require websites to respect these universal opt-out requests beginning in July 2024 and January 2025, respectively. California’s Privacy Protection Agency has not yet finalized the rulemaking process, but it has signaled that regulations will require compliance with universal opt-out signals as soon as January 2023. A private right of action will not be available for violations of these requirements. However, organizations that fail to comply with these requirements may face significant liability in the form of administrative action or enforcement brought by state attorneys general. In Connecticut, entities may face penalties up to $5,000 per willful violation under the Connecticut Unfair Trade Practices Act. In California, administrative fines for intentional violations may be up to $7,500 per violation. In Colorado, “[a] violation of the CPA would be classified as a deceptive trade practice and could result in a $20,000 fine per violation, with no cap on the total fine imposed.”