Universal Opt-Out Signals for User Privacy Preferences

ALLAN LEMOS—A universal opt-out request is a signal sent on the internet user’s behalf by a third-party platform, typically the user’s browser or a browser extension, that communicates the user’s choice to opt out of the sale and sharing of their personal information. Essentially, these signals let users communicate their privacy preferences to a host of websites by using a browser or browser plug-in that sends the signal, rather than having to manually indicate their preferences on each website they visit. Recent legislation will require that websites comply with privacy preferences received through incoming signals from universal opt-out mechanisms, such as the one built into DuckDuckGo’s browser extension. Upon receiving this signal, the website cannot sell or share the user’s personal information, at least not without some affirmative action from the user granting permission to that website. Such legislation significantly increases the utility and effectiveness of third-party tools like DuckDuckGo’s, because companies are now required to comply with these automated preference signals. DuckDuckGo offers a browser extension (available for Google Chrome and other browsers) that sends the Global Privacy Control signal, allowing users to express a privacy preference once rather than site by site. Universal opt-out signals allow users to take control of their data without having to click through a maze of privacy policy pop-ups on every website they visit. Additionally, the compliance cost for technology companies that sell or share information is not prohibitively high, because global privacy control compliance requires “adding just a few lines of code to their website.”

California, Colorado, and Connecticut have passed legislation that will require companies to respect these universal opt-out requests. Different jurisdictions refer to these signals using different terminology, including global privacy controls and global opt-outs. Organizations affected by the legislation in the states that have enacted these measures must develop systems that receive universal opt-out requests when users access the organization’s applications or websites from the regulated jurisdictions. Each state has different criteria regarding which organizations must comply with these requirements. It is critical that organizations understand whether they are “selling” or “sharing” users’ personal information, legal terms that may not be as straightforward as they appear at first glance.

What if the universal opt-out signal conflicts with permission affirmatively given by the user on the company’s website? For example, what if a website receives a universal opt-out preference signal from John User, but John clicks to agree via the website’s pop-up and opts in to the sharing of his personal information? This is another area where the privacy framework differs state by state. For example, in California, the universal opt-out preference signal controls. “If a global privacy control [universal opt-out signal] conflicts with a businesses’ other controls, then the global control wins out. In that case, the business may notify the customer of the conflict and ask for the customer’s preferred setting.” Conversely, users in Connecticut and Colorado may override the universal preference signal by affirmatively clicking to accept the website’s privacy policies. In other jurisdictions where there are no universal opt-out signal compliance requirements, websites may ignore the universal signal. In Florida, HB 9 on consumer data privacy would have required that websites enable a user to opt out of the sale or sharing of personal information but would not have gone so far as to require compliance with universal opt-outs. Regardless, the Florida data privacy bill died in the Judiciary.
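The following is an added example, not code from the article or from any of the regulators or vendors it names. It shows what the “few lines of code” look like on the receiving end: the Global Privacy Control specification carries the signal as the HTTP request header `Sec-GPC: 1` (and exposes it to page scripts as `navigator.globalPrivacyControl`), so a server can detect it and then resolve it against any consent the user gave on the site using the three regimes described above (signal controls; on-site opt-in overrides the signal; signal not mandated). The jurisdiction codes, the request shape, and the consent record are assumptions made for illustration.

```javascript
// Added example (not from the article): detect a Global Privacy Control
// opt-out on an incoming request and resolve it against on-site consent.
// Per the GPC specification the signal is the request header "Sec-GPC: 1".
// Jurisdiction codes, the headers object and the consent flag are assumed.

// Returns true only when the request carries a valid GPC opt-out signal.
// HTTP header names are case-insensitive, so match them that way; the
// spec defines "1" as the only meaningful value, so anything else is
// treated as no signal.
function gpcSignalPresent(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") {
      return String(value).trim() === "1";
    }
  }
  return false;
}

// The conflict regimes the article describes (codes are assumptions):
//   gpc_wins          - the signal controls even over an on-site opt-in
//                       (California)
//   consent_overrides - an affirmative on-site opt-in overrides the signal
//                       (Colorado, Connecticut)
//   not_required      - no mandate; the site may ignore the signal
const REGIME_BY_JURISDICTION = {
  "US-CA": "gpc_wins",
  "US-CO": "consent_overrides",
  "US-CT": "consent_overrides",
};

// Decide whether the site may sell or share this user's personal
// information for this request.
//   headers      - request headers as a plain object
//   jurisdiction - where the user is accessing from, e.g. "US-CA"
//   onSiteOptIn  - true if the user affirmatively opted in to sale/sharing
//                  through the site's own controls
// Returns { allowSaleOrShare, promptForPreference, reason }.
function resolveSaleOrShare({ headers, jurisdiction, onSiteOptIn = false }) {
  const gpc = gpcSignalPresent(headers);
  const regime = REGIME_BY_JURISDICTION[jurisdiction] || "not_required";

  if (!gpc) {
    // No signal: fall back to whatever the user chose on the site.
    return { allowSaleOrShare: onSiteOptIn, promptForPreference: false, reason: "no-gpc-signal" };
  }
  switch (regime) {
    case "gpc_wins":
      // The signal controls. On a conflict the business may notify the
      // user and ask for their preferred setting, but must not sell or
      // share in the meantime.
      return { allowSaleOrShare: false, promptForPreference: onSiteOptIn, reason: "gpc-controls" };
    case "consent_overrides":
      return onSiteOptIn
        ? { allowSaleOrShare: true, promptForPreference: false, reason: "on-site-opt-in-overrides-gpc" }
        : { allowSaleOrShare: false, promptForPreference: false, reason: "gpc-honored" };
    default:
      // Not mandated here. Treating the signal as "ignore" is what the
      // text permits; a simpler design honors it everywhere.
      return { allowSaleOrShare: onSiteOptIn, promptForPreference: false, reason: "gpc-not-mandated" };
  }
}

// Constructed sample request (not a real capture): a Californian user whose
// browser sends GPC but who also clicked "accept" on the site's pop-up.
const sampleHeaders = { "Host": "example.test", "Sec-GPC": "1", "User-Agent": "ExampleBrowser/1.0" };
const decision = resolveSaleOrShare({ headers: sampleHeaders, jurisdiction: "US-CA", onSiteOptIn: true });
console.log(decision); // { allowSaleOrShare: false, promptForPreference: true, reason: 'gpc-controls' }
```

The decision is made per request rather than once per session because the signal travels with every request; a user who disables the extension mid-session stops sending it, and one who enables it starts, so caching the first answer would get the later requests wrong. The separate `gpcSignalPresent` check matters because proxies and frameworks sometimes lower-case header names, and a value such as `Sec-GPC: 0` or an empty value must not be read as an opt-out.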

Colorado and Connecticut legislation will require websites to respect these universal opt-out requests beginning in July 2024 and January 2025, respectively. The California Privacy Protection Agency has not yet finalized the rulemaking process, but it has signaled that regulations will require compliance with universal opt-out signals as soon as January 2023. A private right of action will not be available for violations of these requirements. However, organizations that fail to comply may face significant liability in the form of administrative action or enforcement brought by state attorneys general. In Connecticut, entities may face penalties of up to $5,000 per willful violation under the Connecticut Unfair Trade Practices Act. In California, administrative fines for intentional violations may be up to $7,500 per violation. In Colorado, “[a] violation of the CPA would be classified as a deceptive trade practice and could result in a $20,000 fine per violation, with no cap on the total fine imposed.”