[co-author: Stephanie Kozol]*
Key point: The investigative sweep is part of a growing multistate approach to privacy enforcement actions.
On September 9, the California Privacy Protection Agency (CPPA) announced that it has initiated a joint regulatory sweep in collaboration with attorneys general (AG) from California, Colorado, and Connecticut. The sweep will target businesses’ compliance with legal requirements associated with recognition of opt-out preference signals (OOPS) and universal opt-out mechanisms (UOOMs) that consumers can use to exercise their right to opt out of online tracking technologies (i.e., targeted advertising, sales, or sharing).
UOOMs and OOPS
UOOMs refer to a range of tools that simplify the process for a consumer to exercise their privacy preferences across multiple online platforms, services, and browsers by sending a standardized signal to the website through the consumer’s browser. States recognize different tools and occasionally use different terms to describe these UOOMs (e.g., global opt-outs, standardized opt-outs, privacy preference tools, etc.). California and Colorado explicitly require companies to recognize and honor signals from one of the most popular tools, the Global Privacy Control (GPC). Connecticut, on the other hand, requires companies to honor consumer privacy preferences through any UOOM tool, so long as the mechanism is similar to other UOOM tools required by any other state or federal regulatory framework.
The GPC technical specifications were developed in 2020. GPC functions as a “stop selling or sharing my data” switch, the technological equivalent of a do-not-call list for telemarketers. When individuals use certain browsers, like DuckDuckGo, or browser extensions, like Privacy Badger, they send the GPC signal to all websites they visit. By default, businesses are then required to opt the user out of online sales/shares/targeted advertising. This is in lieu of users having to exercise their opt-out rights at every website they visit.
The Regulatory Framework
The California Consumer Privacy Act (CCPA) was the first privacy law to require websites to honor consumer privacy preferences communicated to the company through UOOM signals. By 2021, the California AG’s office — then the primary CCPA enforcement authority — updated its CCPA FAQs to state that businesses must recognize the GPC signal as an OOPS. Then, in August 2022, the California AG brought the first CCPA enforcement action against Sephora for alleged violations of the CCPA’s “Do Not Sell” provision by ignoring GPC signals and failing to offer any opt-out mechanisms.
In June 2023, the Colorado AG’s office followed California’s lead and engaged in a stakeholder process to identify UOOMs acceptable under the requirements of the Colorado Privacy Act (CPA) and determined that GPC was the only recognized UOOM.
Colorado became the second state to require companies to honor UOOM opt-outs in July 2024. The Connecticut AG’s office followed suit, updating its Connecticut Data Privacy Act (CTDPA) FAQs to state that controllers must recognize GPC as a valid UOOM under that state’s law.
Twelve of the 19 state consumer data privacy laws now require covered entities to recognize UOOMs, although the requirement in some state laws, such as those of Oregon and Delaware, is not yet in effect. Regulators recognize that these mechanisms are an important tool for consumers to exercise privacy rights and increasingly require companies to honor them.
The Investigative Sweep
As is relevant to this investigative sweep, the CCPA’s regulations require businesses to recognize opt-out preference signals from consumer browsers and treat them as requests to opt out of the sale or sharing of personal information. Similarly, the CPA mandates that businesses processing personal data for “targeted advertising” must allow consumers to opt out via a “user-selected universal opt-out mechanism.” The CTDPA aligns with the CPA’s requirements.
The joint sweep by California, Colorado, and Connecticut is intended to ensure companies are honoring GPC. Regulators from those states have already issued letters to companies that are not in compliance, and noncompliance may result in significant financial exposure. Further, as we discussed in our recent article, changes to the CCPA’s regulations will soon require companies to affirmatively disclose to users that the website recognizes the user’s GPC signal.
The announcement of this joint sweep is part of a trend of state regulators collaborating to address privacy issues arising from the use of digital technologies. Although California regulators have been at the forefront of regulating privacy issues, other states, including Colorado and Connecticut, are joining in by sharing information, technology, knowledge, and resources to regulate how companies collect, process, and share consumer information. This trend is also highlighted by the AGs from seven states who formed a collaborative privacy enforcement group last April, the “Consortium of Privacy Regulators.” The consortium includes California, Colorado, Connecticut, Delaware, Indiana, New Jersey, and Oregon. This initiative is aimed at addressing existing and anticipated gaps in federal privacy enforcement and is evidence of continuing collaboration among state AGs who seek to protect the privacy of their constituents.
*Senior Government Relations Manager