The Rise of UOOMs

October 26, 2023

Privacy Plus+

Privacy, Technology and Perspective

The Rise of UOOMs:  Universal Opt-Out Mechanisms under State Privacy Laws and their Deadlines for Compliance. This week, let’s focus on Universal Opt-Out Mechanisms (UOOMs) and highlight several related state privacy laws.

Background

What is a UOOM? Generally, a UOOM is a tool that can be used online to opt out of the sale of personal information or online tracking.  UOOMs are designed to work automatically: they transmit a binary (on/off) opt-out signal at the browser level, so the user does not have to exercise the opt-out site by site.  Hence, they are often directly embedded in browsers or extensions, and work by signaling to websites that the user has chosen to block trackers or otherwise opt out of the sale/sharing of their personal information.

Example: The Global Privacy Control (GPC) is an example of a UOOM.  You can learn more about the GPC and download it, if desired, by visiting the following website:

https://globalprivacycontrol.org/

Note that effective use of the GPC requires a browser (e.g. DuckDuckGo, Firefox, or Brave) or an extension (e.g. the Electronic Frontier Foundation's Privacy Badger) to support the signal.

States Requiring UOOMs

As of this writing, some states (including California, Colorado, and Connecticut) have already enacted privacy laws that implicate UOOMs, either by directly referencing them or by alluding to mechanical solutions that can be used to respond to consumers who exercise their opt-out rights.

California:

Originally, the California Consumer Privacy Act (CCPA) did not expressly acknowledge UOOMs.  However, in August of 2022, when Sephora became the first company to face allegations that it violated the CCPA, it entered into a settlement that included a $1.2 million fine and obligations requiring Sephora to “provide mechanisms for consumers to opt out of the sale of personal information, including via the Global Privacy Control.” A link to the California Attorney General’s announcement of the settlement with Sephora follows:

https://oag.ca.gov/news/press-releases/attorney-general-bonta-announces-settlement-sephora-part-ongoing-enforcement  

Since then, the CCPA has been amended by the California Consumer Privacy Rights Act (CPRA).  On January 1, 2023, the amended statute took effect, and it includes an amended Section 1798.135, which provides that businesses that respect opt-out signals, like the GPC, no longer need to have a "Do Not Sell My Personal Information" link on their homepage.

A link to the CCPA, as amended, follows:

https://cppa.ca.gov/regulations/pdf/cppa_act.pdf

More information about the mechanics of the opt-out in California can be found in Section 7025 of the CCPA Regulations.

It also bears mentioning that the Attorney General has developed a stylized “CCPA Opt-Out Icon,” which is available for download by clicking on the following link:

https://www.oag.ca.gov/privacy/ccpa/icons-download

Summary: In California, the use of UOOMs is optional.  California has issued regulations describing the mechanics of UOOMs.  And in the Sephora settlement, the California Attorney General favorably referenced the use of the Global Privacy Control.

Colorado:

On July 1, 2023, the Colorado Privacy Act (CPA) took effect. A link to the text of the CPA follows:

https://coag.gov/app/uploads/2022/01/SB-21-190-CPA_Final.pdf

Like other state privacy laws, Section 6-1-1306 of the CPA provides consumers with certain privacy rights, including the right to opt out of the processing of their personal data for purposes of (1) targeted advertising, (2) the sale of personal data, or (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

Effective July 1, 2024, businesses covered by the CPA that process personal data for the purposes of targeted advertising or the sale of personal data must allow consumers to use a user-selected “universal opt-out mechanism” when exercising their right to opt out of the processing of their personal data for the purposes of targeted advertising or sale.

The CPA Final Rules provide more detail about the technical specifications of UOOMs, and define them as “mechanisms that clearly communicate a Consumer's affirmative, freely given, and unambiguous choice to opt out of the Processing of Personal Data for purposes of Targeted Advertising or the Sale of Personal Data…which meets [certain] technical specifications...” A link to the Rules follows:

https://coag.gov/app/uploads/2023/03/FINAL-CLEAN-2023.03.15-Official-CPA-Rules.pdf

You can review CPA’s UOOM technical specifications by clicking on the following link:

https://casetext.com/regulation/colorado-administrative-code/department-900-department-of-law/division-904-attorney-general-consumer-protection-section/rule-4-ccr-904-3-colorado-privacy-act-rules/part-4-ccr-904-3-5-universal-opt-out-mechanism/section-4-ccr-904-3-506-technical-specification

As of this writing, the Colorado Department of Law is accepting applications for UOOMs to be considered for inclusion in its “public list of Universal Opt-Out Mechanisms that have been recognized to meet the standards” of the CPA.  That list is expected to be released by January 1, 2024.

Summary: In Colorado, controllers must recognize UOOMs by July 1, 2024.  Expect to see a published list of approved UOOMs on January 1, 2024.

Connecticut:

On July 1, 2023, the Connecticut Data Privacy Act (CTDPA) (a/k/a An Act Concerning Personal Data Privacy and Online Monitoring) took effect.  A link to the CTDPA follows:

https://www.cga.ct.gov/2022/ACT/PA/PDF/2022PA-00015-R00SB-00006-PA.PDF

Like the CPA, under the CTDPA, consumers have the right to opt out of the processing of their personal data for purposes of (1) targeted advertising, (2) the sale of personal data, or (3) profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.

Under Section 6 of the CTDPA, “controllers” are required to provide “clear and conspicuous” links on their website to allow consumers to opt out of this processing. Starting on January 1, 2025, controllers must also recognize universal “opt-out preference signal(s)” denoting a consumer's decision to opt out of targeted advertising and sales.

The Office of the Attorney General of Connecticut has released “guidance” advising Connecticut consumers of their privacy rights, including the right to opt out.  However, that guidance is silent regarding UOOMs, so it remains unclear which “opt-out preference signal(s)” will suffice. You can read the guidance by clicking on the following link:

https://portal.ct.gov/AG/Press-Releases/2023-Press-Releases/AG-Tong-Advises-Connecticut-Consumers-of-Upcoming-Rights-Under-the-Connecticut-Data-Privacy-Act

Summary: In Connecticut, controllers must recognize UOOMs by January 1, 2025. However, the precise details regarding the implementation of specific UOOMs remain uncertain.

Compare: Texas

Like Colorado, Section 541.051 of the Texas Data Privacy and Security Act (TDPSA) provides consumers with certain privacy rights, including the right to opt out of the processing of their personal data for purposes of (1) targeted advertising, (2) the sale of personal data, or (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

However, the law does not specify UOOMs as a method for submitting an opt-out request; rather, it seems to copy from the original CCPA, which required two or more methods for enabling consumers to submit requests.

Summary: In Texas, UOOMs aren’t required, but they are arguably optional as a method for enabling consumers to submit their requests when the TDPSA takes effect on January 1, 2025. 

Our Thoughts:

We think that the future of data privacy will be driven by privacy-enhancing technologies. UOOMs, like the GPC, will likely become a cornerstone of data privacy compliance, at least in the short term. 

Thus, in California, and soon in Colorado and Connecticut, website owners will need to consider the integration of UOOMs into their websites, understanding both the technical specifications and the capacity of the site to reliably detect and respect preference signals sent by UOOMs. Typically, this involves checking for the presence of a specific HTTP header or a JavaScript API property.  Once detected, the website must then be able to process and honor the signal.
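As an added illustration of the detection step described above (this is not code from the original post or from the GPC project), the following shows how a site can read the GPC signal on the server, via the Sec-GPC request header, and in the browser, via navigator.globalPrivacyControl, and turn it into a processing decision. The header name and property name come from the GPC specification; the function names, middleware wiring and shape of the decision record are assumptions for this example.

```javascript
// Server side: the GPC specification defines the request header "Sec-GPC: 1".
// Any other value is treated as if the header were absent (per the spec).
function gpcHeaderOptOut(headers) {
  // Node-style header objects use lower-case keys; accept either casing and
  // handle a repeated header (array value) by taking the first occurrence.
  let value = headers["sec-gpc"] ?? headers["Sec-GPC"];
  if (Array.isArray(value)) value = value[0];
  return typeof value === "string" && value.trim() === "1";
}

// Browser side: navigator.globalPrivacyControl is true when the user's browser
// or extension is sending the signal. The navigator object is passed in as a
// parameter so the same logic can be exercised outside a browser.
function gpcClientOptOut(nav) {
  return nav != null && nav.globalPrivacyControl === true;
}

// Map the detected signal onto the processing that the opt-out rights discussed
// above cover (sale of personal data, targeted advertising). Fraud prevention
// is kept as an example of a statutory exception that survives an opt-out.
// This record shape is an assumption for the example.
function processingDecision(optOut) {
  return {
    saleOfPersonalData: !optOut,
    targetedAdvertising: !optOut,
    fraudPrevention: true, // exception: still permitted after an opt-out
  };
}

// Hypothetical Express-style middleware: records the decision on the request
// so downstream handlers (ad tags, analytics, data-sharing jobs) can honor it.
function gpcMiddleware(req, res, next) {
  req.gpcOptOut = gpcHeaderOptOut(req.headers || {});
  req.processing = processingDecision(req.gpcOptOut);
  next();
}
```

Logging which requests carried the signal and which decision was applied gives the documentation trail referenced in the next paragraph.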

Proper mechanics and documentation are crucial. Technical integration may be straightforward if the business controls its own website, and trickier for those who rely on platform providers.  Regardless, applying the “opt-out” command across the entirety of a business’s data fields and business processes (including the necessary exceptions, for fraud prevention, self-protection, etc.) may require far more substantive business change than may be expected.  So if you haven’t started working on integrating UOOMs, now may be the prudent time.

---

Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.
