Universal Opt-Out Mechanisms in U.S. Consumer Privacy Laws
On January 16, 2024, New Jersey Governor Phil Murphy signed S332 (Sixth Reprint) into law, making New Jersey the 14th state with a consumer privacy law on deck. Like other states' laws, S332 (also known as the New Jersey Disclosure and Accountability Transparency Act [NJ DaTA]) applies to controllers and processors that conduct business in the state or produce products or services that are targeted to residents of the state and meet certain processing thresholds. Non-profits, government entities and certain other regulated entities and data are exempt, and persons acting in a business-to-business or employment context are not “consumers” and are therefore also exempt from the law’s coverage.
Many of the Act’s provisions and exemptions are similar to those of other U.S. states, but one distinct requirement sets it apart – the mandate to honor Universal Opt-Out Mechanisms (UOOMs). In this article, we will explore the significance of UOOMs, focusing on the states that have incorporated them into their statutory requirements, namely California, Colorado, Connecticut, Delaware, Montana, Oregon, Texas, and the recent addition, New Jersey. New Jersey’s UOOM requirement takes effect eighteen months from the Act’s effective date, January 15, 2025.
Understanding UOOMs
Only a handful of states have incorporated UOOMs into required statutes. These states recognize the importance of providing consumers with a universal means to opt out of certain data processing activities. Universal Opt-Out Mechanisms, as the name suggests, provide consumers with a standardized and streamlined process to opt out of certain data processing activities conducted by businesses. These mechanisms are designed to offer individuals a convenient and accessible means to exercise their right to privacy and control over their personal information.
The primary objective of UOOMs is to simplify the often intricate web of privacy settings and consent options that consumers encounter. By implementing a UOOM requirement, legislators aim to create a more transparent and user-friendly experience for individuals seeking to manage their privacy preferences across various online platforms and services.
While “Universal Opt-Out Mechanisms” is a specific term used to describe standardized opt-out processes in privacy laws, different states in the U.S. may use alternative terms or refer to similar concepts in their legislation. Here are some alternative names or related terms that may be used to describe similar mechanisms in U.S. privacy laws:
- Global Privacy Controls (GPC)
- Opt-Out Preferences Signals
- Global Opt-Outs
- Standardized Opt-Outs
- Consumer Choice Mechanisms
- Privacy Preference Tools
- Data Consent Platforms
- Opt-Out Frameworks
- User Privacy Controls
California Opt-Out Preference Signals
Before the amendments from the California Privacy Rights Act (CPRA), the CCPA did not require businesses to recognize opt-out preference signals. The regulations simply stated that companies must honor GPC as a valid opt-out request. The CPRA addressed GPC and expanded the regulations. Under the current regulations with these amendments, even where a business posts a “Do Not Sell My Personal Information” link, it must also process opt-out preference signals.
Colorado recognizes GPCs as UOOMs
On December 29, 2023, the Colorado AG announced that the Global Privacy Control (GPC) will become the first UOOM (and currently the only UOOM) the AG considers valid under the Colorado Privacy Act (CPA). By July 1, 2024, companies will be required to honor these mechanisms. To help consumers and controllers understand which UOOMs meet such specifications, the CPA required the AG to publish and maintain a public shortlist of UOOMs that controllers must detect and process.
Connecticut delayed UOOM Compliance
Connecticut’s UOOM requirements went into effect on July 1, 2023, but allow companies to delay compliance until January 1, 2025. By that date, companies will need to allow consumers to opt out of targeted advertising or sales of their data via the mechanism. Interestingly, the statute says that the mechanism should be as consistent as possible with any other similar platform, technology or mechanism required by any federal or state law or regulation.
Texas Universal Opt-Out Signals
The Texas Data Privacy and Security Act (TDPSA) describes requirements for controllers and consumers regarding the use of UOOMs. Specifically, the law designates another person to serve as the consumer’s authorized agent and act on their behalf. This encompasses UOOMs like GPC or the upcoming Google Privacy Sandbox. These provisions go into effect on January 1, 2025, six months after the rest of the law goes into effect.
Delaware Opt-Out Preference Signals
The Delaware Online Privacy and Protection Act (DOPPA) goes into effect on January 1, 2025, but companies must comply with UOOM regulations no later than January 1, 2026. Companies doing business in Delaware must allow consumers to opt out of the selling or processing of their personal data for the purposes of targeted advertising through an opt-out preference signal.
Montana Opt-Out Preference Signals
The Montana Consumer Data Privacy Act (MCDPA) mandates that by January 1, 2025, consumers must be able to “opt out of any processing of the consumer’s personal data for the purposes of targeted advertising, or any sale of such personal data through an opt-out preference signal sent with the consumer’s consent”. The MCDPA goes into effect on October 1, 2024. With only two months to comply with UOOM regulations, companies must prepare months in advance.
Oregon Universal Opt-Out Signals
Starting January 1, 2026, a year and a half after the law goes into effect on July 1, 2024, the Oregon Consumer Privacy Act (OCPA) requires controllers to honor universal opt-out signals from consumers. The act mandates that “The consumer may designate an authorized agent by means of an internet link, browser setting, browser extension, global device setting or other technology that enables the consumer to opt out of the controller’s processing of the consumer’s personal data.”
Utah and Virginia
Currently these states do not have any obligation to honor UOOMs or signals. That said, presumably both laws could be amended to add such a requirement in the future.
Implementing The Right UOOM and Opt-Out Preference Recognition Tools for Your Company
Implementing the right Opt-Out tools plays a crucial role in managing and honoring individuals’ preferences regarding the use of their personal information. By integrating effective Opt-Out tools, like Clarip’s Do Not Sell/Share Opt-Out Automation, businesses can empower consumers to easily opt out of data collection, marketing communications, and other privacy-related activities. This not only demonstrates a commitment to respecting user privacy but also enhances the company’s reputation. Implementing robust UOOM tools ensures that the organization adheres to legal requirements, avoiding potential legal consequences associated with mishandling sensitive information.
Clarip’s Data Privacy Governance Platform ensures compliance with all consumer privacy regulations, including the “Do Not Sell/Do Not Share My Personal Information” solution. Allow customers to submit, revoke and update granular consent with Clarip’s Universal Consent Management. Clarip takes enterprise privacy governance to the next level and helps organizations reduce risks, engage better, and gain customers’ trust! Contact us at www.clarip.com or call Clarip at 1-888-252-5653 for a demo.