Global Privacy Control Endorsed by California AG – Next Steps
In late January, California’s Attorney General (AG) tweeted about the use of the new Global Privacy Control (GPC), informing California consumers that on certain browsers they can use GPC as a “stop selling my data switch” to exercise their right to opt out of the sale of their personal information (PI) in one step – rather than on an individual site basis. As the GPC is not yet a finalized standard, it remains uncertain as to when the AG’s office will begin enforcing the GPC, but the tweet provides some insight into how the OAG views this issue.
Opt-Out of Sale Methods
The California Consumer Privacy Act’s (CCPA) broad definition of “sell” includes the sharing of PI for any exchange of value, which arguably encompasses the sharing of information with third parties in relation to on-site advertising cookies and similar tracking technologies. Title 11, Cal. Code Regs § 999.315(a) (CCPA regulation § 999.315(a)), establishes that a business must provide two or more designated methods for submitting requests to opt out of sales.
In addition to the required “Do Not Sell My Personal Information” (DNSMPI) link, the rule provides that other possible opt-out methods include an opt-out web form, a designated toll-free phone number or email address, and “user-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their [PI].” Section 999.315(c) goes further in stating that if a business collects PI from a California resident online, “the business shall treat user-enabled privacy controls” as a valid opt-out of sale request.