OOPS, California did it again: What are Opt-Out Preference Signals?
Posted: February 8, 2024
The California Privacy Protection Agency (CPPA) has released guidance on Opt-Out Preference Signals (OOPS), also known as Universal Opt-Out Mechanisms (UOOMs).
This isn’t the first time California law has recognized OOPS. But this time, the rules are more demanding.
Processing user preferences via OOPS is a crucial part of California Consumer Privacy Act (CCPA) compliance. In fact, when the California Attorney General settled with Sephora in 2022, the company’s failure to respond to OOPS was specifically cited as a CCPA violation.
Here’s everything you need to know about OOPS under the CCPA.
What are OOPS?
OOPS are signals, sent from a person’s browser, indicating that person’s preferences around how their personal information is processed by a website or online service. A person can choose to transmit an OOPS via their device, browser, or a browser extension.
California has a long history with OOPS. Under the state’s proto-privacy law, the California Online Privacy Protection Act (CalOPPA), website operators must disclose how they respond to signals sent by an early OOPS, the Do Not Track (DNT) protocol.
However, CalOPPA only requires businesses to state whether they process DNT signals. The CCPA requires businesses to actually detect and respond to such signals.
To further complicate things, DNT itself might not be covered by the CCPA. But other OOPS are.
Which OOPS are valid under the CCPA?
The CCPA doesn’t provide a list of valid OOPS. Nor does the law empower state authorities to decide (unlike in other states, such as Colorado).
Instead, the CCPA describes what kinds of OOPS are valid. A business must respond to an OOPS if:
- It is in a commonly used and widely recognized format, such as an HTTP header field or JavaScript object.
- It clarifies to the user that it will opt them out of the sale and sharing of their personal information.
The CPPA gives one example of such an OOPS: the Global Privacy Control (GPC). The Colorado Attorney General also recognizes this OOPS as a valid signal under the Colorado Privacy Act.
But other OOPS are likely to count, too. And for now, it’s down to each individual business to decide which ones.
What do you need to do when you detect an OOPS?
Businesses should interpret an OOPS as a request by the consumer to opt out of:
- The sale of their personal information, and
- The sharing of their personal information for cross-context behavioral advertising.
These terms have specific definitions under the CCPA. But essentially, you should not set third-party cookies on a user’s device if they are transmitting a valid OOPS.
Once you receive a valid OOPS, you must not sell or share personal information associated with:
- The user’s browser or device,
- A profile associated with the device (for example, a pseudonym assigned to that device or browser), and
- The consumer, if you know who they are (for example, if they’re logged into an account on your website).
You have a maximum of 15 days to stop selling or sharing the user’s personal information. You don’t need to authenticate a request to opt out of these activities.
What about financial incentive programs?
The CCPA allows businesses to conduct “financial incentive programs” or loyalty schemes. In other words, you may sell or share a consumer’s personal information and provide the consumer with a cut of the profits under certain conditions.
If a consumer is part of a financial incentive program but has an OOPS enabled on their device or browser, don’t automatically remove them from the program.
Instead, you can send a prompt asking the consumer if they want to withdraw from the financial incentive program.
- If the consumer confirms that they meant to transmit an OOPS and they understand that this will withdraw them from the financial incentive program, you must comply with the consumer’s preferences.
- If the consumer says they want to continue in the program, you can ignore the OOPS.
- If the consumer does not respond, you can ignore the OOPS.
- If you fail to send the consumer a prompt, you must respect their OOPS and withdraw them from the program.
What’s all this ‘frictionless manner’ stuff?
One of the more complicated parts of the CCPA’s OOPS requirements relates to processing OOPS in a “frictionless manner.”
If you process OOPS in a frictionless manner, you don’t need to include a “Do Not Sell or Share My Personal Information” link on your website.
To meet the “frictionless manner” requirements, the CPPA says you must not:
- Charge a fee or require anything of value if the consumer uses an OOPS.
- Provide a different experience, product, or service for consumers using OOPS.
- Display any “notification, pop-up, text, graphic, animation, sound, video,” or intermediary content in response to an OOPS (except for a notification showing the consumer’s opt-out status).
Additionally, the CPPA says that a business must include the following information in its privacy policy:
- An explanation of the consumer’s right to opt out of the sale and sharing of their personal information.
- A disclosure that you process OOPS in a frictionless manner.
- An explanation of how to opt out, including via OOPS.
Essentially, there’s an exception from the “Do Not Sell” link rules for businesses that make it easy to use OOPS.
How to respond to OOPS
The way you respond to OOPS depends on your website or app. You may need to configure your website to respond to the GPC and other valid signals.
If you use a reputable Consent Management Platform like Cassie, it will do the hard work for you, enabling you to process a range of OOPS in compliance with the CCPA’s selling and sharing rules.
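As an added illustration (not code from this article or from any Consent Management Platform), the sketch below shows server-side handling of a GPC signal following the rules described above: which identifiers the opt-out attaches to, the 15-day limit, and the financial incentive cases. The `Sec-GPC: 1` request header comes from the GPC specification; every function name, the request shape, and the in-memory `Map` store are assumptions made for the example.

```javascript
// Added example; every name below is hypothetical, not a real product API.
const DAY_MS = 24 * 60 * 60 * 1000;

// GPC arrives as the request header "Sec-GPC: 1"; any other value is no signal.
function hasGpcSignal(headers) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === 'sec-gpc');
  return key !== undefined && String(headers[key]).trim() === '1';
}

// Record the opt-out against each identifier the article lists: the browser or
// device, a pseudonymous profile tied to it, and the account if the user is known.
function recordOptOut(store, ids, receivedAt) {
  const scopes = ['deviceId', 'profileId', 'accountId'].filter((s) => ids[s]);
  for (const s of scopes) {
    const key = `${s}:${ids[s]}`;
    if (!store.has(key)) store.set(key, { receivedAt }); // keep the first receipt
  }
  return scopes;
}

// Financial incentive program outcome, following the article's four cases.
// answer is 'withdraw', 'stay', or null when the consumer did not respond.
function incentiveOutcome(promptSent, answer) {
  if (!promptSent) return 'withdraw'; // no prompt sent: the OOPS must be respected
  return answer === 'withdraw' ? 'withdraw' : 'stay';
}

function handleRequest(req, store, now = new Date()) {
  const ids = req.ids || {};
  const signal = hasGpcSignal(req.headers || {});
  const scopes = signal ? recordOptOut(store, ids, now) : [];
  // An opt-out recorded earlier still applies when a later request lacks the header.
  const records = Object.keys(ids)
    .map((s) => store.get(`${s}:${ids[s]}`))
    .filter(Boolean);
  const optedOut = signal || records.length > 0;
  const first = Math.min(now.getTime(), ...records.map((r) => r.receivedAt.getTime()));
  return {
    optedOut,
    scopes,
    // No authentication step and no pop-up: just stop loading sale/share tags.
    loadSaleOrShareTags: !optedOut,
    // Latest date by which selling or sharing must have stopped (15 days).
    stopBy: optedOut ? new Date(first + 15 * DAY_MS) : null,
    incentive: signal && req.inIncentiveProgram
      ? incentiveOutcome(Boolean(req.promptSent), req.answer ?? null)
      : null,
  };
}
```

In the browser, the same signal is exposed to page scripts as `navigator.globalPrivacyControl`, which a tag loader can check before injecting third-party scripts.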