Universal Opt-Out Mechanisms: Why it's time to pay attention
Posted: February 1, 2024
Thirteen US states have enacted comprehensive privacy laws, many of which require businesses to allow consumers to opt out of certain data-processing activities via a “Universal Opt-Out Mechanism” (UOOM).
UOOM rules are already in effect in California, and one company has already settled with the state’s Attorney General for failing to configure its website to respond to UOOMs.
Here’s some guidance on what UOOMs are, how to comply with the rules around them, and why the legal requirements around UOOMs might be the most significant change brought about by the wave of recent US state privacy laws.
What’s a UOOM?
A UOOM is a signal sent by a person’s device or browser that tells a website operator how to treat personal information collected from that person’s browser or device.
If a user has enabled a UOOM in their browser or device, the UOOM will send a signal to each website they visit. This signal generally requests that the website operator does not:
- Track the user’s activity across the internet,
- Collect the user’s personal data for targeted advertising purposes, or
- Sell the user’s personal data.
An early example of a UOOM is the Do Not Track (DNT) protocol. DNT is integrated into several popular web browsers, but the protocol never achieved widespread recognition.
A more recent UOOM called Global Privacy Control (GPC) has been more successful, and it was recently selected as the “official” UOOM that must be processed by businesses subject to the Colorado Privacy Act (CPA).
A UOOM is also known as an Opt-Out Preference Signal (OOPS). In fact, OOPS is the acronym recently adopted by the California Privacy Protection Agency (CPPA), but we’ll stick to UOOM for this article.
UOOMs state-by-state
Now let’s consider how UOOM requirements manifest across the US states with comprehensive privacy laws.
Not all 13 relevant states include a UOOM requirement in their privacy laws, so our list omits Indiana, Iowa, Tennessee, Utah, and Virginia.
California
The California Consumer Privacy Act (CCPA) arguably has the most complicated UOOM requirements of any US state privacy law.
California consumers can use a UOOM to opt out of:
- The “sale” of their personal information, and
- The “sharing” of their personal information for the purposes of “cross-context behavioral advertising”.
Both these activities are defined in the CCPA.
Neither the CPPA (California’s recently formed privacy regulator) nor the law itself specifies which UOOMs must be processed by CCPA-covered businesses. According to recent guidance from the CPPA, a business must respond to any UOOM that:
- Uses a commonly-used and recognized format, such as an HTTP header field or JavaScript object, and
- Clearly informs consumers that enabling the UOOM will opt them out of the sale or sharing of their personal information.
This certainly includes the Global Privacy Control (GPC), as Attorney General Bonta penalized the French cosmetics retailer Sephora for failing to respond to GPC signals in his 2022 settlement with the company.
If a business receives a UOOM signal, it must stop selling or sharing personal information associated with:
- The browser or device that sent the signal,
- Any profile or pseudonymous identifier associated with the browser or device, and
- The consumer, if known, including when logged into an account with the business.
There are two further conditions relating to UOOMs in California:
- Businesses operating a “financial incentive program” must inform consumers that using a UOOM will withdraw them from the program and ask the consumer whether this is what they intended.
- Businesses that respond to a UOOM in a “frictionless manner” do not need to comply with the CCPA’s rules on “Do Not Sell Or Share My Personal Information” links.
The CPPA set out a definition of a “frictionless manner” in its recent regulations, but these are not yet enforceable.
Colorado
The Colorado Privacy Act (CPA) required the Colorado Attorney General to designate a list of UOOMs that controllers covered by the law must recognize.
Having initially proposed a shortlist of three UOOMs, the Attorney General settled on one: Global Privacy Control (GPC).
From 1 July 2024, controllers must treat a valid GPC signal received from a Colorado consumer as a request to opt out of:
- Targeted advertising
- The sale of personal information
Note that controllers may request that the consumer consent to these types of data processing, and the consumer’s consent will override the opt-out request made via GPC. The consent request must describe:
- Which types of personal data will be processed,
- The purposes for which they will be processed, and
- How the consumer can revoke consent.
The controller must also provide a mechanism to enable the consumer to withdraw consent as easily as it was given.
Connecticut
The Connecticut Data Privacy Act (CTDPA) also requires controllers to recognize UOOM signals but does not specify which UOOMs are valid opt-out requests. This section of the law applies from 1 January 2025.
Like in Colorado, controllers covered by the CTDPA must treat a UOOM signal from a Connecticut consumer as a request to opt out of:
- Targeted advertising
- The sale of personal information
While the CTDPA doesn’t let the state’s Attorney General choose which UOOM signals are to be treated as valid, the law does specify the qualities of a valid UOOM.
A controller must only recognize a UOOM signal if the UOOM:
- Doesn’t unfairly disadvantage another controller,
- Doesn’t make use of a default setting but instead requires the consumer to make an affirmative, freely given, and unambiguous choice to opt out,
- Is consumer-friendly and easy to use by the average consumer,
- Is as consistent as possible with any other similar platform, technology, or mechanism required by law or regulations,
- Enables the controller to accurately determine whether the consumer is a Connecticut resident who has made a legitimate request to opt out.
As such, GPC almost certainly represents a valid UOOM under the CTDPA. Other widely recognized UOOMs might also meet the above description, but this assessment falls to each controller covered by the law.
Delaware, Montana, Oregon
Delaware, Montana, and Oregon’s privacy laws all include UOOM provisions, and they’re practically identical to Connecticut’s (above).
Here’s when the UOOM requirements take effect in each state:
- Delaware, Oregon: 1 January 2026
- Montana: 1 January 2025
New Jersey
The New Jersey Data Privacy Act (NJDPA) includes a similar UOOM provision to Connecticut, Delaware, Montana, and Oregon.
However, as in Colorado, the law allows the New Jersey Attorney General to make regulations specifying which UOOMs are valid under the law.
There’s no specific date by which the Attorney General must pass these regulations. But once the regulations are adopted, we’ll know what’s expected of controllers covered by the NJDPA.
Texas
The Texas Data Privacy and Security Act’s (TDPSA) UOOM requirements are a little different from those in other states.
Texas largely follows the UOOM model adopted by Connecticut, Delaware, Montana, and Oregon.
However, the TDPSA states that the controller does not have to comply with a request received by a UOOM if it “does not process similar or identical requests (it) receives from consumers for the purpose of complying with similar or identical laws or regulations of another state.”
This somewhat confusing provision appears to allow TDPSA-covered controllers to ignore UOOM signals unless they are also required to process them under another state law. So:
- If you’re only covered by the TDPSA and not by any other UOOM law, you won’t need to respond to UOOMs.
- If you’re covered by both the TDPSA and any other UOOM law, you must respond to UOOM signals originating from Texas consumers from 1 January 2025.
How to configure your website to respond to UOOMs
Because there are many UOOMs with different technical specifications, there’s no “one way” to ensure your website responds to all of them.
If you use a reputable Consent Management Platform (CMP), like Cassie, to manage cookies, the provider should be able to assist you in configuring the CMP to process UOOM signals.
The Global Privacy Control (GPC) project also publishes an implementation guide to help you work out how to process GPC signals.
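As an added example (not code from the original article, from Cassie, or from the GPC project), here is how a Node.js site could recognize the GPC signal discussed above and gate sale, sharing and targeted advertising on it. The `Sec-GPC` request header, the `navigator.globalPrivacyControl` property and the `/.well-known/gpc.json` resource come from the GPC specification; the sample headers and the `storedConsent` parameter are constructed for illustration, and the consent-override rule follows the Colorado section above.

```javascript
// Added example: honouring the Global Privacy Control (GPC) signal server-side.
// The GPC spec defines the request header "Sec-GPC: 1"; any other value, or the
// header's absence, is not an opt-out and must not be treated as one.

// Node's http module lowercases header names; this helper also accepts a plain
// object with mixed-case keys (as in the constructed samples below).
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const key of Object.keys(headers)) {
    if (key.toLowerCase() === wanted) return headers[key];
  }
  return undefined;
}

// True only when the request carries a valid GPC opt-out signal.
function hasGpcOptOut(headers) {
  return String(getHeader(headers, "Sec-GPC") ?? "").trim() === "1";
}

// Decide what this request may be used for. storedConsent is a hypothetical
// value from your consent store ("opt-in" or null). Following the Colorado rule
// described in the article, an explicit opt-in overrides the GPC opt-out;
// with no recorded consent, the signal wins over the default "allow".
function decideProcessing(headers, storedConsent) {
  const gpc = hasGpcOptOut(headers);
  const consented = storedConsent === "opt-in";
  const allowed = consented || !gpc;
  return {
    gpcSignal: gpc,
    allowSaleOrShare: allowed,   // CCPA "sale" / "sharing"
    allowTargetedAds: allowed,   // Colorado / Connecticut targeted advertising
    reason: consented ? "explicit-consent" : gpc ? "gpc-opt-out" : "no-signal",
  };
}

// Browser side: the same signal is exposed as navigator.globalPrivacyControl.
// The navigator object is passed in so the check can run outside a browser.
function hasGpcOptOutClient(nav) {
  return nav !== undefined && nav !== null && nav.globalPrivacyControl === true;
}

// Body for the well-known resource the GPC spec defines for sites that honour
// the signal, served at GET /.well-known/gpc.json.
function gpcWellKnown(lastUpdate) {
  return JSON.stringify({ gpc: true, lastUpdate });
}

// Constructed sample request headers (not captured traffic).
const sampleHeaders = { "host": "shop.example", "sec-gpc": "1" };
console.log(decideProcessing(sampleHeaders, null));
```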