Navigating Privacy: Understanding Consent and Universal Opt-Out Methods

Alicia diVittorio, March 5, 2024

At DataGrail’s recent webinar, 12 Data Privacy Laws: Everything You Need to Know, our panel of privacy experts looked at 15 privacy laws passed across U.S. states in the past few years.

That’s right—15 laws, not 12. Things are changing so fast that the name of the webinar (12 Data Privacy Laws) had to be changed at the last moment. And these laws look very different from any privacy laws we’ve seen in the U.S. before.

So understandably, the audience had a lot of great questions. Here are the answers to some of the questions the panel didn’t have time for, focusing on consent and Universal Opt-Out Mechanisms (UOOMs).

Consent Under U.S. State Privacy Laws

Question: How does consent work under the new wave of US state privacy laws?

Let’s break this one down into two answers: What “consent” means, and what you need consent for.

What does ‘consent’ mean?

Modern U.S. privacy laws draw heavily from the EU’s General Data Protection Regulation (GDPR), including the definition of “consent”.

While there’s some variation between states, the “consent” definition generally looks something like this, from the Virginia Consumer Data Protection Act (VCDPA):

“Consent” means a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. Consent may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.

Many states also specify what consent isn’t. For example, Washington’s My Health My Data Act (MHMDA) says that the following things are not consent:

  • Accepting a broad “terms and conditions” or similar agreement,
  • Hovering over, pausing, or muting a piece of content, and
  • Using deceptive designs (also known as “dark patterns”).

In other words, “consent” means “consent”—an explicit, informed, opt-in agreement that clearly indicates a consumer’s wishes. In states like Virginia, Wash

What do you need to get consent for?

Despite the strongly worded definition of consent in each state privacy law, you might not need to get consent very often.

Most states operate on an “opt-out” basis for most data collection and processing activities. In states such as California, Virginia, Colorado, and Connecticut (and more), businesses must allow consumers to opt out of:

  • The sale of personal information,
  • Targeted advertising, and
  • Certain forms of “profiling” with serious effects.

So, for example, businesses can usually sell consumers’ non-sensitive personal information without consent. But you must facilitate consumers’ requests to opt out of these activities.

However, in the states that followed Virginia’s lead, businesses must obtain consent before collecting, selling, or otherwise processing “sensitive data.” The definition of “sensitive data” varies slightly from state to state, but normally includes data about ethnic origin, sex life, precise location, and other highly personal information.

And there are some other consent requirements in most states, too. For example,

  • If a consumer opts out of, for example, targeted advertising, and you want to opt them back in, you’ll need consent.
  • If you want to use a consumer’s personal information for purposes unrelated to the purposes for which you collected it, you’ll need consent.

Universal Opt-Out Mechanisms

Question: Do states that require the recognition of global opt-out signals consider compliance with that signal to equate to compliance with a user’s request to opt out of the sale of their personal information in total? This is confusing for consumers who think that if they use these signals, their information will not be sold. Technically that is not necessarily true, especially if you have an unauthenticated user.

This person asks about Universal Opt-Out Mechanisms (UOOMs), also known as Opt-Out Preference Signals (OOPS) or global opt-outs, such as the Global Privacy Control (GPC). It’s a great question that covers several tricky issues in this complex area. So let’s break our answer down again.

What’s a UOOM?

A UOOM comes from a consumer’s device or browser and tells a website how to treat that consumer’s personal information. The UOOM is normally sent via an HTTP request header or JavaScript.

Many states require (or will soon require) businesses to actively detect UOOMs and treat any signals received from valid UOOMs as requests under “the right to opt out”.

The best current example of a UOOM is Global Privacy Control (GPC). California already recognizes GPC as a valid UOOM. From July 2024, businesses covered by the Colorado Privacy Act will also need to respect GPC signals.

Along with California and Colorado, the following states also have UOOM requirements kicking in soon:

  • Connecticut (January 1, 2025)
  • Delaware (January 1, 2026)
  • Oregon (January 1, 2026)
  • Montana (January 1, 2025)
  • New Jersey (likely around June 2025)
  • Texas (January 1, 2025—but only if you’re also covered by the UOOM requirements under another law)

👉While there’s not yet any list of valid UOOMs across any of the above states, GPC is likely to be considered valid, possibly along with other UOOMs.

What do you have to do in response to a UOOM?

If you’re covered by a comprehensive privacy law, and you detect that a consumer from the relevant state is using a valid UOOM, you must take the following actions in respect of that consumer:

  • Do not sell their personal information
  • Do not share their personal information for targeted advertising (“cross-contextual behavioral advertising” in California)
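The header-based detection described above and the two actions just listed, as an added example that is not DataGrail’s code: it assumes the GPC specification’s request header `Sec-GPC: 1` (the only value that expresses the signal) and applies the page’s rule that a valid signal is honoured as an opt-out from sale and targeted advertising without authenticating the consumer.

```python
"""Server-side handling of a Global Privacy Control (GPC) opt-out signal.

Added example, not DataGrail's code. Assumes the GPC request header
`Sec-GPC: 1`; any other value does not express the signal.
"""
from dataclasses import dataclass, field

# Processing activities a valid UOOM switches off for that consumer.
UOOM_OPT_OUTS = frozenset({"sale", "targeted_advertising"})


def gpc_signal_present(headers: dict) -> bool:
    """Return True only when the request carries `Sec-GPC: 1`.

    Header names are matched case-insensitively; the value must be
    exactly "1". "0", "true" or an empty value express no signal, so a
    loose truthiness check would miscount opt-outs in either direction.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


@dataclass
class ConsumerRecord:
    consumer_id: str
    opted_out: set = field(default_factory=set)
    authenticated: bool = False  # never consulted: opt-outs need no authentication


def apply_uoom(headers: dict, record: ConsumerRecord) -> frozenset:
    """Treat a valid signal as an opt-out request; return what must stop."""
    if not gpc_signal_present(headers):
        return frozenset()
    # The request is honoured as received, whoever the visitor is.
    record.opted_out |= UOOM_OPT_OUTS
    return UOOM_OPT_OUTS


def may_sell(record: ConsumerRecord) -> bool:
    return "sale" not in record.opted_out


def may_target_ads(record: ConsumerRecord) -> bool:
    return "targeted_advertising" not in record.opted_out


if __name__ == "__main__":
    # Constructed request headers from an unauthenticated visitor.
    req = {"User-Agent": "ExampleBrowser/1.0", "Sec-GPC": "1"}
    rec = ConsumerRecord("visitor-42")
    print(apply_uoom(req, rec), may_sell(rec), may_target_ads(rec))
```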

Our question above suggests that using a UOOM doesn’t necessarily prevent a business from selling that consumer’s personal information, particularly if the business has not authenticated the request.

So, let’s briefly tackle the issue of authenticating opt-out requests.

Do you need to authenticate an opt-out request?

When it comes to certain consumer privacy rights, such as the right to access or delete personal information, it’s important to authenticate requests—to make sure that the person making the request is actually the consumer they claim to be.

But, in fact, state privacy laws generally don’t require businesses to authenticate requests to opt out of the sale of personal information or targeted advertising.

Here’s an example from the Delaware Personal Data Privacy Act (DPDPA):

A controller shall not be required to authenticate an opt-out request, but a controller may deny an opt-out request if the controller has a good faith, reasonable, and documented belief that such request is fraudulent. If a controller denies an opt-out request because the controller believes such request is fraudulent, the controller shall send a notice to the person who made such request disclosing that such controller believes such request is fraudulent, why such controller believes such request is fraudulent, and that such controller shall not comply with such request.

In other words, you don’t have to authenticate an opt-out request. You can assume that the consumer is who they appear to be.

But if you believe, in good faith, that an opt-out request is fraudulent, you can deny the request—as long as you document your decision and explain it to the consumer.

As such, businesses across the U.S. should start taking UOOMs seriously.

👉Work with your Consent Management Platform (CMP) to ensure that you can detect valid signals from the relevant states, and make sure you follow through on consumers’ requests not to sell their personal information or target them with ads.
