As more US states pass comprehensive privacy laws with technological advances in mind, a recent trend emerging is a requirement that controllers’ websites comply with universal opt-out mechanisms. Here’s a breakdown of everything you need to know about implementing the specific law requirements.
What is a universal opt-out mechanism (UOOM)?
The term universal opt-out mechanism refers to a range of tools through which a consumer can pre-select online opting out of certain processing of their personal information online. This would automatically opt the consumer out of accepting certain types of cookies, for example, so that by the time they reach a particular website, the website already knows not to collect any cookies unless the individual switches their consent.
While the controller may permit their website to respond to UOOM signals, there is also an impetus on the consumer or website visitor to set up and enable the mechanism.
Global Privacy Control, or GPC, is just one example of a UOOM, and it can be enabled through browsers like Brave and Duck Duck Go Privacy Browser, or extensions such as OptMeowt, Privacy Badger, or lockrMail. The GPC is probably the most well-known mechanism, and it is currently the only one considered valid by the Colorado Attorney General.
What are the legal requirements regarding UOOMs?
Depending on the applicable laws, the controller may be required to:
- Inform the consumer through the privacy notice about whether the website is able to respect UOOMs
- Provide certain data subject rights through UOOMs on the website
The controller is also prohibited from unfairly discriminating against consumers or other controllers through the mechanism.
What states require websites to respond to UOOM signals?
California, Colorado, Connecticut, Delaware, Oregon, Montana, New Hampshire, and New Jersey require a controller’s website to work with universal opt-out mechanisms.
What data subject rights must be made available using the UOOM?
All the mentioned state laws require the controller’s website to comply with universal opt-out signals on a consumer’s browser, accepting opt outs of processing for targeted advertising and sale of personal information. New Jersey also requires that the website accept opt outs of processing for purposes of profiling through the UOOM.
When will these requirements go into effect?
The effective dates for each applicable state law are listed below in order of effective date. Keep in mind that the scope of each state law also establishes whether the UOOM requirement applies to an organization.
| State Law | UOOM Requirement Effective Date |
|---|---|
| California | July 1, 2023* |
| Colorado | July 1, 2024 |
| Montana | January 1, 2025 |
| New Hampshire | January 1, 2025 |
| Connecticut | January 1, 2025 |
| New Jersey | July 15, 2025 |
| Delaware | January 1, 2026 |
| Oregon | January 1, 2026 |
*Per the California 3rd District Court of Appeals decision on February 9, 2024.
How do I set up a website to accept UOOM signals?
The following descriptions offer a simple answer and a complicated answer.
The simplest answer may be to seek a vendor to provide the implementation of accepting universal opt-out mechanism signals. There are many capable privacy management solutions that offer this option including but not limited to OneTrust, Securiti, Ketch, Osano, Clarip, CookieYes, or DataGrail. There may be an associated cost unless you have already engaged one of these or another similar privacy management tool. It may also provide relief in terms of your organization’s resources being spent on these activities.
The highlights of the more complicated path involve drafting the required code, inserting it into the website, and establishing a pathway to send, receive, and fulfill the opt-out signals from the browser to the website to display the correct selections. Achieving this internally requires time and effort as well as identifying the individuals in the company who can engineer the code and insert it into the website.
Either way, you will also need to work with the website design team to launch the updates and the marketing team to prepare them for the result of additional optouts.
If you have any other questions relating to universal opt-out mechanisms or consent management tools, feel free to reach out to Privacy Ref at info@privacyref.com.