State Attorneys General Remind Consumers of Their Right to Opt-Out of the Sale or Sharing of Personal Information.
By Mallory Acheson, Daniel C. Lumm, Jack Pringle – Nelson Mullins
Introduction
Most businesses are aware of historical restrictions or limitations on selling personal information to third parties for monetary consideration.
Perhaps less familiar are recent state laws giving consumers the right to tell businesses not to sell or share their personal information for certain purposes.
One such provision is the requirement to honor a Global Privacy Control (GPC) (also known as an “opt-out signalâ€) as a simple, browser-based way for a consumer to decline the sharing of personal information for the purpose of targeted advertising.
While both “targeted advertising†and a GPC are technical and take place in the background of web browsing, the requirements to honor these mechanisms are real, and businesses must understand and comply with them.
Background
Several state privacy laws, including the California Consumer Privacy Act (CCPA), give consumers the right to require that a business limit the sale or sharing of their personal information for “cross-context behavioral advertising†or “targeted advertising.â€
One such way to make that request is to contact the business.
Another is to let the consumer use or equip (via a plug-in) a web browser with a GPC.
Using a GPC allows an automatic exercise of the consumer’s right to opt-out of sale/sharing (by interacting with a business online), as opposed to the submission of individual requests.
Getting the Word Out
On January 29, 2025, California Attorney General Rob Bonta issued a press release to “remind Californians of their right to opt-out and take back control of their personal data.†Bonta specifically mentioned the GPC as “the easiest way to limit the number of third parties that have access to our personal information and online behavioral data.â€
Likewise, the Colorado Privacy Act (CPA) requires all businesses that process personal data for “targeted advertising†to allow consumers to opt-out of that processing by means of a “user-selected universal opt-out mechanism†or UOOM.
The CPA includes a process through which consumers and businesses can learn the UUOMs that will be enforced in Colorado. Consistent with CPA Rule 5.07, the Colorado Attorney General has designated Global Privacy Control as an acceptable UUOM.
Recently enacted state privacy laws require or will soon require businesses to recognize opt-out signals:
- Connecticut (January 1, 2025)
- New Hampshire (January 1, 2025)
- Montana (January 1, 2025)
- Nebraska (January 1, 2025)
- New Jersey (July 15, 2025)
- Minnesota (July 31, 2025)
- Maryland (October 1, 2025)
- Delaware (January 1, 2026)
- Oregon (January 1, 2026) and
- Texas (January 1, 2026).
In fact, Connecticut Attorney General William Tong cited the recently enacted Connecticut Data Privacy and Online Monitoring Act in the press release mentioned above: “In Connecticut, you can now opt out of tracking across all sites by selecting a single option.â€
On the Horizon
Last week, California Assemblymember Josh Lowenthal introduced Assembly Bill (AB) 566, which would require web browsers and mobile operating systems to provide built-in settings for consumers to send opt-out preference signals by default. The bill is sponsored by the California Privacy Protection Agency (CPPA).
Currently, the CCPA recognizes opt-out signals as a valid mechanism for consumers to stop the sale and sharing of their personal information, but implementation remains inconsistent across platforms. While some browsers support these signals, not all industry players have adopted them universally. AB 566 would mandate broader compliance, including for mobile operating systems, potentially setting a new precedent in privacy regulation.
Stay Tuned
Implementation requirements applicable to opt-out mechanisms are dynamic and a work in progress. Businesses must keep pace with these technical legal standards as they evolve.
