Are there requirements for businesses if a global privacy control conflicts with a consumer’s current privacy settings or their participation in a financial incentive program?
Yes.
Where a global privacy control (“GPC”) conflicts with a consumer’s existing business-specific privacy setting or their participation in a business’s financial incentive program, the business must respect the GPC, but may notify the consumer of the conflict and give the consumer the choice to confirm the business-specific privacy setting or participation in the financial incentive program.[1]
[1] CCPA Regulations, § 999.315(c)(2).
Does the CCPA require businesses that develop software or online browsers to provide consumers a user-enabled privacy control?
No.
The regulations implementing the CCPA require in-scope businesses to provide two or more designated methods of submitting requests to opt-out, including an interactive form accessible via a clear and conspicuous link titled “Do Not Sell My Personal Information” on the business’s website or mobile application.[1]
In addition to the “DNSMPI” link noted above, one of the other “acceptable methods” for submitting sale opt-out requests (along with use of a toll-free phone number, a designated email address, and forms submitted in person or via the mail) is user-enabled global privacy controls (“GPC”), such as a browser plug-in or privacy setting, device setting, or other mechanism to “clearly communicate or signal” a consumer’s request to opt-out of the sale of their personal information (“PI”). The effect of a GPC is to provide consumers a mechanism to broadly signal an opt-out request, as opposed to going website-by-website to make individual requests. The CCPA, and the regulations implementing the CCPA, do not, however, mandate that software developers, or developers of website browsers, include a GPC control in their products.
According to the regulations implementing the CCPA, businesses that collect personal information from consumers online must treat user-enabled GPCs as a valid opt-out request for that browser or device, or, if known, for the consumer.[2] The Office of the California Attorney General has indicated its view that if businesses were to have the discretion to not respond to such a mechanism, it is likely they would ignore or reject a GPC, just as many companies choose not to honor “do not track” signals when not required.[3]
[1] CCPA Regulations § 999.315(a).
[2] CCPA Regulations § 999.315(c).
[3] FSOR at 37-38.