OAG Addresses GPC Opt Outs and Business Groups Respond

By Andrew Scott and Sheri Porath Rockwell

Disclaimer: This article reflects the thoughts and opinion of the authors and not their law firms and/or employers.

Section 999.315, subsection a, of the CCPA provides that businesses are required to provide consumers with two or more methods for submitting opt-out requests (for example, Do Not Sell My PI link; toll free phone number; designated email address; in person form; mail in form; user-enabled global privacy controls, such as browser plug-ins or privacy settings; device settings; or a mechanism that communicates or signal’s the consumer’s opt out choice).  The Section also provides that user-enabled global privacy controls shall be considered a request directly from the consumer, not through an authorized agent.  The OAG stated in the Final Statement of Reasons that the idea of this control was “forward looking,” and was “intended to encourage innovation and the development of technological solutions to facilitate and govern the submission of requests to opt-out.” 

The OAG has taken note and appears to be endorsing one group’s efforts to develop such a control, a non-profit organization aptly named “globalprivacycontrol.com.” The OAG recently updated its FAQs to include information about that organization’s control (GPC). The OAG also included in its summary of enforcement actions one that mentioned a business’s failure to observe a global privacy control (although it was not clear if the business had represented it would observe the control). Additionally, it has been reported that the OAG sent letters to 10 to 20 companies stating they are required to observe the GPC. 

The current version of the GPC allows a consumer to request to opt out of sales of their personal information if they visit sites that observe the control and if they do so using the browser that has it enabled. Currently, the control is available only on some of the smaller browsers (e.g., Duck Duck Go, Brave) and on a relatively small number of websites.  The developer’s website indicates the control is still in development.  

Businesses groups are expressing concern about the OAG’s recent actions regarding the GPC.  On July 28, 2021, a coalition of trade associations and industry groups sent the OAG a letter critical of the new FAQs and related enforcement letters, requesting that the OAG reconsider its approach to user-enabled controls.  The letter maintains any attempt to make the GPC mandatory conflicts with the text of the California Privacy Rights Act (CPRA), which requires regulations be issued about the control and that such a control be optional.  Additionally, the letter states any OAG guidance on the topic should be developed through a deliberative process that considers stakeholder input.