The regulations implementing the CCPA require that in-scope businesses must provide two or more designated methods of submitting requests to opt-out, including an interactive form accessible via a clear and conspicuous link titled “Do Not Sell My Personal Information,” on the business’s website or mobile application.[1]

In addition to the “DNSMPI” link noted above, one of the other “acceptable methods” for submitting sale opt-out requests (along with use of a toll-free phone number, a designated email address, and forms submitted in person or via the mail) is user-enabled global privacy controls (“GPC”), such as a browser plug-in or privacy setting, device setting, or other mechanism to “clearly communicate or signal” a consumer’s request to opt-out of the sale of their personal information (“PI”).  The effect of a GPC is to provide consumers a mechanism to broadly signal an opt-out request, as opposed to going website-by-website to make individual requests.  The CCPA, and the regulations implementing the CCPA, do not, however, mandate that software developers, or developers of website browsers, include a GPC control in their products.

According to the regulations implementing the CCPA, businesses that collect personal information from consumers online must treat user-enabled GPCs as a valid opt-out request for that browser or device, or, if known, for the consumer.[2]]  The Office of the California Attorney General has indicated its view that if businesses were to have the discretion to not respond to such a mechanism, it is likely they would ignore or reject a GPC, just as many companies choose not to honor “do not track” signals when not required.[3]

[1] CCPA Regulations § 999.315(a).

[2] CCPA Regulations § 999.315(c).

[3] FSOR at 37-38.