Honoring opt-out signals and cookie consent preferences have a few more moving pieces than one might assume. Opt-out preferences from users can come from cookie banners, universal opt-out signals, or via subject access requests, and even though the sources or means of these requests are different, their requirements are the same. Regulations mandate that these signals are honored regardless of their source and should be done without requiring additional information wherever possible. This means that there needs to be an integration of these sources for the company to be fully compliant.

Further, fully honoring a consumer’s request means ensuring that the third-party entities in play, such as those that perform analytical activities and their processes, are also compliant with the regulations and adhere to the consumers’ requests.

As we go about building and improving our privacy programs to accommodate and strengthen cookie consent management and opt-out signals, we want to ensure that there is a full understanding of the process and the requirements of the different regulations and implement technology accordingly.

This article is the first in a two-part series. Here we will cover the challenges faced by companies when it comes to implementing opt-out mechanisms and their requirements. In the following part, we will discuss the different solutions to these challenges.

Usually, the biggest area of concern when it comes to privacy is the applicable regulations. Let’s look at the cookie regulations for Europe and the United States more closely: -

1. Europe – ePrivacy Directive

The ePrivacy Directive is more popularly known as the EU Cookie Law or the EU Cookie Directive. This law mainly has to do with the use of cookies, their requirements, data retention, and targeted advertising and hence has a narrower scope when compared to the GDPR. Under this law, a website with visitors from the EU must: -

• Refrain from dropping cookies on the user’s browsers without first obtaining consent for the same from them.

• Provide users with the ability to give their consent should they choose to do so.

• Provide users with accurate information about the trackers and cookies used on the website.

• Provide a means by which users can withdraw their consent or opt-out. The means to opt-out should be simple as the means to opt-in.

2. United States

At the moment, the US does not have a nationwide comprehensive regulation for cookie consent and opt-in rights. State laws like the CCPA, CPA, and VCDPA do not mandate a cookie banner. However, they require some form of opt-out of targeted advertising or DNS (Do not Sell) to be presented on websites.

It is important to note that after the lawsuit against beauty retailer Sephora, wherein Sephora failed to inform users that their personal data was being sold and failed to process users’ opt-out requests, it became clear that CA requires GPC signals to be honored. Colorado’s provisions for universal opt-out will be put forth in December.

Under the CCPA, requests to opt-out need not be verified, i.e., additional information is not required to process an opt-out request. In other words, opt-out requests for known users can be honored immediately, whereas, for unknown users, additional information can be obtained if necessary. However, this should be done only if it aids the users’ opt-out request.

Further, coming to opt-out signals, such as in the case of GPC, a similar approach is to be followed. Additional information beyond what is required to honor the signal should not be asked of the user.

7025 (c) (2) The business shall not require a consumer to provide additional information beyond what is necessary to send the signal. However, a business may provide the consumer with an option to provide additional information if it will help facilitate the consumer’s request to opt-out of sale/sharing. For example, a business may give the consumer the option to provide information that identifies the consumer so that the request to opt-out of sale/sharing can apply to offline sale or sharing of personal information. Any information provided by the consumer shall not be used, disclosed, or retained for any purpose other than processing the request to opt-out of sale/sharing.

Taking the requirements of the regulations into account, there are different options available for users to exercise their opt-out preferences, which are: -

1. Banners

Through this banner, website visitors are informed that data is collected via cookies, and further information on the same is provided, such as the categories of information collected and their purpose. Here, users can choose to accept or reject the collection. They can also set their preferences, i.e., choose which categories of cookies they accept/reject. Different categories are placed for different reasons; functional, marketing, etc. The CCPA and the CPA have both laid out terms and examples for websites to follow while configuring their cookie banners to avoid dark patterns. A guide to the same can be found here.

2. Opt-Out Form

Users can fill out forms through which they can opt out of the collection of their data. These forms are usually available along with the company’s privacy policy and are treated similarly to DSA requests. These forms are usually used to verify the user and then process their opt-out request.

3. Global Privacy Control/Do Not Track

GPC and DNT are universal opt-out tools that transmit an opt-out signal. These tools are enabled at a browser level for all or specific websites. Websites that support GPC then register the request and refrain from the collection and sale of that user’s data.

While cookie banners and GPC signals can appear to have similar functionality, there is a big difference between the two, which is the way that they impact user experience. Cookie banners can be configured to either opt-in or opt out. When it’s an opt-in banner, the data is not collected till the user makes a choice, and when the user does not choose, it is assumed that they are opted out; data is not collected in this case, similar to GPC. However, GPC signals are preferred as users are not made to constantly express their consent at every website that they visit (consent fatigue). They can make an option once and have it apply to all sites.

User experience also differs depending on the categorization of the visitors on our websites: -

1. Authenticated (known) visitors

These are the kind of users visiting the website whom you can identify. They might be associated with an email or a username that is in your database. Typically, they are logged into your service or have an existing account with you. Or you may have employed an identity management tool that has helped you identify the user. When these users set their cookie preferences via your cookie banner or transmit a GPC signal, they should be fully opted out as their identity is known.

2. Unauthenticated (unknown) visitors

An unauthenticated (unknown) user is someone browsing your website. They are not logged in as they may or may not have an account with you and could be window shopping. Cookies and scripts are dropped on the user to track and retarget them. Marketing wants to learn about products they like to increase their time spent and interaction with those products. The aim of Marketing is to convert them into known users – where they eventually provide more information about themselves. When these users set their cookie preferences via a cookie banner or transmit a GPC signal, it might not be possible to opt them out fully. They may still see the consent banner when they use a different browser or device.

Understanding the requirements of the regulations, your privacy program should allow for an integration between the universal opt-out signals, the cookie preferences set on the cookie banners, and the opt-out DSA requests that consumers make. These three should not be treated as different requirements but rather as different sources to fulfill the same end goal.

For example, as is required by the CCPA, wherever possible, users should not have to provide additional information for an opt-out request, especially if they are known, visitors. And the preferences set by these users should be recognized across browsers and devices. However, there are several gaps in the current implementation of the opt-out process. Most companies use cookie banners as a mechanism to meet the Do-Not-Sell of opt-out of Targeted Advertising requirements under the various state privacy laws. Cookie banners by themselves may not meet the requirements of these US state privacy laws. Gaps can be either due to poor configuration of these banners or lack of technical capability within these tools to meet requirements. We will discuss the technical limitation, implementation challenges, and practical solutions associated with the implementation of these technologies in our next article.