
Universal Opt-Out Mechanisms (UOOM): Essential Compliance Guide for Businesses

For businesses that collect or process personal data, compliance with privacy regulations is no longer optional—it’s an operational necessity. 

As more US states enforce privacy laws that require honoring universal opt-out signals, businesses must prepare to respect consumer privacy preferences or face legal and financial consequences.

Why UOOM Compliance Matters for Businesses

Businesses must be proactive in respecting users’ preferences, especially when it comes to targeted advertising and the sale of personal data. Universal opt-out signals, or UOOMs, have become a regulatory standard in many states, like California and Colorado, where laws mandate that businesses recognize and respond to these signals. Failing to do so could lead to fines, legal battles, and a damaged reputation.

Since 2023, California’s CCPA, as amended by the CPRA, has required businesses to honor UOOMs, and Colorado’s CPA added the same requirement in July 2024. Similar requirements apply under other states’ privacy legislation, with at least seven other states expected to mandate them by 2026.

What is a Universal Opt-Out Mechanism (UOOM)?

A UOOM allows users to set privacy preferences, such as refusing targeted advertising and the sale of personal data, across multiple websites. When enabled, a UOOM sends a signal to websites indicating that a user does not want their data tracked or collected for certain purposes. This mechanism simplifies users’ privacy management and allows businesses to efficiently handle compliance by respecting these signals.

For businesses, honoring UOOM signals means, among other things, not tracking users for targeted advertising, not collecting personal data, and not selling or sharing their information once such a signal is received. Key states, including California and Colorado, have started enforcing this requirement, and the regulatory landscape will only continue to grow.

How Do Businesses Comply with UOOM Signals?

To comply, businesses must recognize and act on UOOM signals by:

  • Stopping the tracking of users’ online behavior,
  • Avoiding collection of personal data for targeted ads,
  • Not selling or sharing users’ personal data without consent.

Recognized tools, such as the Global Privacy Control (GPC), facilitate UOOM compliance. Businesses can integrate with GPC by adopting consent management platforms or using technical protocols like the U.S. Privacy API. Colorado’s CPA, in particular, mandates GPC compliance for businesses, underscoring the importance of this tool as a baseline for UOOM adherence.
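As an added illustration (not iubenda’s code or part of any product), the following shows how a site can detect a Global Privacy Control signal and gate the processing purposes listed above. GPC-capable browsers and extensions send the request header `Sec-GPC: 1` and expose the same preference to page scripts as `navigator.globalPrivacyControl`; the header map and request samples below are constructed for the example.

```javascript
// Added example: honoring a GPC opt-out signal on the server side.
// Browsers that implement Global Privacy Control send "Sec-GPC: 1";
// Node's req.headers lower-cases header names, so look up "sec-gpc".
function gpcSignalled(headers) {
  const value = headers["sec-gpc"] ?? headers["Sec-GPC"];
  // Only the exact value "1" is an opt-out; absent, "0" or malformed
  // values are treated as "no signal received".
  return typeof value === "string" && value.trim() === "1";
}

// Decide which processing purposes remain allowed for this request.
// The opt-out covers tracking, targeted ads and sale/sharing of data;
// strictly necessary processing (serving the page, fraud prevention)
// is not what the signal addresses.
function processingDecision(headers) {
  const optOut = gpcSignalled(headers);
  return {
    gpcReceived: optOut,
    allowBehaviouralTracking: !optOut,
    allowTargetedAds: !optOut,
    allowSaleOrShare: !optOut,
    allowEssential: true,
  };
}

// Client-side counterpart: the same preference as seen by page scripts.
// `nav` defaults to the real navigator in a browser; tests pass a stub.
function gpcSignalledInBrowser(
  nav = typeof navigator !== "undefined" ? navigator : {}
) {
  return nav.globalPrivacyControl === true;
}

// Constructed sample requests (not captured traffic).
const sampleWithGpc = { "sec-gpc": "1", "user-agent": "example-browser" };
const sampleWithoutGpc = { "user-agent": "example-browser" };

// Example usage: log the decision for each constructed request.
for (const headers of [sampleWithGpc, sampleWithoutGpc]) {
  console.log(processingDecision(headers));
}
```

The decision object would typically feed the consent state handed to the site’s tag manager or consent management platform, so that ad and analytics tags are not fired when `allowTargetedAds` is false.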

Key Requirements for Businesses

Both the CCPA and CPA require businesses engaged in targeted advertising or data sales to honor UOOM signals. Under these laws, data “sale” is defined broadly to include not only traditional sales but also any data exchange for monetary or other valuable consideration. Businesses, for example, must ensure they halt the sharing of:

  • Data from the device or browser associated with the opt-out signal,
  • Pseudonymous identifiers linked to that device,
  • Data tied to a known or logged-in consumer.

Additionally, businesses are required to make clear disclosures about their data practices and provide a simple method for users to opt out. California, for example, requires an option to limit the use of sensitive data, which businesses must display in a visible, easily accessible link on their websites.

🇺🇸 Please note: Other states have introduced or will soon introduce similar UOOM provisions in their privacy laws, including:

  • Connecticut;
  • Delaware;
  • Montana;
  • Oregon;
  • Texas;
  • New Hampshire;
  • Maryland (under the Maryland Online Data Privacy Act, or MODPA);
  • Minnesota; and 
  • Vermont.

This trend highlights the importance of having a solid privacy compliance strategy in place to manage opt-out requirements across multiple jurisdictions and protect consumer data effectively.

The Consequences of Non-Compliance: Lessons from Recent Cases

Recent enforcement actions underscore the importance of UOOM compliance. In August 2022, Sephora was fined $1.2 million for not honoring GPC signals or clearly disclosing its data practices, despite receiving a 30-day notice to comply. 

These cases highlight the financial and reputational risks for businesses that fail to comply with UOOM requirements. As more states implement privacy laws, establishing protocols to respect universal opt-out signals is essential to avoid costly penalties and uphold consumer trust.

How iubenda Helps Businesses Stay Compliant

It’s time for businesses to be proactive in meeting UOOM requirements.

Luckily, iubenda’s tools simplify privacy compliance and offer a straightforward way to meet these UOOM requirements. By integrating iubenda’s services, businesses can efficiently:

  • handle opt-out signals; and
  • manage consent.