The California Consumer Privacy Act (CCPA) gives people the right to direct a business not to sell or share information about them, and requires businesses to honor opt-out signals sent from the person's browser that convey that demand.
There have already been several actions this year by the California Privacy Protection Agency to enforce this right not to be tracked, including the recent $1.35 million fine imposed on the rural lifestyle retailer Tractor Supply Company. These companies have also been ordered "to recognize and give full effect to" opt-out signals in future.
Most browsers support such signals, either DNT:1 (Do-Not-Track) or the more recent Sec-Gpc (Global Privacy Control) request header, and browser extensions that add the functionality are easily available. The DNT:1 signal was undermined in 2013 by an amendment to the California Online Privacy Protection Act (CalOPPA) that simply allowed companies to report that they did not respect the signal, effectively making it unenforceable in California. A new, simpler signal, GPC, has since been defined which can be, and now is being, enforced.
These signals make it much easier for people to opt out of being tracked online, because they can set their browser to send the signal to every site they visit. The CCPA regulations include provisions encouraging a "frictionless" response, where a website respects the user's preference while refraining from bombarding them with annoying pop-ups or banners.
But it is often missed that these signals also make the job of enforcement much easier: regulators can now rapidly identify companies that fail to respect opt-outs using nothing more than a standard desktop browser.
They can visit a site with the Sec-Gpc request header enabled in their browser and use standard browser inspection tools to collect incontrovertible evidence when online activity data about the consumer is clearly being shared even though the opt-out (detectable by the site and all its third parties) was sent and is not being respected.
A single screenshot of data being shared, together with proof that the opt-out signal was sent (Sec-Gpc in this case). If any "consent" indication cookies had been created they would also be visible here.
A video shows how to do this. The filter in the Network tab is looking for Google Advertising hosts; change it to look for other tracking third-party hosts.
Companies might defend an action by suggesting they received a "consent" indication contradicting Sec-Gpc, e.g. encoded in a local storage item, but regulators can avoid this by ensuring all storage is deleted before visiting the site. It would be useful for legislators to also define a "consent" signal complementary to GPC, similar to DNT:0, which could simply be a well-known name for a cookie whose existence signifies consent. There should also be a provision forbidding the creation of such a cookie or signal without first obtaining valid informed consent.
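The check a regulator performs by hand in the Network tab can also be done mechanically over a captured session. Below is an added example (not code from the original post or from Baycloud): it takes a minimal HAR-style request list constructed inline, and the tracking host suffixes, consent cookie name hints and sample URLs are assumed for illustration.

```python
# Added example: audit a captured browser session for GPC compliance.
# Reports whether Sec-GPC was sent, which tracking third parties were still
# contacted, and whether any "consent" cookie was set despite the signal.
from urllib.parse import urlparse

# Hypothetical host suffixes treated as advertising/tracking third parties.
TRACKING_SUFFIXES = ("doubleclick.net", "googlesyndication.com", "google-analytics.com")
# Hypothetical cookie-name fragments that typically encode a consent decision.
CONSENT_HINTS = ("consent", "optin", "cmp")

def is_tracking_host(host, first_party):
    """True for a third-party host matching a known tracking suffix."""
    if host == first_party or host.endswith("." + first_party):
        return False
    return any(host == s or host.endswith("." + s) for s in TRACKING_SUFFIXES)

def audit_session(entries, first_party):
    """Collect the evidence items; 'violation' only counts if GPC was sent."""
    gpc_sent = False
    tracking, consent_cookies = [], []
    for e in entries:
        host = urlparse(e["url"]).hostname or ""
        req_headers = {k.lower(): v for k, v in e.get("request_headers", {}).items()}
        if host == first_party and req_headers.get("sec-gpc") == "1":
            gpc_sent = True
        if is_tracking_host(host, first_party):
            tracking.append(e["url"])
        for cookie in e.get("set_cookies", []):
            name = cookie.split("=", 1)[0].strip().lower()
            if any(h in name for h in CONSENT_HINTS):
                consent_cookies.append(cookie)
    return {"gpc_sent": gpc_sent,
            "tracking_requests": tracking,
            "consent_cookies": consent_cookies,
            "violation": gpc_sent and bool(tracking)}

# Constructed sample capture: first-party page fetched with Sec-GPC: 1 from a
# clean profile, then an ad-host beacon and a consent cookie set without any
# user interaction.
SAMPLE = [
    {"url": "https://www.example-shop.test/",
     "request_headers": {"Sec-GPC": "1", "User-Agent": "Mozilla/5.0"},
     "set_cookies": ["cmp_consent=1; Path=/"]},
    {"url": "https://www.example-shop.test/static/app.js", "request_headers": {}},
    {"url": "https://stats.g.doubleclick.net/r/collect?v=1", "request_headers": {}},
]

if __name__ == "__main__":
    print(audit_session(SAMPLE, "www.example-shop.test"))
```

Deleting all cookies and storage before the capture (as the post advises) is what makes a consent cookie appearing in the same session meaningful evidence.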
Baycloud Systems have been helping companies comply with privacy laws since 2010. We have the experience and working technology to implement all the orders the CPPA has required, and we:
- have a fully functional website scanner that rapidly audits "digital properties and maintain a full and current inventory of tracking technologies".
- provide tried-and-tested technology to "configure the digital property to recognize and give full effect to consumer requests submitted via an opt-out preference signal", such as GPC.
- ensure full compliance by managing first-party cookies and other storage used for tracking, fully controlling whether any third-party content, or specific third-party content, is present, and automatically adding legal information and consent filtering to selected third-party content such as YouTube videos.
- honour "opt-out preference signals in a frictionless manner or include a “Do Not Sell or Share My Personal Information” link that directs consumers to a method that effectuates a consumer’s request to opt-out of all selling and sharing conducted by Tractor Supply consistent with the CCPA"
- have a fully ePrivacy and GDPR compliant solution for websites directed at European residents, and can switch the compliance mode automatically based on URL path or on the user's location as determined from the source IP.