State Enforcement Driving Demand for Universal Opt-Out Compliance Tools
Increased attention on consumers’ universal opt-out rights means more demand for multi-state and automated compliance systems, privacy professionals said Thursday during a Privado webinar.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
Nik Fuller, CEO of FLLR Consulting, noted that the concept of Global Privacy Control (GPC) has gotten a lot of attention since California Attorney General Rob Bonta (D) acted against Sephora under the California Consumer Protection Act (CCPA) in 2022. Bonta’s lawsuit alleged the cosmetics retailer failed to process “user requests to opt out of sale via user-enabled global privacy controls” in violation of the California Consumer Privacy Act. The company agreed to pay $1.2 million to settle the complaint.
Fuller noted Connecticut has also been “aggressive” in this space. Attorney General William Tong (D) in December 2024 highlighted the Connecticut Data Privacy Act’s “critical requirement” for data controllers to honor global opt-out preferences.
Greenberg Traurig privacy attorney Darren Abernethy discussed how GPC is becoming a more widespread focus across the country. States now enforcing GPC rights include Colorado, Montana, Texas, Nebraska, New Jersey, Minnesota, New Hampshire and Virginia, he noted. Requirements in Delaware and Oregon are set to take effect in January 2026.
A Consent Management Platform (CMP) can be used to automate GPC compliance, said Fuller. Companies can identify authenticated users and submit Data Subject Access Requests (DSAR) on their behalf. DSARs allow consumers to know how their data is used and shared and to request correction or deletion. The DSAR forms often provide a standard process for handling opt-out requests, which can help simplify the workflow, he said. The data can then be passed on to the Customer Data Platform, a system companies use to establish individual profiles on consumers, he added.
Fuller asked if there’s a baseline setting, so companies can comply across all states. Abernethy said it depends on the company’s risk tolerance and reach. Some companies don’t think enough people know about this issue outside the privacy community to have an “appreciable impact” on marketing, so they “afford” universal opt-out to every consumer to “be done with it,” said Abernethy. Other companies only want to comply with what’s necessary, he said: “It's a mix. Your mileage may vary. Whatever you decide as a business, you want to make sure the technical systems are following through with what you think they’re doing.”
“It’s definitely kind of split,” said Fuller. “A lot of it depends on: How does the business make money?” The more a company relies on consumer-facing advertising for revenue, the less likely it is to immediately provide blanket, universal opt-out for consumers, he said. Abernethy added that the increased push for GPC is much more of a “threat” to content creators like news publishers, who rely heavily on online ad revenue.