Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.
CPPA considers Requirement for all Browsers to Offer Opt-Out Preference Signals
A memorandum from the California Privacy Protection Agency (CPPA) staff proposes that the CPPA Board support legislation to require all browsers, platforms and devices to include an opt-out preference signal feature, enabling users to opt out of the sale / sharing of their personal information across all websites that the user visits.
Consideration of the proposal is included as an agenda item for the Board’s December 8 meeting.
If approved according to the staff’s request, the Board would direct the staff to find an author, work with them to develop legislation based on the proposal, and sponsor and support the legislation.
Currently, businesses are required to honor opt-out preference signals enabled via participating browsers and browser plug-ins, but the choice for a browser to offer users the option to enable an opt-out preference signal is entirely voluntary.
Browsers Firefox, DuckDuckGo and Brave currently offer the feature, and it is also available through a number of browser plug-ins.
Learn more about opt-out preference signals, such as Global Privacy Control:
noyb Alleges Meta Subscription Model Violates GDPR
Privacy advocacy group noyb filed a complaint with the Austrian Data Protection Authority, alleging that Meta’s new ad-free subscription model on Facebook and Instagram, offered to users as an alternative to consenting to personalized ads, violates GDPR by not obtaining consent that is “freely given”.
noyb alleges that the subscription fee of up to €251.88 / year for access to both platforms is out of proportion with Meta’s estimated €62,88 / year annual revenue per user in Europe.
Meta’s subscription model was offered shortly after the European Data Protection Board issued a binding decision banning Meta’s targeted advertising practices.
Meta is not the first company in Europe to offer paid subscriptions as alternatives to consent, and multiple data protection authorities have blessed the model, although within the parameters of certain guidance.
The Danish DPA announced in February 2023 general guidelines allowing for “cookie walls” as long as certain criteria are met, including:
- users must be given a reasonable alternative to the processing of their personal data (e.g., access to the content for a reasonable monetary fee);
- any data processed after a user provides consent (as an alternative to payment) must be a necessary part of the non-monetary alternative, or else separate consent must be obtained (e.g., if the non-monetary alternative is processing of personal data for marketing purposes, the company must obtain separate consent for any other purposes); and
- if the user chooses to make monetary payment, no personal data should be processed other than as necessary to provide the service requested, unless separate consent is provided.
Similarly, the French DPA (the CNIL) issued “Cookie Wall Evaluation Criteria” in May 2022 advising that websites conditioning access to a service on the acceptance of cookies or other tracer’s on the user’s terminal device should provide a fair alternative at a reasonable price, that the cookie walls should be limited to the purposes that allow for fair remuneration, and that the selection of the paid alternative should result in appropriate limitation of unnecessary tracers.
Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.
A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.
Keep in touch
Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.