Blog

CPPA might require all browsers to offer opt-out preference signals

Julie Rubash, General Counsel and Chief Privacy Officer
December 4, 2023

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

USA

CPPA considers Requirement for all Browsers to Offer Opt-Out Preference Signals

memorandum from the California Privacy Protection Agency (CPPA) staff proposes that the CPPA Board support legislation to require all browsers, platforms and devices to include an opt-out preference signal feature, enabling users to opt out of the sale / sharing of their personal information across all websites that the user visits.

TAKEAWAY

Consideration of the proposal is included as an agenda item for the Board’s December 8 meeting.

If approved according to the staff’s request, the Board would direct the staff to find an author, work with them to develop legislation based on the proposal, and sponsor and support the legislation.

Currently, businesses are required to honor opt-out preference signals enabled via participating browsers and browser plug-ins, but the choice for a browser to offer users the option to enable an opt-out preference signal is entirely voluntary.

Browsers Firefox, DuckDuckGo and Brave currently offer the feature, and it is also available through a number of browser plug-ins.    

Learn more about opt-out preference signals, such as Global Privacy Control:

Firefox 120 to Ease Ability to Set Global Privacy Control

What is Global Privacy Control? Frequently Asked Questions

Global Privacy Control and the Sourcepoint CMP

EUROPE

noyb Alleges Meta Subscription Model Violates GDPR

Privacy advocacy group noyb filed a complaint with the Austrian Data Protection Authority, alleging that Meta’s new ad-free subscription model on Facebook and Instagram, offered to users as an alternative to consenting to personalized ads, violates GDPR by not obtaining consent that is “freely given”. 

noyb alleges that the subscription fee of up to €251.88 / year for access to both platforms is out of proportion with Meta’s estimated €62,88 / year annual revenue per user in Europe.

TAKEAWAY

Meta’s subscription model was offered shortly after the European Data Protection Board issued a binding decision banning Meta’s targeted advertising practices.

Meta is not the first company in Europe to offer paid subscriptions as alternatives to consent, and multiple data protection authorities have blessed the model, although within the parameters of certain guidance.

The Danish DPA announced in February 2023 general guidelines allowing for “cookie walls” as long as certain criteria are met, including:

  1. users must be given a reasonable alternative to the processing of their personal data (e.g., access to the content for a reasonable monetary fee);
  2. any data processed after a user provides consent (as an alternative to payment) must be a necessary part of the non-monetary alternative, or else separate consent must be obtained (e.g., if the non-monetary alternative is processing of personal data for marketing purposes, the company must obtain separate consent for any other purposes); and
  3. if the user chooses to make monetary payment, no personal data should be processed other than as necessary to provide the service requested, unless separate consent is provided.

Similarly, the French DPA (the CNIL) issued “Cookie Wall Evaluation Criteria” in May 2022 advising that websites conditioning access to a service on the acceptance of cookies or other tracer’s on the user’s terminal device should provide a fair alternative at a reasonable price, that the cookie walls should be limited to the purposes that allow for fair remuneration, and that the selection of the paid alternative should result in appropriate limitation of unnecessary tracers.

Read more:

Danish DPA allows cookie walls, within limits

CNIL publishers Cookie Wall Evaluation Criteria

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.

Latest Blog Posts

FTC and Sensitive Location Data; New Pen Register Class Actions

December 9, 2024

FTC takes action against the sale of sensitive data...

California CPPA Issues Notice of Proposed Rulemaking

November 25, 2024

News out of California this week. The CPPA moved...

Mitigating risk under the Video Privacy Protection Act (VPPA)

November 23, 2024

Because VPPA is just one of many tools being...

Latest White Papers

E-book: Enterprise Guide To Cookie management & Tracker List Curation

July 1, 2024

How to review the tracking tech on your websites...

Benchmark Report: US Privacy Compliance

August 19, 2022

The current state of publisher compliance with CCPA, and...

Keep in touch

Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.

Let's explore what we can do together.

We'll be in touch within 48 hours

[contact-form-7 id="593" title="Schedule a Demo"]