OptOutCode Widens, Without Conflicts, Privacy Protections for Global Privacy Control Users

Beginning July 1, 2024, organizations that fall within the Colorado Privacy Act (CPA) and Texas Data Protection Act must allow individuals to opt out of the sale of their personal data or the use of their personal data for targeted advertising using a Universal Opt-Out Mechanism (UOOM). The Colorado Department of Law (the “Department”) accepted applications for UOOMs and recently published its shortlist of potential UOOMs for consideration. The shortlist includes three UOOMs: OptOutCode, the Global Privacy Control (“GPC”), and Opt-Out Machine. Kelsey Fayer and Gregory Szewczyk point out that “GPC essentially operates as a do not track signal for website browsing”, OptOutCode “applies across a multitude of Internet of Things scenarios”, while “Opt-Out Machine is email-based for more traditional data sales and data broker activities.” In order to make the final list, OptOutCode and Opt-Out Machine must demonstrate that they are as consistent as possible with GPC and do not conflict with it. CPA, 6-1-1313(2)(e).

OptOutCode is consistent with GPC for two main reasons:

1. Complementary. GPC is a browser-level privacy signal designed to allow internet users to notify businesses of their preference to not have their data sold or shared, or used for cross-context behavioral advertising, whereas OptOutCode is compatible with smartphones, laptops, tablets, routers, apps, and IoT devices. The average American spends 6 hours and 58 minutes online daily. Browsing social media accounts and streaming videos accounts for more than five hours of that time. Those online activities can be performed on browsers (where GPC acts as a protection for consumers), but also on apps, for which GPC has not been applied yet. In fact, it is common for companies with online properties to encourage and nudge consumers to stop consuming content from their browsers and instead to use their app (where historically no UOOM was effective). Consequently, current GPC users can easily expand the level of protection of their personal data by using both UOOMs simultaneously as they continue to enjoy their daily online habits. Additionally, all other individuals who have not chosen a preferred method can use OptOutCode to protect their data across both browsers and apps.

2. Compatibility. Individuals can activate GPC by toggling a browser privacy setting or installing an extension for their browser. The browser or extension will automatically send a signal to each website the user visits broadcasting that individual’s preference not to have their data sold or shared, or used for targeted advertising. 

OptOutCode requires individuals to rename their device to include a “0$S” prefix, an operation that can be performed rapidly (i.e. in less than 30 seconds if performed manually by iOS or Android smartphone users [link to tutorials], and semi-instantly with a soon-to-be-released SDK). For example, an iPhone user could opt out of the sale or sharing of their personal data and of targeted advertising by changing their phone’s name from “My Phone” to “0$S My Phone”. OptOutCode’s signal does not conflict with GPC’s signal and can be turned off just as easily and rapidly by deleting the prefix from the device’s name.

No conflict between OptOutCode and GPC in any scenario

As we outlined in our original Colorado UOOM submission, since consumers have the right to freely give or revoke consent, a conflict between OptOutCode and Global Privacy Control is, by design, impossible, even within a web browser setting. Specifically, there are four possible scenarios depending on whether a user sets GPC and/or OptOutCode on or off. The matrix below illustrates how those four scenarios should be interpreted.

GLOBAL PRIVACY CONTROL OFF & OptOutCode OFF

[1] Consumer is not expressing an opt out automatically. That consumer can still opt out manually on each website they visit by making their choices on the cookie banners.

GLOBAL PRIVACY CONTROL ON & OptOutCode OFF

[2] This is equivalent to the scenario that exists today for current users of GPC. There is no conflict when users browse the web as the GPC signal is read by websites who respect their opt-out wish. Outside of web properties, consumers would not have a UOOM in place that protects them.

GLOBAL PRIVACY CONTROL OFF & OptOutCode ON

[3] Upon launching the web browser on a device that has OptOutCode on (e.g. on a consumer’s smartphone), the browser app can detect the name of the device, parse the first three letters, and determine that OptOutCode is on. The browser must now relay that opt-out setting to the websites the consumer visits. This could be done in two main ways:

  1. If the browser is compatible with GPC but GPC is turned off or a necessary plugin is not installed, it should turn on GPC or prompt the user to download one or a choice of plugins that would activate GPC. If the consumer refuses, when prompted, to turn on GPC, it should be interpreted as an active choice of that consumer wanting to be tracked, hence setting the OptOutCode default off, until the next browser session or forever if the consumer asserts that unequivocal choice with a clear opt-in message.
  2. If the browser is not compatible with GPC, the developer of the browser should either make the browser compatible with GPC or develop an alternative mechanism to ensure that the consumer’s desire to opt-out is respected by the online properties visited while using the browser.

GLOBAL PRIVACY CONTROL ON & OptOutCode ON

[4] Consumers have set both UOOMs on. There is no conflict as the consumer is consistently expressing their desire to opt out from certain data processing. Web browsers, and all the websites a consumer visits, would be aware of the consumer’s desire to opt-out and respect that choice accordingly.
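The four scenarios above, written as the decision logic a browser app could apply at session start. This is an added example, not Privacy4Cars' code: the function names, input fields and action labels are hypothetical, and the device name is assumed to be supplied by the browser app's native layer.

```javascript
// Added example; function names, input fields and action labels are hypothetical.
const OPTOUTCODE_PREFIX = "0$S"; // prefix given on the page

// True when the device name begins with the prefix (strict, case-sensitive
// match on the first three characters, as the page describes).
function hasOptOutCode(deviceName) {
  return typeof deviceName === "string" &&
    deviceName.slice(0, 3) === OPTOUTCODE_PREFIX;
}

// Scenario number [1]-[4] from the page's matrix.
function scenario(gpcOn, optOutCodeOn) {
  if (optOutCodeOn) return gpcOn ? 4 : 3;
  return gpcOn ? 2 : 1;
}

// Decide what the browser does at session start.
// state: { deviceName, gpcSupported, gpcOn, refusedGpcPrompt }
// deviceName is assumed to come from the browser app's native layer;
// page scripts cannot read it.
function resolveOptOut(state) {
  const n = scenario(Boolean(state.gpcOn), hasOptOutCode(state.deviceName));
  if (n === 1) return { scenario: n, optOut: false, action: "none" };
  if (n === 2 || n === 4) return { scenario: n, optOut: true, action: "send-gpc" };
  // Scenario [3]: OptOutCode on, GPC off.
  if (!state.gpcSupported) {
    return { scenario: n, optOut: true, action: "alternative-mechanism" };
  }
  if (state.refusedGpcPrompt) {
    // Refusal is read as an active choice; it lasts for this session unless
    // the consumer confirms it with a clear opt-in message.
    return { scenario: n, optOut: false, action: "none-this-session" };
  }
  return { scenario: n, optOut: true, action: "enable-or-prompt-gpc" };
}

// Constructed sample: renamed phone, GPC-capable browser with GPC off.
console.log(resolveOptOut({
  deviceName: "0$S My Phone", gpcSupported: true, gpcOn: false, refusedGpcPrompt: false,
}));
```

The prefix check is deliberately strict, so a name such as "0$s My Phone" is not treated as an opt-out.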

It is obvious from scenario [3] that OptOutCode, if approved by Colorado and other states that allow for Universal Opt Out Mechanisms, may make it easier for consumers to set and turn on GPC on their browsers, hence resulting in a greater adoption of GPC.

Scenario [2] suggests that there is also an opportunity, for the many consumers who elected to use GPC already, to greatly expand the protections available to them by learning about and starting to use OptOutCode. For this reason Privacy4Cars developed a mini website banner that detects if GPC is on or not.

If not, it encourages users to learn about and turn on GPC so they can enjoy a more private browsing experience.

If GPC is already on, it encourages them to learn about and turn OptOutCode on to stretch that safety net wider, beyond online browsing.

It is our hope that privacy-forward organizations, whether from the business, nonprofit, or government world, will adopt these banners to drive awareness and improve privacy protections. The code to enable these banners is pasted below.

It is our hope that clarifying how OptOutCode does not conflict with GPC, but rather complements it, enhances it, and drives its adoption, will encourage the various states with UOOM provisions to accept OptOutCode as a valid mechanism.

Step 1: Add the following line of code inside your website’s <head> tag:

<script src="https://storage.googleapis.com/privacy4cars/static/script/gpc/optoutcode-banner.js"></script>

Note: Please make sure to allow any external scripting permissions that might be required on your website to allow the above line of code to work.

Step 2: Add the following line of code in your website’s <body> or <main> tag where you want the banner to appear:

<div class="optoutcode-banner-container"></div>

Note: Please do not place the above line of code as/in any nested elements to ensure proper visibility.