Anyone with a predilection for breakfast food, tube-shaped instruments and respectful data collection practices is gonna have a great Jan. 28.
Because Jan. 28 is National Blueberry Pancake Day, National Kazoo Day and, of course, Data Privacy Day, an annual holiday of sorts to raise awareness about the importance of data protection, privacy and cybersecurity.
To commemorate the latter, my gift to you is an update on something I think is about to get a lot more attention: universal opt-out mechanisms (UOOMs).
DNT rides again (sort of)
A universal opt-out mechanism is a digital tool that sends a signal at the browser level telling websites not to collect and/or sell a user’s personal data for targeted advertising and not to track their activity across the internet.
If that sounds familiar, it’s because the concept is pretty much the same as Do Not Track, the ill-fated 2012-2013 initiative that attempted to create a web standard for opting out of online tracking.
DNT never took off for multiple reasons: pushback from the online advertising industry, the lack of accepted standards for what “Do Not Track” meant and the absence of legal enforcement. Honoring the signal was voluntary.
“Do Not Track was largely ignored because servers didn’t know how to interpret it and had no obligation to try,” says Julie Rubash, general counsel and chief privacy officer at data privacy software company Sourcepoint.
But that’s not the case today with UOOMs. Twelve state privacy laws include a legal mandate to honor universal opt-out signals.
California’s and Colorado’s provisions have been on the books since 2024. Connecticut, Montana, Nebraska, New Hampshire and Texas took effect on Jan. 1. Maryland, Minnesota and New Jersey are coming up later this year. And Delaware and Oregon’s UOOM requirements begin on Jan. 1, 2026.
The state of UOOMs
As of today, there is only one universal opt-out mechanism that’s been officially recognized by regulators, and that’s the Global Privacy Control (GPC).
Back in early 2021, when Xavier Becerra was still the attorney general of California (and Twitter was still a relevant platform), he tweeted that businesses are required to treat a user-enabled global privacy control “as a legally valid consumer request” to opt out of the sale of data.
And later, in 2023, Colorado also gave its blessing to the GPC.
But it’s important to note that there are other UOOM tools on the market, and it’s possible that regulators in California, Colorado and other states will eventually endorse them, too.
“They could theoretically announce the recognition of additional UOOMs at any time,” Rubash says.
Colorado selected the GPC, for example, but it was also considering two other UOOMs: OptOutCode, which sends opt-out signals via mobile and IoT devices, and Opt-Out Machine, which sends opt-out requests via email to data brokers.
The Colorado attorney general’s office said it plans to periodically review new UOOM applications and possibly update its list of acceptable tools.
Analyzing opt-outs
The basic purpose of the GPC and UOOMs is to make it as easy as possible for people to exercise their privacy rights.
But as more of these mechanisms crop up and regulators authorize them, the more complicated it could get for publishers to comply with the regulations and manage their data collection.
As Scott Messer, a publisher consultant and founder of Messer Media, put it in an op-ed for AdExchanger late last year, the proliferation of UOOMs “is going to upend the entire flow of data collection – not only how consent is granted, but also where it is granted.”
And there are still a lot of unanswered questions. For instance, do GPC signals override privacy settings at the site level? And how will offering GPC as an option at the browser level impact opt-out rates?
Overall, GPC should be seen as a positive development, according to Don Marti, VP of ecosystem innovation at Raptive, which operates a large publisher ad network. Raptive helped test and troubleshoot GPC and was one of the founding members of the Global Privacy Control project.
“It’s straightforward once you have the underlying opt-out working,” Marti says. “Companies and partners already have to do the right thing with manual opt-outs by users, and a universal opt-out basically says to do the same thing.”
We GPC you
Meanwhile, regulators are watching.
In 2023, Sephora became the first company to receive a fine under the California Privacy Protection Act for not processing opt-out requests made through GPC. It paid $1.2 million to settle the allegations.
Early last year, DoorDash was fined $375,000 for sharing data through a marketing co-op without giving people notice or the opportunity to opt out.
In June, mobile gaming publisher Tilting Point was fined under the CCPA and COPPA for failing to get parental consent before collecting and sharing personal data.
And, earlier this month, the Texas attorney general charged Allstate and its data subsidiary Arity with collecting information from more than 45 million Americans without their consent and selling it to other insurance companies.
That may not seem like a lot of enforcement activity. There have only been a small handful of public cases so far that specifically address a failure to recognize opt-outs, but that doesn’t mean regulators haven’t been active behind the scenes.
“There has been significant nonpublic enforcement in this area,” Rubash says, “with many businesses being the subject of regulator investigations over their opt-out processes, including recognition of GPC.”
In short, are you down with GPC? Because you really should be.
No one wants to get a letter from the CPPA about UOOMs for violating the CCPA and not honoring the GPC.* And they say ad tech is bad for acronyms. 😂
*Translation for humans: No one wants to get a letter for the California Privacy Protection Agency about universal opt-out mechanisms for violating the California Consumer Privacy Act and not honoring the Global Privacy Control.
🙏 Thanks for reading! And happy early Data Privacy Day to all who celebrate, including this little party animal. As always, feel free to drop me a line at allison@adexchanger.com with any comments or feedback.
Updated 1/27/25: A previous version of this story mistakenly said that there are 15 (rather than 12) state laws with UOOM requirements.
