Are there requirements for businesses if a global privacy control conflicts with a consumer’s current privacy settings or their participation in a financial incentive program?
Where a global privacy control (“GPC”) conflicts with a consumer’s existing business-specific privacy setting or their participation in a business’s financial incentive program, the business must respect the GPC, but may notify the consumer of the conflict and give the consumer the choice to confirm the business-specific privacy setting or participation in the financial incentive program.
 CCPA Regulations, § 999.315(c)(2).
Does the CCPA require businesses that develop software or online browsers to provide consumers a user-enabled privacy control?
The regulations implementing the CCPA require that in-scope businesses must provide two or more designated methods of submitting requests to opt-out, including an interactive form accessible via a clear and conspicuous link titled “Do Not Sell My Personal Information,” on the business’s website or mobile application.
In addition to the “DNSMPI” link noted above, one of the other “acceptable methods” for submitting sale opt-out requests (along with use of a toll-free phone number, a designated email address, and forms submitted in person or via the mail) is user-enabled global privacy controls (“GPC”), such as a browser plug-in or privacy setting, device setting, or other mechanism to “clearly communicate or signal” a consumer’s request to opt-out of the sale of their personal information (“PI”). The effect of a GPC is to provide consumers a mechanism to broadly signal an opt-out request, as opposed to going website-by-website to make individual requests. The CCPA, and the regulations implementing the CCPA, do not, however, mandate that software developers, or developers of website browsers, include a GPC control in their products.
According to the regulations implementing the CCPA, businesses that collect personal information from consumers online must treat user-enabled GPCs as a valid opt-out request for that browser or device, or, if known, for the consumer.] The Office of the California Attorney General has indicated its view that if businesses were to have the discretion to not respond to such a mechanism, it is likely they would ignore or reject a GPC, just as many companies choose not to honor “do not track” signals when not required.
 CCPA Regulations § 999.315(a).
 CCPA Regulations § 999.315(c).
 FSOR at 37-38.
©2020 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume X, Number 311