Survey of Current Universal Opt-Out Mechanisms
With contributions from Aaron Massey, FPF Senior Policy Analyst and Technologist, Keir Lamont, Director, and Tariq Yusuf, FPF Policy Intern
Several technologies can help individuals configure their devices to automatically opt out of web services’ requests to sell or share personal information for targeted advertising. Seven state privacy laws require that organizations honor opt-out requests. This blog post discusses the legal landscape governing Universal Opt-Out Mechanisms (UOOMs), as well as the key differences between the leading UOOMs in terms of setup, default settings, and whether those settings can be configured. We then offer guidance to policymakers to consider clarity and consistency in establishing, interpreting, and enforcing UOOM mandates.
The legal environment behind Universal Opt-Out Mechanisms
Online advertising continues to evolve, specifically in reaction to new regulatory requirements as an increasing number of international jurisdictions and U.S. states have enacted comprehensive privacy laws. As of October 2024, twelve states grant individuals the right to opt out of businesses selling their personal information or processing that data for targeted advertising. Of these twelve state privacy laws, seven include provisions that make it easier for individuals to opt out of certain uses of personal data. This includes the kind of personal and pseudonymized information that is routinely shared with websites, such as browser information or information sent via cookies.
Historically, a significant practical hurdle existed in the implementation of opt-out rights: users wishing to exercise the right to opt out of the use of this information for targeted advertising must locate and manually click opt-out links that businesses provide on their web pages, and they generally must do so for every site they visit. To make opting out easier, seven state’s privacy laws (California, Colorado, Connecticut, Delaware, Montana, Oregon, and Texas) require businesses to honor individuals’ opt-out preferences transmitted through Universal Opt-Out Mechanisms (UOOMs) as valid means to opt out of targeted advertising and data sales. UOOMs refer to a range of desktop and mobile tools designed to provide consumers with the ability to configure their devices to automatically opt out of the sale or sharing of their personal information with internet-based entities with whom they interact. These tools transmit consumers’ opt out preferences by using technical specifications, chief among these the Global Privacy Control (GPC).
California became the first state to establish the force of law for opt-out signals as valid opt-outs through an Attorney General rulemaking process in August, 2020. Specifically, businesses who do not honor the Global Privacy Control on their websites may risk being found in noncompliance with the California Consumer Privacy Act (CCPA), which was the central topic in the recent enforcement action against Sephora, an online retailer. In the complaint, state authorities alleged that Sephora’s website was not configured to detect or process any GPC signals and, as a result, failed to honor users’ opt-out preferences by not opting them out of sales of their data.
Survey of UOOM Tools Available to Consumers
The California Attorney General references the Global Privacy Control as the leading opt-out specification that meets CCPA standards. As of this writing, eight UOOMs are endorsed by the creators of the GPC specification:
- Brave (a mobile and desktop browser)
- Disconnect (a browser extension and smartphone app)
- DuckDuckGo Privacy Browser (a mobile and desktop browser)
- DuckDuckGo Privacy Essentials (a browser extension)
- IronVest (a security suite with GPC functionality)
- Mozilla Firefox (a mobile and desktop browser)
- OptMeowt (a browser extension)
- Privacy Badger (a browser extension)
Although other UOOMs exist (and more are likely to emerge), we focus exclusively on the tools endorsed by the creators of the Global Privacy Control specification. In 2023, the FPF team downloaded and installed each tool and evaluated each tool’s installation process, whether GPC signals were sent without additional configuration, and whether those settings could be adjusted (see Figure 1 below).
|Installation||GPC Signals Sent without Additional Configuration||Can the Configuration Be Adjusted?|
|IronVest||Requires account sign-up||❌ No||Yes; GPC can be enabled only on a per-site basis, not globally.|
|Brave Browser||No steps required after installation||✅ Yes||No; GPC cannot be disabled, either globally or per-site, even when other protections in the “Shields” feature are turned off.|
|Disconnect||No steps required after installation||❌ No||Yes; GPC can be enabled globally but not on a per-site basis using a checkbox in the main browser plugin window.|
|DuckDuckGo Privacy Browser||No steps required after installation||✅ Yes||Yes; GPC can be disabled globally but not on a per-site basis.|
|DuckDuckGo Privacy Essentials||No steps required after installation||✅ Yes||Yes; GPC can be disabled both globally or on a per-site basis by disabling “Site Privacy Protection.”|
|Firefox||Requires technical configuration||❌ No||Yes, GPC can be disabled globally in the browser’s technical configuration but not on a per-site basis.|
|OptMeowt||No steps required after installation||✅ Yes||Yes; GPC can be disabled both globally or on a per-site basis by disabling the “Do Not Sell” feature.|
|Privacy Badger||No steps required after installation||✅ Yes||Yes; GPC can be disabled both globally or on a per-site basis by disabling the “Do Not Sell” feature.|
Our survey allows us to make four key observations about the state of these UOOMs.
- Current GPC implementations are largely limited to browser plugins for desktop environments. Google Chrome, Microsoft Edge, and Safari do not natively support the GPC signal. Mozilla Firefox supports sending the GPC signal, but configuring was the most challenging setup of all the tools we tested. Brave and DuckDuckGo are the only browsers that natively support the GPC. In addition, Brave and DuckDuckGo are the only desktop and mobile browsers with GPC enabled by default.
- GPC tools significantly differ from one another in user experiences for both installation and use. The installation process for six of the tools was direct and, therefore suitable to a broad range of consumer knowledge. Two of the tools, IronVest and Firefox, require additional steps to enable GPC. Ironvest requires the creation of an account upon downloading the tool, and through that account offers not only GPC but also a subscription-based suite of further online security services like password managers and email maskers. By contrast, Firefox does not require an account, but it requires users complete more steps to enable the GPC that require technical knowledge or experience. Specifically, users must access the about:config settings page in Firefox, which warns the user to “Proceed with Caution” and requires users to know how to find the GPC configuration options. Users with limited experience configuring about:config settings on this browser may struggle to enable the GPC signal on Firefox. Following FPF’s study on September 25, 2023, Mozilla enabled a graphical UI setting for GPC in Firefox Nightly. Firefox Nightly provides tech savvy users with more experimental builds of Firefox. Features typically migrate from Nightly to the more broadly available Firefox browser over time.
- GPC tools differ significantly in their default settings after installation, potentially creating consumer confusion in switching from one service to another. Three of the tools leave the GPC off by default following final installation; four of them enable the GPC by default. Firefox, for example, does not enable GPC by default, and it requires the most work to enable, whereas Brave enables GPC by default without notifying users or allowing them to disable it. Many tools include other privacy features in addition to GPC, such as Privacy Badger’s ability to block surreptitious tracking mechanisms like supercookies. These tools were not examined in this report, though they may create divergent user experiences that can cause consumers to draw different conclusions as to each tool’s utility and effectiveness. Users installing a privacy-focused browser extension or using a privacy-focused browser may be unaware that in certain cases privacy features are disabled by default and require additional configuration after installation.
- Finally, we observe that these tools significantly differ in configuration options for when and where to send the GPC signal. The tools collectively deploy two types of configuration: globally sending the GPC to every site and/or selectively sending the GPC on a per-site basis. None of the tools have pre-configured profiles or “allow / deny” lists for when to send the GPC, and about half of the tools allow users to set the GPC both as a global setting and on a per-site basis. IronVest only allows sending the GPC on a per-site basis, while Brave only enables the GPC on a global basis. However, given that most state laws that require compliance with a UOOM also require affirmative consent to opt back in following an opt-out, it is unclear whether disabling the GPC signal for a site after visiting it will have legal effect.
Next Steps & Policy Considerations
In 2023 alone, six states passed comprehensive privacy laws. In the years ahead, we expect that more states will be added to this list, and many are likely to include provisions regarding UOOMs. Policymakers must ensure that all UOOM requirements offer adequate clarity and consistency.
One place where greater detail from policymakers would provide benefit to organizations seeking to comply with legal requirements is in guidance not only for covered businesses, but also for vendors of consumer-facing privacy tools. Specifically, guidance would be useful regarding how a UOOM must be configured or implemented to give assurance that the GPC signals being sent are a legally valid expression of individual intent. For example, a minor detail such as whether a tool contains a “per-site” toggle for the GPC may be significant in one state, but not another.
Similarly, the question of “default settings” and their legal significance requires greater clarity in many jurisdictions. For example, to be considered a valid exercise of individuals’ opt-out rights under Colorado law, a valid GPC signal occurs when individuals provide “affirmative, freely given, and unambiguous choice.” This requirement creates an engineering ambiguity for publishers and websites over the validity of GPC signals they receive. For example, users installing a browser extension that requires a separate, affirmative user configuration prior to sending the GPC signal will unambiguously be a valid expression of individual choice. On the other hand, an individual using a browser marketed with a variety of privacy preserving features, including the GPC, may be sending a GPC signal that does not meet the law’s standards for defaults if those features are enabled by default and they do not provide notice to users. The user may have wanted a privacy feature other than GPC and not been aware that the GPC signal would be sent. On the other hand, another user may both be seeking and appreciate a default-on GPC and not want it to be legally ignored because they didn’t affirmatively enable it. Publishers and websites do not have an engineering mechanism to differentiate between these scenarios, incentivizing them to use nonstandard techniques, like fingerprinting, for the purposes of discerning which GPC signals are valid.
New states implementing comprehensive privacy laws also increase the odds that specific privacy rights may fracture across jurisdictions in ways that are either cohesive or irreconcilable. The current GPC specification does not support conveying users’ jurisdictions, so it is unclear how organizations must differentiate between signals originating from one jurisdiction or another. The result could be that entities must choose which state to risk running afoul of the law in such that they may follow the requirements of a conflicting jurisdiction.
As user-facing privacy tools are developed and updated, responsible businesses will likely err on the side of over-inclusion by treating all GPC signals as valid UOOMs. However, increased user adoption and the expansion of the GPC into new sectors (such as connected TVs or vehicles) could change expectations and put more pressure on different kinds of advertising activities. In the absence of uniform federal standards that would create guidance for such mechanisms, most businesses will aim to streamline compliance across states, providing a significant opportunity for policymakers to shape the direction of consumer privacy in the coming years. Policymakers must be aware of these developments and strive for clarity and consistency in order to best inform organizations, empower individuals, and set societal expectations and standards that can be applied in future cases.