Are you accidentally ignoring opt-out requests?
Posted: April 2, 2025
Consumers have more ways to opt out than ever before.
And in many areas of the world, they have a legal right to have businesses recognize their opt-out preference signals (OOPS) – sometimes also referred to as Universal Opt-Out Mechanisms (UooMs).
State privacy laws have been enacted to protect individuals from the unwanted sharing and selling of their personal data.
However, a recent Consumer Reports investigation reveals a concerning trend: many companies are ignoring opt-out requests, not only putting consumer privacy at risk but also gambling with substantial fines.
This area of data privacy legislation can be particularly complex to navigate: multiple jurisdictions use conflicting terminology, and people now interact online in more ways than ever – from different locations and on multiple devices, for example.
So, are you one of the brands unknowingly – or knowingly – ignoring them?
- First things first – acronyms
- What did Consumer Reports investigate?
- What does the law say about OOPS?
- Some of the more complicated aspects of legislation…
- Challenges with managing opt out signals
- The risk of non-compliance with OOPs
- Using a Consent and Preference Management Platform to manage Opt-Out Preference Signals
- Cross-Device Consent enables compliance at scale
First things first – acronyms
Terminology varies when it comes to this topic. Here are the terms we reference throughout this article:
- UooM (Universal Opt-Out Mechanism): A signal sent by a person’s device or browser that requests websites not to track, collect, or sell the user’s personal data.
- OOPS (Opt-Out Preference Signal): An interchangeable term for UooM, used specifically in the California Consumer Privacy Act (CCPA).
- GPC (Global Privacy Control): A type of UooM signal that is a browser setting indicating a consumer’s opt-out preference, automatically requesting websites not to sell or share their data.
What did Consumer Reports investigate?
Consumer Reports investigated the compliance of companies with opt-out provisions under state privacy laws, which are designed to protect consumer data from being sold or used for targeted advertising.
The report used a combination of VPNs, new Chrome accounts, and privacy-friendly browser add-ons to test compliance. Testers visited retailer and publisher websites to simulate consumer browsing and observed the presence of retargeted ads.
Despite sending opt-out requests to 40 well-known retailers, the report found that 12 of them – 30% – continued to serve retargeted ads, indicating a significant compliance gap.
There are some things to note, of course – the testing had limitations in verifying that targeted ads were a direct result of websites sharing their data, though it was highly likely.
The Wall Street Journal also requested comment from the brands reported to be failing to comply, most of which stated that they do recognize opt-out signals and preferences as the law requires.
What does the law say about OOPS?
Several state privacy laws in the United States mandate the recognition and honoring of opt-out preference signals, also known as GPC or UooMs.
- California Consumer Privacy Act (CCPA) (from 2018)
- Colorado Privacy Act (CPA) (from July 2025)
- Connecticut Data Privacy Act (CTDPA) (from Jan 2025)
- Texas Data Privacy and Security Act (TDPSA) (from Jan 2025)
- Montana Consumer Data Privacy Act (MCDPA) (from Jan 2025)
- Delaware Personal Data Privacy Act (DPDPA) (from Jan 2026)
- Oregon Consumer Privacy Act (OCPA) (from Jan 2026)
Some of the more complicated aspects of legislation…
California and Colorado both specifically mention GPC; California also includes “any valid” OOPS signal.
As a minimum, California and Colorado require that the signal is honored for the device and browser (for an unknown website visitor/user). They expect that, should a user log into the website and become “known”, this signal should then be honored on their other devices and browsers (if logged in), regardless of the GPC setting on those other devices. (Set once, always honored.)
However, the CCPA does specifically allow you to ask again after a minimum of 12 months. Additionally, you can ask for clarification if the GPC signal conflicts with something the user has already requested from the business.
As per the CCPA: “Where the GPC signal conflicts with the existing privacy settings a consumer has with the business, the business shall respect the GPC signal but may notify the consumer of the conflict and give the consumer an opportunity to confirm the business-specific privacy setting or participation in the financial incentive program”.
Outside of that, it is also part of the requirements that once a UooM/OOPS is detected and honored, it will remain in place until a direct opt-in is given. So once someone opts out, they cannot be opted back in just because they later use a browser without the opt-out signal.
To add further complexity, CCPA requires a minimum of two UooM mechanisms. This means that the GPC alone isn’t enough: you need alternative opt-out options, for example:
- An “opt out of all” link on the website
- An unsubscribe email address
Should a user opt out via one of these methods, their opt-out should be honored whenever they are “known” on the website, even without a GPC signal.
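The rules in this section (device-level honoring for unknown visitors, propagation once a user is known, opt-outs that persist until a direct opt-in, the 12-month re-ask window and the conflict case) can be expressed as a small server-side resolver. This is an added example, not code from Cassie or any other product; the store layout, field names and function names are assumptions, as is reading the signal from the `Sec-GPC: 1` request header defined by the GPC specification.

```javascript
// Added example: store layout, field names and function names are assumptions.
const TWELVE_MONTHS_MS = 365 * 24 * 60 * 60 * 1000; // approximation of "12 months"

function createStore() {
  return { byDevice: new Map(), byUser: new Map() };
}

// GPC arrives as the request header "Sec-GPC: 1" (header names lowercased, as in Node).
function hasGpc(headers) {
  return String(headers['sec-gpc'] ?? '').trim() === '1';
}

// Store a choice against the user when known, otherwise against the device.
function record(store, { deviceId, userId, now }, optedOut, source) {
  const rec = { optedOut, source, at: now };
  if (userId) store.byUser.set(userId, rec);
  else store.byDevice.set(deviceId, rec);
  return rec;
}

// Alternative mechanisms (opt-out link, unsubscribe address) share the GPC path.
const recordOptOut = (store, ctx, source) => record(store, ctx, true, source);
// Only a direct opt-in clears an opt-out; the absence of a signal never does.
const recordDirectOptIn = (store, ctx) => record(store, ctx, false, 'direct-opt-in');

function resolve(store, ctx) {
  const { headers, deviceId, userId, now } = ctx;
  const device = store.byDevice.get(deviceId);
  let rec = userId ? store.byUser.get(userId) : device;
  // A device-level opt-out follows the person once they log in and become known.
  if (userId && device?.optedOut && (!rec || (!rec.optedOut && device.at > rec.at))) {
    store.byUser.set(userId, device);
    rec = device;
  }
  let conflict = false;
  if (hasGpc(headers)) {
    // GPC wins over an earlier business-specific opt-in; the conflict is
    // surfaced so the site may ask the person to confirm their setting.
    conflict = Boolean(rec && !rec.optedOut);
    if (!rec || !rec.optedOut) rec = record(store, ctx, true, 'gpc');
  }
  const optedOut = Boolean(rec && rec.optedOut);
  return {
    optedOut, conflict, source: rec ? rec.source : null,
    // Asking again is only allowed once 12 months have passed since the opt-out.
    mayAskAgain: optedOut && now - rec.at >= TWELVE_MONTHS_MS,
  };
}
```

Every page request calls `resolve` before any sale or sharing decision is made, and the opt-out link and unsubscribe handlers call `recordOptOut` with their own source label.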
Challenges with managing opt out signals
- Managing 100% of consent choices across multiple user devices, combined with varying global and state legislation around Do Not Sell (DNS), is more complicated than ever.
- Regulatory bodies expect laws to apply consistently across all environments, reflecting consumer expectations. For example, if a user opts out on their TV, they should be opted out on all other devices as well.
- Technology is advancing faster than privacy management can keep up. As devices increasingly communicate with each other, brands need to manage consent across all environments effectively.
The risk of non-compliance with OOPs
We have a saying at Syrenis when it comes to consent – “Ask me once, don’t ask me again” – which is particularly valid when discussing opt-out preferences. By failing to oblige, you’re not only risking fines but also betraying user trust.
Enforcement of this particular issue is also on the rise. A notable example is Sephora, which was fined $5m for failing to meet the “Do Not Sell” requirements under the CCPA.
Using a Consent and Preference Management Platform to manage Opt-Out Preference Signals
Utilizing a Consent and Preference Management (CPM) platform offers businesses a centralized and efficient solution to manage opt-out preference signals effectively.
By leveraging such a platform, businesses can streamline the process of receiving, interpreting, and responding to opt-out signals from consumers across various channels and touchpoints.
Platforms like Cassie provide advanced functionalities, including the ability to capture and record user preferences accurately, ensuring compliance with regulatory requirements such as the California Consumer Privacy Act (CCPA).
Cassie can honor OOPS and GPC signals in just one click so that your website automatically accepts the visitor’s preferences.
Cassie can also display a fully-customizable opt-out banner to inform users that you are honoring their preferences.
Cross-Device Consent enables compliance at scale
Cassie’s unique Cross-Device Consent functionality enables total compliance by automatically honoring user preferences across multiple devices once the user is authenticated (known by logging in).
Cassie automatically reads consent signals for anonymous users per device and then once the user is authenticated/known, their opt-in or opt-out preference will be unified across all logged-in devices.
This results in…
- 100% of consent honored globally across all devices by creating a single source of truth for known user consent, so their preferences are honored everywhere
- Meeting compliance requirements and protecting brands from fines
- Enabling brands to adapt and comply with global legislation – through geographical ruling settings