Universal Opt-Out Mechanism (UOOM) / Global Privacy Control honour across US states

Primary statement

Universal Opt-Out Mechanism honour is required by CO (Jul 2024), CT (Jul 2024), OR (Jul 2024) and TX (Jul 2024; opt-in by Jan 2025), and by California per Reg 7025. A UOOM is the browser/device-level signal through which consumers express opt-out preferences via Global Privacy Control (GPC). Businesses must honour the signal without separate consumer action.

Audit-fatigue payoff

A single UOOM-honour implementation — GPC detection + automated opt-out application + per-state addendum — satisfies UOOM requirements across all 7 contributing frameworks. CCPA Reg 7025 (in California) is the audit-defensible reference.

Strictness matrix

Scope
Businesses selling/sharing PI or using SPI beyond § 7027 baseline must honour UOOM signals. California Reg 7025 specifies GPC as the recognised signal.
Ceiling source: ccpa:CCPA.1798.135
Rationale: CCPA 1798.135 + Reg 7025 set the broadest scope.

Threshold
Colorado was the first state to mandate UOOM honour (Jul 2024). CT/OR/TX followed. Honour the signal: automatic opt-out without separate consumer action.
Ceiling source: cpa:CO.6-1-1306
Rationale: CO 6-1-1306 mandated UOOM first; sets the regulatory threshold.

Method
GPC signal detection in browser/device + automated linkage to opt-out preferences + per-state recognition of UOOM mechanisms + interaction with CCPA right to opt out + interaction with sensitive data opt-in (state-dependent).
Ceiling source: ccpa:CCPA.1798.135
Rationale: CCPA 1798.135 + Reg 7025 specify GPC as canonical UOOM.

Frequency
GPC signal honour: real-time on every page load. UOOM implementation review: annual + on new state enactment.
Ceiling source: ccpa:CCPA.1798.135
Rationale: Real-time honour is the binary operational floor.

Evidence
GPC detection implementation + opt-out application logs + per-state addendum library + sample browser sessions traced to opt-out application.
Ceiling source: ccpa:CCPA.1798.135
Rationale: CCPA 1798.135 evidence with sample traces is uniquely strict.

Auditor test pattern

Step 1: Inspect GPC detection implementation.
Step 2: Test from a GPC-enabled browser; verify opt-out automatically applied.
Step 3: Inspect per-state addendum library.
Step 4: Verify UOOM is honoured without separate consumer action.
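
The detection-and-apply step from the Method entry and Step 2 of the auditor test, as an added example (not code from this page or the frameworks it cites). It assumes the consumer's state is resolved upstream; `honourGpc`, the `saleSharingOptOut` field, the evidence record shape and the sample sessions are hypothetical.

```javascript
// Added example; function names, record fields and sample requests are hypothetical.
// States this page lists as requiring UOOM honour.
const UOOM_STATES = new Set(["CA", "CO", "CT", "OR", "TX"]);

// The GPC specification sends the request header "Sec-GPC: 1"; any other value is no signal.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() !== "sec-gpc") continue;
    // Repeated headers may arrive as an array or a comma-joined string.
    const parts = Array.isArray(value) ? value : String(value).split(",");
    return parts.some((p) => String(p).trim() === "1");
  }
  return false;
}

// Called on every page load: applies the opt-out with no consumer action and
// returns an evidence record suitable for an opt-out application log.
function honourGpc(req, storedPrefs, now = new Date()) {
  const gpc = hasGpcSignal(req.headers);
  const inScope = UOOM_STATES.has(req.state);
  const prefs = { ...storedPrefs };
  let action = "none";
  if (gpc && inScope) {
    action = prefs.saleSharingOptOut ? "already_opted_out" : "opt_out_applied";
    prefs.saleSharingOptOut = true;
  }
  const evidence = { ts: now.toISOString(), consumerId: req.consumerId,
                     state: req.state, gpc, action };
  return { prefs, evidence };
}

// Constructed sample sessions, one per case an auditor would trace.
const SAMPLE_SESSIONS = [
  { consumerId: "c-001", state: "CO", headers: { "Sec-GPC": "1" } },
  { consumerId: "c-002", state: "CA", headers: { "sec-gpc": "1" } },
  { consumerId: "c-003", state: "TX", headers: { "Sec-GPC": "0" } },
  { consumerId: "c-004", state: "OR", headers: {} },
];

function traceSamples() {
  return SAMPLE_SESSIONS.map((s) => honourGpc(s, { saleSharingOptOut: false }).evidence);
}

console.log(traceSamples());
```

A request without the signal leaves a stored opt-out untouched, so the evidence log distinguishes "signal absent" from "opt-out withdrawn".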

Common findings

(1) GPC detection absent.
(2) GPC detected but opt-out not auto-applied.
(3) Per-state UOOM differences ignored.
(4) Implementation effective for CA but not CO/CT/OR/TX.