
Validating State Privacy Law Opt-Out Signals

State privacy laws, such as the California Consumer Privacy Act (CCPA), require companies to implement opt-out solutions and honor applicable privacy requests. But if you have implemented an opt-out, how do you know it actually works?

Is it configured properly? How do you validate that your opt-outs work as intended? Even more fundamentally, what are the technical criteria you need to apply to make that determination?

Implementing opt-outs is easy. Implementing them to do what you want, however, is hard.

This is because most websites and mobile apps contain an abundance of SDKs and JavaScript libraries for a wide range of purposes: targeted/cross-context behavioral advertising, analytics, joint promotions, graphics, authentication, social sharing, and the list goes on. Knowing what is in scope for opt-outs involves a careful analysis of the law, together with a basic understanding of the technology – specifically, what data is shared with whom and for what purpose.

Implementing opt-outs is almost impossible to do correctly the first time. Opt-out buttons or forms may visually display an opted-out state to users, but the backend technology driving the opt-out is entirely different from the frontend technology users experience. This requires deep, targeted assessment.

To make things even more difficult, the only way to know whether your opt-out works is to perform before-and-after tests using either specially instrumented devices or network traffic analysis. In our view, none of the automated “cookie-scanning” solutions and similar tools available on the market comes close to performing reliable validation/testing of opt-outs.
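A before-and-after test of this kind can be sketched as a comparison of two browser network captures, one taken before the opt-out and one after. This is an added example, not part of the original post and not how NT Analyzer works; it assumes HAR-format captures, and the hostnames and identifier values are constructed.

```python
from urllib.parse import urlsplit, unquote

def third_party_flows(har, first_party, identifiers):
    """Return {third-party host: set of known identifiers seen in its requests}."""
    flows = {}
    for entry in har["log"]["entries"]:
        req = entry["request"]
        host = urlsplit(req["url"]).hostname or ""
        if host == first_party or host.endswith("." + first_party):
            continue  # first-party traffic is not part of this comparison
        # Search the decoded URL and any request body for the test identifiers.
        payload = unquote(req["url"]) + " " + req.get("postData", {}).get("text", "")
        flows.setdefault(host, set()).update(i for i in identifiers if i in payload)
    return flows

def compare_opt_out(before, after, first_party, identifiers):
    """Classify each third-party host seen before or after the opt-out."""
    pre = third_party_flows(before, first_party, identifiers)
    post = third_party_flows(after, first_party, identifiers)
    report = {}
    for host in sorted(set(pre) | set(post)):
        if host not in post:
            report[host] = "stopped"
        elif post[host]:
            report[host] = "identifiers sent after opt-out"
        else:
            report[host] = "contacted, no known identifiers"
    return report

def _har(*requests):
    """Build a minimal HAR-shaped dict from (url, body) pairs (constructed data)."""
    return {"log": {"entries": [
        {"request": {"url": u, "postData": {"text": b}}} for u, b in requests]}}

# Constructed sample captures; hosts and identifier values are made up.
BEFORE = _har(
    ("https://shop.example/cart", ""),
    ("https://ads.tracker.example/pixel?uid=abc123&ev=view", ""),
    ("https://metrics.example.net/collect", '{"email_hash": "9f8e7d"}'),
    ("https://cdn.fonts.example.org/font.woff2", ""),
)
AFTER = _har(
    ("https://shop.example/cart", ""),
    ("https://metrics.example.net/collect", '{"email_hash": "9f8e7d"}'),
    ("https://cdn.fonts.example.org/font.woff2", ""),
)

if __name__ == "__main__":
    ids = ["abc123", "9f8e7d"]
    for host, status in compare_opt_out(BEFORE, AFTER, "shop.example", ids).items():
        print(f"{host}: {status}")
```

The report only shows what still leaves the device after the opt-out; whether a remaining flow is in scope for the opt-out is the legal analysis described above.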

The time to test and validate your opt-outs is now.

Regulators are taking notice and not only relying on a business’s public-facing disclosures (e.g., privacy policy and opt-out pages), but also focusing on whether or not the opt-outs work as intended. If it turns out that your opt-out doesn’t function as intended, you will need time to allow your developers, engineers and third-party service providers to remediate and deploy.

We test and validate opt-outs using Norton Rose Fulbright’s in-house technical testing tool, NT Analyzer. NT Analyzer is a practical tool suite that relies on network traffic analysis for managing privacy compliance for mobile apps, websites and IoT. The tool detects and tracks the full range of data, including personally identifiable information, that is collected and shared.

Businesses can only determine the effectiveness of their opt-outs by analyzing the full range of transmitted data.



Special thanks to Rahul Kapoor for his assistance on this post.


Author Steven Roosa

Steven B. Roosa advises companies on a wide spectrum of technology and legal issues pertaining to privacy and data security. Steve serves as partner in Norton Rose Fulbright's New York office and oversees the firm's privacy compliance tool suite, NT Analyzer.


Author Daniel Rosenzweig

Daniel B. Rosenzweig is a lawyer in Norton Rose Fulbright's Data Protection, Privacy and Cybersecurity practice group in the New York office. Daniel is part of the core team that oversees NT Analyzer to help clients navigate the complex data protection and privacy landscape.
