Colorado introduces universal opt-out for personal data sales and targeted advertising
Beginning on July 1, 2024, organizations that fall under the Colorado Privacy Act, CPA, must allow consumers the opportunity to opt-out of the sale of their personal data or use of such data for targeted advertising. Consumers can communicate their preferences to such organizations via a system known as a Universal Opt-Out Mechanism, or UOOM. Rule 5.02(b) of the Colorado Privacy Act describes the purpose of universal opt-out mechanisms are “to provide Consumers with a simple and easy-to-use method by which Consumers can automatically exercise their opt-out rights with all Controllers they interact with without having to make individualized requests with each Controller.”
While not yet implemented, Colorado’s UOOM looks and functions in a similar fashion to a legislative proposal recently introduced by the California Privacy Protection Agency or CPPA. In December 2023, the CPPA unanimously voted to approve a legislative proposal that would require internet browsers to send consumers an opt-out preference signal. Like Colorado’s approach via UOOMs, California’s opt-out preference signal allows consumers to share their choice to opt out of the sale or sharing of personal information when they interact with organizations online. Currently, seven states mandate businesses to respect browser privacy signals for opting out of personal data sales, including Colorado, California, Connecticut, Delaware, Montana, Oregon, and Texas.
Unlike the CPPA’s legislative proposal, which would require internet browsers themselves to incorporate opt-out preference signals, Colorado will implement their UOOM via a third-party vendor. On January 1, 2024, the Colorado Attorney General released a list of UOOMs the Colorado Department of Law that meets the requirements of the CPA. So far, the only UOOM considered valid under the CPA is Global Privacy Control, an organization that provides a browser extension that allows users to automatically share their privacy preferences to all websites they visit. Global Privacy Control describes their product as “a robot that selects the Do Not Sell preference on a site on behalf of a user.”
The CPA’s UOOM requirements emphasize consumers’ rights in deciding if and when to share their personal data online. For instance, 4 CCR 904-3 Part 5 establishes that “a Universal Opt-Out Mechanism may not be the default setting for a tool that comes pre-installed with a device, such as a browser or operating system.” The rational being that the CPA emphasizes the consumer’s role in affirmatively and freely choosing to decide to use a UOOM. To opt-in, Colorado resident’s must make a decision “to adopt a tool that does not come pre-installed with a devise, such as a browser or operating system, but is marketed as a tool that will exercise a user’s rights to opt out of the Processing of Personal Data using a Universal Opt-Out Mechanism.” While organizations that fall under the CPA do not need to honor consumer opt-outs until July 1, 2024, Colorado’s approach to facilitate such opt-outs via UOOMs, along with California’s similar proposal to require internet browsers to send an opt-out preference signal, demonstrate a trend towards consumer agency over when and how personal data is shared online.
For more legislative updates on data privacy law from McDonald Hopkins, please subscribe to receive our publications or view the links below for recent updates on other state data privacy legislative updates. If you have questions about your company’s compliance with cyber regulations, concerns about vulnerability to a ransomware attack or other breach, or if you want to learn more about proactive cybersecurity defense, then please contact a member of McDonald Hopkins’s national data privacy and cybersecurity team.