[co-author: Stephanie Kozol]*
Similar to other state consumer data protection acts enacted over the past two years, the Colorado Privacy Act (CPA) allows Colorado consumers to opt out of the sale of personal data and the processing of such data for targeted advertising purposes. Beginning on July 1, 2024, companies controlling personal data that fall within the purview of the CPA must allow consumers to opt out via a universal opt-out mechanism (UOOM).
Uniquely, CPA Rule 5.07 requires the Colorado Attorney General (AG) to vet potential UOOM technologies and maintain a public list of UOOMs that meet the standards of the CPA and that organizations can employ to effectuate the opt-out process. The rule requires the AG to publish the list by January 1, 2024, and to maintain and update it thereafter. At the beginning of October, the AG’s office solicited applications for UOOM technologies to be included on the list. The office has since narrowed the candidates and recently published three potential UOOMs for inclusion, specifically Global Privacy Control, Opt-Out Machine, and OptOut Code. The widely used Global Privacy Control was developed in response to California’s Consumer Privacy Act and is essentially a “switch” that consumers can toggle to prevent sharing of their personal information. It operates on browsers such as Mozilla Firefox and Brave, or can be installed as an extension on most other browsers. Opt-Out Machine is a comprehensive mechanism that allows a consumer to opt out of personal information use for several businesses at once with just one click. OptOut Code meanwhile is a mechanism designed solely for vehicles where consumers can opt out of information vehicle manufacturers collect through consumers’ operation of their cars. Further information on these UOOMs can be found on the Colorado AG’s website, where public comment on the three candidates will be accepted until December 11. The list and comment sites can be found at https://coag.gov/uoom/.
While the UOOM list requirement does not exist in most state consumer data protection acts, many acts do generally require that organizations employ data privacy controls to allow for the opt out of the sale of personal information for targeted advertising. The California Consumer Privacy Act, for example, requires that businesses provide two or more avenues for consumers to submit requests to opt out of personal information use. The Colorado, Connecticut, Delaware, Montana, Oregon, and Texas consumer data protection acts also broadly require that businesses utilize UOOMs as options for consumers. Still, this most recent Colorado AG action represents yet another state-specific measure among an increasing number that companies handling qualifying personal identifying information must consider.
Twelve states have now passed some form of a consumer data protection act, including California, Colorado, Connecticut, Delaware, Iowa, Indiana, Montana, Oregon, Tennessee, Texas, Utah, and Virginia. There is pending legislation to enact similar laws in Massachusetts, Michigan, New Jersey, Pennsylvania, and North Carolina. Generally, these acts all allow for greater consumer control of their personal information, including the ability to access it, delete it, control its use, and discover how a company utilizes it. They also impose security standards for maintaining and protecting the data and require up-front notification to consumers on how they will collect and use their data. Despite the overall similarities, this patchwork of state privacy laws does pose compliance challenges and increased liability exposure for companies with multistate operations. Not only do these laws contain smaller substantive variations among them, many grant additional rulemaking authority to various state agencies that are subsequently promulgating rules in rapid fashion.
For example, on November 27, the California Privacy Protection Agency released its regulatory framework for the use of artificial intelligence (AI) in decision making, which includes allowing consumers the right to opt out of and access information about an organization’s use of AI. The agency plans to finalize this framework in December and begin associated rulemaking next year. Find additional details here: https://cppa.ca.gov/announcements/2023/20231127.html.
As state developments in privacy regulation continue for the foreseeable future, organizations must be ever-vigilant to ensure their practices meet increasingly complex standards.
*Senior Government Relations Manager