Colorado Department of Law Issues Universal Opt-Out Shortlist Under the Colorado Privacy Act – What to Do Next

Kilpatrick

The Colorado Department of Law has published its Universal Opt-Out Shortlist under the Colorado Privacy Act (“CPA”). This eagerly awaited guidance gives organizations that are subject to the CPA clarity on how to respond to certain consumer requests under the CPA (consumers can use universal opt-out signals to send requests to opt out of a company’s sale of personal data or its use for targeted advertising). The guidance may also inform an organization’s approach with respect to other U.S. comprehensive state data privacy laws.

Overview

Although most substantive provisions of the CPA are already in effect, the CPA requires controllers that engage in targeted advertising or the sale of personal data to allow consumers to opt out of such activities through a user-selected universal opt-out mechanism (“UOOM”). However, companies must respond only to mechanisms meeting technical specifications established by the Colorado Attorney General. That is, the Universal Opt-Out Shortlist contains the UOOMs and related technical specifications that are valid under the CPA.

Critically, the only UOOM currently listed on the Universal Opt-Out Shortlist is the global privacy control (“GPC”). GPC is a specification (the response to which is also required by California privacy law) that consists of a setting or extension in the user’s browser designed to allow internet users to notify businesses of their privacy preferences. Additional information regarding GPC can be found here. The Universal Opt-Out Shortlist states that the list does not exclude additional UOOMs from meeting CPA requirements, but it does represent the valid and recognized UOOMs for enforcement.

The CPA also provides that a controller may enable the consumer to consent, through a web page, application, or similar method, to the processing of personal data for the purposes of targeted advertising or the sale of personal data, and that consent takes precedence over the choice reflected by the consumer through the UOOM.

Next Steps

If your organization is subject to the CPA and has not already done so, it should determine whether it processes personal data for the purposes of targeted advertising and/or sells personal data.1

If your organization engages in such activities, it should consider whether it wants to implement GPC (either on its own or using a third-party vendor), obtain consent for the collection of personal data in connection with such activities (often done through a cookie banner), or attempt to rely on another opt-out mechanism (although that choice carries some compliance risk). The organization must also make related disclosures in its privacy notice. Each organization will want to consider the approach that works best based on the data privacy laws that it is subject to, the nature of its business, and its overall risk profile.

California and Colorado promoting the GPC so strongly is unusual given that the standard does not apply to much online activity. Many popular internet browsers and mobile environments (where tracking is rampant) do not respond to GPC signals (often forcing companies to rely on native consent options). Anyone tasked with implementing privacy compliance should follow whether the Colorado announcement moves the needle in favor of GPC adoption.

Finally, although definitions vary slightly between laws, U.S. comprehensive data privacy laws currently in effect (such as laws in Virginia, Connecticut, and Utah) also contain similar terms. Any approach to compliance under the CPA should therefore be harmonized with requirements arising under other regimes.

Footnotes

1 Under the CPA, “targeted advertising” means, with certain exceptions, displaying to a consumer an advertisement that is selected based on personal data obtained or inferred over time from the consumer’s activities across nonaffiliated websites, applications, or online services to predict the consumer’s preferences and interests. Meanwhile, a “sale” under the CPA means the exchange of personal data for monetary or other valuable consideration by a controller to a third party.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Kilpatrick | Attorney Advertising
