The Colorado Privacy Act may have taken effect earlier this year, but that doesn’t mean all companies that do business in Colorado and fall within the scope of the law can take it easy just yet. Rather, for those companies that process personal data for purposes of targeted advertising or that sell personal data, an important requirement of the CPA is still to come: under C.R.S. § 6-1-1306(1)(a)(IV)(B), controllers subject to the CPA will, as of July 1, 2024, be required to comply with Colorado consumers’ requests to opt out of the processing of their personal data for targeted advertising or to opt out of the sale of personal data that are delivered passively through any “user-selected universal opt-out mechanism that meets the technical specifications established by the attorney general.”
Rules 5.06 and 5.07 of the Colorado Privacy Act Rules in turn establish technical specifications and minimum standards for these mechanisms, and provide that the Attorney General’s office will maintain a public list of the mechanisms that meet them.
On November 21, 2023, the Colorado Attorney General published a Universal Opt-Out Shortlist identifying three potential universal opt-out mechanisms that the Attorney General may formally recognize, including the Global Privacy Control, the OptOutCode, and the Opt-Out Machine, and seeking public comments on each of the mechanisms.
This post offers a refresh of the opt-out rights granted to consumers under the CPA and the methods by which consumers may exercise those rights, then discusses the three proposed universal opt-out mechanisms put forth by the Colorado Attorney General for public comment.
The CPA’s Opt-Out Rights: Active vs. Passive Requests
Among other consumer rights, the CPA grants Colorado consumers the right to opt out of the processing of their personal data for “targeted advertising” and to opt out of the sale of their personal data.
The CPA contemplates that consumers may exercise these rights in one of two ways—actively or passively. The “active” method involves the controller offering a “clear and conspicuous method” that the consumer must actively select to communicate their opt-out choice.
The passive opt-out method, by contrast, involves the consumer passively sending and the controller automatically recognizing, standardized signals, sent via a browser or extension, that alert the controller that the consumer visiting its website prefers to opt out of the processing of their personal data for targeted advertising or the sale of their personal data. These signals are known as universal opt-out mechanisms. To be capable of responding to a universal opt-out mechanism, a controller’s website must be configured to detect and react to the preferences conveyed by the mechanism. As explained by Rule 5.02(B) of the Colorado Privacy Act Rules, the purpose of a universal opt-out mechanism is “to provide Consumers with a simple and easy-to-use method by which Consumers can automatically exercise their opt-out rights with all Controllers they interact with without having to make individualized requests with each Controller.”
As currently enacted, the CPA only requires controllers to offer an “active” opt-out method and to fulfill opt-out requests received through that method. The law allows, but does not require, controllers to respect passive opt-out requests sent through a universal opt-out mechanism. To the extent a controller decides to respond to such an opt-out, however, the onus is on the controller to determine whether the opt-out signal being transmitted to its website meets the technical specification requirements and to then configure its website to respond.
Upcoming Changes for Controllers
Under the express terms of the CPA, as of July 1, 2024, the opt-out requirements for controllers will change such that all controllers subject to the CPA will be required to comply with opt-out requests delivered passively through universal opt-out mechanisms that have been recognized to meet the Attorney General’s standards.
To ease the burden, the Colorado Attorney General is required to publish, no later than January 1, 2024, a list of universal opt-out mechanisms recognized to comply with the CPA Rules. To that end, the Attorney General sought and accepted applications for these mechanisms and selected a narrow list of potential mechanisms for consideration that it published in the Shortlist released on November 21.
The Attorney General’s Shortlist
The shortlist includes three mechanisms; the obvious standout being the Global Privacy Control, or GPC. As many will recall, GPC has been recognized by the California Attorney General as a legally binding opt-out mechanism under the CCPA for more than two years. Failure to comply with opt-out requests transmitted via GPC signal was even the subject of the Attorney General’s Office’s first public enforcement action against Sephora.
California’s previous recognition of GPC signals as a valid method for consumers to exercise opt-out rights under CCPA, coupled with the reality that businesses subject to that law are likely (or should be) already set up to recognize and respond to those signals, makes it highly likely that GPC will end up on the Colorado Attorney General’s final list. As such, controllers subject to the CPA should take a moment as we head into 2024 to double-check that they are prepared to recognize and respond to GPC signals.
The other two mechanisms on the Attorney General’s shortlist are less well-known. Neither has been formally recognized by a state regulator, and both are offered by what appear to be early-stage companies. And notably, they appear carefully designed to act outside of the browser signal space occupied by GPC.
OptOutCode, for example, describes itself as a “concept” presented by an automotive privacy-tech company. The company, Privacy4Cars, states that OptOutCode is “truly universal” in that it “is compatible with smartphones, laptops, tablets, routers, the apps that run on them and the IoTs they connect to, including vehicles, smart appliances, tracking beacons, and more.” Under OptOutCode’s proposed mechanism, consumers must change the name of their device (such as an iPhone) to include “0$S” as the first three characters of the device name to indicate they intend to opt out of the sale of their personal information and processing of their personal information for targeted advertising. Those characters act as an “opt-out code” that businesses can, in turn, read locally and parse from each device by querying the device name to recognize consumers that wish to opt out before responding to their requests accordingly.
The Opt-Out Machine, by contrast, relies primarily on email correspondence to convey consumer’s opt-out requests. To use the Opt-Out Machine, a consumer must first sign up for the Opt-Out Machine service. According to Known Privacy, the company behind this mechanism, “[t]he individual provides identifying data to match records against those held in 3rd party databases, grants limited power of attorney for the tool to exercise data and privacy rights requests (only) and then [Opt-Out Machine] initiates the process of proactively opting out to 3rd parties, such as data brokers.” To respond to opt-out requests transmitted by this mechanism, controllers make an email address to receive requests publicly available and then monitor that address to respond to the consumer rights requests they receive.
What to Expect Going Forward
While the Attorney General is soliciting feedback on these proposed opt-out mechanisms, a finished list of universal opt-out mechanisms that meet the standards of the CPA Rules must be published by January 1, 2024, ahead of C.R.S. § 6-1-1306(1)(a)(IV)(B)’s July 1, 2024, effective date. Thus, businesses that are subject to the Colorado Privacy Act will need to reexamine their practices to ensure they have built out technical capabilities sufficient to recognize and respond to any universal opt-out mechanisms that the Attorney General chooses to approve.
