Colorado adopts universal opt-out requirements

The Colorado Privacy Act (CPA) requires that beginning on July 1, 2024, businesses provide consumers with the ability to opt-out of the use of targeted advertising cookies using a Universal Opt-Out Mechanism (UOOM).^[1]A UOOM is a digital tool, used either on a desktop or a mobile device, that enables a consumer to configure their device to automatically opt-out of the use of targeted advertising cookies.  The CPA Regulations provide that the Attorney General shall “maintain a public list of Universal Opt-Out Mechanisms that have been recognized to meet the standards of this subsection,” and this list must be “released no later than January 1, 2024, and shall be updated periodically.”^[2]As of January 1, 2024, the Attorney General has provided a very short list –only a single UOOM, the Global Privacy Control, is currently identified.

Between October 5 and November 6, 2023, the Colorado Department of Law accepted applications from potential UOOMs and whittled the applications down to an initial shortlist of three potential UOOMs. These were:

• OptOutCode, a mechanism designed for vehicles where consumers can opt-out of the collection of information obtained through consumers’ operation of their cars, which was proposed to be adapted for use with desktop and mobile devices;
• Global Privacy Control, the widely-used UOOM that allows consumers to toggle a “switch” on their web browser to prevent the sharing of their personal information for targeted advertising purposes; and
• Opt-Out Machine, a comprehensive mechanism enabling consumers to opt-out of personal information use for multiple businesses at once via an autogenerated email sent to the businesses.

The Department accepted comments on each UOOM’s application until December 11, 2023. Generally, the comments highly favored Global Privacy Control over OptOutCode and Opt-Out Machine. For example, the Colorado Chamber of Commerce expressed concern that the technical implementation of OptOutCode would require extensive design and testing,^[3]and also raised concerns that Opt-Out Machine exceeds the required scope of opt-out for a UOOM by including other data subject rights such as deletion and access within its functionality.^[4]The Network Advertising Initiative (NAI) did not support OptOutCode either, referring to potential difficult implementation issues, but also to the fact that the UOOM was initially developed as a proprietary method used for vehicles and had not been expanded to the broader online environment with participation from other stakeholders such as consumers, developers, publishers, or advertisers.^[5]Further, the NAI did not support Opt-Out Machine based on the argument that it functioned as an authorized agent service to assist consumers in exercising their data subject rights, not simply a UOOM.^[6]

On the other hand, Global Privacy Control’s application was broadly supported. It was endorsed by the NAI,^[7]Future of Privacy Forum,^[8]the Electronic Privacy Information Center,^[9]and the California Privacy Protection Agency,^[10]among others. Consequently, on January 1, 2024, the Department issued its final list, which included only a single UOOM – the Global Privacy Control. Nevertheless, the Regulations do require the CO Attorney General to update the list periodically, so other UOOMs may be recognized in the future.

Companies subject to the CPRA should already be familiar with the Global Privacy Control and should already have a mechanism to recognize this UOOM. However, if your business is subject to the CPA and does not as yet recognize the Global Privacy Control, you should take steps to ensure compliance by July 1, 2024. The Colorado Attorney General’s website provides links for the Global Privacy Controls’ technical specifications, as well as an implementation guide. Commonly implemented cookies management services are often able to assist in addressing these mechanisms but do generally require certain engagement with the provider to make sure that the solution is configured appropriately.