The Colorado Privacy Act goes into effect on July 1, 2023, and the regulations have been finalized. Here are some things you should know!
Users Have the Right to Opt-Out of Targeted Advertising
Just like California, users in Colorado have the right to opt-out of what most would consider traditional online behavioral advertising and retargeting. Colorado also considers this “selling” personal information. Marketers, you are on notice: as of July 1 you must have a mechanism that allows both identified and pseudonymous users from Colorado to be able to opt-out of these activities.
“1. A Controller that Sells Personal Data or Processes Personal Data for Targeted Advertising must also provide a clear and conspicuous method for Consumers to exercise the right to opt out of the Processing of Personal Data for each or all of the OptOut Purposes, as applicable.
a. The clear, conspicuous method must be provided either directly or through a link, in a clear, conspicuous, and readily accessible location outside the privacy Notice.” (Page 7)
“Any clear and conspicuous method for Consumers to exercise the right to opt out of Processing for the Opt-Out Purposes, provided pursuant to this section, must comply with the requirements of 4 CCR 904-3, Rule 4.02(B). If a link is used, it must take a Consumer directly to the opt-out method and the link text must provide a clear understanding of its purpose, for example “Colorado Opt-Out Rights,” “Personal Data Use Opt-Out,” “Your Opt-Out Rights,” “Your Privacy Choices,” or “Your Colorado Privacy Choices.” (Page 8)
If you read my article on the CPRA draft, you’ll notice a common thread from the Colorado Act. A “Your Privacy Choices” button or link on all pages of your website (i.e. the footer) is an acceptable location to launch a consent management experience for users to “opt-out” of targeted advertising. Pro tip: This will comply with both California and Colorado!
Colorado Requires Adherence to Universal Opt-Out Mechanisms
Colorado, like California, will require that your website responds to privacy signals from browsers so users may opt-out of targeted advertising. Colorado is not specifically mentioning Global Privacy Control, but they are referencing universally acceptable standards, and those with high “consumer adoption.” Since GPC is the most prevalent standard to date, likely your website will need to respond to Global Privacy Control signals from Colorado users. The finalized draft mentions that a formal list of required “Opt-Out Mechanisms” will be supplied in six months, and this requirement will not go into effect until July 1, 2024.
“A. The Colorado Department of Law shall maintain a public list of Universal Opt-Out Mechanisms that have been recognized to meet the standards of this subsection. The initial list shall be released no later than January 1, 2024 and shall be updated periodically.
B. The goal of the public list is to simplify the options facing Controllers, Consumers, and other actors.
C. To be recognized, a Universal Opt-Out Mechanism must at a minimum meet these standards:
1. Comply with all of the technical and other specifications of Rule 5; and
2. Not create Consumer or Controller confusion about the similarities and differences between Universal Opt-Out Mechanisms on the public list.”
A. Effective July 1, 2024,
- A Controller that receives an opt-out request through a Universal Opt-Out Mechanism shall treat such as a valid request to opt out of the Processing of Personal Data for purposes of Targeted Advertising, Sale of Personal Data, or both purposes, as indicated by the mechanism, for the associated browser or device, and, if known, for the Consumer.” (Page 16)
In summary, opt-out preference methods/signals are here to stay; two states have now formally required them. The hope of both California and Colorado is that users can browse the web and send privacy wishes to websites without the need to interact with banners from each website they visit. Be prepared to have your website comply with this requirement!
The Privacy Notice Requirement Is Similar to California’s
“A. A privacy notice must include the following information:
- A comprehensive description of the Controller’s online and offline Personal Data Processing practices, including but not limited to the following, linked in a way that gives Consumers a meaningful understanding of how each category of their Personal Data will be used when they provide that Personal Data to the Controller for a specified purpose:
a. The categories of Personal Data Processed, including, but not limited to, whether Personal Data of a Child or other Sensitive Data is Processed.
- Categories shall be described in a level of detail that provides Consumers a meaningful understanding of the type of Personal Data Processed. For example, categories of Personal Data described at a sufficiently granular level of detail include, but are not limited to: “contact information,” “government issued identification numbers,” “payment information”, “Information from Cookies,” “data revealing religious affiliation,” and “medical data.”
b. The Processing purpose described in a level of detail that gives Consumers a meaningful understanding of how each category of their Personal Data is used when provided for that Processing purpose.
c. Whether the Personal Data provided for a specific purpose will be sold or used for Targeted Advertising or Profiling in furtherance of Decisions that Produce Legal or Similarly Significant Effects Concerning a Consumer.
d. Categories of Personal Data that the Controller Sells to or shares with Third Parties, if any.
e. Categories of Third Parties to whom the Controller sells, or with whom the Controller shares Personal Data, if any. Categories of Third Parties must be described in a level of detail that gives Consumers a meaningful understanding of the type of, business model of, or processing conducted by the Third Party.
- For example, categories of Third Parties described in a sufficiently granular level of detail include, but are not limited to: “analytics companies,” “data brokers,” “third-party advertisers,” “payment processors,” “lenders,” “other merchants,” and “government agencies.”
- If a Controller’s Processing activity involves the Processing of Personal Data for the purpose of Profiling in furtherance of Decisions that Produce Legal or Similarly Significant Effects Concerning a Consumer, all disclosures required by 4 CCR 904-3, Rule 9.03.
- A list of the Data Rights available.” (Page 18-19)
This is all very similar to California’s requirement, and Colorado is even mentioning you do not need to have a separate policy just for Colorado:
“B. A Controller is not required to provide a separate Colorado-specific privacy notice or section of a privacy notice as long as the Controller’s privacy notice meets all requirements of this section and makes clear that Colorado Consumers are entitled to the rights provided by C.R.S. § 6-1-1306.” (Page 17)
If you are disclosing data collection to consumers properly for California, you are likely going to be for Colorado as well.
One final reminder: at InfoTrust we are trusted advisors in the area of analytics, governance, privacy, and more—but not lawyers! We recommend that you consult with a lawyer when making decisions about the law. We do offer services that can benefit your organization when working through these decisions, such as privacy audits, Tag Inspector, tag management services, and consent management configuration. Let us know how we can help!
**Important – The information covered in this article is not intended to be legal advice or counsel. You should not act or refrain from acting on the basis of any content included in this article regarding legal compliance without obtaining appropriate legal guidance. The contents of this article contain general information related to various laws and regulations, but may not reflect your current situation. In addition, applicable laws and regulations regularly change. This is particularly true with respect to data privacy laws and regulations. Therefore, any laws and regulations described or otherwise referenced in this article may not be current when you read the article or even at the time of publication. We disclaim all liability for actions you take or fail to take based on anything in this article. Any action you take or any action you refrain from taking based on the information in this article is entirely at your own discretion and risk.**