While the Colorado Privacy Act (CPA) has already been in effect, as of July 1, 2024, companies that meet the threshold compliance criteria for CPA and that engage in the processing of personal data for purposes of targeted advertising or the sale of personal data ("covered entities") must implement a universal opt-out mechanism, which allows users to more easily exercise their opt-out rights with these covered entities. Specifically, a universal opt-out mechanism allows a user to configure their internet browser settings, and as a result, the websites the user visits from that browser automatically receive the user's opt-out signal. As of July 1, 2024, covered entities must recognize and honor a user's opt-out preferences where communicated through a universal opt-out mechanism.
As required under CPA Rule 5.07, the Colorado Attorney General's Office published a public list of universal opt-out mechanisms that it determined met the requisite opt-out standards. At present, there is only one mechanism included on this list, which is the Global Privacy Control. The list is not however comprehensive and there is no exclusion on using other opt-out mechanisms, as long as they meet the CPA requirements.
Of note, the California Consumer Privacy Act (CCPA) requires companies to provide consumers with two mechanisms to opt out of the sale of their personal information or sharing for the purposes of targeted advertising.The California Attorney General has taken the position that requests to opt out using the Global Privacy Control must be honored by covered businesses as a valid consumer request to stop the sale or sharing of personal information.As such, companies that fall under the scope of CCPA should already be compliant with this opt-out mechanism.Accordingly, companies that are compliant with CCPA, as amended, should likewise meet the universal opt-out mechanism requirements of the Colorado law.
For a business that is not subject to California privacy laws but is a covered entity under the Colorado Privacy Act, it is important to take steps to ensure compliance with the universal opt-out mechanism and other CPA requirements.
As a reminder, Colorado's privacy law applies to any entity that either conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to Colorado residents and satisfiesone or bothof the following thresholds:
- Controls or processes the personal data of 100,000 or more Colorado residents in a calendar year; or
- Derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 or more Colorado residents.
For More Information
If you have any questions about this Alert, please contact Michelle Hon Donovan, Sandra A. Jeskie, Ariel Seidner, any of the attorneys in our Privacy and Data Protection Group or the attorney in the firm with whom you are regularly in contact.
Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.