A lot of work needs to be done over the next few months to make the Colorado Privacy Act workable, businesses, nonprofits and consumer advocacy organizations said in a recent virtual forum.
The act, which was signed into law last year, aims to make it easier for Coloradans to control their personal information — giving them the ability to opt out of businesses selling or using their data for targeted advertising purposes. In addition to individual opt-out requests, the state wants to make it possible for residents to universally opt out of their data being collected, processed or sold.
It is this universal opt-out mechanism, or UOOM, that has become a focus of much concern for businesses, nonprofits and other entities that collect data from large numbers of users. They’re seeking more clarity from the state on how residents will signal their desire to opt out, who is responsible for verifying these requests, how these requests should be tracked and acknowledged, and the interoperability of global and individual opt-out requests.
Two potential methods of UOOM were discussed during the Thursday meeting — a browser-based approach that would inform websites not to collect a visitor’s data, and a list of names of people who have requested to universally opt out of the sale of their data — similar to “do not call” lists.
Both options may present operational challenges, particularly if not aligned with opt-out mechanisms currently being contemplated by other states, such as California and Connecticut, business representatives said in the meeting. While discussing possible technical solutions, some at the meeting pointed to existing browser-based tools, such as the Global Privacy Control function implemented by Mozilla’s Firefox browser, which tells websites when a user does not consent to have their personal information tracked or sold.
While this browser-based approach would be simple to use, the opt-out would be limited to the information the user shares in that browser and may not work on a mobile phone or in conjunction with other data-privacy tools. A “do not sell” list would provide a more concrete signal to companies that users do not want their data to be sold, but who would maintain it, how often it would be updated and how often businesses would have to query it are open questions.
“In the next two years, there will be a significant focus among a broad range of industry, government, and advocacy stakeholders in developing methods for complying with global opt-out requirements,” the global software industry trade association BSA, The Software Alliance, wrote in comments submitted to the Colorado Office of the Attorney General. “As Connecticut and California continue their own efforts to address the use of opt-out mechanisms, we encourage you to leverage the ongoing engagement by stakeholders and other regulators, to further support an interoperable approach to opt-out mechanisms in Colorado’s regulations.”
The Future of Privacy Forum, a consumer advocacy group, shared a similar message in its written comments, likewise urging Colorado to work with other states in developing its universal opt-out mechanism.
“Despite longstanding stakeholder efforts, at present, universal opt-out mechanisms remain a nascent concept in US privacy law,” the Future of Privacy Forum wrote. “As the first state to unambiguously establish the ability for consumers to exercise privacy rights through technological preference signals, Colorado has an important opportunity to establish principled rules and guidance that will drive the effective development and adoption of preference signals while promoting harmonization of consumer rights across state borders.”
The Colorado Privacy Act was signed into law by Gov. Jared Polis in July 2021, and draft rules were published last month. Two meetings hosted by the Colorado Department of Law are scheduled this week to share further feedback on the draft rules.