Aspects of enacted and enforceable comprehensive U.S. state privacy laws are beginning to land with businesses. The latest example comes from Colorado, where covered entities under the Colorado Privacy Act became subject to rules and requirements for recognition of universal opt-out mechanisms 1 July.
Colorado's law was approved 7 July 2021 and took force 1 July 2023. However, the law offered companies an additional one-year grace period to prepare for UOOM adherence specifically, which included additional regulations finalized 15 March 2023 under the Colorado attorney general's office's rulemaking authority.
The opt-out method provides a signal to applicable companies that communicate consumers' choice to opt-out of having their data collected or sold. Such mechanisms aim to streamline acknowledgement of user preferences, removing the consumer burden of indicating consent choices with each individual website visit.
Colorado is not an outlier with its provisions on UOOMs. The push to protect consumer data and the rising debate over targeted advertising practices led California, Connecticut, Delaware, Oregon, Montana, New Hampshire and New Jersey to also require businesses to comply with UOOM signals.
The Colorado Attorney General's Office accepted the Global Privacy Control as a state-recognized opt-out method that lets consumers download a browser extension to stop web-tracking. The GPC is the lone UOOM method approved in Colorado, which took applications and considered a "shortlist" of options and public comment before ultimately landing on the GPC alone.
Colorado Attorney General Phil Weiser told the IAPP that UOOM requirements can be an important way for consumers to "be in charge of their data."
The enforcement angle
The use of opt-out mechanisms aim to prevent businesses from using consumer data in ways that are "not disclosed or even contrary from what they’re telling consumers," Weiser said. "We’re telling responsible businesses 'You don’t have to compete with irresponsible businesses who are cutting corners or treating consumers badly.'"
Through the initial stages of the UOOM requirements rollout, Weiser said Colorado will be "overseeing the marketplace” to identify any potential issues. He emphasized the importance of consumer protection, which he said could be upheld by "educating consumers, educating businesses, and engaging in broker enforcement."
Electronic Frontier Foundation Staff Technologist Lena Cohen said businesses must ensure third-parties with content on their website are also complying with GPC signals. Organizations must "respect GPC signals and not force users to go through confusing cookie banners when they’ve already expressed their preference about data sharing through the GPC," she said.
Cohen claimed some states with rules around the GPC, and UOOMs in general, lack the enforcement actions needed to hold businesses accountable. UOOMs can only benefit consumers if they are "enforced meaningfully to advance consumer privacy," she said. "It's necessary for privacy laws like these to have bite and make sure that there is some way to ensure companies do not ignore them."
Enforcement trends may change as other state laws become effective. To this point, only California has taken action. The first-ever California Consumer Privacy Act enforcement action, a USD1.2 million settlement with retailer Sephora, included allegations the company did not respond to opt-out requests or adhere to the GPC requirements within a 30-day cure period.
Compliance considerations
GPC-accepted browsers and web extensions include Firefox, DuckDuckGo Privacy Browser and the Electronic Frontier Foundation's Privacy Badger. The use of these browsers could be a straightforward way for consumers to opt out of having their data collected by multiple companies. The goal is for companies to provide consumers with transparency, helping individuals avoid potentially harmful collection with a stable and predictable privacy system.
Colorado residents can download the approved GPC browser extensions on the GPC website. The list of approved UOOMs is expected to grow beyond GPC as new mechanisms are vetted and approved by Weiser's office.
Husch Blackwell Associate Shelby Dolen, CIPP/US, said while the UOOMs may benefit consumers with reduced targeted advertising and website tracking, businesses could struggle to adapt to a variety of U.S. state and international privacy laws.
Dolen noted some companies are relying on cookie management providers and vendors to recognize the GPC signal. "Although clients are using these cookie management tools, it kind of comes with not only needing to recognize the signal … but also staying up to date with all the other issues going on within the space," Dolen said.
The Future of Privacy Forum produced an October 2023 study of UOOMs and their availability. Eight GPC-endorsed tools were identified and analyzed in terms of operationalization and effectiveness.
Among its observations, FPF found default settings post-installation differed "significantly" among the eight tools, "potentially creating consumer confusion in switching from one service to another." It also explained that each tool "significantly differ in configuration options for when and where to send the GPC signal."
Lexie White is a staff writer for the IAPP.