On November 21, 2023, the Colorado Attorney General (the “AG”) published a shortlist of potential universal opt-out mechanisms (“UOOMs”) that the AG is considering recognizing as binding under the Colorado Privacy Act (the “CPA”).
Beginning on July 1, 2024, the CPA will require covered controllers to comply with Colorado consumers’ requests to opt out of data sales and targeted advertising submitted through UOOMs that meet the technical specifications described in the CPA Rules. The concept is similar to California: If a consumer uses an AG-recognized UOOM, then when the consumer visits a website, the website must treat the consumer’s preferences – as transmitted by the UOOM – as a formal opt-out request. This in turn requires websites to have means in place for detecting UOOMs used by consumers, and for honoring UOOM-transmitted preferences – such as by deactivating certain cookies and trackers.
To help consumers and controllers understand which UOOMs meet such standards, the CPA requires the AG to publish and maintain a public list of UOOMs that controllers must process. The AG previously solicited applications for UOOMs to establish this list, and today’s shortlist represents the following three UOOM applications that the AG has selected for final consideration: (1) OptOutCode, (2) Global Privacy Control, and (3) Opt-Out Machine.
The AG will consider the public’s feedback when selecting the UOOMs that the final list will include. Interested parties can submit comments through Colorado’s UOOM portal, until 11:59pm (MST) on December 11, 2023. The AG is expected to publish the final list of qualifying UOOMs by January 1, 2024.
Alston & Bird’s Privacy, Cyber & Data Strategy Team will continue to monitor developments surrounding federal and state comprehensive privacy laws and provide updates. Please contact us if you have any questions.