Attention Colorado Businesses! As of July 1, 2024, the Colorado Privacy Act (CPA) requires businesses covered by the law to offer a new way for consumers to control their data: the Universal Opt-Out Mechanism (UOOM). This consumer-centric update aligns with the CPA Rules and the CPA's goals of transparency and empowers Colorado residents with more control over their personal information. This blog post will guide you through what your business needs to know to comply with the UOOM and maintain consumer trust in the digital age.
What is a Universal Opt-Out Mechanism?
A universal opt-out mechanism (UOOM) allows consumers to easily opt out of data processing activities, such as targeted advertising and the sale of personal data. Instead of making individual requests to each business, consumers can use a single setting or tool (like a browser extension) to signal their privacy preferences across all businesses.
On November 21, 2023, the Colorado Attorney General published a shortlist of Universal Opt-Out Mechanisms (UOOMs) that were being considered. Applications were accepted for the establishment of this list, and the three best options were published, with public feedback expected until December 14, 2023, after which Global Privacy Control (GPC) was chosen as the finalist.
What is Global Privacy Control (GPC)?
The Global Privacy Control application was submitted on behalf of several privacy-focused organizations, including Consumer Reports and DuckDuckGo, and notable individuals like Robin Berjon and Sebastian Zimmeck. Here's how it works:
- Functionality: GPC is a browser-level privacy signal that allows Internet users to notify businesses of their preference not to have their data sold, shared, or used for cross-context behavioral advertising. Users can activate GPC by toggling a browser privacy setting or installing a browser extension.
- Implementation: When GPC is enabled, the browser or extension automatically sends a signal to each website the user visits, indicating their preference. This signal is attached to HTTP requests as the Sec-GPC request header, with a value of "1" if enabled.
- Support: GPC is currently supported by browsers and extensions like Firefox, Brave, and DuckDuckGo; users need to download and install these tools to activate GPC. While initially developed for web browsers, GPC can also be transferred to other environments, such as mobile devices and IoT platforms.
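As an added illustration (not code from Clym or the GPC project), here is one way a site's server side could detect the Sec-GPC header described above and withhold the tags tied to sale, sharing, or targeted advertising. The purpose names and tag URLs are hypothetical; the `Vary` response header keeps a shared cache from serving the tracker-bearing page variant to a visitor who sent the signal.

```javascript
// Added example: honoring the Sec-GPC request header on the server side.
// Purpose names and tag URLs below are hypothetical, constructed for illustration.

// Purposes the signal opts the user out of.
const OPT_OUT_PURPOSES = new Set(['sale', 'sharing', 'targeted_advertising']);

// Hypothetical third-party tags a site might embed, keyed by processing purpose.
const TAGS = [
  { src: 'https://analytics.example/first-party.js', purpose: 'site_operation' },
  { src: 'https://ads.example/retarget.js', purpose: 'targeted_advertising' },
  { src: 'https://broker.example/sync.js', purpose: 'sale' },
];

// True only when the request carries Sec-GPC with the exact value "1".
// Header names are case-insensitive; a repeated header may arrive as an array.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() !== 'sec-gpc') continue;
    const values = Array.isArray(value) ? value : [value];
    if (values.some((v) => String(v).trim() === '1')) return true;
  }
  return false;
}

// Decide which tags may be rendered for this request and which response
// headers are needed so a shared cache keeps the two page variants apart.
function buildResponsePlan(headers) {
  const optedOut = hasGpcSignal(headers);
  const tags = TAGS.filter((t) => !(optedOut && OPT_OUT_PURPOSES.has(t.purpose)));
  return {
    optedOut,
    scripts: tags.map((t) => t.src),
    responseHeaders: { Vary: 'Sec-GPC' },
  };
}

// Constructed sample requests (Node's http module lower-cases header names).
const withSignal = buildResponsePlan({ 'sec-gpc': '1', 'user-agent': 'sample' });
const withoutSignal = buildResponsePlan({ 'user-agent': 'sample' });
console.log(withSignal.scripts);
console.log(withoutSignal.scripts.length);
```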
With regard to other US privacy laws, GPC has already been recognized as a valid and legally binding opt-out in California, and per the application it is also “likely to comply with the requirements of all other US jurisdictions that currently provide for universal opt-out mechanisms”, which would include the US state privacy laws mentioned earlier:
What does your business need to do to comply?
- Recognize Opt-Out Signals: You should update your systems to detect and honor universal opt-out signals from consumers. These signals will typically come from browser settings or other user-enabled tools. Clym’s compliance tool can help solve this for you so you can avoid the headache.
- Update Privacy Policies: Clearly inform consumers about the new opt-out mechanism in your privacy policy. Make sure the information is easy to understand and accessible.
- Implement Technological Measures: Ensure your technology can process opt-out requests automatically. This might involve updates to your website, apps, and data management systems.
- Train Your Team: Educate your staff about the new requirements and how to handle opt-out signals properly. This includes customer service teams who may receive questions from consumers.
- Coordinate with Third Parties: Make sure any third-party vendors or partners you work with are also compliant with the new rules. This could involve updating contracts or agreements to include these new obligations.
What are the benefits of compliance with Colorado’s Universal Opt-Out Mechanism requirement?
- Consumer Trust: Showing that you respect consumer privacy can build stronger relationships and brand loyalty.
- Simplified Operations: Automating the opt-out process can streamline your data management practices.
- Avoid Penalties: Staying compliant helps you avoid potential fines and legal issues.
What are some challenges and their solutions?
- Technical Integration: Implementing new technology might be challenging. Consider working with privacy experts or consultants to get it right. Clym can help you with your business’ compliance needs so you won’t have to go through the hassle of figuring it out alone.
- Communication: Make sure your consumers understand the changes. Clear, simple communication will help avoid confusion and build trust.
The universal opt-out mechanism is a significant change in data privacy regulation. If your business hasn't started preparing for Colorado's universal opt-out mechanism, now is the time to act.
How can Clym help?
Clym helps to keep your website compliant with the CPA, as well as the GDPR and CCPA, along with 50+ other global regulations. Clym offers the following:
- All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
- Seamless integration into your website;
- Adaptability to your users’ location and applicable regulation;
- Customizable branding;
- Ready Compliance: Covering 30+ data privacy regulations;
- Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customise their individual experience.
See Clym in action for yourself by booking a demo, or reach out to us to discuss your specific needs today.