Colorado AG Publishes Shortlist for Universal Opt-Out Mechanisms
The Colorado Privacy Act (CPA) gives consumers, among other rights, the right to opt out of the sale of personal data and the processing of personal data for targeted advertising. This opt-out can be done “including through a technology indicating the consumer's intent to opt out such as a web link indicating a preference or browser setting, browser extension, or global device setting,” according to the CPA.
What this means for you is that, as of July 1, 2024, if your organization is covered by Colorado’s privacy law, you will be required to allow consumers to opt out using a Universal Opt-Out Mechanism (UOOM).
On November 21, 2023, the Colorado Attorney General published a shortlist of Universal Opt-Out Mechanisms (UOOMs) that are being considered. Applications for inclusion on this list were accepted earlier, and the final three are now published, with public feedback expected between now and December 11, 2023. This is in line with the CPA Rules, which mandate that the Attorney General will “maintain a public list of Universal Opt-Out Mechanisms that have been recognized to meet the standards of this subsection,” and that the list “shall be released no later than January 1, 2024, and shall be updated periodically.”
Below we look at the three applicants. Their applications can now be consulted on the official website of the Colorado Attorney General, where the public can also leave comments on any of the three candidates.
OptOutCode by Privacy4Cars
According to the application, this UOOM has 4 distinguishing characteristics which make it stand out from any other such mechanism: it is universal, fully decentralized, consumer-friendly, and business-friendly. What this means is that it is “compatible with smartphones, laptops, tablets, routers, the apps that run on them and the IoTs they connect to, including vehicles, smart appliances, tracking beacons, and more, [it] does not require to build, maintain, query, or secure a central database of opting-out users, devices, or apps,” it can easily be configured by consumers by simply renaming their device by adding a predetermined set of characters before the name of the device, and “businesses can easily read and parse the opt-out code from each device using backward and future proof protocols that require no special authorizations.”
In plain English, this opt out mechanism would work the following way:
OptOutCode simply requires a device owner to modify the name of a device by adding the standardized prefix “0$S”. For example, the owner of a smartphone would opt-out of the sale or sharing of their personal data collected by their phone, by the apps running on their phone, and by the IoTs connected to their phone by simply turning OptOutCode on their phone, e.g., by changing the name of their phone from "My Phone" to "0$S My Phone." In order for it to work, OptOutCode must be turned on in at least one of two devices that are paired wirelessly, or on the device that runs apps or other software. For all intents and purposes, Consumers should be able to opt out from most if not all “Targeted Advertising or the Sale of Personal Data” by renaming three devices: their smartphone, their personal computer, and their home router.
The specification can be summed up as follows:
- “The Consumer renames their device by adding “0$S” as the first three letters in the device name.
- Businesses read the name of the device using established IT protocols, determine if the name starts with “0$S” and, if so, consider it an opt-out.”
For example, in the case of an app running on a smartphone, “if a Consumer downloads an app (for instance, a game or a social media app) on a smartphone that has OptOutCode on, the app can read the name of the smartphone it is installed on without requesting special permissions, parse the first three letters, and if the name of the smartphone starts with “0$S”, it can interpret it as a signal that the user wants to opt out.”
As regards other US states whose privacy laws recognize UOOMs or signals, the OptOutCode application states that, at the time of writing, the tool meets all the requirements to comply with the following:
- California Consumer Privacy Act effective now;
- Colorado Privacy Act effective now;
- Texas Data Protection Act becomes effective on 07/01/2024;
- Connecticut Data Privacy Act effective now;
- Delaware Privacy Act becomes effective on 01/01/2025;
- Montana Consumer Data Privacy Act becomes effective on 10/01/2025;
- Oregon Consumer Privacy Act becomes effective on 01/01/2026.
Global Privacy Control (GPC) application
This application was submitted on behalf of Consumer Reports, DuckDuckGo, Robin Berjon (former editor of the GPC spec), Raptive, Digital Content Next, and Sebastian Zimmeck (Assistant Professor of Computer Science, Wesleyan University and GPC co-founder), and in layman’s terms it would work the following way:
Global Privacy Control is a browser-level privacy signal designed to allow Internet users to notify businesses of their preference to not have their data be sold or shared, or used for cross-context behavioral advertising. People can activate GPC by toggling a browser privacy setting or installing an extension for their browser. When people have turned on GPC, the browser or extension will automatically send a signal to each website the user visits broadcasting that user’s preference not to have their information sold or shared, or used for cross-context behavioral advertising. A user agent's Global Privacy Control setting is attached to HTTP requests as the Sec-GPC request header. This header's value will be "1" if enabled, and not present otherwise.
This functionality is already built into or supported by web browsers and browser extensions such as Firefox, Brave, or DuckDuckGo. Where it is not already installed and/or supported, users would actively have to download one of these web browsers and install an extension, then toggle the privacy setting to reflect their desire not to have their personal data sold or shared. Additionally, while GPC was initially developed for web browsers, it can easily be carried over to other environments such as mobile devices, payment services, or other IoT (Internet of Things) platforms.
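The two machine-readable signals described above, the OptOutCode device-name prefix and the GPC Sec-GPC request header, can be checked together on the receiving side. The following is an added example, not code from either application or from the GPC specification; the function names, the header map shape, and the sample device names are assumptions constructed for illustration.

```javascript
// Added example: names and sample inputs are constructed, not from the applications.
const OPTOUTCODE_PREFIX = "0$S"; // prefix quoted from the OptOutCode application

// HTTP header names are case-insensitive, so compare them lowercased.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers || {})) {
    if (key.toLowerCase() === wanted) return String(value);
  }
  return undefined;
}

// GPC: per the description above, the value is "1" when enabled and the
// header is absent otherwise. Any other value is not treated as a signal here.
function gpcOptOut(headers) {
  const value = getHeader(headers, "Sec-GPC");
  return value !== undefined && value.trim() === "1";
}

// OptOutCode: the prefix must be the first three characters of the name.
// Exact, case-sensitive matching is an assumption; the page does not say
// whether variants such as "0$s" count.
function deviceNameOptOut(deviceName) {
  return typeof deviceName === "string" && deviceName.startsWith(OPTOUTCODE_PREFIX);
}

// Combine both signals. deviceNames holds the device the software runs on and
// any wirelessly paired devices; one prefixed name is enough, as the
// application says OptOutCode needs to be on at least one of the two.
function evaluateOptOut({ headers = {}, deviceNames = [] } = {}) {
  const signals = [];
  if (gpcOptOut(headers)) signals.push("GPC");
  if (deviceNames.some(deviceNameOptOut)) signals.push("OptOutCode");
  return { optOut: signals.length > 0, signals };
}

// Constructed sample inputs.
console.log(evaluateOptOut({ headers: { "sec-gpc": "1" } }));
console.log(evaluateOptOut({ deviceNames: ["Car Stereo", "0$S My Phone"] }));
console.log(evaluateOptOut({ headers: { "Sec-GPC": "0" }, deviceNames: ["My Phone"] }));
```

Recording which signal triggered the opt-out, rather than only a boolean, makes it possible to show later which mechanism a given request was honored under.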
As regards other US privacy laws, GPC has already been recognized as a valid and legally binding opt out in California, and per the application it is also “likely to comply with the requirements of all other US jurisdictions that currently provide for universal opt-out mechanisms” which would include the US state privacy laws mentioned earlier:
- California Consumer Privacy Act effective now;
- Colorado Privacy Act effective now;
- Texas Data Protection Act becomes effective on 07/01/2024;
- Connecticut Data Privacy Act effective now;
- Delaware Privacy Act becomes effective on 01/01/2025;
- Montana Consumer Data Privacy Act becomes effective on 10/01/2025;
- Oregon Consumer Privacy Act becomes effective on 01/01/2026.
The Opt-Out Machine by Known Privacy
This UOOM is an online service provided by Known Privacy and in simple English, according to the application submitted, it would work as follows:
The purpose of the Opt-Out Machine is to proactively engage companies that have in the past collected 1st, 2nd or 3rd party data about individuals to request that they stop selling that personal data, send a copy of that data back to the individual, or delete it. [...]
It does this proactively at scale, automatically, so that individuals do not need to visit hundreds or thousands of entities separately, fill out hundreds or thousands of forms, or verify their identities hundreds or thousands of times required by each entity. [...]
The primary mechanism the Opt-Out Machine uses is email correspondence. We are advocating that if a company receives an email as the form of Opt-Out Mechanism, it must honor that email to be in compliance with the CPA. [...]
It may in the future use Robotic Process Automation (bots, either traditional or AI powered) to automatically fill out forms, but this creates its own set of challenges. [...]
Consumers would have to “Sign up for the Opt-Out Machine service, either as an employee of a company, or as an individual. The Opt-Out Machine then reaches out proactively to likely holders of consumer data via email, primarily Data Brokers. The individual provides identifying data to match records against those held in 3rd party databases, grants limited power of attorney for the tool to exercise data and privacy rights requests (only) and then initiates the process of proactively opting out to 3rd parties, such as data brokers. [...]
Controllers would have to “make an email address publicly available and then monitor it.”
In order to determine that the consumer making use of the UOOM is a resident of the state of Colorado, consumers would be asked “to provide their physical address as a data matching mechanism” and in some cases, even “to provide proof of identity, which the Opt-Out Machine verifies with a 3rd party service provider” after which “the Opt-Out Machine notifies the Controller that it has done that identity verification.”
As regards compliance with other US privacy laws, this opt-out mechanism has “mostly relied on the CPRA as the primary benchmarks for what privacy law will look like” and the UOOM’s creators interpreted the CPRA to mean that “email is an acceptable form of communication to make Opt-Out Requests and other data or privacy rights requests. It is possible for others to interpret the statutes in such a way as to make counter arguments, but these are certainly not within the spirit of the law.”
As a final remark, the UOOM’s creators submitted the following for the Colorado AG’s consideration:
The way that privacy laws are currently constructed, consumers can’t practically leverage them. There are over 500 hundred data brokers listed in state-level registries (in CA and VT) that collect consumer data without the genuine understanding, knowledge or permission from those consumers.
Businesses that collect this data at scale all direct consumers to fill out a form and make them jump through a series of hoops to exercise their privacy rights. Businesses insist on reducing their cost of compliance by shifting the burden to Consumers and making them fill out forms.
No consumers will fill out hundreds of forms or verify their identity hundreds of times.
We are advocating that if a company receives an email as the form of Opt-Out Mechanism, it must honor that email to be in compliance with the CPA.
How can Clym help?
Clym helps to keep your website compliant with GDPR requirements, as well as 40+ other global regulations. Clym offers the following:
- All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
- Seamless integration into your website;
- Adaptability to your users’ location and applicable regulation;
- Customizable branding;
- ReadyCompliance: Covering 30+ data privacy regulations;
- Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customize their individual experience.
See Clym in action for yourself by booking a demo or reaching out to us to discuss your specific needs today.