What’s up with the Colorado Privacy Act?

Updated March 20, 2023.

Colorado has announced the Colorado Privacy Act rules are final. What is Colorado’s privacy law and how does it impact you? We’ve got the answers to all your questions below.

When does the Colorado Privacy law go into effect?

The Colorado Privacy Act (CPA) will become effective on July 1, 2023 — though certain provisions, like the requirement to recognize universal opt-out mechanisms, won’t go into effect until 2024.

What is the Colorado Privacy Act? Is it the same as the California laws and the new Virginia law?

Colorado’s new law is similar to the Virginia Consumer Data Protection Act (CDPA) and the California privacy laws (the California Consumer Privacy Act (CCPA) and the forthcoming California Privacy Rights Act (CPRA), effective in January 2023, and with a look-back to January 2022). 

Among the similarities, it provides consumer rights, allowing consumers to access, delete, and correct personal data, as well as opt-out of the processing of personal data for the purposes of targeted advertising, sale or profiling. 

So Colorado, Virginia and California all require opt-outs for targeted advertising? 

Under Virginia’s law we saw the opt-out for targeted advertising become explicit, whereas under CCPA, the language referenced the “sale” of personal information—so there was some question about whether targeted advertising constituted a sale. This was later clarified in CPRA, also known as CCPA 2.0. The passage of the Colorado and Virginia laws seem to indicate that this opt-out requirement is likely to continue throughout the US. 

How does Colorado define targeted advertising? Does this only apply to cross-site/cross-app advertising? 

Yes, under the Colorado law, consumers can opt-out of any advertising displayed to a consumer that is selected based on personal data obtained or inferred over time from the consumer’s activities across nonaffiliated sites, apps, etc. to predict consumer preferences or interests. Their definition of targeted advertising is similar to Apple’s notion of “tracking,” referring to behaviorally targeted advertising that occurs cross-site or cross-app. Under Colorado, consumers can’t opt out of any advertising based on activities within a controller’s own websites or apps, although the consumer can request deletion of any personal data concerning the consumer. 

Does Colorado have a provision that requires recognition of global opt-outs?

It will require recognition of opt outs through “user-selected universal opt-out mechanisms” , but that requirement won’t go into effect until 2024. More details can be found in the official Colorado Privacy Act Rules, which were finalized in March 2023. California requires recognition of global privacy controls as well. Virginia, on the other hand, does not have such a provision, though that could always change in the future. 

If a consumer has a global opt-out enabled, can a specific website ask the user to opt-in? 

The Colorado law explicitly allows for informed user consent to override the opt-out signal on a site specific basis. But consumers must be able to revoke consent as easily as providing it. 

How is the Colorado law going to impact the advertising industry? The global opt-out requirement sounds like a big change?

Based on our experience with CCPA so far, universal opt-out signals aren’t that prevalent. It’s a pretty small portion of the population who will be implementing those settings. However, this could change as more browsers adopt GPC support. As more states start to require it, we could see more of an impact as awareness grows among consumers. 

How will the Colorado law be enforced? What do the penalties look like?

Unlike CPRA, it does not require the creation of a specific enforcement agency, and will be enforced by the state Attorney General and district attorneys. It does not include a private right of action. The cure period is 60 days until January 1, 2025. The penalty is a hefty $20,000 per violation. 

How will Sourcepoint and its clients need to adapt in order to comply with the Colorado law?

In many ways, the Colorado law reflects how quickly the creation of US state privacy laws have evolved since CCPA.  So far, the industry’s reception of the law has been more positive. There are fewer gray areas than there appeared to initially be under the California law, though customers should be prepared now, as it goes into effect on July 1, 2023.

However, when this law was passed, as well as the Virginia law, everyone was thinking it would go into effect after Chrome deprecated the third-party cookie. Many companies seemed to be thinking they would tackle the deprecation of the third-party cookie first — and then think about the law. 

But now with Google’s most recent delay announced, there will be a period of time where the third-party cookie isn’t deprecated yet and the new laws are already in effect. 

Smart companies are dealing with compliance now, as well as preparing to say good-bye to the third-party cookie. Thinking about this holistically, and building a privacy program that will work both now and then, will make it a lot easier to approach new, similar laws as they roll out across the US.  

To learn more about how Sourcepoint is best positioned to help you prepare for emerging privacy regulations like the Colorado Privacy Act, contact us.

Disclaimer: The information above is provided for general, informational purposes only, does not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.