Similar to other state consumer data protection acts enacted over the past two years, the Colorado Privacy Act (CPA) allows Colorado consumers to opt out of the sale of personal data and the processing of such data for targeted advertising purposes. Beginning on July 1, 2024, companies controlling personal data that fall within the purview of the CPA must allow consumers to opt out via a universal opt-out mechanism (UOOM).
Uniquely, CPA Rule 5.07 requires the Colorado Attorney General (AG) to vet potential UOOM technologies and maintain a public list of UOOMs that meet the standards of the CPA and that organizations can employ to effectuate the opt-out process. The rule requires the AG to publish the list by January 1, 2024, and to maintain and update it thereafter. At the beginning of October, the AG’s office solicited applications for UOOM technologies to be included on the list. The office has since narrowed the candidates and recently published three potential UOOMs for inclusion, specifically Global Privacy Control, Opt-Out Machine, and OptOut Code. The widely used Global Privacy Control was developed in response to California’s Consumer Privacy Act and is essentially a “switch” that consumers can toggle to prevent sharing of their personal information. It operates on browsers such as Mozilla Firefox and Brave, or can be installed as an extension on most other browsers. Opt-Out Machine is a comprehensive mechanism that allows a consumer to opt out of personal information use for several businesses at once with just one click. OptOut Code meanwhile is a mechanism designed solely for vehicles where consumers can opt out of information vehicle manufacturers collect through consumers’ operation of their cars. Further information on these UOOMs can be found on the Colorado AG’s website, where public comment on the three candidates will be accepted until December 11. The list and comment sites can be found at https://coag.gov/uoom/.
While the UOOM list requirement does not exist in most state consumer data protection acts, many acts do generally require that organizations employ data privacy controls to allow for the opt out of the sale of personal information for targeted advertising. The California Consumer Privacy Act, for example, requires that businesses provide two or more avenues for consumers to submit requests to opt out of personal information use. The Colorado, Connecticut, Delaware, Montana, Oregon, and Texas consumer data protection acts also broadly require that businesses utilize UOOMs as options for consumers. Still, this most recent Colorado AG action represents yet another state-specific measure among an increasing number that companies handling qualifying personal identifying information must consider.
Twelve states have now passed some form of a consumer data protection act, including California, Colorado, Connecticut, Delaware, Iowa, Indiana, Montana, Oregon, Tennessee, Texas, Utah, and Virginia. There is pending legislation to enact similar laws in Massachusetts, Michigan, New Jersey, Pennsylvania, and North Carolina. Generally, these acts all allow for greater consumer control of their personal information, including the ability to access it, delete it, control its use, and discover how a company utilizes it. They also impose security standards for maintaining and protecting the data and require up-front notification to consumers on how they will collect and use their data. Despite the overall similarities, this patchwork of state privacy laws does pose compliance challenges and increased liability exposure for companies with multistate operations. Not only do these laws contain smaller substantive variations among them, many grant additional rulemaking authority to various state agencies that are subsequently promulgating rules in rapid fashion.
For example, on November 27, the California Privacy Protection Agency released its regulatory framework for the use of artificial intelligence (AI) in decision making, which includes allowing consumers the right to opt out of and access information about an organization’s use of AI. The agency plans to finalize this framework in December and begin associated rulemaking next year. Find additional details here: https://cppa.ca.gov/announcements/2023/20231127.html.
As state developments in privacy regulation continue for the foreseeable future, organizations must be ever-vigilant to ensure their practices meet increasingly complex standards.
Troutman Pepper State Attorneys General Team
|Ashley Taylor – Co-leader and Firm Vice Chair
Ashley is a partner in the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group and co-leader of the State Attorneys General practice. He focuses primarily on federal and state government regulatory and enforcement matters involving state attorneys general, the Consumer Financial Protection Bureau (CFPB), and the Federal Trade Commission (FTC). Drawing upon his experience as a deputy attorney general, Ashley has developed an extensive consumer practice with regard to the consumer financial services industry.
|Clay Friedman – Co-leader
Clay is a partner in the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group and co-leader of the State Attorneys General practice. Informed by nearly a decade in a state attorneys general office, and more than 25 years in private practice, Clay spends much of his time representing clients in singular or multistate regulatory actions. Clay has repeatedly led teams before all 50 state attorneys general and also handles matters with the Federal Trade Commission, the Consumer Financial Protection Bureau, and other local, state and federal agencies.
Judy is a partner in the firm’s Regulatory Investigations, Strategy and Enforcement (RISE) practice, based in the Richmond office. She brings experience serving as chair and commissioner of the Virginia State Corporate Commission (VSCC) from 2006 through 2022, which includes regulating the utilities, insurance, banking, and securities industries. She also served as Virginia’s attorney general from 2005-2006.
Stephen represents clients interacting with, and being investigated by, state attorneys general and other enforcement bodies, including the CFPB and FTC, as well as clients involved with litigation, particularly in heavily regulated industries.
A former deputy attorney general of New York, Avi applies his experience in bet-the-company matters, representing clients in criminal and civil investigations and enforcement actions before state and federal regulators, prosecutors and enforcement agencies.
Michael handles high-profile state attorneys general, FTC, and CFPB investigations by advising clients through these complex government inquiries. He assists clients through the entire life cycle of investigations, from regulatory enforcement through formal litigation.
Tim is an attorney in the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group, with a primary focus on financial services litigation.
Chris represents clients in regulatory, civil and criminal investigations and litigation. In his practice, Chris regularly employs his prior regulatory experience to benefit clients who are interacting with and being investigated by state attorneys general.
Natalia is an associate in the firm’s business litigation practice. She recently received her J.D from the University of California, Davis School of Law.
Namrata is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group, based in the Washington, D.C. office. Her work includes advising clients in regulatory investigations and compliance matters, in addition to representing clients in civil litigation matters.
Michael is an associate in the firm’s Regulatory Investigations, Strategy, and Enforcement Practice Group. Based out of the firm’s Boston office, Mike has deep experience in litigation, investigations, and other regulatory matters involving state-level regulators and state attorneys general.
Susan is an associate in the firm’s Consumer Financial Services Practice Group, and focuses her practice on consumer financial services matters. She has defended several of the nation’s largest and most influential financial institutions in individual and class action litigation involving the Telephone Consumer Protection Act (TCPA), Fair Credit Reporting Act (FCRA), Fair Debt Collection Practices Act (FDCPA), and other consumer privacy statutes. Susan also represents banks, fintechs, and financial services companies in connection with regulatory examinations and investigations brought by the CFPB, state attorneys general, and the California Department of Financial Protection and Innovation.
John represents clients in a wide variety of general and complex litigation matters, shareholder disputes, products liability, and privacy claims.
Whitney is an attorney in the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group. She represents clients facing state and federal regulatory investigations and enforcement actions, as well as related civil litigation.
Trey is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement practice. His experience includes serving as a summer associate at the firm in 2021.
An experienced litigator, Daniel advises and represents regional, national and international companies, financial institutions and insurers in all facets of business, complex commercial and insurance coverage litigation. He is committed to working with his clients to find creative solutions to meet their needs.
Stephanie is Troutman Pepper’s senior government relations manager in the state attorneys general department.