Colorado’s Approval of Global Privacy Control: Implications for Advertisers and Publishers
The privacy laws of both Colorado and California require organizations to recognize Universal Opt-Out Mechanisms (UOOMs), a tool through which a person can invoke their opt out rights broadly across all the websites they visit. While California has required responding to certain UOOMs since July 2021, the Colorado Attorney General has only recently approved their first tool – the Global Privacy Control – as valid within the scope of the state law. This sets the stage for organizations within the law’s jurisdiction to take appropriate action necessary to ensure that they are recognizing and responding to any person’s use of the GPC. Below we provide information for what organizations need to know about UOOMs going forward, including particular implementation challenges that must be addressed to avoid enforcement actions for falling afoul of the law.
Background
Governor Polis signed the Colorado Privacy Act (CPA) in July 2021, making Colorado the third state to pass a comprehensive privacy law. Among other things, the act requires the Colorado Attorney General to conduct a special process for approving Universal Opt Out Mechanisms (UOOMs) for people to use as a means of invoking their opt out rights. Under Colorado law, covered entities will be required to honor these UOOMs beginning July 1, 2024.
The Colorado AG’s office closed applications for UOOM tools on November 6, 2023. After a public comment period, the Colorado AG announced that only one tool – the Global Privacy Control (GPC) – would be acknowledged on the exclusive public list of acceptable UOOMs in Colorado.
The recognition of the GPC as a valid UOOM in Colorado leaves adtech vendors, advertisers, and publishers in a broadly similar place in both California and Colorado once enforcement begins this summer: Publishers will have to respond to valid GPC requests in both states; advertisers and vendors will have to adjust business practices accordingly. Although implementations of GPC must still satisfy the requirements of the CPA, Colorado’s decision aligns their enforcement of opt-out rights with those in California, creating momentum toward a national standard.
What Should Advertisers, Publishers, and Other Organizations Know About the GPC and UOOMs in U.S. Law?
1. Implementations of GPC must still satisfy the requirements of CPA
Under the CPA, UOOMs in Colorado must satisfy three categories of rules. By selecting a single UOOM tool, the Colorado AG’s office has indicated that this is the only tool “recognized in so far as the UOOM or any authorized implementations meet the requirements of [the Colorado Privacy Act].”
The first and second of these rules relate to Notice and Choice under Rule 5.03 and Default Settings under Rule 5.04. The notice and choice requirements ask UOOM vendors to ensure that the signal represents an “affirmative, freely given, and unambiguous choice to opt out” of targeted advertising and data sales. The requirements for default settings seek to ensure the choice remains a genuine opt-OUT with respect to the device. The default browser installed on the device cannot simply negate the selection in a user interface to transform the user-facing mechanism into what would appear to be an opt-IN for the user. For browsers or browser extensions that do not come pre-installed on the device and that are marketed as tools for exercising a user’s opt out rights, the consumer’s decision to install and use these tools is considered an affirmative, freely given, and unambiguous choice.
The final requirement for UOOMs in the CPA is to follow Technical Specifications under Rule 5.06. The technical specification requirements make the tool “universal” in the sense that it can automatically transmit the opt-out to multiple publishers while remaining in compliance with other requirements, like the notice and choice requirements and the default settings requirements, and without unfairly disadvantaging controllers.
It is noteworthy that the AG’s office distinguishes between “the UOOM” – the GPC in this case – and “any authorized implementations” of the UOOM. Several organizations, including FPF, expressed broad support of the GPC while correctly observing that the GPC is a protocol-level technical specification and can be implemented in valid and invalid ways in user-facing tools. Actual implementations of the GPC vary significantly in their interface and functionality. However, it is not clear what is required for an implementation to be “authorized”. One may read the language to require some additional recognition by the Colorado AG’s office (which has not produced a list of authorized implementations) or instead to include those implementations recognized by the creators of the GPC, who list several implementations that support the GPC on their website. It is even possible that “authorized implementations” refers to other authorized, yet-to-be-approved UOOMs and has nothing to do with the GPC.
Based on this analysis, it is technically possible for publishers to receive an invalid GPC signal originating from a tool that fails to implement other requirements of the CPA. However, discerning the validity of GPC signals as they are received may require publishers to implement otherwise invasive means, like browser fingerprinting.
2. GPC will be a multi-state enforcement priority for 2024
Despite the limitations of approving a technical specification, the decision in Colorado to recognize only the Global Privacy Control marks an alignment with California that the GPC should be a clear priority for organizations looking to avoid an enforcement action in 2024. Controllers in Colorado and businesses in California should earnestly implement appropriate means to receive these signals and respond in their advertising technology stack. Industry preparation should include some mechanism for differentiating data that has been opted-out of sale or sharing from data that has not.
The Colorado AG also indicated that the current public list (which, again, consists solely of the GPC) will be “prioritized for enforcement,” meaning publishers will likely be required to respond to GPC opt-out requests as soon as the enforcement date of July 1, 2024 rolls around. Any relevant ongoing or concluded investigations in California since the AG settlement with Sephora have not resulted in publicly announced enforcement actions. However, it has remained an area of active interest, including recent discussions by the California Privacy Protection Agency (CPPA) regarding the possibility of requiring browser vendors to implement a feature allowing users to express their opt-out preferences to publishers.[1]
3. Novel mechanisms may still be reconsidered in upcoming years
In naming the GPC as the current exclusive UOOM recognized in Colorado, the Colorado AG also indicated that this did “not exclude additional UOOMs from meeting the requirements” in the future. This could mean the other shortlisted opt out mechanisms (i.e., the OptOut Code or the Opt-Out Machine) or some tool that has not yet been developed may be approved in the future. However, the process for submitting applications is uncertain. The website is no longer accepting submissions, and although it may be opened to new submissions in the future, no plans for doing so are currently public.
The Colorado AG also indicated that when it does accept new applications, it will also seek public comments on them in a similar process. The three applications on the shortlist each took a different approach to standardizing the expression of user opt out preferences. The OptOut Code proposal focused on prepending a code to human-readable device names, the Opt-Out Machine proposed an automated email-based opt out mechanism, and the Global Privacy Control (GPC) proposed using its HTTP-based protocol-level specification in Colorado, having already been recognized as a UOOM in California.
Challenges Ahead for Enforcement
Enforcement of the Colorado Privacy Act’s requirements for opt-outs will begin later this year. Although the Colorado AG selected the GPC, they did not reveal their rationale or respond substantively to the concerns raised during the comment process. As a result, specific enforcement techniques and investigative approaches are hard to predict. At least four enforcement challenges exist for Colorado: (1) responding to the GPC alone may not be enough to ensure compliance with the CPA, (2) confirmation of signals by controllers is not required, making verification of the receipt of valid signals difficult, (3) invalid GPC signals are difficult to detect definitively, and (4) the current move toward enforcement is happening at a time of transition in the industry at large.
First, responding to the GPC alone is not enough for compliance with the CPA. Although the GPC specification includes optional requirements allowing publishers to confirm to users that they have received the GPC signal, this confirmation is not technically tied to any advertising that appears on the publisher site. In other words, it is possible for a publisher site to continue serving targeted ads while confirming to users that their GPC opt-out signal has been received, either intentionally or accidentally. The Colorado AG will need some mechanism for discerning whether any advertising displayed was targeted or not. For people who have invoked the GPC, publishers are likely to replace targeted advertising with contextual advertising, and these ads may be served by similar ad servers, making discernment challenging. (The opt-out also applies to the sale of personal data, but that would not be immediately obvious to an enforcement agency in a single web browsing session regardless of the GPC configuration.)
Second, the optional confirmation requirements in the GPC specification are not strictly required by the CPA. Although confirmation may be useful for users, advertisers, and publishers seeking to test their configuration of their GPC tool of choice, its utility as part of regulatory enforcement remains unclear, and without it, it is unclear how Colorado enforcement agencies will determine whether a signal has been received and responded to. It is worth noting here that California’s recently proposed revisions to the California Consumer Privacy Act (CCPA) would require businesses to display the status of the consumer’s choice.[2]
Third, invalid implementations of the GPC can transform the opt-out into a user-facing opt-in. Developers of privacy-oriented browsers and browser extensions have evinced a desire to make the user’s experience of setting up both the browser and the GPC as fast and easy as possible, but the legal environment is inherently complex. The installation and configuration process for these tools will be critical to ensuring that GPC signals are valid in each jurisdiction where they are intended to apply. The GPC signal does not embed information on which browser, extension or tool sent the signal. This can make it difficult for organizations seeking to determine a mechanism’s validity and investigators seeking to respond to GPC signals sent using an invalid mechanism or configuration. Investigators will also have to determine if the person covered by the signal is a Colorado resident.
Finally, enforcement of the CPA comes at a time when the industry is transitioning away from the third-party cookie and toward new advertising APIs, presenting an additional challenge for discernment of targeting information. Publishers will need to be able to connect receipt of the GPC signal to their new infrastructure for advertising APIs during this transition. Similarly, Colorado’s enforcement will need to be able to verify compliance with the CPA, including responses to valid GPC signals, during this industry transition. Many other states are considering comprehensive privacy laws, some with subtly different opt out rights. Colorado has indicated that they prefer a harmonious, multi-state approach where possible, but this possibility remains an open question as states consider new approaches to privacy.
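The publisher-side handling discussed above (receiving the HTTP-level signal, separating opted-out data from the rest, and the optional confirmation resource), as an added example that is not part of the original article or of the GPC project's own code. It assumes the GPC specification's `Sec-GPC: 1` request header and `/.well-known/gpc.json` resource; the function names, the record flags and the sample requests are hypothetical.

```python
# Added example: minimal publisher-side handling of the Global Privacy Control.
# Assumes the GPC spec's "Sec-GPC: 1" request header and the optional
# "/.well-known/gpc.json" resource; record-tagging fields are hypothetical.
import json
from typing import Mapping


def gpc_opt_out(headers: Mapping[str, str]) -> bool:
    """True only when the request carries the exact GPC signal value "1".

    The header says nothing about which browser or extension sent it, so the
    validity of the sending tool cannot be judged here; the safe posture is to
    honor every well-formed signal as an opt-out rather than fingerprint the
    client to second-guess it.
    """
    # HTTP header names are case-insensitive; normalize before lookup.
    value = {k.lower(): v for k, v in headers.items()}.get("sec-gpc")
    # Any value other than "1" is not a signal under the spec.
    return value is not None and value.strip() == "1"


def choose_ad_mode(headers: Mapping[str, str]) -> str:
    """Opted-out visitors get contextual rather than targeted advertising."""
    return "contextual" if gpc_opt_out(headers) else "targeted"


def tag_record(record: dict, headers: Mapping[str, str]) -> dict:
    """Copy an outbound data record with an explicit opt-out flag so that
    downstream systems can keep opted-out data apart from the rest."""
    tagged = dict(record)
    tagged["gpc_opt_out"] = gpc_opt_out(headers)
    tagged["sale_sharing_permitted"] = not tagged["gpc_opt_out"]
    return tagged


def well_known_gpc(last_update: str) -> str:
    """Body for GET /.well-known/gpc.json, the spec's optional statement that
    the site honors GPC. Serving it changes no ad behavior by itself; pairing
    it with choose_ad_mode is what makes the statement true."""
    return json.dumps({"gpc": True, "lastUpdate": last_update})


# Constructed sample requests (not real traffic).
OPTED_OUT = {"Host": "publisher.example", "Sec-GPC": "1"}
NO_SIGNAL = {"Host": "publisher.example"}
MALFORMED = {"Host": "publisher.example", "sec-gpc": "true"}  # not a valid signal
```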
Conclusion
Colorado’s adoption of the GPC as the only valid universal opt out mechanism, for now at least, represents a critical step for vendors, advertisers, publishers, and users. Broad alignment with California marks this as important outside of Colorado as well, particularly with other states adopting or considering comprehensive privacy laws. Although some challenges and open questions remain, covered entities should earnestly work towards compliance to be able to honor these UOOMs beginning July 1, 2024.
[1] Note that this requirement may complicate the default setting requirements discussed earlier given Colorado’s differentiation between a browser that comes pre-installed on a device and one that does not.
[2] See page 40, in § 7025 on Opt-out Preference Signals.