Rules of the (Compliance) Game: Colorado CPA Rules adopt GDPR minimization, transparency and consent and you have a lot of work to do!

Colorado has issued draft rules to supplement the Colorado Privacy Act (CPA).

Generally, the rules reflect the obligations one would expect from the use of GDPR language and terminology in the CPA, namely GDPR-level transparency, consent (as predicted back in February), data protection impact assessments, data minimization, purpose limitation, etc.

Specifically, companies subject to the CPA have a lot of work to do, and not much time to do it in.

Data Minimization:

  • Controllers must assess and document the minimum types and amount of Personal Data needed for the stated Processing purposes.
  • To ensure that Personal Data are not kept longer than necessary, adequate, or relevant, you must set specific time limits for erasure or conduct a periodic review.
  • Biometric Identifiers, or any Personal Data generated from a digital or physical photograph or an audio or video recording, held by a Controller must be reviewed at least once a year to determine whether their storage is still necessary, adequate, or relevant to the express Processing purpose. You must obtain Consent to Process Biometric Identifiers (or any Personal Data generated from a digital or physical photograph or an audio or video recording) each year after the first year that they are stored.
  • You must not collect Personal Data other than those disclosed in your required privacy notice. If you intend to collect additional Personal Data, you must revise your privacy notice and notify Consumers of the change.

Purpose Specification

  • You must disclose the express purposes of the Processing in an unambiguous, specific, and clear manner, understood by and predictable to the average Consumer, the Controller, Third Parties, and enforcement authorities, and detailed enough to enable the implementation of necessary data security safeguards and to allow compliance with the law to be assessed.
  • If Personal Data is collected and Processed for more than one purpose, you must specify each unrelated purpose with enough detail to allow Consumers to understand each individual, unrelated purpose.
  • If the Processing purpose has evolved beyond the original express purpose, the Controller must review and update all related disclosures and documentation as necessary.
  • The specified purpose may be disclosed in several places, including a privacy notice and the required Consent disclosures.

Purpose Limitation

  • Before Processing Personal Data for purposes that are not reasonably necessary for or compatible with the specified Processing purpose(s), you must obtain Consent.
  • If a new Processing purpose is unexpected, unnecessary, unconnected, or would have an unjustified negative impact on the Consumer, the new purpose is not likely to be considered reasonably necessary for or compatible with the original specified purpose.
  • To determine whether a purpose is reasonably necessary for or compatible with the original purpose, consider the following and document your analysis:

  1. The reasonable expectation of an average Consumer;
  2. The link between the original specified purpose(s) for which the data was collected and the purpose(s) of further Processing;
  3. The relationship between the Consumer and you and the context in which the Personal Data was collected;
  4. The type, nature, and amount of the Personal Data subject to the new Processing purpose;
  5. The possible consequence or impact to the Consumer of the new Processing purpose;
  6. The identity of the entity conducting the new Processing purposes, e.g., the same or different Controller, an Affiliate, a Processor, or a Third Party; and
  7. The existence of additional safeguards for the Personal Data, such as encryption or pseudonymization.

Information Security:

Personal Data must be Processed in a manner that ensures appropriate security and confidentiality of the Personal Data, including protection against unauthorized or unlawful access to or use of the Personal Data and the equipment used for the Processing, and against accidental loss, destruction, or damage, using reasonable technical or organizational measures.

Sensitive Data

  • You must obtain Consent to Process Sensitive Data, including Sensitive Data Inferences.
  • You may Process Sensitive Data Inferences from Consumers over the age of thirteen (13) without Consent only if: (1) this would be obvious to the reasonable Consumer; (2) you permanently delete them within twelve (12) hours of collection or of the completion of the Processing activity, whichever comes first; (3) the Personal Data and any Sensitive Data Inferences are not transferred (including to Processors), sold, or shared; and (4) the Personal Data and any Sensitive Data Inferences are not Processed for any purpose other than the express purpose disclosed to the Consumer.
  • Sensitive Data Inferences are inferences made by a Controller that reveal an individual's racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status.
  • While geolocation information at a high level may not be considered Sensitive Data, geolocation data which shows that an individual visited a mosque and is used to indicate that individual's religious beliefs, or geolocation data which shows that an individual visited a reproductive health clinic and is used to indicate an individual's health condition or sex life, is considered Sensitive Data.
  • While web browsing data at a high level may not be considered Sensitive Data, web browsing data which, alone or in combination with other Personal Data, creates a profile that indicates an individual's sexual orientation is considered Sensitive Data.
  • A Controller may forgo obtaining Consent prior to Processing Sensitive Data Inferences from Consumers over the age of thirteen (13) if the Controller limits the use of such inferences as required by the Rules and documents how it meets those requirements in its privacy notice and Data Protection Assessment.

Accountability / Documentation

  • You must retain records of all Consumer Data Rights requests made for at least twenty-four (24) months.
  • You must also retain records of all Data Rights requests with which you complied, as well as records relating to data minimization, secondary uses and children's Consent.
  • You may not use information retained for this purpose for any other purpose.

Consent

Consent is required for:

  • Processing Sensitive Data;
  • Processing Personal Data concerning a known Child, in which case the Child’s parent or lawful guardian must provide Consent;
  • Selling a Consumer's Personal Data, Processing a Consumer's Personal Data for Targeted Advertising, or Profiling in furtherance of Decisions that Produce Legal or Similarly Significant Effects Concerning a Consumer, after the Consumer has exercised the right to opt out of the Processing for those purposes; and
  • Processing Personal Data for purposes that are not reasonably necessary for, or compatible with, the original specified purposes for which the Personal Data are Processed.

Consent must: (1) be obtained through the Consumer's clear, affirmative action; (2) be freely given by the Consumer; (3) be specific; (4) be informed; and (5) reflect the Consumer’s unambiguous agreement.

Clear affirmative action:

  • This is either (a) deliberate and clear conduct, or (b) a statement that clearly indicates the Consumer's acceptance of the proposed Processing of their Personal Data.
  • A blanket acceptance of general terms and conditions, silence, inactivity or inaction, pre-ticked boxes, and other negative-option opt-out constructions that require intervention from the Consumer to prevent agreement are not clear affirmative actions for the purposes of valid Consent.

Freely given:

  • Consumers must be able to withdraw Consent easily and without detriment.
  • Consent cannot be bundled with other terms and conditions.
  • You cannot condition the performance of a contract on Consent to Processing that is not necessary to provide the goods or services contemplated by the contract.
  • You cannot deny goods, services, discounts, or promotions to a Consumer who chooses not to provide Consent.

Specific:

  • You must provide the ability to consent separately to each purpose; no bundling.
  • Consent to Process data for one purpose is not Consent to Process it for another purpose, and you need to specify the parties involved.
  • Consent to sell or share data with certain parties is not Consent to sell or share it with other parties.

Informed:

  • You need to provide all the disclosures required by the law in order for Consent to be valid.
  • Consent obtained through Dark Patterns does not constitute Consent.
  • Requests for Consent must be prominent, concise, and separate and distinct from other terms and conditions.
  • To obtain Consent, you cannot simply direct someone to your privacy notice; you must direct them to the specific relevant section of the privacy notice.

Consent after an opt out:

  • If a Consumer has opted out of the Processing of Personal Data for the Opt-Out Purposes, and then initiates a transaction or attempts to use a product or service inconsistent with the request to opt out, such as signing up for a Bona Fide Loyalty Program that also involves the Sale of Personal Data, you may request the Consumer's Consent to Process the Consumer's Personal Data for that purpose.
  • [For individuals that have opted out through a UOOM] Displaying a pop-up banner seeking Consent to share the Consumer's Personal Data for Targeted Advertising is not a valid request for Consumer Consent, because the request is made through a pop-up banner that degrades or obstructs the Consumer's experience on the Controller's web page or application.

Consent for Children

  • If you operate a website or business directed to Children, or have actual knowledge that you are collecting or maintaining Personal Data from a Child, you must take commercially reasonable steps to verify a Consumer's age before Processing that Consumer's Personal Data.
  • If you Process the Personal Data of a Child, you must make reasonable efforts to obtain verifiable parental Consent, taking into consideration available technology.
  • The Rules list methods for obtaining Consent that are similar to those set forth in COPPA.

Withdrawing consent

  • A Consumer must be able to refuse or revoke Consent as easily, and within the same number of steps, as Consent is affirmatively provided.
  • If Consent is obtained through an electronic interface, the Consumer must be able to refuse or withdraw Consent through the same electronic interface.

Refreshing consent

  • You must refresh Consent at regular intervals based on the context and scope of the original Consent, the sensitivity of the Personal Data collected, and the reasonable expectations of the Consumer.
  • If a Processing purpose materially evolves such that the new purpose becomes a secondary use, the Consumer's original Consent is no longer valid, and you must obtain new Consent.
  • For Processing of Sensitive Data, Consent must be refreshed at least annually.

Dark Patterns

  • You cannot use an interface design or choice architecture that has the substantial effect of subverting or impairing user autonomy, decision making or choice, or unfairly, fraudulently, or deceptively manipulating or coercing a Consumer into providing Consent.
  • Consent choice options should be presented to Consumers in a symmetrical way that does not impose unequal weight or focus on one available choice over another
  • Consent choice options should avoid the use of emotionally manipulative language or visuals to coerce or steer Consumer choice
  • A Consumer’s silence or failure to take an affirmative action should not be interpreted as acceptance or Consent
  • Consent choice options should not be presented with a preselected or default option.
  • A Consumer should be able to select either Consent choice option within the same number of steps
  • A Consumer’s expected interaction with a website, application, or product should not be unnecessarily interrupted or intruded upon to request Consent
  • Consent choice options should not include misleading statements, omissions, affirmative misstatements, or intentionally confusing language to obtain Consent.
  • The vulnerabilities or unique characteristics of the target audience of a product, service, or website should be considered when deciding how to present Consent choice options.
  • User interface design and Consent choice architecture should operate in a substantially similar manner when accessed through digital accessibility tools.
  • Consent obtained in violation of the Rules may be considered a Dark Pattern.
  • The fact that a design or practice is commonly used is not, alone, enough to demonstrate that any particular design or practice is not a Dark Pattern.

Data Protection Assessments

  • A data protection assessment must be a genuine, thoughtful analysis that: (1) identifies and describes all risks posed by Processing that presents a heightened risk of harm to a Consumer; (2) documents measures considered and taken to address and offset those risks; (3) contemplates the benefits of the Processing; and (4) demonstrates that the benefits of the Processing outweigh the risks, as offset by the safeguards in place.
  • You can use a data protection impact assessment done under another legal regime if it meets the requirements of the regulations.
  • The depth, level of detail, and scope of data protection assessments should be proportionate to the size of the Controller, the amount and sensitivity of Personal Data Processed, and the Personal Data Processing activities subject to the assessment.
  • You must involve all relevant internal actors from across your organizational structure and, where needed, relevant external parties, to identify, assess and address the data protection risks.
  • The regulations contain a prescriptive list of the elements that must be included in a data protection assessment, which generally mirror the requirements under GDPR.
  • You need to do the data protection assessment before initiating the relevant Processing, and you need to update it periodically as well as whenever existing Processing activities are modified in a way that materially changes the level of risk presented.
  • You must make the data protection assessment available to the Attorney General within thirty (30) days of the Attorney General's request.

Profiling

  • The Automated Processing used in Profiling includes Solely Automated Processing, Human Reviewed Automated Processing, and Human Involved Automated Processing.
  • You need to provide expanded disclosure regarding Profiling activities [which is broader than under GDPR], including: (i) a plain-language explanation of the logic used in the Profiling process; (ii) why Profiling is relevant to the ultimate decision; (iii) whether the system has been evaluated for accuracy, fairness, or bias, including the impact of the use of Sensitive Data, and the outcome of any such evaluation; (iv) the benefits and potential consequences of the decision concerning the Consumer; and (v) information about how a Consumer may exercise the right to opt out.
  • You must conduct and document a data protection assessment before Processing Personal Data for Profiling if the Profiling presents a reasonably foreseeable risk of: (1) unfair or deceptive treatment of, or unlawful disparate impact on, Consumers (including violation of UDAP or anti-discrimination laws); (2) financial or physical injury to Consumers; (3) a physical or other intrusion upon the solitude or seclusion, or private affairs or concerns, of Consumers, if the intrusion would be offensive to a reasonable person; or (4) other substantial injury to Consumers (which includes, but is not limited to, a small harm to a large number of Consumers).
  • This data protection assessment must address additional, Profiling-specific requirements.

Disclosures / Transparency

  • A privacy notice must provide Consumers with a meaningful understanding and accurate expectations of how their Personal Data will be Processed.
  • You are not required to provide a separate Colorado-specific privacy notice or section of a privacy notice, as long as the Controller's privacy notice contains all information required in this section and makes clear that Colorado Consumers are entitled to the rights provided by the CPA.

The disclosure must be: [similar to the GDPR and CPRA Regs standard]

  • Concrete and definitive; no abstract or ambivalent terms.
  • Clearly labeled (especially regarding the rights) [similar to the DPC's WhatsApp decision].
  • Understandable and accessible to a Controller's target audiences, considering the vulnerabilities or unique characteristics of the audience and paying particular attention to the vulnerabilities of Children.
  • Reasonably accessible to Consumers with Disabilities, including through the use of digital accessibility tools.
  • Available:

  1. Online, through a conspicuous link using the word "privacy" on your website homepage or on a mobile application's app store page or download page. If you maintain an application on a mobile or other device, you must also include a link to the privacy notice in the application's settings menu.
  2. Offline, through a medium regularly used by the Controller to interact with Consumers.

  • Specific: the level of specificity in a privacy notice should enable a Consumer to understand, in advance or at the time of the Processing, the scope of the Controller's Processing operations, such that a Consumer is not taken by surprise at a later point about Personal Data that has been collected and the ways in which Personal Data has been Processed.
  • Available in the languages in which the Controller, in its ordinary course, provides web pages, interfaces, contracts, disclaimers, sale announcements, and other information.
  • Available through an interface regularly used in conjunction with the Controller's product or service.
  • Readable on all devices through which Consumers interact with the Controller, including on smaller screens.

Publicly Available Information:

  • A visual observation of an individual's physical presence in a public place by another person is considered publicly available, but "data collected by a device in the individual's possession" is specifically carved out from this definition.
  • Publicly Available Information does not include: (1) inferences made exclusively from multiple independent sources of publicly available information; (2) Biometric Data; (3) Genetic Information; (4) Publicly Available Information that has been combined with non-publicly available Personal Data; or (5) Nonconsensual Intimate Images known to the Controller.

A privacy notice must include:

  • A comprehensive description of your online and offline Personal Data Processing practices, including the following information for each Processing purpose:
  • The purpose, in sufficient detail; if it includes Targeted Advertising or Profiling, say so specifically.
  • The categories of Personal Data Processed, specifically setting out Sensitive Data and described at a level of detail that provides Consumers a meaningful understanding of the type of Personal Data Processed.
  • The categories of Personal Data that you sell or share.
  • The categories of Third Parties to whom you sell or with whom you share Personal Data, at a level of detail that gives Consumers a meaningful understanding of what type of entity the Third Party is and, to the extent possible, how the Third Party may Process the Personal Data.
  • The additional disclosures for Profiling (see above).
  • A list of the Data Rights available and a description of the methods to exercise them, including instructions for using each method, instructions for submission by an Authorized Agent, and a description of the process for Authentication.
  • Your contact information.
  • Instructions on how to appeal a decision.
  • The date the notice was last updated.
  • If you delete Sensitive Data Inferences within twelve (12) hours, a description of the Sensitive Data Inferences subject to this provision and the retention and deletion timeline for such Sensitive Data Inferences.

Changes to the Privacy Notice:

  • Notice of a substantive or material change to a privacy notice must be given fifteen (15) calendar days before the change goes into effect.
  • You must notify Consumers of substantive or material changes to a privacy notice, including, but not limited to, changes to: (1) the categories of Personal Data Processed; (2) the Processing purposes; (3) your identity; or (4) the methods by which Consumers can submit Data Rights requests. Changes to a privacy notice must be communicated to Consumers in a manner by which the Controller regularly interacts with Consumers.
  • You must obtain Consent from a Consumer before Processing Personal Data for a secondary use, even if the new purpose is disclosed in the privacy notice.

Loyalty Programs

You must provide the following additional disclosures with respect to loyalty programs in your privacy notice, in your loyalty program terms, and in the Consent disclosures for any request for Consent to Process Sensitive Data in connection with a loyalty program:

  • The categories of Personal Data or Sensitive Data collected through the loyalty program that will be sold or Processed for Targeted Advertising;
  • The categories of Third Parties that will receive the Consumer's Personal Data and Sensitive Data, including whether Personal Data will be provided to Data Brokers;
  • The value of the Bona Fide Loyalty Program Benefits available to the Consumer if the Consumer opts out of the Sale of Personal Data or Processing of Personal Data for Targeted Advertising, and the value of the Bona Fide Loyalty Program Benefits available to the Consumer if the Consumer does not opt out of the Sale of Personal Data or Processing for Targeted Advertising; and
  • A list of any Bona Fide Loyalty Program Benefits that require the Processing of Personal Data for Sale or Targeted Advertising, and the Third Party receiving the Personal Data and providing each such Bona Fide Loyalty Program Benefit, if applicable.
  • You may not increase the cost of, or decrease the availability of, a product or service based solely on a Consumer's exercise of a Data Right.
  • You are not prohibited from offering Bona Fide Loyalty Program Benefits to a Consumer based on the Consumer's voluntary participation in that Bona Fide Loyalty Program.
  • You may not condition a Consumer's participation in a Bona Fide Loyalty Program on the Consumer's Consent to Process Sensitive Data unless the Sensitive Data is required for all Bona Fide Loyalty Program Benefits.
  • If the Consumer requests that data be deleted, or that Sensitive Data not be Processed, such that it is not possible to provide a loyalty program benefit to the Consumer, you must still provide the benefits that it is possible to provide (e.g. non-personalized benefits).
  • If a Consumer's decision to exercise a Data Right impacts the Consumer's membership in a Bona Fide Loyalty Program, you must notify the Consumer of the impact of the Consumer's decision at least twenty-four (24) hours before discontinuing the Consumer's Bona Fide Loyalty Program Benefit or membership, and must provide a reference or link to the loyalty program disclosures.

Consumer Rights:

The methods for submitting Consumer requests must:

  • Take into account the ways in which Consumers normally interact with the Controller;
  • Use reasonable data security measures when exchanging information;
  • Be easy for Consumers to execute, requiring a minimal number of steps; and
  • Not use Dark Patterns.
  • The Data Rights request method does not have to be specific to Colorado, so long as the request method:

  1. Clearly indicates which rights are available to Colorado Consumers;
  2. Provides all Data Rights available to Colorado Consumers;
  3. Provides Colorado Consumers a clear understanding of how to exercise their rights; and
  4. Meets all other requirements.

Data minimization for Consumer rights requests: collect only the information reasonably necessary for Authentication or to effectuate the request. You cannot require the Consumer to create an account to submit a request, but you can require them to use an existing account.

Right to Opt Out

  • A Controller must comply with an opt-out request as soon as feasibly possible, but not later than fifteen (15) days (similar to the CPRA).
  • You need to provide an opt-out method directly or through a link; if a link, it must take the Consumer directly to the opt-out method together with an explanation (similar to the CPRA).
  • You must provide this clearly and conspicuously in the privacy notice, or in a readily accessible location outside the privacy notice, which must be:
  • Positioned in an obvious location of a website or application, such as the header or footer of a Controller's internet homepage, or an application's app store page or download page; and
  • Available to the Consumer at or before the time the Personal Data is Processed for the Opt-Out Purposes.

Right of Access

Personal Data provided in response to an access request must be:

  • Understandable to the Controller's target audiences, considering vulnerabilities or unique characteristics of the audience and paying particular attention to vulnerabilities of Children. This means: concise, transparent and easily intelligible, and avoiding incomprehensible or unexplained internal codes and identifiers [GDPR and CPRA standards].
  • Provided in the language in which the Consumer interacts with the Controller.
  • Provided in a form that would allow the average Consumer to make an informed decision about whether to exercise deletion, correction, or opt-out rights.

Right to Correction

  • You must instruct all Processors that maintain the Personal Data at issue to make the necessary corrections in their respective systems and to ensure that the Personal Data remains corrected.
  • You may direct Consumers to account settings if correction can be done through them, provided that: (1) the process is not unduly burdensome; (2) the instructions meet the transparency/disclosure requirements; and (3) you respond in a timely manner.
  • If you decide, based on the totality of the circumstances, that the data is more likely than not accurate, you may decide not to act upon a request.
  • If you received the information from a Third Party and not from the Consumer directly, the Consumer's assertion of inaccuracy is sufficient to establish that the Personal Data is inaccurate.
  • You may require the Consumer to provide documentation if necessary to determine whether the Personal Data, or the Consumer's requested correction to the Personal Data, is accurate. When requesting documentation, you must provide the Consumer with a meaningful understanding of why the documentation is necessary.
  • You may only Process any data received for the purpose of assessing the accuracy of the data.
  • You must implement reasonable security measures for Processing this information.

Right to Deletion

  • You may comply by permanently and completely deleting the information, or by de-identifying it, AND by notifying all Processors and Affiliates to delete the information.
  • For archive/backup data, you may delay compliance until the system is restored to an active system or is next accessed or used for a Sale, disclosure, or commercial purpose.
  • If there is an exception to deletion, you must delete all data not subject to the exception and cannot use the retained information for any purpose other than as permitted by the exception.
  • For data obtained from a source other than the Consumer, you may comply by either (i) retaining a record of the deletion request and the minimum data necessary to ensure that the Consumer's Personal Data remains deleted from your records, and not using such retained data for any other purpose, or (ii) opting the Consumer out of the Processing of such Personal Data for any purpose except those exempted.

Data Portability [echoing the CA AG opinion on inferences]

  • You are not required to provide Personal Data to a Consumer in a manner that would disclose your trade secrets.
  • Personal Data or Sensitive Data Inferences created using a trade secret algorithm or other mechanism must be disclosed to comply with a data portability request, without disclosing the algorithm or mechanism itself.

Authentication

  • You must establish reasonable methods to Authenticate the Consumer submitting a Data Rights request, and to Authenticate the authority of an Authorized Agent submitting an opt-out request on behalf of a Consumer.
  • To determine whether a method is reasonable, consider the Data Rights exercised; the type, sensitivity, value, and volume of Personal Data involved; and the level of possible harm that improper access or use could cause to the Consumer submitting the Data Rights request. Avoid methods that place an unreasonable burden on the Consumer or Authorized Agent.
  • Avoid requesting additional Personal Data to Authenticate a Consumer unless you cannot Authenticate the Consumer from the Personal Data you already maintain.
  • You may only use the Authentication data for the purpose of Authentication, and must delete it as soon as possible afterwards.
  • You cannot charge a fee for Authentication (and cannot require a notarized affidavit unless you pay for it).
  • You don't have to comply with a request if you cannot Authenticate the Consumer using commercially reasonable efforts. You need to inform the Consumer that you weren't able to Authenticate them, and you may request additional Personal Data if reasonably necessary to Authenticate.

Responding to Requests

  • If you decide not to act on a request, you need to state and explain the legal basis for refusing to do so. For example: explain why compliance is impossible, why you think the request is fraudulent or abusive, or what reasonable efforts you made to Authenticate the Consumer and why you were not able to do so.
  • You must provide instructions on how to appeal the refusal.
  • When you comply with a request, you must notify all Processors that Process the Personal Data included in the request.
  • You must maintain documentation related to this process.

Universal Opt Out Mechanism

  • Consumers may exercise their right to opt out of the Processing of Personal Data concerning the Consumer for purposes of Targeted Advertising or the Sale of Personal Data through a user-selected Universal Opt-Out Mechanism that meets the technical and other specifications provided in the Rules.
  • The UOOM may be for "all purposes" or for "specific purposes", or both.
  • The Rules contain requirements for designing a compliant UOOM.
  • A Consumer's decision to adopt a tool that does not come pre-installed with a device, such as a browser or operating system, but is marketed prominently as a privacy-protective tool or specifically as a tool designed to exercise a user's rights to opt out of the Processing of Personal Data, is considered the Consumer's affirmative, freely given, and unambiguous choice to use a Universal Opt-Out Mechanism.

Obligations regarding UOOM

  • When Processing a Universal Opt-Out Mechanism signal, you may not require the collection of additional Personal Data beyond that which is strictly necessary to confirm that a Consumer is a resident of Colorado or to determine that the mechanism represents a legitimate request to opt out of the Processing of Personal Data.
  • You may provide the Consumer with an option to provide additional Personal Data only if it will extend the recognition of the Consumer's use of the Universal Opt-Out Mechanism across platforms, devices, or offline. For example, you may give the Consumer the option to provide their phone number or email address so that the Universal Opt-Out Mechanism or signal can apply to offline Sales of Personal Data, or to link the Consumer's opt-out choice across devices.
  • You may not require a Consumer to log in or otherwise Authenticate themselves as a condition of recognizing the Consumer's use of the Universal Opt-Out Mechanism.
  • You may display, in a conspicuous manner, whether you have Processed the Consumer's opt-out preference signal (under the CPRA this is mandatory).

Starting 7/1/2024:

  • If you receive an opt-out request through a Universal Opt-Out Mechanism, you must treat it as a valid request to opt out of the Processing of Personal Data for purposes of Targeted Advertising, Sale of Personal Data, or both, as indicated by the mechanism, for the associated browser or device and, if known, for the Consumer.
  • After receiving a valid opt-out request through the use of a Universal Opt-Out Mechanism, you must continue to treat the browser, device, and Consumer as having exercised opt-out rights until the browser, device, or Consumer overrides the opt-out, as specified in the Rules.

Opt in after opt out:

  • You may not interpret the absence of a Universal Opt-Out Mechanism signal, after the Consumer has previously used a Universal Opt-Out Mechanism, as Consent to opt back in.
  • The Colorado Department of Law will maintain a public list of Universal Opt-Out Mechanisms that have been recognized as meeting the standards of the Rules. The initial list will be released no later than April 1, 2024 and will be updated periodically.
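The UOOM obligations above translate into a small piece of server-side state logic: a signal is an opt-out for the browser or device and, if known, for the Consumer; it persists until an explicit override; the absence of the signal on a later request is not an opt-in; and no login may be required to honor it. The following is an added example written for this page, not code from the original article or from the Colorado Department of Law. It assumes the signal is carried as the Global Privacy Control request header (`Sec-GPC: 1`), which the draft Rules do not name and which is used here only as a plausible stand-in for an "all purposes" mechanism; devices are identified by an opaque cookie value and logged-in Consumers by a user id, and an in-memory dict stands in for the database.

```python
"""Honoring a Universal Opt-Out Mechanism (UOOM) signal per the draft CPA Rules.

Added example; not the article's or the regulator's code.
ASSUMPTIONS: the signal is Global Privacy Control (`Sec-GPC: 1`, read as an
"all purposes" opt-out); `device_id` is an opaque cookie value; `consumer_id`
is a logged-in user id (None when unknown); storage is an in-memory dict.
"""
from dataclasses import dataclass, field
from typing import Mapping, Optional

# The two Opt-Out Purposes a UOOM can cover under the Rules.
TARGETED_ADVERTISING = "targeted_advertising"
SALE = "sale"
OPT_OUT_PURPOSES = frozenset({TARGETED_ADVERTISING, SALE})


def parse_uoom_signal(headers: Mapping[str, str]) -> Optional[frozenset]:
    """Return the purposes the request's UOOM signal asserts, or None if absent.

    ASSUMPTION: GPC is the signal; it has no per-purpose granularity, so it is
    treated as an "all purposes" opt-out. A "specific purposes" mechanism would
    return a subset of OPT_OUT_PURPOSES here instead.
    """
    value = headers.get("Sec-GPC", headers.get("sec-gpc", "")).strip()
    return OPT_OUT_PURPOSES if value == "1" else None


@dataclass
class OptOutStore:
    """Persistence stand-in: opt-outs keyed by device and, when known, by Consumer."""
    by_device: dict = field(default_factory=dict)
    by_consumer: dict = field(default_factory=dict)

    def record_signal(self, device_id: str, consumer_id: Optional[str], purposes) -> None:
        # Signal applies to the browser/device and, if the Consumer is known, to them.
        self.by_device.setdefault(device_id, set()).update(purposes)
        if consumer_id is not None:
            self.by_consumer.setdefault(consumer_id, set()).update(purposes)

    def is_opted_out(self, device_id: str, consumer_id: Optional[str], purpose: str) -> bool:
        # Either record is enough; no login is required for the device record to apply.
        return (purpose in self.by_device.get(device_id, set())
                or purpose in self.by_consumer.get(consumer_id, set()))

    def link_consumer(self, device_id: str, consumer_id: str) -> None:
        """Consumer volunteered an identifier (e.g. email) to extend the opt-out
        across devices or offline. This is optional for the Consumer; it must
        never be a condition of honoring the signal. Merge both ways."""
        merged = self.by_device.get(device_id, set()) | self.by_consumer.get(consumer_id, set())
        if merged:
            self.by_device[device_id] = set(merged)
            self.by_consumer[consumer_id] = set(merged)

    def override_with_consent(self, device_id: str, consumer_id: Optional[str], purposes) -> None:
        """Clear an opt-out ONLY after valid Consent (clear affirmative action,
        specific, informed; e.g. enrolling in a loyalty program that involves a
        Sale). A pop-up banner shown to a UOOM user is not valid Consent. Only
        the consented purposes are cleared; a missing signal never reaches here."""
        for key, table in ((device_id, self.by_device), (consumer_id, self.by_consumer)):
            if key is not None and key in table:
                table[key] -= set(purposes)


def handle_request(store: OptOutStore, headers: Mapping[str, str],
                   device_id: str, consumer_id: Optional[str] = None) -> frozenset:
    """Process one HTTP request and return the purposes it must be treated as
    opted out of. A present signal is recorded; an absent signal changes nothing
    (the Rules forbid reading absence as opting back in)."""
    purposes = parse_uoom_signal(headers)
    if purposes:
        store.record_signal(device_id, consumer_id, purposes)
    return frozenset(p for p in OPT_OUT_PURPOSES
                     if store.is_opted_out(device_id, consumer_id, p))


if __name__ == "__main__":
    # Constructed walk-through of the scenario the Rules describe.
    store = OptOutStore()
    print(handle_request(store, {"Sec-GPC": "1"}, "dev-A"))          # signal, anonymous
    print(handle_request(store, {}, "dev-A"))                        # no signal: still opted out
    store.link_consumer("dev-A", "user-1")                           # Consumer later identifies
    print(handle_request(store, {}, "dev-B", "user-1"))              # carries to other device
    store.override_with_consent("dev-A", "user-1", {SALE})           # explicit Consent for Sale only
    print(handle_request(store, {}, "dev-A", "user-1"))              # targeted advertising still off
```

The design point is that the absence of a header is never a state transition: only an affirmative signal adds an opt-out, and only a separately recorded, valid Consent removes one. Any real implementation would also need the Colorado-residency determination and the recognized-mechanism list the Rules refer to, which are outside this example.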


Next Steps:

  • The draft regulations are open for public comment through the comment portal available at coag.gov/CPA during the comment period between October 10, 2022 and February 1, 2023. Comments submitted by November 7, 2022 will inform the stakeholder meetings; comments submitted by January 18, 2023 will be considered for any proposed revisions presented at the hearing.
  • The Department will host three (3) virtual stakeholder meetings to discuss the CPA proposed draft rules.

Erik Horn

Privacy practitioner and GDPR adviser, helping businesses implement good privacy in a way that is simple, effective and understandable

2 years ago

Many thanks for sharing details of this comprehensive proposal. My immediate thoughts: there will be a lot to do, major businesses that thrive on personal data will have to change their business model a lot (imagining opting out being just as easy as opting in…). And finally, a lot more opportunities for litigation, if you can find a lawyer with any free capacity.


More articles by Odia Kagan
