Targeted Ads Under the Colorado Privacy Act: What Can A Consumer Nix and How?
Effective July 1, 2023, the Colorado Privacy Act (CPA) aims to “build a world where technological innovation and privacy can coexist.”[1] The CPA does so by letting consumers opt out of the sale of their personal data or use of that data for targeted advertising. The specific ability to opt out of targeted advertising is novel in United States privacy law, but fewer ads are affected by this CPA right than you might think.
As a refresher, the CPA applies to any organization, including nonprofits, conducting business in Colorado, or delivering products or services targeted to Colorado residents, that either (1) controls or processes personal data regarding 100,000 or more consumers during a calendar year, or (2) derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes data of 25,000 consumers or more.
Therefore, Colorado companies with large email lists, or companies that rely heavily on online advertising to drive sales, may need to comply with the CPA.
What is Targeted Advertising?
Under the CPA, targeted advertising means displaying to a consumer an advertisement based on personal data[2] obtained or inferred over time from the consumer's activities across nonaffiliated websites, applications, or online services to predict consumer preferences or interests.[3]
Does Targeted Advertising Include Behavioral Advertising?
Yes. Targeted advertising under the CPA includes behavioral advertising, which is the tracking of a consumer’s activities online to deliver advertising targeted to the individual consumer’s interests and includes any form of automated processing of personal data to evaluate, analyze, or predict personal aspects concerning an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
What if I Only Target Based on Activity on My Website, Is that Targeted Advertising?
No. Targeted advertising under the CPA does not include advertising to a consumer based on:
· The consumer's request for information or feedback
· Activities solely within a controller's own websites or online applications (known as contextual targeting)
· The context of a consumer's search query, or visit to a controller’s website or online application.[4]
What if I Show Ads After a Consumer Leaves My Website?
No problem. Targeted Advertising under the CPA does not include re-targeting consumers with advertisements for a business’s product across nonaffiliated websites once the consumer leaves that business’s website, so long as the targeting is based solely on the consumer’s visit to that business’s website and not on the consumer’s activities across nonaffiliated websites or businesses.
The Universal Opt-Out Mechanism
By July 1, 2024, controllers must allow consumers to opt out of the sale of their data or its use for targeted advertising through a user-selected universal opt-out mechanism.[5] Unlike the other consumer rights requests under the CPA for which controllers have 45 days to comply, Section 5 of the Colorado Attorney General’s draft rules specifies that consumers have the right to opt out of targeted advertising via the Universal Opt-Out Mechanism.
While the draft regulations do not say how quickly the Opt-Out Mechanism must work, the regulations’ extensive description of the mechanism’s design and browser integration scenarios indicates that the Colorado AG wants the Universal Opt-Out Mechanism to work quickly or immediately. The mechanism cannot be enabled by default on an operating system to constitute a consumer’s opt-out preference, but the installation of a browser with such a mechanism enabled by default does suffice to express a consumer’s opt-out.
Practically, the Universal Opt-Out Mechanism means that businesses subject to the CPA need to either find or make a mechanism to disable targeted advertising for their consumers. While this will be a decently heavy technical lift for many businesses, the range of ads affected by the mechanism is narrower than one might initially think.
Contact us at Codevilla@skandslegal.com with any questions on Colorado Privacy Act compliance.
*********
[1] C.R.S. 6-1-1302(b)(I) (2022).
[2] “Personal data” means information linked or reasonably linkable to an identified or identifiable individual, and does not include de-identified data or publicly available information.
[3] C.R.S. 6-1-1303(25)(a) (2022).
[4] C.R.S. 6-1-1303(25)(b)(I)-(IV) (2022).
[5] C.R.S. 6-1-1306(1)(a)(IV)(B) (2022).