On July 8, 2021, Colorado became the third U.S. state with a comprehensive privacy law when the Colorado Privacy Act (CPA) was signed into law.
The Act, which takes effect July 1, 2023, imposes new rules on businesses that control the personal information of at least 100,000 Colorado residents per year, or which derive revenue from the sale of at least 25,000 Colorado residents per year.
Do you provide digital marketing services or run targeted ads on your website or app?
Several provisions in the CPA aim directly at the activities of online advertisers. You’ll soon need to provide transparent information to Colorado consumers and offer them an opt out of targeted marketing.
Here’s what you need to know.
The CPA’s provisions include several that are particularly important in the context of online advertising:
- Businesses that engage in targeted advertising must provide notice to Colorado consumers about their activities
- Colorado consumers have the right to opt out of targeted advertising
- From July 2024, businesses may recognize a browser-level “universal opt out”
What Is “Targeted Advertising?”
Here’s a breakdown of how the CPA defines “targeted advertising”:
- Displaying to a consumer an advertisement
- That is selected based on personal data obtained or inferred over time
- From the consumer’s activities across nonaffiliated websites, applications, or online services
- To predict preferences or interests
This type of targeting is also known as “profiling”: building up an impression of a consumer over time—and, crucially, the CPA’s definition necessarily involves “third-party” data.
Commonly-used online advertising platforms, including Google and Facebook Ads, fit this description—so if you’re in scope of the CPA, and you’re running these sorts of marketing services on your site, you’ll need to comply with the CPA’s rules on targeted ads.
The definition of “targeted advertising” excludes:
- Advertising to a consumer in response to their “request for information or feedback”
- Ads based on “first-party” activity on your website or app
- Ads based on a current search query or website visit (so-called “contextual” ads)
- Using personal data to measure ad performance
You must provide notice to consumers about your targeted advertising activity. You must clearly and conspicuously provide this information, both:
- Within your privacy notice
- In a “readily accessible location” outside of your privacy notice
Your notice must contain details about:
- The CPA consumer rights
- The categories of personal data you process
- The purposes for which you process personal data
- How consumers may withdraw consent
Your privacy notice must also contain a mechanism via which consumers can exercise their right to opt out.
Right to Opt-Out
Similar to the California Consumer Privacy Act (CCPA), which has been in effect since January 2020, the CPA grants Colorado consumers the right to opt out of targeted advertising.
You must provide a mechanism allowing consumers to opt out. Such a mechanism may include:
- Web link
- Browser setting
- Browser extension
- Global device setting
Until the rules are clarified regarding global device opt-outs (see below), a web link allowing the consumer to submit their preference is likely to be the most practical means of enabling the right to opt out. This may take the form of a “cookie banner” or pop-up.
Universal Opt Out
From July 2024, you’ll need to recognize a “universal opt-out” mechanism, selected by the consumer, that provides an indication of the consumer’s desire to opt out of targeting advertising. Such universal opt-out solutions may resemble the Global Privacy Control.
Before July 2024, the Colorado Attorney General will provide technical specifications that such a mechanism must meet in order to be recognized by businesses under the CPA.
Cassie is a world-leading cookie consent and data management solution that enables organisations to meet the Colorado Privacy Act (CPA). Get in touch to learn more about how Cassie can help your business.