Warning to digital marketers: The grace period for the Colorado Privacy Act (CPA) is over as of July 1, 2024. Most companies using basic personalization or session tracking cookies on their websites are affected because they are collecting sensitive data.
Are you properly managing consent and opt-out options for your Colorado users?
The Colorado Privacy Act is similar to other online privacy laws that have been passed in 19 other states and are the third to go into effect. However, the exact rules and details differ in every state.
In this article, we break down the details of the CPA and what it means to you, whether you are a Colorado resident or do business in Colorado.
In this guide:
I’m Katie Jones and I’m writing this guide because I’m currently helping our clients get CPA-compliant. This guide is based on my research and experience as a marketing analytics implementor. Our Denver, Colorado-based analytics team has several years of experience implementing consent management solutions for clients who see the value in winning customer trust with transparent consent systems.
This guide will help you decide what action to take on implementing CPA compliance. However, nothing in this guide is legal advice. Contact us for a proper consultation that takes into account your needs before taking action that could disrupt your marketing data.
What Is the Colorado Privacy Act?
The Colorado Privacy Act (CPA) is a piece of consumer privacy legislation that gives Colorado residents more control over how personal data is used, and more information about how data is collected.
As of July 1, 2023, businesses that collect the data of Colorado residents are required to provide information about data collection and options that allow customers to access and edit their data. It’s important that anyone who advertises in Colorado take note because the fine is $20,000 per violation (per user or per transaction), which will add up fast.
The CPA requires the following:
- Privacy Policy provisions for users to understand how their data will be collected and used, as well as how to access or request deletion of this data.
- The ability for users to easily opt out of advertising data collection and targeting, either by opting out on your website directly or via the universal opt-out mechanism.
- Currently, the only provider that has been approved as the Universal Opt-out Mechanism (UOOM) for Colorado is the Global Privacy Control.
Important Dates
Here are the dates you need to be aware of. The CPA is already in effect and opt-outs must be honored. Until July 1, 2025, businesses will be able to comply retroactively.
- July 1, 2023. This is the date the CPA went into effect.
- July 1, 2024. This is the date controllers (businesses) need to honor user-selected universal opt-outs.
- January 1, 2025. The “right to cure” expires on this date. Prior to this date, employers who violate the act will have 60 days to fix the alleged violation (called the “right to cure”).
FAQs for Consumers
What rights do Colorado residents have under the Colorado Privacy Act?
Under the Colorado Privacy Act, Colorado residents now have the right to:
- Know when their data is being collected
- Opt of its sale and use by data collectors
- Access, correct, delete, and download their data
According to the Office of the Colorado Attorney General, the law seeks to “give Coloradans meaningful information about the collection and use of their data, to conduct data protection assessments, and to obtain consent before processing certain sensitive personal data.”
How can Colorado residents opt out under the Colorado Privacy Act?
You can opt out of having your data collected or processed for the purpose of advertising (or the sale of personal data) in three ways:
- Clicking on an opt-out button or denying consent on your website
- Installing a browser extension that passes the opt-out signal with every request
- Using a GPC-enabled browser that passes the opt-out signal with every request
To use the approved UOOM, go to Global Privacy Control — Take Control Of Your Privacy
Click on “Get Started” or scroll down to see the list of browsers and browser extensions that will send the opt-out signal with every request. Install the browser or extension. To verify if your signal is being sent, go back to GPC, and you should see a different banner at the top:
Note that you will have to use this browser or extension to send the signal with all of your internet activity.
For example, if you install the DuckDuckGo Privacy Browser, but still use Chrome or Edge to browse the web, those browsers will not send the GPC opt-out signal.
FAQs for businesses
Which businesses are included in the Colorado Privacy Act?
The CPA applies to entities, including nonprofits, that conduct business in Colorado OR deliver commercial products or services targeted to residents of Colorado; AND either:
- Process the personal data of more than 100,000 individuals in any calendar year; or
- Derive revenue or receive discounts on goods or services in exchange for the sale of personal data of 25,000 or more individuals.
These entities are defined as data controllers. A controller is an entity that determines the purpose for and means of collecting and processing personal data.
So, if you run a website and control what tags, code and tracking are installed, you are a controller.
The law also applies to service providers, contractors, and vendors that manage, maintain, or provide services relating to the data on behalf of these companies. These entities are defined as data processors.
Processors, who also need to follow this legislation, are entities that maintain and process consumer personal data on behalf of a controller. This can include cloud storage providers and advertisers like Google.
There are some exclusions to the CPA. These entities include:
- Financial institutions and affiliates subject to the Gramm-Leach-Bliley Act;
- Air carriers subject to Federal Aviation Administration regulation; and
- National securities associations registered under the Securities Exchange Act.
The CPA also does not apply to certain types of personal data maintained in compliance with specific federal privacy laws, such the Health Insurance Portability and Accountability Act and the Fair Credit Reporting Act, or for certain governmental purposes.
What are the Colorado Privacy Act’s requirements for businesses?
Under the Colorado Privacy Act, controllers must do the following:
- Ask your legal team to review your site’s privacy policy and ensure that it meets all of the stated requirements in both contents and accessibility.
- Set up an opt-out page or mechanism on your site, and ensure that your tracking respects this. If a user has opted-out, you cannot have ads-related tags firing during their session, or collect their data for the purpose of profiling or sales.
- Update your website and tags to capture and respect opt-out signals obtained from the Global Privacy Control browser extension or privacy-enabled browser.
What are the penalties for non-compliance under the Colorado Privacy Act?
After a drafting and feedback process, the final rules for the CPA were published on March 15, 2023. You can see the full list here.
The CPA imposes a heavier fine than other, similar acts. Every act of nonconsensual data processing counts as an offense, and each offense incurs a fine of $20,000. That could quickly add up to the cap of $500,000.
However, until January 1, 2025, if the Colorado Attorney General determines that the noncompliance can be remedied, the controller or processor has 60 days to remedy it. This remedy requirement only lasts until 2025.
It’s worth noting that there is no individual right to sue for remedy; all complaints must be handled by the attorney general. Some have suggested that this will reduce the likelihood of enforcement. But with such high penalties, we’re encouraging all of our clients to take the CPA seriously and implement the required changes.
A quick guide to Colorado Privacy Act compliance
The Colorado Privacy Act introduces stringent requirements for organizations processing consumer data. To stay compliant, controllers should take the following steps:
- Assess Your Data Practices: Identify gaps in data privacy and information security. Understand where and how consumer data is collected, processed, and stored.
- Update Privacy Policies: Develop or revise privacy policies to align with CPA requirements. Be transparent about data usage and automated decision-making technologies, and inform users of their rights, including opting out of targeted advertising and data sales
- Implement Safeguards: Maintain reasonable measures to protect personal data. Conduct periodic data protection assessments and document them for transparency.
- Obtain and Respect Users’ Consent Preferences: Ensure that your website has a mechanism for opting out and can receive the opt-out signal from GPC browsers and apply preferences to tagging.
Remember, early action is crucial. If you’re unsure or want to take action, consider reaching out to Session Interactive! Compliance is an ongoing effort, but it’s essential for building trust with consumers and avoiding penalties.
FAQs for compliance
Have companies like Google and Facebook updated their tagging and data processing options for the Colorado Privacy Act?
Yes, some have, and we expect to see more tools with privacy and compliance features included in their tag templates and settings in the near future.
Right now, only Google and Facebook have available tag configurations to help controllers stay compliant with their data collection and processors be compliant in their usage of data. In the tag templates for each in Google Tag Manager (GTM), there is a setting to allow for “restricted data processing” or “limited data use”, which should be set to True or clicked to enable.
Google Ads
GPC Opt-Out Signal
Additionally, in the tools’ consoles, there is another setting to enable restricted data processing if the GPC opt-out signal has been received.
Since these tools are used widely across the web, this allows for the advertiser to receive the opt-out signal from other websites and apply the processing implications to data for the same user on your site.
- For Google products, see this page for guidance
- For steps to take for Google Ads tags, see this page:
- For Facebook/Meta Business, see this page
HubSpot
Hubspot is also now offering a feature to request for the user’s consent and turn off any non-essential cookies if the consent is not given.
So far, we haven’t seen many other tools having an answer to this legislation. This is due to the relative newness of the law, as well as controllers ultimately needing to control their tags themselves.
Does my website need Consent Mode or a Consent Management Platform (CMP)?
Not exactly. The CPA does not mandate full consent mode, which would include a banner that asks users to accept or deny cookies and configuring all tags to check for the appropriate consent before firing. However, you still need to ensure that your website can detect and respect opt-outs, which necessitates some degree of consent management.
The CPA requires controllers to get affirmative consent from consumers prior to
- Collecting and processing sensitive data,
- Processing personal data for reasons other than those specified when the data was collected, or
- Selling or processing personal data for targeted advertising after a consumer has opted out of such uses.
Such consent must be affirmative, freely given, specific, informed, and unambiguous. Acceptance of broad terms of service, hovering over, pausing, or otherwise interacting with content generally, and agreement obtained through deceptive webpage design is not considered consent under the CPA.
How can I ensure compliance with Consent Mode?
There are two broad steps, asking for consent and applying consent.
Asking for consent
The first step is to ask for consent (typically in a pop-up banner), obtaining the user’s preference, and saving that preference. This can be done through a custom configuration, but more commonly (and much more reliably), it is done through a Consent Management Platform (CMP).
A CMP (such as OneTrust or Cookiebot) is a tool that is applied site-wide and pops up a consent banner on a user’s first visit to the site.
The tool may give options in which a user can consent to just one or more of the consent types, or it may simply be an all-or-nothing choice. The banner may either be supplied by the CMP or custom designed by the website to fit better with branding.
CMPs are the most robust (and possibly the most expensive) option, but also the most reliable way to stay compliant and avoid fines.
The alternative option that is still compliant is to set up your own opt-out page and customize your site code and all of your tags to respect the GCP opt-out signal.
Applying consent options
GTM’s Consent Mode has been available for several years now and it provides mechanisms for consent requirements on every tag loaded by GTM. Each tag can be set to require a certain type or types of consent, which depend on the purpose of the tag.
These are the built-in consent types in GTM:
- ad_storage: allows for the collection and storage of data necessary for delivering personalized ads based on user actions.
- ad_personalization: user data will be used for remarketing
- ad_user_data: user’s personal data (such as email or phone number) being used for advertising customization and optimization
- analytics_storage: relates to the collection and storage of data for analytics (think page views and event tracking), enabling websites to analyze user behavior and enhance user experience.
In each tag (or you can apply settings in bulk through the Consent Overview icon),
- Go into the Advanced section, and
- Select which type of consent is required for the tag.
Once obtained, consent status is available on every page, and the tags will check to confirm whether it has the required consent before firing or dropping a cookie. See this page for more details.
When consent settings are applied to tags, and the user denies consent, tags may still fire, but they will not store cookies. Instead, they send cookieless pings to collect minimal data, including the consent state and analytics pings for page loads and events. With Consent Mode v2, the behaviors of users who do not consent will still be modeled. See this page for more details
What is my best option for website compliance under the Colorado Privacy Act?
Trying to decide how to act on the CPA? Here’s a breakdown of pros and cons to each strategy:
Option | Pros | Cons |
Set up your own opt-out page and tracking configurations | Could be cheaper than a CMP Likely to collect more data because the opt-out mechanism isn’t presented immediately to all users upon landing (but it must still be easy to find). | Could be more expensive if you don’t have the right expertise on your team to set this up correctly. Custom solutions will need to be updated as this legislation evolves and other opt-out mechanisms are approved. |
Purchase and install a CMP on your site | This is a robust and complete solution to ensure your compliance with all state laws and other countries’ privacy laws. Easy to install and update tag configurations in GTM. CMP will stay up to date on compliance and receiving opt-out signals, as long as you enable updates. | Cost: ongoing cost of CMP and initial cost of designing consent banner. CMP costs are typically a monthly fee per domain, depending on the amount of traffic or pages. Typically around $10-$60 per month per domain, but some tools may be free for smaller sites. Potential for data loss due to making it easier for users to opt-out of all or some tracking. |
Do nothing | Cheapest, easiest option. Only recommended for sites that do not get close to 100,000 Colorado-based users in a calendar year, and don’t sell the data of 25,000 or more Coloradans. | If the law is applicable to your site, violations can be extremely costly. The fine is $20,000 per user or per transaction, so that can add up fast! The 60-day grace period to remedy any issues that are identified by the CO government ends by Jan 1 2025, so violators may not have a chance to remedy before facing fines or legal action. |
Get compliant with Session Interactive
Want an expert eye on your compliance? Our analytics experts can help install a CMP or an on-site opt-out mechanism.
Here’s what we offer:
- Calls to discuss your tech stack, needs, and our ongoing progress
- Guidance for CMPs
- An opt-out mechanism or CMP install
- GTM consent settings applied to all tags
- Testing and verification
Talk with a tracking specialist today to learn how to get and stay compliant with the CPA.
Resources
Want to learn more about the CPA? Here are four resources to provide you with more information: