States have recently taken important steps toward implementing so-called “Universal Opt-Out Mechanisms” (“UOOMs”), which will provide consumers with a method for automatically exercising privacy rights. UOOMs, sometimes referred to as opt-out preference signals, are user-enabled features, typically within the user’s browser or through a browser add-on, that send a signal to each website the user visits to communicate the user’s preference to opt out of certain targeted advertising (and potentially other uses of data discussed below). Several states have adopted a requirement to honor UOOMs as part of their “comprehensive” privacy law. New Jersey, which has recently enacted a comprehensive privacy law, includes a UOOM requirement that, unique among state legislation, would extend the right to opt out through UOOMs to include opting out of the use of automated decisionmaking technologies. Businesses may struggle to implement technical solutions for responding to UOOMs, particularly if the specifications for UOOMs vary between states. Businesses should work with their IT teams or website providers to ensure they have developed solutions to comply, if they have not done so already.
Continue Reading States Move Forward with Automated Privacy Opt-Out Signals; Colorado Approves First Universal Opt-Out Mechanism
As 2021 comes to a close, it is a great time to take stock of the present state of affairs with respect to U.S. privacy laws. With the relatively recent passage of comprehensive privacy laws in California, additional countries adopting laws that closely follow the principles of the EU’s General Data Protection Regulation (GDPR), and increasing public concerns regarding how companies manage customers’ personal data, legal practitioners entered 2021 with high hopes that comprehensive federal privacy legislation might finally be on the horizon. Nevertheless, in a trend that is likely to continue in the year ahead, it was the states rather than the federal legislature that successfully added to the ranks of privacy laws with which businesses will soon need to comply.
Continue Reading Momentum Builds for State Privacy Laws but the Possibility of a Federal Law Remains Remote
On July 8, 2021, Colorado Governor Jared Polis signed into law the Colorado Privacy Act (the “Colorado Law”), a comprehensive privacy law that will take effect on July 1, 2023. Colorado is the third U.S. state to pass a comprehensive privacy law, following California (the CCPA, as modified by the CPRA) and Virginia (the CDPA).
The Colorado Law generally resembles both the California and Virginia privacy laws, but more closely tracks the Virginia CDPA in terms of structure, approach, and language. The Colorado Law also contains some notable deviations from either law, including novel provisions regarding a mandatory universal opt-out mechanism for targeted advertising or sales of personal data.
Continue Reading Colorado Privacy Law Signed Into Law