The Colorado State Attorney General has issued an update indicating that the Colorado Department of Law has chosen the Global Privacy Control (GPC) browser signal as the first Universal Opt-Out Mechanism (UOOM) that is approved and must be implemented for compliance with the Colorado Privacy Act.
While there were a number of other submissions, the approval is not surprising. The California State Attorney General and the new California Privacy Protection Agency had already suggested that compliance with the GPC signal was mandatory under the CCPA, and it would make sense for Colorado to at least allow that as one possibility for uniformity. Plus, the GPC signal seems generally more widely available to consumers, either directly through browsers or through browser extensions. Nevertheless, the Colorado Privacy Act does require in Rule 5.07 that the list be updated periodically, and the Colorado State AG left the door open for additional or different UOOMs in the future, leaving browser manufacturers and website operators with a little uncertainty.
Impact to Businesses
For businesses that are subject to the Colorado Privacy Act, compliance with the GPC signal is required by July 1, 2024. These businesses should begin to work with their website developers to recognize and comply with the signal as soon as possible, as some website updates may take some significant effort and require the adoption of a cookie consent manager that recognizes the signal. For websites that have already been updated to comply with the CCPA, this may be a smaller lift to ensure that the signal is recognized and effective as an opt-out mechanism in Colorado and not just California to comply with CCPA. More information on the decision and compliance with the GPC signal in Colorado can be found at https://coag.gov/uoom/.