Business/Technology Reporter
Quick links: How to opt-out for consumers | How to comply tips for business | Not just Colorado | Retirement poll results | DenAI is coming
Websites that interact with Colorado residents have been required to give visitors a choice that often looks like this:
“Do not sell or share my personal information”
or
“OK” (which could mean, yes, sell it and tell the world!)
But consumers may start seeing fewer of these messages starting Monday because of a law that kicks in to make a user’s default privacy settings well known to websites. There’s action needed by consumers, as well as by companies to get their websites in compliance.
The message stems from the Colorado Privacy Act, which passed in 2021, and has been in effect for the past year. The law gives Colorado consumers more control of their personal data that companies may have collected or are still collecting. This includes the right to:
The law is already a year old but one last part comes due July 1, 2024.
By Monday, websites that attract Colorado visitors must be able to detect a visitor’s privacy preferences using a tool created by Global Privacy Control, which the Colorado Attorney General’s Office approved after a public comment period. GPC is a consortium of universities, tech firms, consumer advocates and media companies, including The New York Times. More tools could be approved but for now, this is the only one.
The point behind this so-called Universal Opt-Out Mechanism, or UOOM, is that it’s annoying for consumers to have to configure privacy settings for every site. They only need to do it once, thanks to the GPC standard.
“When your browser is configured to set GPC, every single website you go to includes the instruction, ‘Don’t sell my data’ or ‘Don’t share my data.’ It’s like a little flag that the website has to go look for” and respond, said Justin Brookman, director of technology policy at Consumer Reports as well as editor of the GPC spec. “It’s like wearing a T-shirt that says, ‘Don’t hug me,’ and walking around the public so everyone can see it and make choices about whether to hug you or not.”
What consumers need to do
For this to work, consumers must use a tool that talks to GPC. Those are plentiful and free.
Internet browsers like Firefox, DuckDuckGo and Brave have the no-sharing-data options built in, with the latter two turned on by default. For Firefox, you’ll need to add a checkmark next to the the privacy preference, as seen in the image below (find it by pressing the menu button in the browser’s upper right, then Settings and then Privacy & Security):
Chrome users can add a browser extension, like the Electronic Frontier Foundation’s Privacy Badger or OptMeowt, from the Wesleyan University math department’s Privacy-Tech-Lab.
Several options are also mentioned on GPC’s site — at globalprivacycontrol.org/orgs — that would help businesses honor GPC and maintain consumer privacy options.
Some of the privacy tools go a step further by configuring which cookies or ads to allow or block per site.
Here’s an example of what my Privacy Badger within the Chrome browser looks like on the Colorado AG’s page about the opt-out options. There are four potential trackers, plus three other cookies that don’t appear to be tracking users.
When a consumer rejects all cookies, some sites do warn that this could break the website’s experience and log users out of accounts so they have to always log back in.
But rejecting all doesn’t always mean all cookies are rejected. It’s more like “reject most,” said Brookman, who almost always hits the “reject all” option.
“They largely reserve the right to set cookies that they call functional cookies or basic operational cookies to remember who you are from page to page,” he said. “These days, very little breaks when you reject all. But a lot of sites don’t offer that option to you. They’re not legally required to offer that in the United States. European law kind of requires it and a lot of companies do it in Europe and are starting to do it more in America. But it’s also kind of annoying and that’s why universal controls are better.”
What do businesses need to do?
If your company has someone running IT, getting into compliance should be relatively easy. GPC offers instructions complete with the code to drop into a site. It’s also free. Essentially, website owners add a folder to the base level of their site and call it “.well-known” and drop in a text file that indicates GPC is true and the date, like this (page 4 of the guide):
Adding this sends the machine-readable signal to the outside world that the site respects GPC, said Sebastian Zimmeck, an assistant professor at Wesleyan University’s Mathematics and Computer Science Department and worked with students on OptMeowt. He also cofounded Global Privacy Control and cowrote the implementation manual.
But not all sites recognize this well-known option. Zimmeck shared the spec on how to add it to a site’s header (section 3.3 of the spec) or the more popular JavaScript option (section 3.4) so the server hosting the website would look for the request and act on it. The code to add to the server side is on GPC’s spec interaction page under “Server-side detection.”
“Speaking more generally, the technical implementation of GPC is easy,” Zimmeck said in an email exchange with The Colorado Sun. “The more difficult question for site owners to answer is their business model. If they are reliant on personalized ads based on tracking people, they would need to rethink their practice and come up with new ideas (e.g., do general ads without tracking, use new mechanisms like Google’s Topics API etc.).”
Consent Management Providers
There are services to help companies comply with state privacy policies and the European one, called GDPR, short for General Data Protection Regulation. Those are called Consent Management Providers, or CMPs, and include companies like OneTrust, WireWheel, Complianz, Didomi, SourcePoint and TrustArc.
“CMPs essentially give site owners a piece of code that they put on their website to make them compliant with privacy laws. Once they put this code on their website, they can access a CMP dashboard where they can turn on GPC and make other privacy settings,” Zimmeck said. “For example, WireWheel is a CMP and they provide instructions.”
Colorado is only the second state to require universal opt-out, though a number of states have passed privacy laws that are not yet in effect. A plethora of state privacy policies can make it challenging for companies that do business in multiple states. That’s where a CMP can help businesses control what visitors from multiple states see, said Brookman, with Consumer Reports.
“Some companies have said we’re going to follow the heart of the strictest law, like Microsoft. But a lot of these tools do offer granularity. So, like for California, you can do X, Y and Z but for other states, you can do different things. You can pick the state that you want to honor GPC in,” he said. “But most companies that have to comply with the Colorado law will already have had to be in compliance with the California law and should know what they’re supposed to be doing. The laws are slightly different, but the general gist is the same: People have the right to turn off on a universal basis, sharing of targeted ads.”
Add a privacy policy
As for privacy policies, there are a lot of examples online — GPC links to The New York Times. Companies should probably get them vetted by a lawyer. But for smaller companies with fewer resources, Zimmeck suggested low-cost policy generator iubenda, “which is sort of the main solution in that space.”
He’s also been working with his students on PrivacyFlash Pro, “a minor hit in the iOS developer community,” he added. “Basically, PrivacyFlash Pro is a computer program that takes (a) developer’s iOS app and from the code of the app generates a privacy policy that developers can use as a starting point and further modify it.”
Follow the rest of the law or face fines of up to $50,000
Not all companies are required to abide by the new law. It applies to businesses that process data (i.e., use, sell, store, delete or modify personal information linked to a consumer) of 100,000 Colorado residents or more, or receive revenues from personal data of 25,000 or more people. It doesn’t apply to the personal data of employees or job applicants.
Colorado AG Phil Weiser has told What’s Working that companies found in violation have 60 days to fix the issue, but his office is working with companies to make compliance easier, with a grace period at least through January. Under a separate law, the Colorado Consumer Protection Act, the AG could seek penalties of $20,000 per violation and $50,000 if the victim is an elderly person.
“And for those businesses who make honest mistakes, we will work to enable them to comply with the law,” Weiser said previously. “(While) for those willfully violating the law, we will work to enforce it vigorously.”
Not just Colorado
California led the U.S. with the first consumer privacy laws when it passed the Consumer Privacy Act of 2018. It provides consumers the same rights as what Colorado’s law does today. California’s AG began enforcement after the law went into effect in 2020. Beauty product seller Sephora was one of the first to get socked with violating CCPA and in 2022 agreed to pay $1.2 million to settle the case.
Besides Colorado, several other states have passed consumer privacy protection laws that require universal opt-out tools, including Texas, Connecticut, Montana, Oregon, Delaware and New Jersey, according to the Future of Privacy Forum. At least five others — Virginia, Utah, Iowa, Tennessee and Indiana — don’t require a UOOM tool but still have passed laws.
“Colorado’s privacy law went into effect in the middle of last year (and) there’s like 15 other states now that have similar opt-out provisions,” Brookman said. Without a UOOM, “very few people take advantage of this because they’re really hard to use. As a consumer, you don’t want to have to go to the bottom of every single page, find the privacy controls and click it.”
Consumer advocates like Danny Katz, executive director of CoPIRG, a consumer advocacy organization, advises consumers to reject all cookies “because more often than not, there is information being gathered that you don’t know is being gathered or is going to be used for purposes that don’t relate to the services on the website that you’re on.”
But ultimately, he hopes companies change their ways when it comes to using or abusing consumer data.
“So many business practices rely on the collection of consumer data and using consumer data,” Katz said. “And yes, if this is truly protecting our data then there will be an impact on business models moving forward. I think that’s a good thing for consumers because it means that increasingly, you’ll have to opt in if you want companies to have and use information about you. Most people would agree that we should be able to choose if you want this information shared or not.”
➔ View the GPC guide: How to implement Global Privacy Control for publishers
➔ Have questions? CoPIRG is having a joint webinar with Weiser on Monday to help consumers better understand the tools and what’s at stake. Log in at this link at noon Monday. >> AG/CoPIRG webinar (ID: 97709700791; Password: 0UuFZ9w&)
Sun economy stories you may have missed
➔ Kansas forced Colorado to stop irrigating 25,000 acres of farmland. Was it too soon to put them in the same room? Farmers’ water wounds still fresh as senators convene gathering near the Republican River Basin >> Read story
➔ This former dumping ground in Nederland is being turned into an eco-friendly nature center. Wild Bear Nature Center — a nearly 30-year-old nonprofit — will open an eco-friendly nature center by fall next year as a place where people can “rewild” >> Read story
➔ Xcel says it needs $1.9 billion to prevent future wildfires as it faces nearly 300 lawsuits over Marshall fire. The utility filed its wildfire mitigation plan with Colorado regulators on Thursday >> Read story
➔ Most Colorado oil and gas wells do not generate enough cash to ensure they will be cleaned up, study says. Only a handful of basins in the state have wells profitable enough to cover the cost of remediation, leaving 27,000 wells at risk, a Carbon Tracker analysis finds. >> Read story
➔ $75 million in federal funds flow into Colorado Springs to expand computer chip manufacturing. Entegris, which makes cases for silicon chips, picked the city because of CHIPS Act incentives. >> Read story
➔ Colorado resort communities want more focus on residents, less emphasis on tourism, survey shows. Residents, part-timers and second homeowners in Eagle, Grand, Pitkin, Routt and Summit counties see their quality of life in decline and view their communities as overcrowded with “too many visitors” >> Read story
Got some economic news or business bits Coloradans should know? Tell us: cosun.co/heyww
Get smarter and get What’s Working: Sign up for the free newsletter!
Poll results: How folks plan to retire
A recent column about the state’s retirement plan for workers who don’t have one also offered a reader poll asking “Are you ready to retire?”
The vast majority, at 76.7% out of 116 responses, said yes, they are financially ready! Or they’re already retired so there could be mixed feelings there. That makes sense since the main topic of these weekly economic stories attract readers with an interest in money, jobs and the economy so readers have been preparing for this.
While reader polls are mostly for fun and help inform future reporting, the rate of those who are prepared for retirement is higher than the national average, according to a variety of reports. Fidelity’s America’s Retirement Score measurement has 48% on track but only 32% on target for saving enough to cover retirement costs. A recent AARP survey found that 1 in 5 adults over 50 has no retirement savings and more than half worry they don’t have enough.
Of course, being retired already doesn’t mean someone was financially ready for it. Health care costs and the plight of Social Security were big concerns. “How long will my body hold up,” asked one person who is in their 70s.
“I’m staying in CO as long as I can, but I’m fully prepared to sell my house and cash out when the time arrives,” said another respondent, who added that they’ve only saved up half of what is traditionally advised for someone in their 60s.
Other results to share: Of those who have a retirement account, 56% have been saving up their whole working life. But 24.1% don’t feel like it’s going to be enough. Another 6.9% say, “All good. I’m rich!”
New poll: Hard to find a job or hire workers?
➔ Please share your experience for this newest poll at cosun.co/wwjolts24
Other working bits
➔ Hot topic of AI to be focus at new Denver event. The city of Denver announced that it’ll convene the first DenAI Summit at the Colorado Convention Center on Sept. 19 to 20. The speaker list is yet to be finalized but Denver Mayor Mike Johnston and the city’s Chief Information Officer Suma Nallapati will be two speakers. “Change brings opportunity for us to find new solutions to problems cities have long struggled to solve,” Johnston said in a news release. “We know that AI can be exactly that type of disruptive change, and we are committed to partnering to harness that innovation for good.” >> DETAILS
➔ Colorado’s unemployment rate rises to 3.8%. That’s up from 3.3% in December. The nation’s is up, too, to 4%. An economist at the state Department of Labor and Employment pointed out that the rates are still relatively low and the U.S. “has only been 4.0% or less in three years since 2000,” said economist Joe Winter. Job growth also continued — 9,800 nonfarm payroll jobs were added — so that helped ease concerns. >> READ
Thanks for sticking with me for this week’s report. We’ll be skipping next week’s edition because of the holiday. Happy July 4th! Remember to check out The Sun’s daily coverage online. As always, share your 2 cents on how the economy is keeping you down or helping you up at cosun.co/heyww. ~ tamara
Miss a column? Catch up:
What’s Working is a Colorado Sun column about surviving in today’s economy. Email tamara@coloradosun.com with stories, tips or questions. Read the archive, ask a question at cosun.co/heyww and don’t miss the next one by signing up at coloradosun.com/getww.
Support this free newsletter and become a Colorado Sun member: coloradosun.com/join
Corrections & Clarifications
Notice something wrong? The Colorado Sun has an ethical responsibility to fix all factual errors. Request a correction by emailing corrections@coloradosun.com.