Colorado Posts Public Comments to CPA Draft Rules

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

UNITED STATES

Colorado Posts Public Comments to CPA Draft Rules

Comments submitted by various organizations in response to the proposed draft rules under the Colorado Privacy Act have been made publicly available on the Colorado Attorney General website.

Among other commentators, the Network Advertising Initiative submitted recommendations regarding Universal Opt-Out Mechanisms and Consent, including a recommendation that Controllers have the opportunity to reconcile conflicts between Universal Opt-out Mechanism (UOOM) Signals and local preferences selected by the user directly with the Controller—a capability permitted under the latest version of the California draft regulations.

Conversely, comments from Consumer Reports argue that opt-out rights should never be overridden by a consumer’s subsequent election to opt in to a product or service, such as a loyalty program, emphasizing that selling data or engaging in cross-site targeted advertising is unnecessary to operate a loyalty program. 

Several organizations also commented on rules allowing for UOOMs in non-signal formats, such as lists. Future of Privacy Forum, for example, pointed out the complexity of authenticating individuals in a list across different technologies.

NEXT STEPS

The first of three stakeholder meetings was held November 10, with two additional meetings scheduled for November 15 and November 17, which will give organizations further opportunity for public comment. A hearing on the proposed rules will then be held February 1.   

EUROPE

Irish DPC Submits Draft Decision in Case Against Yahoo!

The Data Protection Commission (DPC) in Ireland announced that it has submitted to other concerned supervisory authorities in the EU a draft decision regarding Yahoo!’s compliance with transparency requirements under GDPR. Concerned supervisory authorities will have until November 24 to object to the decision before it can be finalized. Details of the decision have not been made public.

WHY IT MATTERS

The DPC inquiry into Yahoo!’s practices under GDPR has been a multi-year process, beginning in 2019. At the time, the Irish Data Protection Commissioner told reporters that her office had received over 38 complaints redirected from other EU data protection authorities, some of which related to giving no option other than to click okay in cookie banners. Over the past two months, the Irish DPC has also submitted draft decisions regarding inquiries into TikTok and Meta. 

Danish DPA Criticizes JP/PolitikEN Consent Solution

The Danish Data Protection Authority released a decision criticizing the JP/Politiken website www.eb.dk based on findings by its inspectorate that the consent solution on the site was not sufficiently informed to comply with the DPA’s rules. Specifically, the first layer of the consent solution gave users three options: Necessary Only, Customize Settings, and Accept All, with information about all processing purposes only available in the second layer after a user clicked “Customize Settings”. The supervisory authority found that this solution did not give informed consent as visitors who clicked “Accept All” did not receive information about all processing purposes. 

WHY IT MATTERS

The inquiry was conducted in accordance with the Danish Data Protection Authority’s special focus on “processing of personal data about website visitors (cookies)” announced in 2021, among other areas of focus.  

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.