NAI Comments on CPA Proposed Draft Rules
November 7, 2022
The Hon. Philip J. Weiser
Colorado Department of Law
Ralph L. Carr Judicial Building
1300 Broadway, 10th Floor
Denver, CO 80203
Dear Attorney General Weiser,
On behalf of the Network Advertising Initiative (“NAI”), thank you for the opportunity to comment in response to the Notice of Proposed Rulemaking for the Colorado Privacy Act (“CPA”), and for the thoughtful and open process for developing CPA implementing regulations. Following an initial review of the Notice and proposed draft rules, we offer the following initial comments to inform the upcoming stakeholder sessions, and we look forward to the opportunity to submit more detailed comments following further discussions and consideration.
I. Part 5 – Universal Opt-Out Mechanism (UOOM)
Enabling consumers to express their preferences through easy-to-use choice mechanisms is a foundational element of tailored advertising that the NAI has championed for decades. The NAI appreciates the thoughtful and detailed approach this section takes to implement the statutory requirements to ensure that intermediaries do not unfairly disadvantage Processors, and to ensure that UOOMs represent a consumer’s affirmative choice. Following are key areas where we believe that the proposed draft rules could be amended to further enable UOOMs to provide a valuable tool for both consumers and businesses alike.
- 5.04(B) – This section establishes that a tool that is “marketed prominently as privacy protective” can by default send a UOOM on behalf of a consumer as long as the consumer proactively chooses such a tool, rather than using it pre-installed on a device. The NAI appreciates the recognition in the proposed draft rules that pre-installed tools sending UOOM signals would not qualify as a consumer’s “affirmative, freely given, and unambiguous choice to opt out of the processing of personal data,” established by the statute.1 To that end, we do not believe that a consumer’s choice of a product based on an element of that product’s marketing can effectively demonstrate their unambiguous choice. Products are often marketed for a wide range of purposes, including but not limited to privacy features. A consumer might select a product that is marketed as “privacy friendly” for another reason, such as another set of resources that product provides, rather than signifying a choice regarding their privacy preferences. While we understand the objective of enabling software and technology tools to compete on privacy, there is no clear means to substantiate a claim that a product is sufficiently marketed as “privacy friendly,” or that such marketing is the reason a consumer chooses that product. We therefore propose that the regulations maintain a consistent requirement that a consumer need activate a UOOM on any tool, preinstalled or otherwise.
- 5.06(A)(2) – This section specifies that a UOOM “may operate through a means other than by sending an opt-out signal, for example by maintaining a ‘do not sell’ list.” The NAI appreciates this thoughtful approach and thinks that it could provide for a practical opportunity for both consumers and businesses if administered as a voluntary approach. For instance, the NAI currently maintains a voluntary opt-out mechanism that operates in this way for companies, providing a list of users who have chosen to opt out of Tailored Advertising based on their email addresses. While our current mechanism was not created to be associated with the CPA’s legal requirements, or any other legal requirements for that matter, it could present an opportunity for a voluntary list to align with these requirements in the future. However, this provision is ambiguous as currently drafted and would need to practically provide for proper oversight and approval by the Colorado Department of Law (DOL) of such a list, with similar opportunities for stakeholder input and safeguards to ensure that it is administered fairly. On the contrary, if there were multiple lists, and any such list that is not clear to a consumer what they are opting in to, this could present an uninformed scenario for consumers, and it could also present operational questions and legal uncertainty for businesses. Again, the NAI appreciates this thoughtful approach, and we will further consider and submit more detailed recommendations to incentivize companies to recognize a list without unduly adding liability for an approach that is fragmented.
- 5.07(D) – This section establishes a set of criteria for the DOL to consider when determining which UOOM to recognize. The NAI supports this provision and the factors listed in (D)(1)-(3). However, we believe it would also be useful to explicitly recognize the role of stakeholder input into this process by adding another factor that recognizes the value of stakeholder input on an ongoing basis. This is a particularly valuable component, as administration of UOOMs within devices is not likely to remain static. Instead, these may be offered in a certain way initially, then changed and deployed differently at a later date. It is imperative to have the DOL periodically review UOOMs and their administration, and to take input from stakeholders as a key component of this process. We therefore recommend that the proposed draft rules are amended to provide for ongoing review and stakeholder engagement.
- 5.08(A)(2) – This section establishes a requirement for a Controller to continue honoring opt-out rights on a device or browser unless or until overridden by the consumer. However, as drafted this provision is likely to present an impractical requirement on businesses to honor a signal after it is no longer transmitted. For example, in the event that a Controller receives an opt-out signal from a UOOM, and then the browser or device is updated and no longer transmits a signal, or if a consumer actively disables the signal intentionally, the Controller is not likely to recognize whether they should continue to apply an opt-out. While it is reasonable to establish that the discontinuation of a UOOM does not equal consent, after a UOOM signal ceases to be transmitted, a Controller should no longer be expected to recognize an opt-out preference for that user, device, or browser unless it was previously associated with a specific known consumer as a valid opt-out preference.
II. Part 7 – Consent
Closely associated with the objectives discussed above to ensure that UOOMs provide a valuable choice mechanism for both consumers and businesses, it is essential for Processors to retain the ability to provide clear and meaningful disclosures about the collection, sharing and uses of the data for advertising and marketing purposes in conjunction with obtaining a user’s consent. We recommend the following amendments in this section to clarify the draft rules for obtaining consent.
- 7.05 – This section establishes rules for instances where a Controller may seek a consumer’s consent, or an explicit opt-in for processing data for that opted-out purpose. This is an essential element of the regulations, but it does not effectively contemplate circumstances where a Controller may have already received a consumer’s opt-in for that processing activity, and therefore would reasonably need to inform the consumer that the opt-out, such as a signal from a UOOM, is in conflict with their previous opt-in choice. Many web and app publishers currently seek consumer consent to process their data for advertising and marketing purposes, and therefore conflicting signals are likely to be common. It is essential that Controllers have the opportunity to efficiently inform their customers and reconcile conflicting preference choices should they arise. This is handled effectively in the draft regulations implementing the California Privacy Rights Act (CPRA),2 and we request that you adopt a similar approach that explicitly recognizes situations where consumers have previously consented to the selling or sharing of their personal data, or to receive Targeted Advertising.
- Related to the above recommendation, the NAI notes that the prohibition in 7.05(B)(1) provides that a Controller may not use a pop-up window to seek consent after receiving an opt-out signal. In the case highlighted above, it would be reasonable for a Controller to deploy a just-in-time notice, most likely through the use of a pop-up window, as long as that notice does not substantially block the content of the website or unreasonably degrade the user’s experience, or of course deceive the user into making a decision they would not otherwise make. In such cases, the proposed draft rules’ prohibition on the use of dark patterns could apply effectively. We therefore further recommend that the proposed draft rules be amended to enable the use of reasonably-deployed just-in-time notices, often deployed through a concise interstitial or pop-up notification.
Again, thank you for providing a thorough and open process for developing implementing regulations for the CPA. The NAI is grateful for this opportunity to comment on the proposed draft rules, and we would be happy to participate in the upcoming stakeholder sessions on November 10, and November 17, regarding UOOMs and consent respectively. We also look forward to further review of the proposed draft rules and submitting additional comments in advance of the deadline.
Vice President, Public Policy
Network Advertising Initiative (NAI)
1 COLO. REV. STAT. § 6-1-1312(2) (2022).
2 CAL. CODE REGS. tit. 11, § 7025(c)(3) (proposed).