What the Colorado Privacy Act Means for You

How to exercise your rights under the Colorado Privacy Act

The Colorado Privacy Act gives you some control over how businesses use and share your personal data.

Consumer alerts

Explainer


Updated

Tero Vesalainen | Shutterstock.com

On July 1st 2023, Colorado’s new privacy law went into effect. On July 1st of 2024, the second part of the law – the Global Privacy Control that makes it easier to opt out of data sales – went into effect.

What is the Colorado Privacy Act?

The Colorado Privacy Act is a consumer privacy law designed to help protect some of your personal information if you live in Colorado. It gives you some more control over how businesses use and sell your data. Exercising those rights requires some work on your part. Let’s take a look.

What does the Colorado Privacy Act mean for consumers?

The Colorado Privacy Act grants you several rights regarding your personal information: 

  • Right to Access: You can request a copy of the personal information businesses have collected about you. 
  • Right to Correct: You can request a business correct inaccuracies in the personal data that it has has collected about you.
  • Right to Delete: You can ask businesses to delete your personal information.
  • Right to Opt Out: You can opt out of businesses selling your personal information and or processing your information for targeted advertising.

To access, correct or delete your data, you have to submit requests one at a time to individual companies. That means fully exercising your rights can be a pain. There are likely hundreds of third parties holding your information right now.

However, the Colorado Privacy Act includes an additional important protection. Starting on July 1st, 2024, you will be able to automatically tell websites you don’t want them to sell your personal data by downloading a tool called a universal opt-out mechanism. The new Colorado privacy law makes it illegal for companies to ignore universal opt-out signals.

What is a universal opt-out mechanism and how do I get it?

A universal opt-out mechanism is a piece of technology that helps you automatically opt out of data sales online. Once you’ve downloaded the tool in your browser, the mechanism will broadcast to every site you visit that you don’t want your personal data sold. That way you don’t have to individually contact every website you visit to opt out.

You will, however, need to do a bit of work to get the tool working.

How to use the Global Privacy Control

The Global Privacy Control is currently the most widely recognized version of universal opt-out mechanism. There are a number of tools available that incorporate the Global Privacy Control (GPC).

Find your web browser below for our recommendations of tools that include GPC signals.

Global Privacy Control in Google Chrome

To automatically opt out of data sales on websites while using your Chrome browser, you need to download a special browser extension. You have a couple of options.

  • Our favorite is Privacy Badger made by our friends at Electronic Frontier FoundationYou can download Privacy Badger from the Chrome Web Store here. Once you download it, Privacy Badger will do the rest, and you shouldn’t have to take any more steps. We like this one because it has other privacy tools that will further protect your data built in, and it won’t disrupt your browsing experience.
  • Another good option is DuckDuckGo Privacy Essentials. You can download DuckDuckGo Privacy Essentials from the Chrome Web Store hereIn addition to using the GPC, this extension will change your default browser to DuckDuckGo. DuckDuckGo collects a lot less data about you than Chrome, but some people may not want to make the switch.

Global Privacy Control in Apple Safari

Apple does not currently allow you to download a browser extension onto Safari to automatically opt out of websites selling your personal information. However, Safari does automatically limit third-party cookies and prevent cross-site tracking from third-party content providers for ads.

It’s good that Apple provides a feature to cut down on third-party data collection. However, it would be better if they would also allow browser extensions like Privacy Badger or DuckDuckGo Privacy Essentials that send GPC opt-out signals. 

Universal opt-out mechanisms provide more certain protection. Because of the Colorado Privacy Act, websites are legally required to listen to signals from universal opt-out mechanisms. Apple could change what its feature does tomorrow, but with a law that requires websites to listen to GPC signals, the protections you get are more guaranteed.

Global Privacy Control in Microsoft Edge

To automatically opt out of data sales on websites in Edge you’ll need to download a special browser extension. You have a couple of options:

  • Our favorite is Privacy Badger made by our friends at Electronic Frontier FoundationYou can download Privacy Badger from the Microsoft store here. Once you download it, Privacy Badger should do the rest, and you shouldn’t have to take any more steps. We like this one because it has other privacy tools that will further protect your data built in.
  • Another good option is DuckDuckGo Privacy Essentials. You can download DuckDuckGo Privacy Essentials from the Microsoft store hereDuckDuckGo collects a lot less data about you than Edge, but some people may not want to make the switch.

Global Privacy Control in Mozilla Firefox

Firefox is the only major browser that has a GPC signal built into it automatically, so you don’t have to download any special tools. But you do have to go turn it on.

How to enable GPC on Firefox
  1. Make sure you have a recent version of Firefox. Firefox started carrying the GPC in November 2023. If you haven’t updated your browser since then, do that first.
  2. In FireFox, click the menu button that’s 3 horizontal lines stacked on top of each other
  3. Go to Privacy & Security
  4. Scroll down to “Website Privacy Preferences”
  5. Click “Tell websites not to sell or share my data”
  6. Then close out of your Settings page. The change is saved automatically

The Global Privacy Control isn’t perfect, and it remains to be seen how well this part of the Colorado Privacy Act is enforced. But it’s absolutely worth taking the time to do.

How do I exercise my Colorado privacy law rights?

To exercise your other core rights – accessing, correcting or deleting the data a company has already collected on you – you must submit a request directly to each business. Companies must tell you how to send a request in their privacy policy.

Read: How to read a privacy policy

Where can I find instructions for exercising my rights in a privacy policy?

When looking at a privacy policy, search for a section titled “Your Privacy Rights,” “Your Rights and Choices,” or something similar. Use ctrl+f for the term “privacy”, “rights”, or “opt” to find this information more quickly. In this section, the business should give you instructions for how to access, correct, or delete your personal data. It will typically be a web form or an email address you need to send a request to.

If you run into problems during this process – like an invalid email address, or a web form where Colorado isn’t available in a dropdown menu – make sure to log a complaint with the AG’s office. That way the AG knows which companies need a talking to.

What companies should I request delete my data?

There are lots of companies that likely have your data. The worst actors are shadowy companies called data brokers that specialize in collecting, buying, combining and reselling data that it bundles into profiles about you. They get data from all kinds of places and sell it to practically whomever is looking to buy. They’re terrible for your personal security.

We recommend starting with some of the biggest brokers:

Epsilon

Acxiom

LiveRamp

Oracle

How could the Colorado Privacy Act be better?

The Colorado Privacy Act gives you some rights to ask companies to delete your data and the ability to use a browser tool to automatically opt out of websites’ data sales. That’s good. It’d be even better, however, if less of the work of protecting your privacy was on you.

The best thing for consumers is to change how companies can collect and use data in the first place.

To maximally protect consumers, it should be on companies to only collect the data they need to deliver the service you’re expecting to get. There’s no good reason for your fast food loyalty app to be collecting your location 24/7 or your VR game app to be collecting your social security number. They plain don’t need it.

Companies should also be limited to only using the data they collect for what the consumer is expecting. There’s no good reason for your health app to turn around and sell your prescription information to advertisers or your child’s internet-enabled stuffed animal to be sending transcripts of your child’s conversations to third parties.

This matters for your personal security. The more data that companies collect, and the more companies they sell it to, the more likely it is that your personal information is going to be exposed in a breach or a hack and end up in the wrong hands. This makes it more likely you’ll be the victim of identity theft, financial fraud or hyper-targeted scams.

The Colorado Privacy Act is a great start. But – like all of the state privacy laws on the books – it has room for improvement. Colorado’s law currently earns a C+ grade on our recent scorecard report – co-authored with the Electronic Privacy Information Center (EPIC) – for how well it actually protects consumers.

Every state that has passed a law has the opportunity to make it stronger. Instituting stronger upfront rules on how companies can collect and use data would improve Colorado’s grade – and improve the privacy and security of Coloradans.

We look forward to seeing how Montana continues to strengthen its protections in the future. And in the meantime, folks should take advantage of their new rights.

What else can I do to protect my data?

If you want to ensure that your data is as protected as possible, there are other steps you can take besides relying on your Montana data rights. We’ve got more simple ways you can boost your data security here.

See below for even more tips to put you more in control of your information online.

Topics
Authors

Danny Katz

Executive Director, CoPIRG

Danny has been the director of CoPIRG for over a decade. Danny co-authored a groundbreaking report on the state’s transit, walking and biking needs and is a co-author of the annual “State of Recycling” report. He also helped write a 2016 Denver initiative to create a public matching campaign finance program and led the early effort to eliminate predatory payday loans in Colorado. Danny serves on the Colorado Department of Transportation's (CDOT) Efficiency and Accountability Committee, CDOT's Transit and Rail Advisory Committee, RTD's Reimagine Advisory Committee, the Denver Moves Everyone Think Tank, and the I-70 Collaborative Effort. Danny lobbies federal, state and local elected officials on transportation electrification, multimodal transportation, zero waste, consumer protection and public health issues. He appears frequently in local media outlets and is active in a number of coalitions. He resides in Denver with his family, where he enjoys biking and skiing, the neighborhood food scene and raising chickens.