A Legal Guide to PRIVACY AND DATA SECURITY 2025

If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller must clearly and conspicuously disclose the sale or processing, as well as the manner in which a consumer may exercise the right to opt out of the sale or processing.

It is important to note that the CPA uses a heightened “consent” standard that is similar to the standard used by the CPRA. “Consent” under the CPA means “a clear, affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement, such as by a written statement, including by electronic means, or other clear, affirmative action by which the consumer signifies agreement to the processing of personal data.” The CPA states that the following does not constitute “consent”: (a) acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information; (b) hovering over, muting, pausing, or closing a given piece of content; and (c) agreement obtained through dark patterns (a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice).

Similar to the VCDPA and to the CCPA (other than in the context of data breaches), the CPA does not create a private right of action. Enforcement is exclusively with the Attorney General and District Attorneys. A violation of the CPA is considered a deceptive trade practice under the Colorado Consumer Protection Act. Until January 1, 2025, prior to any enforcement of the CPA, controllers must be given a 60-day cure period (where a cure is deemed possible by the Attorney General or District Attorney). The CCPA and the VCDPA also provide for cure periods, though those are not set to sunset as is provided under the CPA.
