• by Wendy Davis , Staff Writer @wendyndavis, July 8, 2021

Colorado Governor Jared Polis has signed into law a privacy bill that will require companies to honor people's requests to opt out of targeted advertising -- including requests that consumers make through browser settings or other global mechanisms.

With the move, Colorado is joining California, Virginia and Maine in requiring companies to allow state residents to wield more control over ad personalization.

Colorado's "Protect Personal Data Privacy" (SB 21-190), signed Wednesday and slated to take effect in July of 2023, obligates companies to allow state residents opt out of the processing of their personal data for ad targeting.

Personal data includes information that's “linked or reasonably linkable” to identified or identifiable individuals -- which covers a great deal of data used for personalized ads.

The Colorado law also will require companies to obtain people's express consent before processing sensitive data -- including information that reveals race, ethnicity, religious beliefs, health conditions, citizenship status and sexual orientation.

Targeted ads are defined as ads based on personal data obtained or inferred from consumers' activities across non-affiliated sites, applications and services.

The definition excludes ads based on people's activity “within a controller's own websites or online applications.” That exemption appears to allow some of the largest companies that own different brands to target ads based on people's behavior across multiple sites.

While the state laws are relatively new, the idea that consumers should be able to reject online targeted advertising is hardly groundbreaking. Consider that for around 20 years, the online ad industry's self-regulatory codes have required companies to let people reject personalized advertising.

For most of that time, the U.S. ad industry largely fended off legislation by pointing to its self-regulatory codes.

The situation changed recently, after revelations about data harvesting by the defunct political consultancy Cambridge Analytica came to light.

In 2018, California became the first state in the country to pass a comprehensive privacy bill that allows consumers to opt out of the sale or transfer of their personal data.

That same year, Maine passed a privacy bill that's less sweeping than the one in California, but more restrictive. That measure, which faces a court challenge, requires broadband providers to obtain consumers' opt-in consent before drawing on their web activity for ad targeting.

Since then, lawmakers in Colorado and the California attorney general have gone further than simply requiring companies to allow consumers to choose whether to receive personalized ads.

Specifically, both states are requiring companies to honor global opt-out requests that consumers send via “user-enabled” controls, including browser settings or other mechanisms. (In Colorado, that portion of the law takes effect in July of 2024.)

Both California and Colorado also now prohibit companies from using “dark patterns” to hinder consumers from opting out of personalized ads.

In California, regulations approved by the attorney general in March prohibit businesses from thwarting opt-out attempts, while the Colorado bill specifically bans companies from using dark patterns -- loosely defined as interfaces designed to subvert users' choices.

The concept of dark patterns is vague, but regulations in California offer some examples. For instance, business in that state can't present consumers with double-negatives, such as “don't not sell my personal information.”

California businesses also can't require consumers who click on a do-not-sell-my-information link to then scroll through a privacy policy to find an opt-out mechanism.