Colorado AG’s Office Published Proposed Colorado Privacy Act Rules
On Friday, September 30, the Colorado Attorney General’s office published proposed Colorado Privacy Act rules. The Office also announced that it will hold three stakeholder meetings on November 10, 15, and 17, 2022, and a public hearing on February 1, 2023.
The Draft Rules are long and complex and closely aligned with Virginia’s VCDPA and California’s CPRA. That being said, there are significant differences among them including, the handling of sensitive data, and consumer-facing obligations for compliance with multiple state privacy laws. The CPA Draft Rules will likely see additional modifications before it is codified. Below are some of the takeaways from the proposed rules.
Consumer rights state that businesses must:
- Clearly state that they are available to Colorado consumers
- Provide access to all data rights available under CPA
- Opt out of the processing
- Provide a clear explanation of how to exercise consumer rights
- Meet notice requirements
Similar to the EU’s GDPR, consent must reflect a consumer’s clear, affirmative choice, be freely given, be specific and informed, reflect the consumer’s unambiguous agreement and have the ability for consent to be withdrawn. The Draft Rules add new requirements for “refreshing” consent. Businesses must “refresh” sensitive data annually and other data at undefined time periods.
The CPA is not an opt-in law but does require consent for specific use cases:
- Processing sensitive data
- Secondary or additional use of data
- Processing of personal data of minors
Data controllers must avoid using “dark patterns” that confuse or manipulate people providing consent.
A new definition of biometric data was created similar to other state privacy laws requiring controllers to obtain consent for the collection of biometric data.
- “Biometric Data” means Biometric Identifiers that are used or intended to be used, singly or in combination with each other or with other Personal Data, for identification purposes. Unless such data is used for identification purposes, “Biometric Data” does not include (a) a digital or physical photograph, (b) an audio or voice recording, or (c) any data generated from a digital or physical photograph or an audio or video recording.
- “Biometric Identifiers” means data generated by the technological processing, measurement, or analysis of an individual’s biological, physical, or behavioral characteristics, including but not limited to a fingerprint, a voiceprint, eye retinas, irises, facial mapping, facial geometry, facial templates, or other unique biological, physical, or behavioral patterns or characteristics.
Consumer Opt-Out Requests
Clarity and direction on how controllers must receive and respond to consumer opt-out requests have been spelled out and include:
- Providing a method to opt out of personal data processing through a clear and conspicuous link in privacy notices or easily accessible places on websites.
- Links must go directly to the opt-out mechanism.
- Opt-outs must be processed within 15 days of receiving valid opt-out requests
- Providing “reasonable” methods to authenticate a consumer submitting data rights requests.
The privacy notice requirements focus on processing purposes rather than categories of personal information and contain obligations for controllers including:
- Privacy notices must clearly indicate which data subject rights are available to Colorado residents.
- Disclosing the “express purposes” for each type of personal data collected and processed, providing consumers with a “meaningful understanding of how their personal data is used and why their personal data is reasonably necessary for the processing purpose.”
- Adhering to the principles of purpose specification and data minimization.
- Purposes must be documented
- Personal data that allows identification of consumers should be kept only so long as necessary, adequate or relevant to the specified, express purposes.
- Processing of personal data for a purpose that is not reasonably necessary or compatible with the purpose(s) stated at the time of collection requires consumer consent.
- Notifying consumers of material changes to the privacy notice 15 days before the change goes into effect.
Extensive disclosure requirements were created around bona fide loyalty programs that provide discounts, rewards or “other actual value” to consumers.
- Controllers may not increase the cost of or decrease the availability of a product or service based solely on a Consumer’s exercise of a Data Right
- Controller is no longer obligated to provide that Bona Fide Loyalty Benefit to the Consumer If:
- a Consumer exercises their right to delete Personal Data making it impossible for the Controller to provide Loyalty Program benefits.
- a Consumer refuses to Consent to the Processing of Sensitive Data necessary for a personalized Loyalty Program benefit.
- Controllers must notify the Consumer if Consumer’s decision Impacts the Consumer’s membership in a Loyalty Program.
Unified Opt-Out Mechanisms
As required by the CPA unified opt-out mechanism (UOOM) requirements have been defined.
- UOOMs must have an easy path for consumers to exercise opt-out rights with all controllers rather than having to make requests with each.
- Controllers must offer consumers a way to provide an affirmative, freely given and unambiguous choice to opt out of personal data processing for targeted advertising, sales or both.
- Controllers must adhere to notice and choice, acceptable default settings, technical specifications for recognizing and honoring opt-out requests.
Controllers must create and enforce document retention schedules.
Sensitive data “inferences” is a new category of sensitive data created in the Draft Rules. Inferences include personal information collected from a consumer that a company uses to infer a sensitive data category. Sensitive data inferences:
- Require prior consent for processing. Under certain circumstances consumers over age 13 can be processed without consent.
- Must be deleted no later than 12 hours after collection if controllers do not have consent.
Data Protection Impact Assessments (DPIAs) are required for processing activities that present a “heightened risk of harm” to Colorado consumers. DIPA’s must:
- Be a “genuine, thoughtful analysis” of all aspects of a controller’s organization structure.
- Include the specific purpose of the processing, procedural safeguards, names and categories of third-party recipients of personal data and risks to consumers.
- Must be revisited and updated at least annually.
The right to opt of profiling is prominently contemplated in the Draft Rules and create three tiers of profiling:
- Solely automated processing,
- Human reviewed automated processing
- Human involved automated processing
Companies may deny requests to opt out of profiling if “human involved automated processing” was used and details must be provided to the consumer.
In addition to the profiling tiers companies must:
- Provide a means for consumers to opt out of profiling decisions that “produce legal or similarly significant effects”.
- Provide consumers with a notice that includes a plain-language explanation of the logic used in the profiling process and disclose whether the profiling system was evaluated for accuracy, fairness or bias.