The rulemaking process in the Colorado Privacy Act (CPA) has been underway since the Colorado AG published prepared remarks in January 2022. These remarks commented on the way forward for privacy and security in Colorado and were used as the basis for the initial rulemaking process under the CPA.
On October 10, 2022, the Colorado Attorney General (AG) Phil Weiser released the first version of draft regulations under the CPA for public consultation. The consultation period – which took place between October 2022 and January 2023 – welcomed feedback on a range of topics that were addressed in the AG’s second version of the draft rules (released December 2022) and the third version of the proposed draft rules, released on January 27, 2023.
Further public comment can still be made at the formal CPA rulemaking hearing on February 1, 2023.
Rulemaking under the CPA
In January 2022, the Colorado AG published remarks that focused on what could be expected from the proposed rulemaking process and that drew attention to several key areas the rulemaking would approach. These included:
- Developing fair mechanisms for consumers to exercise their rights
- Combatting the use of dark patterns
- Transparency
- Empowering individuals with the ability to understand their data profiles
- Developing methods of correcting inaccurate data
- Auditing and risk assessment requirements
“When I reflected on the state of federal inaction on data privacy and security three years ago, I called the state of play a ‘second best solution.’ The first best solution, I explained, would be national leadership by Congress that empowers states to act withing [sic] a framework of cooperative federalism. We are not in that world, however, and we must move to adopt second best solutions, meaning that the responsible step to take is to support state leadership to protect consumers. The alternative, unfortunately, is no protection at all.” – Phil Weiser, Colorado Attorney General
Since the remarks published in January, the AG’s office has posted a series of topics seeking written comments from consumers, businesses, and other stakeholders. The results of the call for comments culminated in the notice of proposed draft rules published in October 2022 and subsequent draft versions of the CPA regulations.
What do the draft CPA regulations contain?
The first version of draft regulations, issued in October, focused on some of the main themes included in the AG’s remarks made in January 2022. The first version of the draft regulations added to, and clarified, several key definitions including sensitive data, biometric data, and universal opt-out mechanisms. They also include further information on areas such as consumer rights and how to respond to them, conditions for valid consent, and dark patterns.
The second version of the draft regulations – issued in December 2022 – addresses specific questions raised in the public consultation process. And further clarity has been included in third draft. The current version of the draft regulations includes a range of new definitions including employment records, commercial activity, and loyalty programs as well as revisions made to opt-out requirements (including universal opt-out mechanisms), consumer rights, and privacy notices.
Updates to definitions
Biometric data and biometric identifiers
Biometric data and biometric identifiers were both new definitions found under the first version of the proposed regulations.
The definition of biometric data refers to biometric identifiers as information that is used alone or in combination with other personal data for identification purposes. As a result, the draft regulations further define biometric identifiers as “data generated by the technological processing, measurement, or analysis of an individual’s biological, physical, or behavioral characteristics, including but not limited to a fingerprint, a voiceprint, eye retinas, irises, facial mapping, facial geometry, facial templates, or other unique biological, physical, or behavioral patterns or characteristics.”
There are some exceptions to the definition of biometric data, which do not include:
- Digital or physical photographs
- Audio or voice recording
- Any data generated from a digital or physical photograph or an audio or video recording
Employment records
The second version of the draft regulations clarifies the definition of employment records. The Colorado AG states that the draft rules rely upon the definition of Employee and Employer found under the Colorado Wage Act and use this as a basis for the definition of employment records. This is defined as:
“The records of an Employee, in the manner maintained by the Employer in the context of the Employer-Employee relationship and using reasonable efforts by the Employer to collect, having to do with hiring, promotion, demotion, transfer, lay-off or termination, rates of pay or other terms of compensation, as well as other information maintained because of the Employer-Employee relationship.”
Bona fide loyalty programs
Within the second and third draft versions of the CPA regulations the definitions for both Bona Fide Loyalty Program and Bona Fide Loyalty Program Benefit have been updated to contain language that would refine the concept of a loyalty program under the CPA.
The third version of the proposed draft rules also includes a new definition for a Bona Fide Loyalty Program Partner, which is defined as “a third Party that provides Bona Fide Loyalty Program Benefits to Consumers through a Controller’s Bona Fide Loyalty Program, either alone or in partnership with the Controller.”
Commercial activity
In the second version of the draft rules, the Colorado AG has set out definitions of both Commercial Product or Service and Noncommercial Purpose in order to provide further clarity on the activities that fall under the scope of the CPA.
A Commercial Product or Service is defined as “a product or service bought, sold, leased, joined, provided, subscribed to, or delivered in exchange for monetary or other valuable consideration in the course of a Controller’s business, vocation, or occupation.”
The definition of a Noncommercial Purpose “includes, but is not limited to the following activities when conducted by a state institution of higher education, as defined in C.R.S. § 23-18- 102(10), the state, the judicial department of the state, or a county, city and county, or municipality:
- Processing activities related to the delivery of services and benefits;
- Research purposes;
- Budgeting;
- Improving operations or the delivery services or benefits;
- Auditing operations or service or benefit delivery;
- Sharing Personal Data between these categories of entities for any of these purposes; or
- Any other purpose related to speech that state or federal courts have recognized as noncommercial speech, including political speech and journalism.”
Sensitive data
Further clarifying what information can be classified as sensitive data, the first version of the draft regulations includes a new definition for Sensitive Data Inference(s).
This includes personal data that has been used by the data controller in combination with other data to make inferences that indicate information about an individual that would fall under the existing definition of sensitive data, e.g., racial or ethnic origin; religious beliefs; mental or physical health condition or diagnosis; sex life or sexual orientation; or citizenship or citizenship status.
Privacy notices
The first version of the draft CPA rules required Controllers to provide consumers with a privacy notice that was ’purpose-based’ in order to make the purpose specification and secondary use provisions of the CPA more meaningful.
Following the public consultation period, the Colorado AG has removed the requirement for purpose-based privacy notices and instead requires Controllers to provide “consumers a meaningful understanding of how their Personal Data will be used.” This revision was made in response to comments that stated purpose-based privacy notices would be potentially burdensome to Controllers.
Opt-out requirements and universal opt-out mechanisms
The latest version of the draft rules has been updated to revise the timeframe for responding to opt-out requests, amending the current 15-day response time. Controllers must now process requests “without undue delay”. Additionally, the CPA currently requires Controllers to offer a conspicuous method for opting out of targeted advertising and the sale of personal data. The second version of the draft regulations is updated to include conspicuous methods for opting out of profiling.
The first version of the draft regulations provided for the use of universal opt-out mechanisms (e.g. the Global Privacy Control) to allow consumers to send a single opt-out to multiple controllers to exercise their right to opt-out of sale. Under the initial draft regulations, a universal opt-out mechanism was defined as “mechanisms that clearly communicate a consumer’s affirmative, freely given, and unambiguous choice to opt out of the Processing of Personal Data for purposes of Targeted Advertising or the Sale of Personal Data OR which meets the technical specifications set forth pursuant to C.R.S. § 6-1-1313(2).” Data controllers are also required to maintain records of opt-outs and provide a conspicuous opt-out method that meets certain conditions specified by the draft regulations.
The latest version of the draft regulations has loosened requirements relating to the universal opt-out methods removing the requirement for Controllers to authenticate that the consumer is a resident of Colorado and by allowing consumers to exercise all of the opt-out rights afforded to them via a universal opt-out method.
An initial list of recognized universal opt-out mechanisms will be released no later than April 1, 2024, and will be updated periodically by the Colorado Department of Law.
Consent
To make clear the conditions for valid consent under the CPA, the draft regulations outline further detail on each of the conditions for valid consent.
Valid CPA consent must meet each of the following conditions:
- It must be obtained through the consumer’s clear, affirmative action
- It must be freely given by the consumer
- It must be specific
- It must be informed
- It must reflect the consumer’s unambiguous agreement
When asking for consent, the data controller must disclose the identity of the data controller, reasons for collecting consent, the processing that the consent is needed for, the categories of personal data involved, and a list of all parties who will have access to the personal data. Consumers must also be informed of their right to withdraw consent and details of how to withdraw consent.
The latest version of the draft rules removes language that requires Controllers to verify the age of the consumer in certain scenarios.
Data protection assessments
Data protection assessments under the draft regulations aim to bring clarity to the scope of the assessments, stakeholder involvement, the contents of an assessment, and timings.
The initial draft regulations stated that a “data protection assessment must be a genuine, thoughtful analysis that: 1) identifies and describes all risks posed by processing that presents a heightened risk of harm to a consumer 2) documents measures considered and taken to address and offset those risks 3) contemplates the benefits of the processing and 4) demonstrates that the benefits of the processing outweigh the risks offset by safeguards in place.”
Additionally, data controllers must consider the depth and scope of data protection assessments, and these should be proportionate to the size of the data controller. They should also be proportionate to the volume and sensitivity of personal data and processing activities.
The draft regulations contain a list of the elements that must be included in a data protection assessment, including but not limited to:
- The processing activity
- The specific purpose of the processing activity
- The specific types of personal data
- How the personal data is adequate, relevant, and limited to what is reasonably necessary
- Names and categories of personal data recipients, including third parties, affiliates, and processors
- The relationship between the data controller and the consumer
- The expectations of the consumer
- Procedural safeguards
- Measures and safeguards a data controller will put into place to mitigate risks
Data controllers will need to perform the data protection assessment before starting the processing activity concerned. The assessment is required to be updated periodically as well as when existing processing activities are modified in a way that materially changes the level of risk presented.
Data protection assessments must be made available to the AG within 30 days of request.
Consumer rights
The initial draft regulations had a focus on clarifying the scope of consumer rights and the processes for fulfilling those rights. The initial draft regulations required Controllers to specify which methods are available for consumers to submit rights requests in their privacy notices. These intake methods would also need to meet specific specifications as outlined by the draft regulations. Such specifications include considering how consumers would normally interact with the data controller, the reasonable security measures used, and identity authentication requirements.
The latest draft regulations include clarification over the application and scope of consumer rights.
Right of access
The initial draft regulations highlighted how data controllers must provide information to consumers. This includes using the language that the consumer interacts with the data controller, considering the target audience, and allowing consumers to make an informed decision regarding their other consumer rights. In the latest version, consumers are entitled to request specific pieces of information including final profiling decisions and marketing profiles.
Right to correction
The initial draft regulations included new requirements for Controllers to make sure corrections to personal information remain corrected and that requests are made accessible to the consumer through their account settings.
The latest version further amends the right to correction to exclude correcting personal data stored on backup and archive systems until those systems are restored or access for a new sale or disclosure of personal data.
Right to deletion
The initial draft regulations included language relating to data controllers permanently erasing personal data from existing systems, except archive or backup systems, or de-identifying personal data and inform data processors to delete the consumer’s personal data.
Right to data portability
The draft regulations state that requests should be fulfilled through “a secure method in a commonly used electronic format.” Data controllers would not be required to fulfill requests that would disclose trade secrets.
Data controllers will also have a clearer understanding of the scenarios in which they can refuse to fulfill a consumer rights request. Lawful reasons would include conflict with other laws, if fulfilling the request is impossible, or if there is a belief that a request is fraudulent or abusive, among other things.
Dark patterns
Regarding Dark Patterns, the draft regulations prohibit the use of these interfaces, as defined by the CPA, and deem any consent acquired through the use of Dark Patterns as invalid.
It should also be noted that the commonality of any interface is not enough for it to not be considered a Dark Pattern and data controllers can consider guidance from other jurisdictions relating to Dark Patterns when evaluating the appropriateness of their proposed choice architecture or system design.
What will this mean for organizations?
There will be another public hearing for the latest version of the proposed draft regulations on February 1, 2023, as a result, organizations covered by the CPA should prepare for further amendments to be made before the final regulations are made. A key aim of the rulemaking process is to bring greater interoperability with other US state privacy laws. Those organizations covered by other US state privacy laws should therefore find some relief in the ability to benchmark their program holistically against provisions across multiple laws.
Once final regulations are issued organizations may have significant changes that they will need to make to their privacy programs including the correct classification of personal data, ensuring consent is valid, not collected through the use of Dark Patterns, and documented accordingly, and data protection assessments have been completed.
Request a demo to see how the OneTrust Privacy & Data Governance Cloud can get you set up for compliance with the Colorado Privacy Act
