Colorado Attorney General Releases Colorado Privacy Act Draft Regulations

Firm Publication

The Colorado Attorney General’s Office issued its proposed Colorado Privacy Act (CPA) Rules (Draft Rules) on Friday, September 30. The CPA Rules differ in many ways from those in the proposed California Privacy Rights Act (CPRA) from late May, so businesses must understand how these Draft Rules may uniquely impact their operations. While the deadline for compliance is July 1, 2023, those businesses that must comply with the Colorado privacy law, as well as either Virginia or California, may want to take these rules into account in rolling out new compliance measures before January 1.

The High-Level Summary

  • The Draft Rules touch on, among other things, consumer disclosures, personal data rights, a universal opt-out mechanism (UOOM), consent, data protection assessments (DPAs), sensitive data, and profiling (defined below).
  • Under the Draft Rules, businesses subject to the law would need to provide a separate Colorado-specific privacy notice or section within its privacy notice. Essentially, it must be clear that Colorado consumers are entitled to exercise specific data rights.
  • A new class of sensitive data is introduced in these rules: “Sensitive Data Inferences,” which are inferences based on particular types of sensitive data (listed below). This specific data has a much shorter retention timeline.
  • In addition to sensitive data, the Draft Rules also provide new time limits for deletion and a requirement for periodic review of how long personal data is retained. This means that businesses that have not already done so will need to implement a framework for keeping track of data retention and deletion.
  • “Profiling” means “any form of automated processing of personal data to evaluate, analyze, or predict personal aspects concerning an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.” Businesses must now provide consumers with a right to opt out when profiling results in the furtherance of decisions that produce legal or similarly legal effects concerning a consumer (pursuant to CRS § 6-1-1306(1)(a)(I)). There are very specific requirements in the Draft Rules regarding the content of privacy notices, consent, and DPAs regarding profiling.
  • As for privacy notices, UOOMs, sensitive data inferences, and DPAs, see below for more key highlights.

New Privacy Notice Requirements Tied to Processing Purposes

  • In contrast to California’s rules under the CPRA, new privacy notice requirements under the Draft Rules are tied to processing purposes rather than categories of personal data. Consumers must be able to gain a meaningful understanding of how their personal data is being used and why the use of their data is necessary for whatever processing purpose is specified.
  • The Draft Rules provide for very specific privacy notice requirements, particularly regarding methods of notice, location of opt-out methods, ease and simplicity of exercising data rights, authentication of consumers or authorized agents, and “dark patterns” (an interface designed to manipulate, subvert, or impair consumer decision-making or choice).
  • Consumers must be able to request full access to, correction of, and deletion of their personal data. Businesses must cease processing a consumer’s personal data for targeted advertising, the sale of personal data, or profiling within 15 days of receipt of the opt-out request. Note that third parties (like processors and affiliates) must cease processing data for these purposes after a consumer opt-out request, which means that primary data controllers are required to provide notice to those third parties and ensure that they are complying with their obligations. Note also that businesses have a separate obligation regarding the processing of sensitive data, described below.

UOOMs: Opt Outs Based on Browser and Device Settings and a Publicly Accessible “Do Not Sell” List

  • Consumers may use a UOOM to opt out of the processing of personal data for purposes of targeted advertising or the sale of personal data, and they must be allowed to opt out for either or both of these purposes. Further, consumers must be allowed to automatically communicate their opt-out choice to multiple controllers using their personal data.
  • Developers of UOOMs will have certain requirements as well. For example, for the UOOM to be valid, consumers must be given a clear choice as to whether to opt out. Consequently, a UOOM that lives in the default settings in a browser does not provide consumers with sufficient choice, while a tool marketed as one that assists with exercising opt-out rights that is not pre-installed on a device is sufficient (because a consumer has to install it themselves).
  • There are other precise standards with which UOOMs must comply. The Colorado Department of Law will maintain a public list of UOOMs recognized to meet these standards (in other words, a list of approved mechanisms).
  • The Draft Rules also mention that a UOOM may take the form of a “do not sell” list that businesses can reference, which can be equated to similar to “do not call” lists operated at the state and national level to protect telephone consumers. Businesses will be required to regularly check their consumer lists against the approved “do not sell” lists before selling personal data or using it for targeted marketing.

Sensitive Data Inferences

  • “Sensitive Data Inferences” is a new concept that includes inferences made based on an individual’s race, ethnicity, religion, sex life or sexual orientation, citizenship, or mental or physical health. The Draft Rules impose strict restrictions on these inferences, which includes obtaining explicit consent. However, businesses may process sensitive data inferences without consent if:
  • The processing purpose would be apparent to a reasonable consumer.
  • The underlying personal and sensitive data are deleted within 12 hours of the first of either the completion of the processing activity or the collection of the data.
  • The data and inferences are not transferred, sold, or shared.
  • The data and inferences are not processed for any purposes other than those disclosed to consumers.
  • Note, however, that consent for the processing of sensitive data cannot be obtained using “dark patterns” (utilizing the user interface to manipulate or subvert the consumer’s ability to make an autonomous decision regarding consent) or through a pop-up window or banner that obstructs the consumer’s experience. Consent for this category of data also must be “refreshed at regular intervals.”

New Rules Surrounding DPAs

  • The Draft Rules indicate that a business’ DPAs must comply with specific requirements both in content and execution. If a particular processing activity presents a heightened risk of harm to the consumer (defined in CRS § 6-1-1309(2)), a DPA should be conducted before the processing activity begins.
  • A DPA conducted in compliance with another state’s regulation may satisfy the Colorado requirement if it’s reasonably similar in scope and effect.
  • A business may be able to address a comparable set of processing operations in a single DPA if the processing operations use similar methods to collect the same categories of data for the same purposes.

Important Dates and Time Periods

  • July 1, 2023: Date for compliance with the new legislation overall (including execution of DPAs for activities conducted after this date).
  • July 1, 2024: Date for compliance with obligations for UOOMs.
  • At least two years: How long businesses must maintain records of consumer data rights requests.
  • At least three years: How long businesses must store DPAs after the conclusion of the processing activity and record of analysis of compliance with rules regarding data minimization, secondary use, and consent for children (Rules 6.07, 6.08, and 7.06).
  • At least annually: How often DPAs should be reviewed and updated if processing is for profiling and consent for processing of sensitive data refreshed.
  • 45 Days: Response period for a data rights request.
  • 15 Days: How quickly a business must stop processing a consumer’s personal data after receiving an opt-out request.

Until at least February 2023—when a public hearing is scheduled—uncertainty will remain surrounding the final contents of these Draft Rules. As such, our team will continue to monitor the CPA as it progresses.

If you have questions about the CPA Draft Rules and how they could affect your business, please contact the author.

Related Professionals
Related Services
Firm Publication

The Colorado Attorney General’s Office issued its proposed Colorado Privacy Act (CPA) Rules (Draft Rules) on Friday, September 30. The CPA Rules differ in many ways from those in the proposed California Privacy Rights Act (CPRA) from late May, so businesses must understand how these Draft Rules may uniquely impact their operations. While the deadline for compliance is July 1, 2023, those businesses that must comply with the Colorado privacy law, as well as either Virginia or California, may want to take these rules into account in rolling out new compliance measures before January 1.

The High-Level Summary

  • The Draft Rules touch on, among other things, consumer disclosures, personal data rights, a universal opt-out mechanism (UOOM), consent, data protection assessments (DPAs), sensitive data, and profiling (defined below).
  • Under the Draft Rules, businesses subject to the law would need to provide a separate Colorado-specific privacy notice or section within its privacy notice. Essentially, it must be clear that Colorado consumers are entitled to exercise specific data rights.
  • A new class of sensitive data is introduced in these rules: “Sensitive Data Inferences,” which are inferences based on particular types of sensitive data (listed below). This specific data has a much shorter retention timeline.
  • In addition to sensitive data, the Draft Rules also provide new time limits for deletion and a requirement for periodic review of how long personal data is retained. This means that businesses that have not already done so will need to implement a framework for keeping track of data retention and deletion.
  • “Profiling” means “any form of automated processing of personal data to evaluate, analyze, or predict personal aspects concerning an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.” Businesses must now provide consumers with a right to opt out when profiling results in the furtherance of decisions that produce legal or similarly legal effects concerning a consumer (pursuant to CRS § 6-1-1306(1)(a)(I)). There are very specific requirements in the Draft Rules regarding the content of privacy notices, consent, and DPAs regarding profiling.
  • As for privacy notices, UOOMs, sensitive data inferences, and DPAs, see below for more key highlights.

New Privacy Notice Requirements Tied to Processing Purposes

  • In contrast to California’s rules under the CPRA, new privacy notice requirements under the Draft Rules are tied to processing purposes rather than categories of personal data. Consumers must be able to gain a meaningful understanding of how their personal data is being used and why the use of their data is necessary for whatever processing purpose is specified.
  • The Draft Rules provide for very specific privacy notice requirements, particularly regarding methods of notice, location of opt-out methods, ease and simplicity of exercising data rights, authentication of consumers or authorized agents, and “dark patterns” (an interface designed to manipulate, subvert, or impair consumer decision-making or choice).
  • Consumers must be able to request full access to, correction of, and deletion of their personal data. Businesses must cease processing a consumer’s personal data for targeted advertising, the sale of personal data, or profiling within 15 days of receipt of the opt-out request. Note that third parties (like processors and affiliates) must cease processing data for these purposes after a consumer opt-out request, which means that primary data controllers are required to provide notice to those third parties and ensure that they are complying with their obligations. Note also that businesses have a separate obligation regarding the processing of sensitive data, described below.

UOOMs: Opt Outs Based on Browser and Device Settings and a Publicly Accessible “Do Not Sell” List

  • Consumers may use a UOOM to opt out of the processing of personal data for purposes of targeted advertising or the sale of personal data, and they must be allowed to opt out for either or both of these purposes. Further, consumers must be allowed to automatically communicate their opt-out choice to multiple controllers using their personal data.
  • Developers of UOOMs will have certain requirements as well. For example, for the UOOM to be valid, consumers must be given a clear choice as to whether to opt out. Consequently, a UOOM that lives in the default settings in a browser does not provide consumers with sufficient choice, while a tool marketed as one that assists with exercising opt-out rights that is not pre-installed on a device is sufficient (because a consumer has to install it themselves).
  • There are other precise standards with which UOOMs must comply. The Colorado Department of Law will maintain a public list of UOOMs recognized to meet these standards (in other words, a list of approved mechanisms).
  • The Draft Rules also mention that a UOOM may take the form of a “do not sell” list that businesses can reference, which can be equated to similar to “do not call” lists operated at the state and national level to protect telephone consumers. Businesses will be required to regularly check their consumer lists against the approved “do not sell” lists before selling personal data or using it for targeted marketing.

Sensitive Data Inferences

  • “Sensitive Data Inferences” is a new concept that includes inferences made based on an individual’s race, ethnicity, religion, sex life or sexual orientation, citizenship, or mental or physical health. The Draft Rules impose strict restrictions on these inferences, which includes obtaining explicit consent. However, businesses may process sensitive data inferences without consent if:
  • The processing purpose would be apparent to a reasonable consumer.
  • The underlying personal and sensitive data are deleted within 12 hours of the first of either the completion of the processing activity or the collection of the data.
  • The data and inferences are not transferred, sold, or shared.
  • The data and inferences are not processed for any purposes other than those disclosed to consumers.
  • Note, however, that consent for the processing of sensitive data cannot be obtained using “dark patterns” (utilizing the user interface to manipulate or subvert the consumer’s ability to make an autonomous decision regarding consent) or through a pop-up window or banner that obstructs the consumer’s experience. Consent for this category of data also must be “refreshed at regular intervals.”

New Rules Surrounding DPAs

  • The Draft Rules indicate that a business’ DPAs must comply with specific requirements both in content and execution. If a particular processing activity presents a heightened risk of harm to the consumer (defined in CRS § 6-1-1309(2)), a DPA should be conducted before the processing activity begins.
  • A DPA conducted in compliance with another state’s regulation may satisfy the Colorado requirement if it’s reasonably similar in scope and effect.
  • A business may be able to address a comparable set of processing operations in a single DPA if the processing operations use similar methods to collect the same categories of data for the same purposes.

Important Dates and Time Periods

  • July 1, 2023: Date for compliance with the new legislation overall (including execution of DPAs for activities conducted after this date).
  • July 1, 2024: Date for compliance with obligations for UOOMs.
  • At least two years: How long businesses must maintain records of consumer data rights requests.
  • At least three years: How long businesses must store DPAs after the conclusion of the processing activity and record of analysis of compliance with rules regarding data minimization, secondary use, and consent for children (Rules 6.07, 6.08, and 7.06).
  • At least annually: How often DPAs should be reviewed and updated if processing is for profiling and consent for processing of sensitive data refreshed.
  • 45 Days: Response period for a data rights request.
  • 15 Days: How quickly a business must stop processing a consumer’s personal data after receiving an opt-out request.

Until at least February 2023—when a public hearing is scheduled—uncertainty will remain surrounding the final contents of these Draft Rules. As such, our team will continue to monitor the CPA as it progresses.

If you have questions about the CPA Draft Rules and how they could affect your business, please contact the author.

In Case You Missed It:

  • Kentucky Gallops into the Privacy Race: Kentucky’s New Consumer Data Privacy Law
    April 15, 2024 | Firm Publication
  • CISA Publishes Proposed Rule for Cyber Reporting
    April 10, 2024 | Firm Publication
  • David Wilson Examines the Applicability of Law to Artificial Intelligence and Nonhumans
    April 4, 2024 | Virginia Journal of Law & Technology