This holiday season and the new year brought us a revised draft of the Colorado Privacy Act (CPA) rules, gifted by the Colorado Attorney General’s (AG) Office on December 21, 2022, along with a second round of revisions published on January 27, 2023 (collectively, the Revised Draft Rules). The Revised Draft Rules modify the originally published draft rules in several major areas while retaining many of the hallmark provisions that make the CPA rules a significant and important addition to the U.S. privacy law landscape.
The changes are largely controller-friendly: they remove the purpose-based privacy notice requirement, alter the requirements surrounding data protection assessments, and relax the conditions under which businesses must seek refreshed consumer consent. The Colorado AG’s Office will hold a public rulemaking hearing on February 1, 2023. Interested parties can submit written comments until February 3, 2023. From there, we anticipate the Colorado AG will make final changes to the regulations before ultimately publishing them in advance of the July 1, 2023, effective date of the CPA.
Below, we summarize some of the more notable changes to the Revised Draft Rules.
Purpose-Based No More
In a significant change that will benefit controllers, the Revised Draft Rules no longer require that privacy notices be drafted around processing purposes. The initial Draft Rules required controllers to describe each processing purpose and provide specific disclosures around that purpose, such as the following:
- The categories of personal data processed.
- The categories of personal data the controllers sell to or share with third parties, if any.
- The categories of third parties to whom the controllers sell or with whom the controllers share personal data, if any.
The Colorado AG’s Office explained that it removed this requirement “[i]n consideration of comments arguing that purpose-based privacy notices would be burdensome and would not be interoperable with California’s Privacy Notice Requirements.” In its place, controllers now must link the processing purpose and type of personal data processed in a way that gives consumers a meaningful understanding of how their personal data will be used.
Note also that although the Revised Draft Rules still require notification of material changes to a privacy notice, there is no longer a requirement to do so 15 calendar days before the change goes into effect. Material changes may include, but are not limited to, the following:
- Categories of personal data processed.
- Processing purposes.
- A controller’s identity.
- The act of sharing personal data with third parties.
- Categories of affiliates, processors, or third parties with whom personal data is shared.
- Methods by which consumers can submit data rights requests.
Narrowing Data Protection Assessment Requirements
The Revised Draft Rules have considerably reworked the specific requirements surrounding what controllers must consider when preparing data protection assessments. The initial Draft Rules identified 18 topics for consideration, whereas the Revised Draft Rules now list 13 topics. Data protection assessments must consider: the processing activity; the categories of personal data to be processed and whether sensitive data or personal data from a known child will be processed; the context of the processing activity; the nature and operational elements of the processing activity; the core purposes of the processing activity; the sources and nature of the risks to consumers; and the measures and safeguards the controller will employ to mitigate the potential risks.
Consent: Refresh Less Often, Requirements for Children and More Time to Obtain Consent and Delete Inferences
The initial Draft Rules required controllers to obtain refreshed consent for processing sensitive data annually. The Revised Draft Rules now only require controllers to refresh consent for such processing when a consumer has not interacted with the controller in the prior 12 months. Controllers also are not required to refresh consent where a consumer has access to, and the ability to update, their opt-out preferences at any time through a user-controlled interface.
The Revised Draft Rules also removed the provision requiring controllers to obtain consent to process biometric identifiers derived from digital or physical photographs or recordings each year after the first year such identifiers are stored. Controllers must still review such information at least annually to determine whether its continued storage is necessary, adequate, or relevant to the purpose of its collection.
In the initial Draft Rules, controllers operating a website or business directed at children or controllers with actual knowledge of collecting personal data from children were required to take commercially reasonable steps to verify a consumer’s age before processing that consumer’s personal data. The Revised Draft Rules removed this requirement and, instead, require that controllers obtain parental consent before collecting or processing a child’s personal data.
The initial Draft Rules stated that controllers would need to obtain consent prior to January 1, 2023, to continue processing sensitive data. This was presumably a typo, given that consent would need to be obtained six months prior to the CPA’s effective date. The Revised Draft Rules change the date to January 1, 2024.
Lastly, controllers are not required to obtain consent to collect sensitive data inferences if those inferences are permanently deleted within 24 hours of collection (rather than 12 hours, which was the requirement in the initial Draft Rules).
Jurisdiction Interoperability
The Revised Draft Rules made several changes in an attempt to make the Revised Draft Rules more interoperable with the privacy laws in other jurisdictions (for example, the California Consumer Privacy Act), including the revisions to the privacy notice requirements as stated above as well as the following:
- A controller may collect additional personal data beyond that which is necessary to authenticate a consumer as a resident of Colorado or determine whether the Universal Opt-Out Mechanism (UOOM) is a legitimate request to opt out if that collection is required by another jurisdiction’s law.
- The UOOM notice requirement does not need to refer to “any other specific provisions of these rules or the CPA.” The Revised Draft Rules also state that it is sufficient for the notice to state that the UOOM allows consumers to exercise “any and all opt-out rights available to you under state laws” or “the right to opt out of the sharing of personal data.”
- If a controller has conducted a data protection assessment in compliance with another jurisdiction’s law and that data protection assessment does not satisfy the CPA’s requirements, a controller may submit the assessment it conducted in compliance with that other jurisdiction with a supplement containing any additional information required under the CPA.
In addition to the above changes, updates were also made to various other sections of the initial Draft Rules, including new and revised definitions, clarification of certain requirements with respect to personal data rights (the rights to opt out, access, correction, deletion, and data portability), and narrowing of the prohibition on dark patterns. Further, the deadline for UOOM public list recognition was moved earlier, from April 1, 2024, to January 1, 2024 (i.e., six months before the July 1, 2024, deadline for controllers to recognize UOOMs), and the Revised Draft Rules remove the provision stating that UOOMs can operate through a means other than sending an opt-out signal (e.g., by maintaining a “do not sell” list).
Our team will continue to monitor the CPA rules as they progress through this comment period and the public hearing scheduled for Wednesday, February 1. If you have any questions about the Revised Draft Rules and how they could affect your business, please contact the authors.