On Friday, September 30, the Colorado Attorney General (“CO AG”) published draft regulations pursuant to the Colorado Privacy Act (“CPA”). Though only 38 pages long, the draft includes detailed, sometimes prescriptive requirements on topics such as privacy policy disclosures, consumer rights, sensitive data, data protection impact assessments (“DPIAs”), “dark patterns,” and “profiling.”
The regulations are open for comment from October 10, 2022 to February 1, 2023 (the same day that the CO AG will hold a public hearing regarding the draft regulations). Moreover, the AG will host stakeholder meetings in November, and any comments that stakeholders want to submit for those meetings are due by November 7. The regulations, along with the CPA, will be enforceable as of July 1, 2023 (with the exception of the universal opt-out requirement, enforceable as of July 1, 2024). Below, we discuss some of the key provisions in the draft.
Privacy Policies
Description of Processing: While the draft regulations do not require privacy policies to have a Colorado-specific section, they must include all Colorado-specific disclosure requirements applicable to data controllers (entities that determine the means and purposes of processing). Notably, policies must specify each purpose of processing in enough detail to give consumers a “meaningful understanding” of how their personal data will be processed and why it is “reasonably necessary” for such purposes. For each processing purpose, the policy must list (1) the categories of personal data processed and (2) the categories of third parties to whom the controller sells or with whom it shares the data. These categories must provide consumers with enough information to meaningfully understand them (e.g., “real name” and “contact information” rather than “identifiers”; “analytics companies” and “payment processors” rather than “service providers”). Further, if a processing purpose includes the sale of data, targeted advertising, or profiling, such activity must be specifically listed.
Consumer Rights: Privacy policies must also clearly indicate which rights are available to Colorado residents. Many policies list potentially applicable rights and state that they may apply depending on the jurisdiction, but the draft regulations appear to require more specificity regarding the rights available to Colorado residents.
Notice of Changes: The draft regulations also require controllers to notify consumers of “substantive or material changes” to privacy policies at least 15 days before the changes are effective. “Substantive” changes include changes to the categories of personal data processed, processing purposes, the controller’s identity, and methods for exercising consumer rights. If included in the final rules, this notice requirement will go beyond existing FTC and California rules regarding notice in the event of “material changes,” and will likely result in a significant uptick in the number of privacy notice update emails consumers receive. Finally, controllers must also obtain consumer consent before using their data for secondary uses, even if the secondary use is disclosed in the privacy policy update.
Consumer Rights
Data Portability: The CPA defines data portability as the right to obtain personal data in a portable and readily usable format that can be easily transmitted to another entity. The draft regulations expand on this by requiring controllers to transmit data in a form giving consumers “complete access to and full enjoyment of” the data, including the to ability save, edit, and transfer the data. This appears to be an attempt to provide stronger data portability rights than exist under current law, whereby providers often rely on “technical infeasibility” exceptions to providing data in a truly portable form.
Opt Out Rights and Universal Mechanisms: A data controller must provide a clear, conspicuous, and readily available link to an opt-out method in its privacy policy and in an “obvious” location on the controller’s website or app (e.g., header or footer) that is available at or before the point that personal data is sold or used for targeted advertising or profiling. In contrast to the California regulations, which require the opt out mechanism link to be titled “Your Privacy Choices” or “Do Not Sell or Share My Personal Information,” the Colorado regulations recommend that the link be titled “Colorado Opt-Out Rights,” “Personal Data Use Opt-Out,” or “Your Opt-Out Rights.” It appears that these recommended link names are just examples, but hopefully, the final regulations under both laws will allow companies to use the same link name.
Beginning on July 1, 2024, controllers must also allow consumers to exercise the right to opt out through a Universal Opt-Out Mechanism (“UOOM”) that clearly communicates a consumer’s “affirmative, freely given, and unambiguous choice.” Among other things, a UOOM:
- May express an opt-out of either sales, or targeted advertising, or both;
- Cannot unfairly disadvantage certain controllers; and
- Cannot be a default setting of a pre-installed tool (e.g., a browser), but can be a default setting of a tool that is not pre-installed and markets itself as a privacy or opt-out tool.
The CO Department of Law will maintain a list of state-recognized UOOMs that meet the regulatory requirements, and will release the first draft of this list by April 1, 2024. Controllers must conspicuously display if they have opted out a consumer using a UOOM by, for example, displaying the phrase “Opt-Out Signal Honored” when a consumer using a UOOM visits the controller’s website.
Sensitive Data
The draft regulations reiterate the CPA requirement to obtain consent to process sensitive data, defined as (1) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status; and (2) genetic or biometric data that can be processed to identify someone. The draft regulations add a new concept of Sensitive Data Inferences (“SDIs”), meaning inferences made by a controller based on personal data, alone or combined with other data, that indicate sensitive data about a consumer (e.g., inferring that a consumer has a specific health condition based on other data collected). Controllers must have consent to process SDIs unless a strict set of criteria are followed to meet a consent exception (including the requirement to delete SDIs without consent within 12 hours). This change is important for companies that do not directly collect sensitive data elements from consumers, but that use other information to infer sensitive characteristics. It will be important that companies review advertising segments and consumer profiles to determine whether they process SDIs, and if so, how to address these new rules.
Other Topics
The draft regulations contain numerous other requirements, including prescriptive disclosures about bona fide loyalty programs, prohibitions on “dark patterns,” strict data minimization requirements, required assessments for secondary uses of data, and a general duty of care. Notably:
- DPIAs: The draft regulations list eighteen topics that DPIAs must address and enumerate the activities that would trigger a DPIA (e.g., “material” changes in processing activities). At a high level, DPIAs must document the risks of processing, the measures to mitigate the risks, the benefits of processing, and an analysis showing that the benefits outweigh the risks.
- Consent: Similar to the GDPR, consent must be “freely given, specific, informed, and unambiguous” and indicated by a “clear, affirmative act.” Moreover, consent cannot be “bundled,” meaning that consent must be given for a specific processing purpose, not for several purposes at the same time. Consent must be as easy to revoke as to give. While the consent standard is high, consent is only required for processing sensitive data or children’s data, for secondary uses of personal data, and when a previously opted-out consumer opts in to their personal data being sold, or used for targeted advertising or profiling.
- Profiling: The CPA defines “profiling” as automated processing of data to evaluate, analyze, or predict personal aspects of an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements. The draft regulations require controllers to make very specific disclosures in their privacy policy about their profiling activities and distinguish between disclosures for solely automated processing for profiling and disclosures for profiling that results, at least in part, based on human involvement.
The draft regulations may undergo revisions prior to being finalized, so we will closely watch the regulatory process and provide updates on significant developments.
