The regulations are open for comment from October 10, 2022 to February 1, 2023 (the same day that the CO AG will hold a public hearing regarding the draft regulations). Moreover, the AG will host stakeholder meetings in November, and any comments that stakeholders want to submit for those meetings are due by November 7. The regulations, along with the CPA, will be enforceable as of July 1, 2023 (with the exception of the universal opt-out requirement, enforceable as of July 1, 2024). Below, we discuss some of the key provisions in the draft.
Description of Processing: While the draft regulations do not require privacy policies to have a Colorado-specific section, they must include all Colorado-specific disclosure requirements applicable to data controllers (entities that determine the means and purposes of processing). Notably, policies must specify each purpose of processing in enough detail to give consumers a “meaningful understanding” of how their personal data will be processed and why it is “reasonably necessary” for such purposes. For each processing purpose, the policy must list (1) the categories of personal data processed and (2) the categories of third parties to whom the controller sells or with whom it shares the data. These categories must provide consumers with enough information to meaningfully understand them (e.g., “real name” and “contact information” rather than “identifiers”; “analytics companies” and “payment processors” rather than “service providers”). Further, if a processing purpose includes the sale of data, targeted advertising, or profiling, such activity must be specifically listed.
Consumer Rights: Privacy policies must also clearly indicate which rights are available to Colorado residents. Many policies list potentially applicable rights and state that they may apply depending on the jurisdiction, but the draft regulations appear to require more specificity regarding the rights available to Colorado residents.
Data Portability: The CPA defines data portability as the right to obtain personal data in a portable and readily usable format that can be easily transmitted to another entity. The draft regulations expand on this by requiring controllers to transmit data in a form giving consumers “complete access to and full enjoyment of” the data, including the ability to save, edit, and transfer the data. This appears to be an attempt to provide stronger data portability rights than exist under current law, under which providers often rely on “technical infeasibility” exceptions to avoid providing data in a truly portable form.
Beginning on July 1, 2024, controllers must also allow consumers to exercise the right to opt out through a Universal Opt-Out Mechanism (“UOOM”) that clearly communicates a consumer’s “affirmative, freely given, and unambiguous choice.” Among other things, a UOOM:
- May express an opt-out of sales, of targeted advertising, or of both;
- Cannot unfairly disadvantage certain controllers; and
- Cannot be a default setting of a pre-installed tool (e.g., a browser), but can be a default setting of a tool that is not pre-installed and markets itself as a privacy or opt-out tool.
The CO Department of Law will maintain a list of state-recognized UOOMs that meet the regulatory requirements, and will release the first draft of this list by April 1, 2024. Controllers must conspicuously indicate when they have honored a consumer’s opt-out made through a UOOM, for example by displaying the phrase “Opt-Out Signal Honored” when a consumer using a UOOM visits the controller’s website.
The draft regulations reiterate the CPA requirement to obtain consent to process sensitive data, defined as (1) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status; and (2) genetic or biometric data that can be processed to identify someone. The draft regulations add a new concept of Sensitive Data Inferences (“SDIs”), meaning inferences made by a controller based on personal data, alone or combined with other data, that indicate sensitive data about a consumer (e.g., inferring that a consumer has a specific health condition based on other data collected). Controllers must have consent to process SDIs unless a strict set of criteria is met to qualify for a consent exception (including the requirement to delete SDIs processed without consent within 12 hours). This change is important for companies that do not directly collect sensitive data elements from consumers, but that use other information to infer sensitive characteristics. Companies should review advertising segments and consumer profiles to determine whether they process SDIs and, if so, how to address these new rules.
The draft regulations contain numerous other requirements, including prescriptive disclosures about bona fide loyalty programs, prohibitions on “dark patterns,” strict data minimization requirements, required assessments for secondary uses of data, and a general duty of care. Notably:
- DPIAs: The draft regulations list eighteen topics that DPIAs must address and enumerate the activities that would trigger a DPIA (e.g., “material” changes in processing activities). At a high level, DPIAs must document the risks of processing, the measures to mitigate the risks, the benefits of processing, and an analysis showing that the benefits outweigh the risks.
- Consent: Similar to the GDPR, consent must be “freely given, specific, informed, and unambiguous” and indicated by a “clear, affirmative act.” Moreover, consent cannot be “bundled,” meaning that consent must be given for a specific processing purpose, not for several purposes at the same time. Consent must be as easy to revoke as to give. While the consent standard is high, consent is only required for processing sensitive data or children’s data, for secondary uses of personal data, and when a previously opted-out consumer opts in to their personal data being sold, or used for targeted advertising or profiling.
The draft regulations may undergo revisions prior to being finalized, so we will closely watch the regulatory process and provide updates on significant developments.