Colorado, the third U.S. state to adopt a comprehensive privacy law, is making significant strides in its rulemaking activities. On April 12, 2022, the Colorado Attorney General’s Office issued prepared remarks from Colorado Attorney General (AG) Phil Weiser and published its pre-rulemaking considerations, inviting comments on eight important pre-rulemaking topics. In his remarks, AG Weiser highlighted the guiding principles of the Colorado Privacy Act (CPA), as well as the key topics on which feedback is sought. Below are selected takeaways that businesses subject to the CPA should consider and prepare for. The CPA takes effect July 1, 2023.
The Guiding Principles of the CPA.
The CPA and its rulemaking activities (the “Rules”) are guided by five main principles:
- Promotion of consumer rights. The Rules must protect consumer rights;
- Clarification of ambiguities. The Rules should promote compliance and minimize disputes, as far as possible;
- Efficiency. The Rules should help controllers and processors effectively comply with the law;
- Harmony. The Rules should facilitate interoperability with competing protection laws created by other national and international frameworks; and
- Innovation. The Rules should not place an undue burden on creativity and innovation.
CPA Is Open for Public Comment.
Against the backdrop of these guiding principles, the Colorado Department of Law (the “Department”) released its pre-rulemaking considerations, inviting comments on the following eight notable topics.
- Universal Opt-Out. Universal opt-out mechanisms (UOOMs) are technical measures that consumers may use to opt out of the processing of their personal data. During this pre-rulemaking process, the Department is soliciting feedback on strategies for developing protocols and/or tools that can support UOOMs. Requested feedback includes whether the tools should be tailored to different categories, such as browsers or operating systems, and how a UOOM tool will handle consumer authentication.
- Consent. Under the CPA, ‘consent’ means “a clear, affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement, such as by a written statement, including by electronic means, or other clear, affirmative action” (emphasis added). The Department is seeking input on the textual definition of “clear affirmative act”, “freely given” and “specific”. Further, the Department would like to know whether existing mechanisms for establishing consent would appropriately serve consumer consent.
- Dark Patterns. The CPA defines a dark pattern as “a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice.” An example of a dark pattern is an inconspicuous “unsubscribe” link on a business’s home page. The Department is seeking guidance on principles, frameworks and tools available to mitigate dark patterns. It is also seeking information and research demonstrating the impact of dark patterns.
- Data Protection Assessments (DPAs). A DPA is a process that helps companies identify the data protection risks of a project and mitigate the risks identified. As under the GDPR, activities that are likely to result in high risk require companies to perform DPAs under the CPA. The CPA counts targeted advertising, selling personal data, processing sensitive data, and processing for the purpose of profiling among such high-risk activities. The Department is now seeking guidance on additional circumstances under which a DPA would be required, and on whether DPAs should follow an existing model such as the EU (GDPR) model, enterprise risk management approaches, or environmental impact statement models. The Department is also considering interoperability between DPAs and whether it should accept DPAs conducted in other jurisdictions, such as the EU, as appropriate.
- Profiling. Under the CPA, profiling consists of “any form of automated processing of personal data to evaluate, analyze, or predict personal aspects concerning an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, locations, or movements.” The Department is considering what mechanisms would meaningfully allow consumers to understand the automated processing of their personal data so that they can make informed ‘opt out’ decisions, and whether such mechanisms should vary according to the type of automated decision-making. Further, the Department is seeking information from other jurisdictions on effective mitigation of profiling and automated decision-making.
- Opinion Letters and Interpretive Guidance. The CPA authorizes the AG to adopt rules governing a process for issuing opinion letters and interpretive guidance beginning on January 1, 2025. The Department is seeking comments on the type of interpretive guidance the Rules should provide and on what the process for obtaining interpretive guidance should look like.
- Offline Collection of Data. Some businesses collect data through non-electronic means, such as signing a petition on a sidewalk. The Department is considering whether offline collection of data is also subject to the Rules and would therefore require obtaining consent and honoring UOOMs.
- Protecting Coloradans in a National and Global Economy. The CPA and the Rules seek to protect Coloradans participating in national and global markets and networks. The Department is seeking feedback on the differences, overlap and interoperability between the CPA and the laws of other jurisdictions.
From this list of topics, AG Weiser highlighted three in his remarks: UOOMs, dark patterns and DPAs, further underscoring their importance for businesses in Colorado. This fall, the Department will begin the formal notice-and-comment rulemaking phase by issuing a notice of rulemaking with accompanying draft regulations. The notice-and-comment phase will include at least one formal hearing as well as continued opportunities to submit comments.