On February 1, the Colorado Attorney General’s (AG) Office and the Colorado Department of Law (the “Department”) held a rulemaking hearing on the Proposed Draft Rules for the Colorado Privacy Act (CPA), which goes into effect on July 1, 2023. The purpose of the rulemaking hearing was to invite comments from the public on the Proposed Draft Rules and its most recent revisions.

At the rulemaking hearing, the Department discussed several significant changes made to the Proposed Draft Rules in the most recent draft published on January 27, 2023. Officials stated that this version attempts to address all input and feedback received through public comments and stakeholder sessions through January 18, 2023. The Department also noted that the recent revisions further attempt to make the CPA more interoperable with the requirements of other jurisdictions and international privacy laws.

The major takeaway for businesses is that, in addition to all of the activity happening in California around the California Privacy Rights Act (CPRA), they must also pay attention to the privacy developments in Colorado. The CPA has many overlapping requirements with the CPRA, but it also has a number of different obligations (such as in relation to privacy notices) and has proposed rulemaking on topics not yet addressed in the CPRA regulations (such as data protection assessments). On this latter point, it is possible that the California Privacy Protection Agency will look at what has already been proposed under the CPA when formulating new rules for these future topics. In the meantime, businesses should be sure to ensure the CPA as part of their overarching privacy compliance programs or potentially risk being in violation of the law when it goes into effect on July 1.

We have provided our key takeaways on the revisions to the Proposed Draft Rules below. We are happy to answer any compliance questions you may have about the CPA.

Key Takeaways from Revisions to Proposed Draft Rules:

Here are some of the most important updates to the Proposed Draft Rules that businesses should be aware of:

1. Definitions (Part 2 of the Proposed Draft Rules). The revised rules attempt to clarify certain definitions, including “Automated Processing,” “Publicly Available Information,” “Sensitive Data,” and “Bona Fide Loyalty Programs,” as well as address competing stakeholder feedback regarding biometric data processed for the purpose of uniquely identifying individuals and the scope of automated processing.
2. Consumer Rights (Parts 3 and 4 of Proposed Draft Rules). The CPA grants several consumer rights in regard to their personal data, including the right to opt out of the sale of their personal data, the right to opt-out of processing of certain types of sensitive data, and the right to access the personal data that a controller maintains about them. However, while former iterations stated that consumers may exercise these rights via the methods specified by a controller in the controller’s privacy notice, recent revisions seek to provide further guidance on how consumers may operationalize those rights and the methods that controllers may provide to consumers in order to exercise these rights. Other updates also address the timeline for acting on a consumer’s request to opt out, the methods for opting out of profiling, and a controller’s obligation with respect to notifying Processors.
3. Universal Opt-Out Mechanism (Part 5 of Proposed Draft Rules). Rather than requiring consumers to opt-out of processing on a case-by-case basis, the CPA gives consumer the ability to use a universal opt-out mechanism to communicate their choice to opt-out of the sale of personal data or processing of personal data for targeted advertising to multiple controllers using a single mechanism. While controllers may choose to accept the use of the Universal Opt-Out Mechanism beginning on July 1, 2023 (or before), controllers are required to accept consumers’ opt out requests communicated through a universal Opt-Out Mechanism beginning on July 1, 2024. The Department also stated that the Proposed Draft Rules have been updated to include technical specifications for Universal Opt-Out Mechanisms, but still aim to allow for as much flexibility as possible, as this new technology evolves. Lastly, while the rules still allow controllers to utilize a system of authentication of consumers’ requests, the Department clarified that the Proposed Draft Rules do not impose an affirmative obligation on controllers to employ such authentication before responding to consumers’ requests.
4. Controller Duties (Part 6 of Proposed Draft Rules). The CPA imposes several duties on controllers, including the duty of transparency with a clear and accessible privacy notice, a duty of purpose specification, a duty of data minimization, a duty to avoid secondary use, a duty of care, a duty to avoid unlawful discrimination, and a duty to obtain consent before processing sensitive data. In addition, the CPA allows controllers to offer benefits to consumers if those benefits are based on a consumer’s participation in a Bona Fide Loyalty Program. In response to stakeholder feedback, recent updates focus on the duty of transparency and bona fide loyalty programs. First, while a controller’s duty of transparency requires a clear and accessible privacy notice, recent revisions focus on the fact that such privacy notices must give consumers a meaningful understanding of how their personal data is used, which includes a meaningful understanding how each category of their personal data will be used when provided to controllers for a specific purpose. At the rulemaking hearing, the Department clarified that while the Proposed Draft Rules no longer controllers to organize their privacy notices by processing purpose, they do require a link between the two. In other words, while the rules offer controllers flexibility in creating their privacy notices, controllers must ensure that for each category, a purpose is disclosed, and a description is given of how that data will be used and shared with others.
5. Loyalty Programs (Part 6 of Proposed Draft Rules). As for Bona Fide Loyalty Programs, recent revisions to the Proposed Draft Rules focus on the retaliatory provision and to what extent controllers may deny membership in loyalty programs if consumers opt out of the sale of personal data or processing of personal data for targeted advertising. The current version of the Proposed Draft Rules clarifies that if consumer opts out of the sale of personal data or processing of personal data for targeted advertising, controllers may only discontinue such benefits for which the sale of personal data or processing of personal data for targeted advertising is necessary and provide guidance on what it means to be necessary.
6. Consent (Part 7 of Proposed Draft Rules). The CPA requires controllers to obtain valid consent prior to processing data under certain circumstances, including prior to processing sensitive data, processing personal data concerning a known child, selling personal data, processing personal data for targeted advertising, profiling, and processing personal data for purposes that are reasonably necessary to, or compatible with, the original specific purposes for which the personal data are processed. The new draft rules clarify when consent is required and clarify requirements for valid consent, including what it means for consent to be freely given, specific, and informed. Recent revisions also update the rules on how and when consent may be requested, including specifically prohibiting controllers from requesting consent through “schemes that cause consent fatigue”, such as dominating cookie banners and pop-ups. Finally, the revised draft rules address the use of dark patterns and clarify that consumers’ consent choice options should avoid the use of language that is emotionally manipulative or visuals that unfairly, fraudulently, or deceptively coerce consumer choice or consent.
7. Data Protection Assessments (Part 8 of the Proposed Draft Rules). The CPA imposes several requirements for Data Protection Assessments (DPAs), including that assessments must identify benefits that flow directly to controllers, consumers, and the public, and evaluate and mitigate any risk. Updates to the Proposed Draft Rules clarify the scope and timing of DPAs, noting that DPAs must include an analysis of any risks to the rights of consumers associated with their processing activities, and be conducted as often as appropriate when considering the type, amount, and sensitivity of the personal data bring processed.