On September 30, the Colorado Attorney General’s Office (“Colorado AG’s Office”) released proposed rules (the “Proposed Rules”) for the Colorado Privacy Act (CPA), which goes into effect on July 1, 2023. The Proposed Rules add significant details to the statutory requirements of the CPA, which is otherwise very similar to the privacy laws set to go into effect next year in Virginia, Utah, and Connecticut. The Proposed Rules are also released while the California Privacy Protection Agency (CPPA) is in the midst of finalizing its own rulemaking for the California Privacy Rights Act (CPRA). Businesses looking ahead to 2023 will have to assess the impact of the Proposed Rules on top of the steps they may have already been taking for US privacy compliance.
The Proposed Rules touch on many of the same topics addressed in the CPRA rulemaking, such as dark patterns, opt-out preference signals, privacy notice requirements, and individual rights requests. However, they also go beyond some of the topics addressed by the CPRA regulations (at least in their initial iteration). For example, the Proposed Rules lay out requirements for automated decision-making, profiling, and data protection assessments. Thus, while businesses will be able to leverage some of the work that they have done thus far for CPRA compliance, they will also have to look specifically at the Colorado rules to fully assess their compliance obligations. Additionally, businesses looking ahead to some of the topics that the CPPA has yet to issue regulations on but has statutory authority over (such as automated decision-making and data protection assessments) may be able to use the Proposed Rules to get a sense of what may be coming under the CPRA.
In terms of what’s next – the Proposed Rules become open for public comment on October 10, 2022. The Colorado AG’s Office also announced that it will hold three stakeholder meetings on November 10th, 15th, and 17th, 2022, and a public hearing on February 1st, 2023. According to their website, the Colorado AG’s Office still plans on finalizing the rules before the CPA’s effective date of July 1st, 2023.
We have provided our key takeaways regarding the Proposed Rules below and are happy to answer any questions that you may have about the CPA.
- Dark patterns. Like the CPRA draft regulations, the Proposed Rules define dark patterns as “a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice.” Both drafts prohibit the use of dark patterns. Additionally, like the CPRA draft regulations, the Proposed Rules sets out clear principles of what businesses should consider when designing a user interface for consumer choices. Examples include: (a) consent choice options should be symmetrical (e.g., it should be equally easy to “accept all” or to “reject all”); (b) consent choice options should avoid the use of emotionally manipulative language aimed to steer consumer choice or autonomy (e.g., “I want to help endangered species” versus “No, I don’t care about animals”; the latter should not be used); (c) consumer silence should not be construed as consent or acceptance; (d) consent options should not include a preselected default choice; (e) a consumer should be able to select any consent option with the same number of clicks or steps; (f) a consumer’s interaction with the website should not be interrupted by, for example by multiple consents after a denied consent; and (g) consent choices should not include misleading statements, such as with the use of double negatives.
- Right to opt out. Like the CPRA, which includes provisions concerning opt-out preference signals, the Proposed Rules also address the right to out opt. Specifically, the Proposed Rules require that a controller must maintain a record of opt request and responses and that it must cease to process the personal data as soon as feasibly possible, but no less than 15 days from receipt of the request. Additionally, controllers must provide an opt-method either directly in such controller’s user interface, or through a clear, conspicuous, and accessible link that is located both in the privacy notice as well as outside of the privacy notice. The Proposed Rules also address the technical specifications of one or more universal opt-out signals (discussed below).
- Universal opt out. Under the Proposed Rules, consumers may exercise their right to opt out of processing with all the controllers they interact with, rather than having to make individualized requests with each controller. The universal opt-out under the Proposed Rules: (a) should clearly be disclosed to the consumer, including describing the mechanism’s limitations and whether opt-out is not possible through mobile applications; (b) may not be the default setting for a tool that comes pre-installed with a device; (c) use of the universal opt-out by the consumer shall not be disclosed to third parties; and (d) a controller may not require the collection of additional personal data except as necessary to confirm that the consumer is a resident of Colorado. The universal opt-out must automatically communicate to all the other multiple controllers, that the consumer has selected the opt out choice. By April 1, 2024, the Colorado Department of Law plans to maintain a public list of recognized universal opt-out mechanisms that businesses may use. The requirements here are similar to what is required under the CPRA draft regulations for “opt-out preference signals.”
- Consent (generally). Under the Proposed Rules, a controller must obtain valid consumer consent prior to: (a) processing sensitive data; (b) processing personal data concerning a child, in which case the child’s parent or lawful guardian must provide consent; (c) selling a consumer’s personal data, processing for targeted advertising, or profiling; and (d) processing personal data for purposes that are not aligned with, the original specified purposes.
To be valid, a consent must meet each of the following elements: (a) it must be obtained through the consumer’s clear, affirmative action; (b) it must be freely given by the consumer; (c) it must be specific; (d) it must be informed; and (e) it must reflect the consumer’s unambiguous agreement. This consent standard is similar to what is required under most privacy laws, including the CPRA.
Further, if a consumer has previously opted-out using either a universal opt-out mechanism or directly with a particular controller, such consumer will be required to consent to any additional processing. This is a similar requirement to the CPRA.
- Consent for processing children’s data. As businesses targeting children are under increased scrutiny, the Proposed Rules add a specific section for consent related to processing children’s data. In the event a controller operates a website or business directed to children or has actual knowledge that it is collecting or maintaining personal data from a child, the controller shall take commercially reasonable steps to verify a consumer’s age before processing personal data. A controller processing personal data of a child must take reasonable steps to obtain verifiable parental consent. Notably, a controller that has obtained consent from a consumer must refresh consent at regular intervals based on the context and scope of the original consent, sensitivity of the personal data collected, and reasonable expectations of the consumer. The specific requirements in this section go beyond what is required under the CPRA.
- Loyalty programs. Under the CPA, a controller may provide benefits to the consumer in the event the consumer voluntarily participates in the loyalty program. If the consumer deletes its personal data, the controller is not obligated to provide loyalty benefits unless such benefits do not require personal data. This provision notably differs from the CPRA that requires businesses to provide notice of the material terms of the financial incentive program to the consumer before they opt-in to the program.
- Duty of care. The CPA requires that personal data be processed “in a manner that ensures appropriate security and confidentiality of the personal data” and that reasonable technical or organizational measures are in place. This creates an affirmative duty of care for businesses and is similar to the data security standard under the CPRA.
- Data Protection Assessments (DPAs). While the CPPA did not address data protection assessments in its initial iteration of the CPRA regulations, the Proposed Rules did. The Proposed Rules list the minimum content requirements for a DPA and suggest risks that should be considered in the assessment process. Controllers are required to conduct a data protection assessment before initiating a data processing activity that presents a heightened risk of harm to a consumer, and they must periodically review and update the DPA throughout the processing activity’s life cycle. Notably, the Proposed Rules allow controllers conducting similar assessments pursuant to other privacy regimes to use those assessments for CPA compliance if the assessments are reasonably similar in scope and effect.
- Profiling. Profiling is another topic that the CPRA regulations have not yet addressed yet (but may in the future) but has already been addressed by the Proposed Rules. The CPA provides that controllers have an affirmative obligation to provide clear, understandable, and transparent information to consumers about how their personal data is used, including for profiling, and that consumers have the right to opt out of profiling when done in furtherance of decisions that produce legal or similarly significant effects concerning a consumer. Controllers must also conduct and document DPAs prior to processing personal data for profiling. In particular, profiling is not limited to solely automated processing– it also includes human reviewed automated processing and human involved automated processing, in contrast with the CPRA’s focus on automated processing.
The Proposed Rules outline several requirements for profiling activities– including, for example, that privacy notices must address profiling (if applicable) including what decision is subject to profiling, a plain explanation of the logic used in the process, the categories of personal data used, whether the system has been evaluated for fairness/ bias, and opt-out information.
While consumers have a right to opt out, controllers are not required to take action on profiling opt out requests if the profiling used is based on human involved automated processing and if the controller provides the consumer with the appropriate notice.