Colorado and California Release New Draft Privacy Regulations

King & Spalding

On October 10, the Colorado Attorney General (“AG”) released its draft regulations outlining businesses’ obligations under the Colorado Privacy Act (“CPA”). The 38-page set of draft regulations fleshes out several novel privacy expectations, not all of which explicitly appear in the CPA, which will go into effect on July 1, 2023. Likewise, the California Privacy Protection Agency (“the Agency”) followed suit on October 17, releasing its second set of draft regulations for the California Privacy Rights Act (“CPRA”), less than three months before CPRA amendments take effect in the new year.

California

The revised set of draft regulations retains much of the original draft regulations released earlier this summer. The bulk of the six pages of redline revisions address the data minimization requirements of CPRA, which broadly mandate that businesses collect, use, and store data consistent with a consumer’s reasonable expectations. Helpfully, the revised regulations build on this standard by providing specific, guiding factors. For example, businesses are required to consider “the specificity, explicitness, and prominence of disclosures to the consumer” as well as the “degree to which the involvement of [vendors and third parties] is apparent to the consumer” when analyzing consumer expectations.

Importantly, the revised regulations clarify that the right to limit the processing of sensitive data only applies to the extent businesses are using sensitive data to “infer[] characteristics” about a consumer. This exception appears in the statutory text of CPRA, but the exception was not mentioned in the original draft regulations.

Another notable change under the new draft is that businesses are no longer required to list in their notices at collection the names of all third parties that collect data. However, the more basic requirement that third parties provide a notice at collection still stands. The revised regulations also include slight modifications to the procedures for handling requests to correct data.

The revised regulations still do not address data protection assessments or the right to opt out of certain profiling activities. The Agency meets on October 28 and 29 to consider “possible action regarding proposed regulations . . . including possible adoption or modification of the text.” Individuals may sign up to receive CPRA rulemaking updates from the Agency’s website.

Colorado

While there are some similarities between Colorado and California’s regulations, the differences merit special attention and signal that Colorado is committed to making its own mark on the developing U.S. privacy landscape.

Broadly, both sets of regulations dedicate significant attention to “dark patterns,” that is, prohibited practices such as misleading or manipulative choice architecture or language that ultimately inhibits or undermines a consumer’s privacy choices. The Colorado regulations also detail loyalty programs and the corresponding required disclosures, as well as businesses’ obligations with respect to honoring universal opt-out mechanisms as a means of exercising consumer data requests.

In what may come as a relief for entities currently tackling compliance with California’s universal opt-out regulations, the Colorado regulations direct the Colorado Department of Law to maintain a publicly available list of universal opt-out technologies that businesses are expected to recognize. This list will be released in April 2024, a few months before the delayed effective date of CPA’s universal opt-out provision.

The universal opt-out list is not the only difference between the two sets of regulations. For example, both states address data minimization principles and require that businesses’ data collection and retention be reasonable and necessary for the specified collection purpose. However, Colorado goes a step further, stating that businesses “shall set specific time limits for erasure or to conduct a periodic review” to evaluate data deletion. By comparison, California requires that businesses disclose the length of time the organization intends to retain the data or, if a specific period cannot be given, the criteria used to determine that period.

The Colorado regulations also focus extensively on expectations surrounding consent, a topic that did not receive as much attention in the California regulations. The Colorado regulations pointedly state that practices such as blanket acceptance of terms and conditions or pre-checked boxes, methods that many businesses may use today, will not satisfy CPA’s consent requirements. Moreover, the regulations introduce an obligation that businesses “refresh” consent at regular intervals depending on certain factors like the context and scope of the original consent. The regulations state that consent must be refreshed at least annually for sensitive data, which aligns with CPA’s general requirement that consent be obtained prior to processing sensitive data.

The Colorado regulations detail robust expectations with respect to privacy policies, including an emphasis on the data processing purpose. Specifically, the regulations warn that businesses “should avoid identifying one broad purpose to justify numerous processing activities . . . .” Moreover, the privacy notice must detail an organization’s appeals process for consumer data rights, in addition to the familiar disclosures about those data rights, parties with whom the business shares information, and data fields collected. In another departure from existing privacy obligations, the regulations introduce a requirement that businesses notify consumers of material changes fifteen days before changes go into effect. Furthermore, the regulations detail several factors when assessing materiality.

Finally, the Colorado regulations mark the first U.S. privacy regulations to tackle the right to opt out of certain profiling activities and data protection assessments.

Under the regulations, businesses that engage in certain types of profiling must make detailed disclosures about the profiling activities in the privacy policy, conduct data protection assessments specific to profiling, and meet consent standards also specific to profiling. The regulations introduce two concepts, “Human Involved Automated Processing” and “Human Reviewed Automated Processing,” to guide businesses’ profiling obligations.

With respect to data protection assessments, the regulations outline eighteen items (not inclusive of subparts) that must be addressed in each assessment. Included in this lengthy list are: operational details for the processing, which entities will have access to the data, consumer expectations with respect to the data, alternative processing methods considered, and the possible application of several specific risk mitigation measures. The regulations also specify that such assessments should occur “periodically throughout the Processing activity’s lifecycle . . . .” and further expand on the circumstances that trigger the assessments.

Comments on the Colorado regulations may be submitted up until the day of the formal rulemaking hearing on February 1, 2023; however, the AG’s website posts earlier deadlines for respondents who would like their comments to be considered for certain purposes. Individuals may also sign up to receive CPA updates from the AG’s office.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
