On October 10, 2022, the Colorado Secretary of State published draft rules for the Colorado Privacy Act (ColoPA) in the Colorado Register, thus initiating a public comment period that will run through February 1, 2023.¹ The draft rules generally cover the topics that the Colorado Attorney General's Office identified in the April 2022 "Pre-Rulemaking Considerations for the Colorado Privacy Act" and add additional details to the ColoPA's statutory requirements.

Notable proposed requirements under the ColoPA draft rules include the following:

• Universal Opt-Out Mechanism. The ColoPA draft rules provide considerably more guidance on recognizing and honoring user-selected Universal Opt-out Mechanisms (UOOMs) than the California Privacy Rights Act (CPRA) draft regulations. For example, the draft rules provide greater certainty for controllers about the types of signals they should recognize as the Colorado Department of Law will maintain a list of approved UOOMs that meet the standards of the ColoPA and the draft rules. The first such approved UOOM list would be released by April 1, 2024. Additionally, the draft rules would permit the UOOM to operate through means other than an opt-out signal, for example, by maintaining a "do not sell list" so long as controllers are able to query the list in an automated manner.
• Opt-Out Link. Controllers must provide an opt-out method "either directly or through a link, clearly and conspicuously in its privacy notice as well as in a clear, conspicuous, and readily accessible location outside the privacy notice." The ColoPA draft rules provide some flexibility on how controllers name the link, so long as the "link text … provide[s] a clear understanding of its purpose" such as by calling the link: "Colorado Opt-Out Rights"; "Personal Data Use Opt-Out"; or "Your Opt-Out Rights." In light of the more prescriptive naming requirements under the CPRA, however, controllers that must also provide an opt-out link under the CPRA may need to provide separate, competing links unless the California Privacy Protection Agency updates the regulations to provide greater flexibility.
• Privacy Notices. The ColoPA draft rules would not require controllers to create separate, Colorado-specific privacy notices or sections of a privacy notice, provided all ColoPA requirements are met and that the notice makes clear the rights to which Colorado consumers are entitled. Nevertheless, the ColoPA draft rules contain privacy notice disclosure requirements that would be more prescriptive than those identified in the ColoPA statute. Specifically, the ColoPA draft rules are centered on disclosures of specific "processing purposes." In particular, controllers would have to list the categories of personal data processed for each of the controller's processing purposes, as well as the categories of third parties to whom the controller sells or shares personal data for each processing purpose.
• Data Minimization. To ensure personal data are not kept longer than necessary, adequate, or relevant, the ColoPA draft rules would require controllers to "set specific time limits for erasure or to conduct a periodic review." Additionally, controllers would be obligated to review Biometric Identifiers (a newly defined term) and personal data generated from a digital or physical photograph or an audio or video recording at least once a year to determine if storage is still necessary, adequate, or relevant to the express processing purposes. What's more, each year after the first year any such data is stored, a controller would have to obtain renewed consent to continue processing that data.
• Consent. Under the ColoPA statute, consent is required prior to processing a consumer's sensitive data, the personal data concerning a known child, and for processing personal data for purposes other than those reasonably necessary to or compatible with the specified purpose for which the data was processed. Consent under the ColoPA draft rules would need to meet five elements:
  1. Consent must be obtained through "clear, affirmative action," meaning, for example, a blanket acceptance of general terms and conditions or pre-ticked boxes will not suffice;
  2. Consent must be "freely given," meaning consent cannot be obtained, for example, when bundled with other terms and conditions, or when the processing of personal data is not required to provide the services;
  3. Consent must be "specific," meaning each processing purpose must be separately noticed and consented to. With respect to consent obtained for selling or sharing personal data, additional consent must be obtained for selling or sharing personal data with new third parties;
  4. Consent must be "informed," meaning the request for consent must include a number of specific elements, such as the processing purpose, the reason the consent is required, the categories of personal data to be processed, the parties that will have access to the personal data, and the consumer's right to withdraw consent; and
  5. Consent must reflect the consumer's unambiguous agreement.
  The ColoPA draft rules permit controllers to rely on consumers' consent obtained prior to July 1, 2023, if such consent complies with the ColoPA statutory requirements. Where a controller collected sensitive data prior to July 1, 2023, and the controller did not previously obtain valid consent to process such sensitive data, however, the controller must obtain consent as required by January 1, 2023,² to continue to process the sensitive data.
• Sensitive Data. As noted above, under the ColoPA statute, controllers must obtain consent to process a consumer's sensitive data. The ColoPA draft rules extend this consent requirement to "Sensitive Data Inferences," a newly defined term that generally refers to inferences drawn from personal data that indicate an individual's racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status. Controllers can process such inferences without consent if four conditions are met: 1) the purpose of the processing would be obvious to a reasonable consumer based on the context of the collection and use of the personal data, and the relationship between the controller and consumer; 2) the personal data and sensitive data inferences are permanently deleted within 12 hours of collection, or the completion of the processing activity, whichever comes first; 3) the personal data and sensitive data inferences are not transferred, sold, or shared with any processors, affiliates, or third parties; and 4) the personal data and sensitive data inferences are not processed for any purpose other than the express purpose disclosed to the consumer.
• Consent for Children. The ColoPA draft rules would require controllers that operate a website or business directed to children, or that have actual knowledge that they collect or maintain personal data of children, to take commercially reasonable steps to verify a consumer's age before they process the consumer's personal data. Controllers would also have to make reasonable efforts to obtain verifiable parental consent through reasonably calculated methods in light of available technology.
• Refreshing Consent. The ColoPA draft rules would require controllers to refresh previously obtained consent at regular intervals based on the context and scope of the original consent, the sensitivity of the personal data collected, and the reasonable expectations of the consumer. Significantly, consent for the processing of sensitive data would have to be refreshed at least annually.
• Data Protection Assessments. The ColoPA draft rules provide a number of specific requirements for conducting "data protection assessments." Nevertheless, the ColoPA draft rules clarify that a data protection assessment conducted by a controller for the purpose of complying with another jurisdiction's law or regulation will satisfy the requirements of the ColoPA if the data protection assessment is reasonably similar in scope and effect as required by the ColoPA. Data protection assessments would have to be reviewed and updated periodically, except that data protection assessments containing processing for profiling in furtherance of decisions that produce legal or similarly significant effects must be reviewed and updated annually. Data protection assessments are required for activities conducted after July 1, 2023, and they are not retroactive. Controllers must make data protection assessments available to the Attorney General within 30 days of a request.
• Profiling. The ColoPA draft rules provide a number of requirements that must be addressed in the controller's privacy policy if the controller uses consumers' personal data for profiling in furtherance of decisions that produce legal or other similarly significant effects concerning the consumers. Controllers would have to provide consumers with the right to opt out of such profiling, unless the profiling is based on human involved automated processing, in which case the controller would have to provide the consumer with additional information as provided in the ColoPA draft rules. The opt-out method would have to be clear and conspicuous, both in the privacy policy and in a location outside of the privacy policy.
• Methods for Submitting Requests. Similar to the CPRA draft regulations, the ColoPA draft rules provide that, unless a controller operates exclusively online and has a direct relationship with a consumer, the controller must provide two or more designated methods for submitting requests. The ColoPA draft rules state that the request method does not have to be specific to Colorado, however, so long as the method, among other things, clearly indicates which rights are available to Colorado consumers, provides all data rights to Colorado consumers, and provides Colorado consumers a clear understanding of how to exercise their rights. Therefore, companies may be able to leverage their existing consumer request processes, such as those used to accept California Consumer Privacy Act (CCPA) requests.

Next Steps

The draft rules are now available for public comment through February 1, 2023. Written comments can be submitted through the Colorado Attorney General's online comment portal.

On February 1, 2023, the Colorado Attorney General's office will hold a public hearing on the proposed regulations; however, there will also be three virtual stakeholder meetings to discuss the ColoPA draft rules on November 10, 15, and 17 on specific topics.

^[1] We previously covered the Colorado Attorney General’s roadmap for the rulemaking process and pre-rulemaking considerations in Wilson Sonsini Alerts, “Colorado Attorney General Announces Privacy Rulemaking” and “Colorado Attorney General Issues Pre-Rulemaking Considerations for the Colorado Privacy Act.” We also provided an overview of the ColoPA’s key requirements in another Wilson Sonsini Alert, “Colorado Becomes Third State to Pass New General Privacy Law.”

^[2]Although the draft rules suggest that controllers must obtain ColoPA-compliant consent for sensitive data collected prior to July 1, 2023, by January 1, 2023, we think that the draft rules intended to provide a forward-looking period by which consent needs to be obtained–i.e., by January 1, 2024.