Colorado Privacy Act rules FAQ: Turning “final” rules into FINAL rules

Hogan Lovells

On Friday, February 24, the Colorado Secretary of State published “final” rules for the Colorado Privacy Act. While these rules are similar to “Version 3” of the draft rules, published by the Attorney General’s Office in January 2023, a few key changes could have big impacts on organizations that do business in Colorado. This FAQ highlights significant updates and walks through what’s next for these rules.


Question 1: How does this set of rules differ from the rules released in late January?

Answer:

There are a few significant updates to this set of rules, and a large slate of important, yet likely less impactful, changes.

Perhaps the most impactful changes focus on the processing of sensitive personal data and data protection assessments (“DPAs”):

  • Added a new obligation that requires controllers, when requesting consent to process sensitive data, to provide the names of all third parties receiving the sensitive data through a sale, if applicable.

    • This rule previously only required the provision of categories (not names) of third parties, but applied to transfers “through sale or sharing” and scoped in affiliates as well as third parties.

    • In addition to adding obligations for controllers to list names, this rule could result in the exposure of recipients (i.e., purchasers) of this information.

  • Changed a rule governing data protection assessments to provide that: “Data protection assessments shall be required for activities conducted created or generated after July 1, 2023 and are. This requirement is not retroactive.”

    • While still unclear, this suggests that processing activities that were in process prior to July 1, 2023, may not require DPAs.

  • Reintroduced a requirement from Version 2 of the draft rules that, in addition to Biometric Identifiers, a digital or physical photograph of a person, or an audio or voice recording containing the voice of a person, shall be reviewed at least once a year to determine whether its storage is still necessary, adequate, or relevant to the express Processing purpose.

    • This could place a significant burden on controllers, as they are required to document such retention assessments.

  • Updated the requirements for disclosures, notifications, and other communications to consumers to state that they must be provided in a readable format on all devices through which Consumers normally or regularly interact with the controller, including on smaller screens and through mobile applications, if applicable.

    • This new requirement may present a challenge for controllers that use a variety of devices (e.g., smart speakers or in-vehicle screens) to communicate with consumers.

There were also a number of relatively minor changes from the Version 3 set of rules. Among other changes, the rules:

  • Removed a rule which previously stated that personal data provided in response to an access request must “[b]e understandable to the Controller’s target audiences, considering vulnerabilities or unique characteristics of the audience and paying particular attention to vulnerabilities of Children;”

  • Clarified that controllers must not provide biometric identifiers or biometric data in response to an access request;

  • Limited the ability to retain uncorrected data in an archived or backup system, notwithstanding a correction request, to the period until that system is restored to an active system or is next accessed or used for any purpose;

  • Deleted a rule which would have required a controller to provide a consumer with the categories of information that were not deleted (by virtue of being subject to an exception);

  • Limited the burden on controllers to require only that data must be provided to consumers in a format that, to the extent technically feasible, allows consumers to transmit the data (as opposed to the requirement in Version 3 that the controller must enable the consumer to have complete access to and full enjoyment of the data, including the ability to save, edit, and transfer the data);

  • Updated the requirement that privacy policies include the categories of third parties to whom the controller sells, or with whom the controller shares, personal data, so that the notice must now provide sufficient information for consumers to understand the “type of, business model of, or processing conducted by” the third party;

  • Updated a rule to require that disclosures associated with Bona Fide Loyalty Programs now include a list of Bona Fide Loyalty Program partners, and benefits provided by each partner;

  • Removed a requirement to document data minimization assessments in accordance with the rule governing documentation;

  • Added a requirement to retain records of rights requests for 24 months; and

  • Extended the period by which consents would need to be refreshed from 12 months to 24 months.

Question 2: Is it true that these rules are still subject to review, edits, and approval by the Attorney General (“AG”)?

Answer:

Yes. The AG must offer an opinion on the rules, but as discussed below, edits are unlikely.

Colorado administrative law provides that “no rule may be issued nor existing rule amended by any agency unless it is first submitted by the issuing agency to the attorney general for his or her opinion as to its constitutionality and legality. Any rule or amendment to an existing rule issued by any agency without being so submitted to the attorney general is void.” (Emphasis added).

Based on our experience, all such rules traditionally are submitted to the AG for an opinion as to the constitutionality and legality. However, because this rule is being promulgated by the AG in the first instance, it raises the question whether the provision still applies. Notably, on February 28, 2023, the AG’s website on the Colorado Privacy Act rulemaking sought to clear up this ambiguity by posting the following update:

“The Colorado Privacy Act rules were adopted on Feb. 23, 2023, but are subject to a review by the Colorado Attorney General and may require additional edits before they can be finalized and published in the Colorado Register per the standard Administrative Procedure Act process. The Department of Law will notify the public when the rules have been made final.” (Emphasis added).

Because this notice was posted on February 28, several days after the rules were adopted, it may reflect a new development in the proceeding rather than a restatement of the original plan.

It is also consistent with the rulemakings for other AG-promulgated rules, 4 CCR 904-1 and 4 CCR 904-2, both of which have AG opinions on file.

Question 3: Is the Colorado AG’s review a substantive one? Or do we generally expect that this will be “rubber stamp” process for rulemaking in Colorado?

Answer:

It’s a little of both. It’s substantive in that the AG reviews for “constitutionality and legality” pursuant to C.R.S. § 24-4-103(8)(b). However, this review does not extend to policy questions, so it typically results in signoff without significant changes.

For example, the two AG opinions referenced above for 4 CCR 904-1 and 4 CCR 904-2 both stated in relevant part: “This office has reviewed them and finds no apparent constitutional or legal deficiency in their form or substance.” This is also the case for every AG opinion from the February 25th issue of the Colorado Register.

Notably, however, the February 28, 2023 update mentioned above leaves open the possibility for “additional edits” before the rule is finalized and published in the Colorado Register.

Question 4: What is the typical timeframe for the AG’s review?

Answer:

The review period can vary, but it must be completed within 20 days.

Under C.R.S. § 24-4-103(11)(d)(II), “Each rule adopted, together with the attorney general’s opinion rendered in connection therewith, shall be filed pursuant to subsection (12) of this section within twenty days after adoption with the secretary of state for publication in the Colorado register.” (Emphasis added). Note that this time period begins after adoption rather than submission to the AG for an opinion. 

For example:

  • The AG opinion in the rulemaking for 4 CCR 904-1 was issued in only one day (Sept. 18, 2007 to Sept. 19, 2007).
  • The AG opinion in the rulemaking for 4 CCR 904-2 was issued in 17 days (Oct. 8, 2021 to Oct. 25, 2021).
  • In a recent rulemaking by the Colorado Air Quality Control Commission, the AG completed the review in 19 days (Dec. 16, 2022 to Jan 3, 2023). However, the adopted rule was not submitted to the AG until the day after adoption, so the full 20-day statutory timeframe was used.

Here, the rules were adopted and the request for the AG’s opinion was submitted on February 23, 2023, so the AG’s opinion and the filing with the Secretary of State will be due no later than March 15, 2023. If that schedule holds, the adopted rule would likely be published in the March 25, 2023 Colorado Register.

Question 5: What are the next steps for the Rules?

Answer:

Once the AG’s opinion has been rendered, the next step in the rulemaking process is to file the adopted rule with the Secretary of State for publication in the Colorado Register.

After publication in the Colorado Register, the rule “shall become effective twenty days after publication of the rule as finally adopted, as provided in subsection (11) of this section, or on such later date as is stated in the rule. Once a rule becomes effective, the rule-making process shall be deemed to have become final agency action for judicial review purposes.” Pursuant to the Colorado Privacy Act, it will not become effective until July 1, 2023.

Under Colorado law, opponents to a final rule have 35 days after final agency action (i.e., a rule becoming effective) to challenge it if the district court has jurisdiction over the appeal. If the court of appeals has jurisdiction, then the timeframe is 49 days. 


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Hogan Lovells | Attorney Advertising
