Colorado Issues Draft Rules to Supplement Privacy Law

Fox Rothschild LLP
First in a series of articles on the Colorado Privacy Act draft rules.

Colorado has released draft rules to supplement the Colorado Privacy Act (CPA), which was enacted in July 2021.

Generally, the rules reflect the obligations that were expected from the CPA's use of language and terminology similar to that of the European Union's General Data Protection Regulation (GDPR): GDPR-level transparency, consent (as predicted back in February), data protection impact assessments, data minimization, purpose limitation, and so on.

In practice, companies subject to the CPA have a lot of work to do, in a very short period of time.

The state is currently accepting comments on the rules and plans to hold a series of hearings with stakeholders throughout November.

Additional details on the hearing schedule and provisions for providing comments can be found here.

Data Minimization

  • Controllers must assess and document the minimum types and amount of Personal Data needed for the stated processing purposes.
  • To ensure that Personal Data are not kept longer than is necessary, adequate or relevant, you must set specific time limits for erasure or for periodic review.
  • Biometric identifiers, and any Personal Data generated from a digital or physical photograph or an audio or video recording, held by a controller must be reviewed at least once a year to determine whether storage is still necessary, adequate or relevant to the express processing purpose. You must also obtain consent to continue processing such data each year after the first year that it is stored.
  • You must not collect Personal Data other than that disclosed in the required privacy notice. If you intend to collect additional Personal Data, you must revise your privacy notice and notify consumers of the change.

Purpose Specification

  • You must disclose the express purposes of the processing in an unambiguous, specific and clear manner, understood by and predictable to the average consumer, the controller, third parties and enforcement authorities, and detailed enough to enable the implementation of necessary data security safeguards and to allow compliance with the law to be assessed.
  • If Personal Data is collected and processed for more than one purpose, you must specify each unrelated purpose with enough detail to allow consumers to understand each individual, unrelated purpose.
  • If the processing purpose has evolved beyond the original express purpose, the controller must review and update all related disclosures and documentation as necessary.
  • The specified purposes may be disclosed in several places, including the privacy notice and the required consent disclosures.

Purpose Limitation

  • Before processing Personal Data for purposes that are not reasonably necessary to or compatible with the specified processing purpose(s), you must obtain consent.
  • If a new processing purpose is unexpected, unnecessary or unconnected, or would have an unjustified negative impact on the consumer, the new purpose is not likely to be considered reasonably necessary to or compatible with the original specified purpose.
  • To determine whether a purpose is reasonably necessary to or compatible with the original purpose, consider the following factors and document your analysis:
  1. The reasonable expectation of an average consumer
  2. The link between the original specified purpose(s) for which the data was collected and the purpose(s) of further processing
  3. The relationship between the consumer and you and the context in which the Personal Data was collected
  4. The type, nature, and amount of the Personal Data subject to the new processing purpose
  5. The possible consequence or impact to the consumer of the new processing purpose
  6. The identity of the entity conducting the new processing purposes, e.g., the same or different controller, an affiliate, a processor, or a third party
  7. The existence of additional safeguards for the Personal Data, such as encryption or pseudonymization

Information Security

Personal Data must be processed in a manner that ensures appropriate security and confidentiality of the Personal Data, including protection against unauthorized or unlawful access to or use of Personal Data and the equipment used for the processing and against accidental loss, destruction or damage, using reasonable technical or organizational measures.

Sensitive Data

  • You must obtain consent to process Sensitive Data, including Sensitive Data inferences.
  • You may process Sensitive Data inferences from consumers over the age of 13 without consent only if: (1) the processing would be obvious to the reasonable consumer; (2) you permanently delete the inferences within 12 hours of collection or of the completion of the processing activity, whichever comes first; (3) the Personal Data and any Sensitive Data inferences are not transferred (including to processors), sold or shared; and (4) the Personal Data and any Sensitive Data inferences are not processed for any purpose other than the express purpose disclosed to the consumer.
  • Sensitive Data inferences: inferences made by a controller that reveal an individual's racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status.
  • While geolocation information at a high level may not be Sensitive Data, geolocation data that shows an individual visited a mosque and is used to indicate that individual's religious beliefs, or geolocation data that shows an individual visited a reproductive health clinic and is used to indicate an individual's health condition or sex life, is Sensitive Data.
  • While web browsing data at a high level may not be Sensitive Data, web browsing data that, alone or in combination with other Personal Data, creates a profile indicating an individual's sexual orientation is Sensitive Data.
  • A controller may forgo obtaining consent prior to processing Sensitive Data inferences from consumers over the age of 13 only if the controller limits the use of such inferences as required by the rules and documents how it meets those requirements in its privacy notice and Data Protection Assessment.
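The retention duties in the Data Minimization section (controller-set time limits for erasure, an annual necessity review and annual consent renewal for biometric and photo/audio/video-derived data) and the 12-hour deletion window for consent-free Sensitive Data inferences above are the kind of rules an engineering team ends up encoding in a scheduled retention job. The checker below is an added example written for this article; it is not code from the Colorado Department of Law or from the author. The `RETENTION_LIMITS` table, the 365-day cadence used for "once a year", the `Record` fields and the action names are all assumptions for illustration, as are the sample records.

```python
"""Retention-review checker modelled on the CPA draft rules (added example).

Assumptions (not values from the draft rules): the purpose -> erasure-limit
table below is what a controller would set after its own data-minimization
assessment, and "once a year" is treated as a 365-day cadence.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

YEAR = timedelta(days=365)                # assumed cadence for "at least once a year"
INFERENCE_WINDOW = timedelta(hours=12)    # consent-free Sensitive Data inferences

# Assumed controller-set time limits for erasure, keyed by the express purpose
# disclosed in the privacy notice. A purpose missing here was never disclosed.
RETENTION_LIMITS = {
    "order_fulfillment": timedelta(days=730),
    "fraud_prevention": timedelta(days=365),
}


class Kind(Enum):
    GENERAL = "general"
    BIOMETRIC = "biometric"                  # incl. data derived from photos, audio or video
    SENSITIVE_INFERENCE = "sensitive_inference"


@dataclass
class Record:
    record_id: str
    kind: Kind
    purpose: str
    collected_at: datetime
    consent_at: Optional[datetime] = None        # most recent consent, if any
    last_review_at: Optional[datetime] = None    # last necessity review, if any
    processing_done_at: Optional[datetime] = None
    transferred: bool = False                    # sent to a processor or third party


def retention_actions(rec: Record, now: datetime) -> list[str]:
    """Return the actions this record requires at time `now`."""
    actions: list[str] = []

    # Data minimization: only disclosed purposes, each with an erasure limit.
    if rec.purpose not in RETENTION_LIMITS:
        actions.append("UNDISCLOSED_PURPOSE")
    elif now >= rec.collected_at + RETENTION_LIMITS[rec.purpose]:
        actions.append("ERASE")

    # Biometric / recording-derived data: yearly review, yearly consent after year one.
    if rec.kind is Kind.BIOMETRIC:
        review_anchor = rec.last_review_at or rec.collected_at
        if now >= review_anchor + YEAR:
            actions.append("REVIEW_NECESSITY")
        if now >= rec.collected_at + YEAR:
            last_consent = rec.consent_at or rec.collected_at
            if now >= last_consent + YEAR:
                actions.append("RENEW_CONSENT")

    # Consent-free Sensitive Data inferences: delete within 12 hours of collection
    # or of the end of processing, whichever comes first; never transfer them.
    if rec.kind is Kind.SENSITIVE_INFERENCE and rec.consent_at is None:
        deadlines = [rec.collected_at + INFERENCE_WINDOW]
        if rec.processing_done_at is not None:
            deadlines.append(rec.processing_done_at + INFERENCE_WINDOW)
        if now >= min(deadlines):
            actions.append("DELETE_INFERENCE")
        if rec.transferred:
            actions.append("VIOLATION_TRANSFERRED_INFERENCE")

    return actions


def review(records: list[Record], now: datetime) -> dict[str, list[str]]:
    """Run the checker over a batch; only records needing action are returned."""
    result = {}
    for rec in records:
        actions = retention_actions(rec, now)
        if actions:
            result[rec.record_id] = actions
    return result


# Constructed sample records (hypothetical data, not from the article).
UTC = timezone.utc
NOW = datetime(2023, 7, 1, 12, 0, tzinfo=UTC)
SAMPLE = [
    Record("r1", Kind.BIOMETRIC, "order_fulfillment",
           datetime(2022, 5, 1, tzinfo=UTC), consent_at=datetime(2022, 5, 1, tzinfo=UTC)),
    Record("r2", Kind.GENERAL, "fraud_prevention", datetime(2022, 6, 30, 12, 0, tzinfo=UTC)),
    Record("r3", Kind.SENSITIVE_INFERENCE, "order_fulfillment",
           datetime(2023, 7, 1, 2, 0, tzinfo=UTC)),
    Record("r4", Kind.SENSITIVE_INFERENCE, "order_fulfillment",
           datetime(2023, 6, 30, 20, 0, tzinfo=UTC), transferred=True),
    Record("r5", Kind.GENERAL, "marketing_analytics", datetime(2023, 6, 1, tzinfo=UTC)),
]

if __name__ == "__main__":
    for rid, actions in review(SAMPLE, NOW).items():
        print(rid, actions)
```

Record `r3` is inside its 12-hour window and produces no action, while `r4` is past the deadline and was also transferred, so it is flagged twice; the job that consumes these actions should treat `VIOLATION_*` results as incidents to document in the Data Protection Assessment, not just as deletions to schedule.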

Up Next: A detailed look at the consent provisions of the draft rules.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Fox Rothschild LLP | Attorney Advertising
