Keypoint: The CPA draft rules are a complex and lengthy set of regulations that, if adopted without substantial modification, will significantly expand the CPA’s requirements and require controllers to carefully consider their compliance obligations.

On Friday, September 30, the Colorado Attorney General’s office published proposed Colorado Privacy Act (CPA) rules. The Office also announced that it will hold three stakeholder meetings on November 10, 15, and 17, 2022, and a public hearing on February 1, 2023.

The draft rules are long – 38 pages of single-space text (omitting the 20 pages of rulemaking documents that appear at the end). In comparison, the Colorado Privacy Act is 31 pages. The length allows the office to provide clarity (e.g., around consumer requests) but also complexity, in particular around data protection assessments and profiling.

The complexity of the draft rules may come as a surprise to those who have not tracked the Office’s comments about engaging in robust rulemaking. The Office has devoted significant time and effort to drafting the rules, and it is clear that the Office intends to make its mark on U.S. privacy law moving forward.

In the below post, we first provide a list of high-level takeaways. We then provide a brief discussion of the rulemaking process and timeline. Finally, we provide a short summary of some of the more important substantive sections.

I. High-Level Takeaways

• The draft rules create a new definition of biometric data that is similar but not identical to definitions in other laws. This definition is important because the CPA requires controllers to obtain consent for the collection of biometric data but does not define that term.
• The draft rules provide clarity and direction on how controllers must receive and respond to consumer requests. Much of these requirements will be familiar to organizations dealing with the California Consumer Privacy Act (CCPA).
• The privacy notice requirements focus on processing purposes as contrasted with the CCPA’s focus on categories of personal information. For example, controllers must identify the processing purpose(s) and, for each purpose, provide information such as the personal data processed for that purpose. The CPA’s change in focus is likely to create interoperability challenges.
• Controllers must notify consumers of substantive and material changes to privacy notices 15 days before the change goes into effect.
• The draft rules create extensive disclosure requirements around bona fide loyalty programs.
• As required by the CPA, the draft rules flesh out the unified opt out mechanism (UOOM) requirements at substantial length. The Attorney General will be required to maintain a public list of recognized UOOMs.
• The draft rules suggest that controllers must create and enforce document retention schedules.
• The draft rules create a new category of sensitive data called sensitive data inferences and require, among other things, that such inferences from individuals over 13 years of age be deleted no later than 12 hours after collection if controllers collect them without consent.
• The draft rules provide a robust analysis of obtaining user consent that is reminiscent of EDPB guidance. Similar to the CPRA draft regulations, the draft rules also have a lengthy discussion of dark patterns.
• The draft rules contain extensive requirements on performing data protection assessments. Completing assessments will be a major undertaking for controllers.
• The right to opt of profiling is given significant consideration across four pages of text. Controllers engaging in such activities will have much to consider.

II. Timeframe for Completion

Last January, Colorado Attorney General Phil Weiser stated that he hoped to have final rules adopted around January-February 2023. However, the Office will now not hold its public hearing until February 1, 2023, signaling we are still months from final regulations.

Prior to the public hearing any member of the public may request that the Colorado Office of Policy, Research & Regulatory Reform conduct a cost-benefit analysis. Fifteen days prior to the hearing, a member of the public may request that the Office conduct a regulatory analysis. It seems all but certain that such requests will be made here.

Once the hearing ends, the public is no longer able to offer comments on the proposed rules unless the Office alters them in a manner that requires the process to begin again. Following the hearing on the proposed rules, the Office has 180 days to file adopted rules with the Secretary of State for publication in the Colorado Register. Adopted rules go into effect twenty days after publication or on such later date as is stated in the rules.

Under Colorado law, anyone affected or aggrieved by an agency action has the right to instigate an action for judicial review. The action must be started within 35 days from when the agency action becomes effective. Among other things, the district court can review the rules to determine whether the agency has exceeded its statutory jurisdiction, authority, purposes, or limitations.

For more information on the Colorado rulemaking process see here, here, and here.

III. Short Summary

The below summary does not attempt to summarize all provisions of the draft rules but rather identifies parts that are of particular note or significance.

Definitions

The draft rules provide clarity around terms not defined in the CPA and definitions for terms created in the rules themselves. Among other definitions, the draft rules define biometric data, bona fide loyalty program and bona fide loyalty program benefit, data broker, human involved automated processing, human reviewed automated processing, information that a controller has a reasonable basis to believe the consumer has lawfully made available to the general public, and sensitive data inference.

The definition of biometric data is particularly notable because the CPA requires controllers to obtain consent for the collection of such data but does not define the term.

The draft rules define “biometric data” to mean “Biometric Identifiers that are used or intended to be used, singly or in combination with each other or with other Personal Data, for identification purposes. Unless such data is used for identification purposes, “Biometric Data” does not include (a) a digital or physical photograph, (b) an audio or voice recording, or (c) any data generated from a digital or physical photograph or an audio or video recording.”

“Biometric Identifiers” is defined as “data generated by the technological processing, measurement, or analysis of an individual’s biological, physical, or behavioral characteristics, including but not limited to a fingerprint, a voiceprint, eye retinas, irises, facial mapping, facial geometry, facial templates, or other unique biological, physical, or behavioral patterns or characteristics.”

The draft definition is similar to definitions provided in other state privacy laws but does not directly track any of those definitions.

Consumer Personal Data Rights

Methods for Submitting Requests

The draft rules largely track the CCPA/CPRA’s requirements for submitting requests. For example, unless a controller operates exclusively online, it is required to provide two methods for submitting requests.

The methods do not have to be specific to Colorado as long as they (1) clearly indicate that the rights are available to Colorado consumers, (2) provide all data rights to Colorado consumers, (3) provide Colorado consumers with a clear understanding of how to exercise their rights, and (4) comply with the draft rule’s general notice requirements (e.g., are understandable to the intended target audience).

Opt-Out Requests (Including Opt-Out Link)

Upon receiving an opt-out request, controllers must cease processing the personal data for the opt-out purpose(s) within fifteen days. The fifteen-day time period does not appear in the CPA’s text.

A controller must provide an opt-out method “either directly or through a link, clearly and conspicuously in its privacy notice as well as in a clear, conspicuous, and readily accessible location outside the privacy notice.” If a controller uses a link, the link must take a consumer directly to the opt-out method and the link text must provide a clear understanding of its purpose, for example “Colorado Opt-Out Rights,” “Personal Data Use Opt-Out,” or “Your Opt-Out Rights.”

Notably, the “[t]he clear, conspicuous, and readily accessible location must be: a. Positioned in an obvious location of a website or application, such as the header or footer of a Controller’s internet homepage, or an application’s app store page or download page; and b. Available to the Consumer at or before the time the Personal Data is Processed for the Opt-Out Purposes.”

In comparison, the draft CPRA regulations require businesses to provide two links (if applicable): “Do Not Sell or Share My Personal Information” and “Limit the Use of My Sensitive Personal Information.” However, in lieu of two separate links, businesses that must provide both links can provide a single link titled “Your Privacy Choices” or “Your California Privacy Choices” as well as a specified icon.

Right of Access

In responding to an access request, controllers must provide data “in a form that is concise, transparent and easily intelligible, and avoids incomprehensible or unexplained internal codes or identifiers.”

Consistent with the CCPA/CPRA’s approach, controllers are not required to turn over specific personal data that could create security breaches, that is, government-issued identification numbers, financial account numbers, health insurance or medical identification numbers, an account password, security questions and answers, or biometric data. Instead, controllers must inform the consumer with sufficient particularity that they have collected that type of information.

Right to Correction

Controllers must comply with a right to correction request by correcting the personal data across all data flows and repositories and implementing measures to ensure that the personal data remains corrected. Controllers also must instruct processors to correct the personal data in their systems. A controller does not have to act on the request unless it “determines that the contested Personal Data is more likely than not accurate based on the totality of the circumstances.”

Right to Deletion

Consistent with the CCPA/CPRA, controllers do not have to delete personal data stored on backup systems until that system is restored or is accessed for a sale, disclosure or commercial purpose.

Controllers that deny a request to delete based on an exception must (1) delete any personal data not subject to the exception, (2) provide the consumer with a list of the personal data that was not deleted along with the applicable exception, and (3) not use the personal data for any other purpose.

The draft rules also add on the data broker deletion exception that is found in the Virginia and Connecticut laws. Specifically, controllers that obtain data from sources other than directly from the consumer may comply with a deletion request by either (1) retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the personal data remains deleted from the consumer’s records and not using such retained data for any other purpose, or (2) opting the consumer out of the processing of such personal data for any purpose except for those exempted pursuant to the provisions of C.R.S. § 6-1-1304.

Right to Data Portability

In responding to a portability request, controllers will not be required to provide personal data that discloses a controller’s trade secrets.

Authentication

Contrary to the California approach, the draft rules do not have prescriptive requirements for authentication of requests. Rather, controllers must establish “reasonable methods” to authenticate requests taking into account the right exercised, the type, sensitivity, value and volume of the personal data and the level of possible harm that could come from improper use or access.

Responding to Requests

If a controller denies a request, it will need to provide a detailed explanation for its decision, including (as applicable): (1) any conflict with federal or state law, (2) the relevant exception to the CPA, (3) the controller’s inability to authenticate the consumer’s identity, (4) any factual basis for a controller’s good-faith claim that compliance is impossible, or (5) any good-faith, documented belief that the request is fraudulent or abusive.

Universal Opt-Out Mechanism

The draft rules set forth the technical specifications and other requirements for user-selected universal opt-out mechanisms (UOOMs). As explained in the draft rules, the purpose of UOOMs is to provide consumers with a simple and easy-to-use method by which they can automatically exercise their opt-out rights with all controllers they interact with without having to make individualized requests with each controller. The CPA requires controllers to recognize UOOMs effective July 1, 2024.

The draft rules explain the notice and choice provisions that UOOM developers must provide, how default settings must be addressed, and the technical specifications for UOOMs. The UOOM may operate through a means other than by sending an opt-out signal, for example by maintaining a “do not sell” list, so long as controllers are able to query such a list in an automated manner.

No later than April 1, 2024, the Office will be required to maintain a public list of UOOMs that it has recognized.

A controller is permitted, but not required, to display that it has recognized the opt-out signal such as by displaying on its website “Opt-Out Preference Signal Honored.”

Duties of Controllers

Privacy Notices

Controllers are not required to provide a separate Colorado-specific privacy notice or section of a privacy notice as long as the privacy notice contains all information required by the rules and “makes clear” that Colorado residents are entitled to the rights provided in section 1306 of the CPA. Notices must be posted online using the word “privacy.”

The draft rules make a marked departure from existing privacy policy requirements by centering disclosures around processing purposes. Controllers must describe each processing purpose “in a level of detail that gives Consumers a meaningful understanding of how their Personal Data is used and why their Personal Data is reasonably necessary for the Processing purpose.” For each processing purpose, the notice must provide (1) the categories of personal data processed, (2) the categories of personal data that the controllers sells to or shared with third parties, if any, and (3) the categories of third parties to whom the controller sells, or with whom the controller shares personal data, if any.

Colorado’s focus on processing purposes is to be contrasted with the California approach which focuses on the categories of personal information collected. For example, the draft CPRA regulations require businesses to identify the categories of personal information collected and, for each category of personal information, the categories of third parties to whom the personal information was sold or shared and the categories of third parties to whom it was disclosed, if any. Should the California and Colorado draft regulations retain these approaches, privacy professionals will need to determine whether they can reconcile these differences.

In addition, privacy notices must provide a list of the CPA’s privacy rights, instructions on submitting requests, an explanation of the controller’s authentication procedure, by July 1, 2024, an explanation of how the controller recognizes UOOMs, information regarding the treatment of sensitive data inferences, a controller’s contact information, instructions on the controller’s appeal process, and the date the privacy notice was last updated.

Changes to the Privacy Notice

Controllers must notify consumers of “substantive or material changes to a privacy notice” including changes to the (1) categories of personal data processed, (2) processing purposes, (3) a controller’s identity, or (4) methods by which consumers can exercise their rights.

Changes must be made fifteen days prior to when they will go into effect and shall be communicated to consumers in a manner by which the controller regularly interacts with them.

Loyalty Programs

Controllers that provide bona fide loyalty programs must provide a number of disclosures, including (1) the categories of personal data collected through the program that will be sold or processed for targeted advertising, if any, (2) the categories of third parties that will receive the consumer’s personal data, including whether personal data will be provided to data brokers, (3) the value of the bona fide loyalty program benefits available to the consumer if the consumer opts out of the sale of personal data or processing of personal data for targeted advertising and the value of the bona fide loyalty program benefits available to the consumer if they do not opt out, and (4) a list of program benefits that require the processing of personal data for sale or targeted advertising and the third party receiving the personal data and providing each such program benefit, if applicable.

“Bona fide loyalty program” is defined as “a loyalty, rewards, premium feature, discount, or club card program established for the genuine purpose of providing discounts, rewards, or other actual value to Consumers that voluntarily participate in that program.” “Bona fide loyalty program benefit” is defined as “an offer of superior price, rate, level, quality, or selection of goods or services provided to a Consumer through a Bona Fide Loyalty Program.”

Purpose Specification

Controllers are required to specify the “express purpose” for the processing of personal data in both external disclosures to consumers and internal documentation. If personal data is processed for multiple purposes, each purpose must be detailed.

Data Minimization

The rules suggest that controllers must create and enforce document retention schedules, stating that to ensure personal data “are not kept longer than necessary, adequate, or relevant, Controllers shall set specific time limits for erasure or to conduct a periodic review.” Further, any personal data “determined no longer to be necessary, adequate or relevant to the express Processing purpose(s) shall be deleted by the Controller and any Processors.” Controllers also must review the retention of biometric identifiers annually.

Secondary Use

Controllers must obtain consumer consent before processing personal data for a purpose that is not reasonably necessary or compatible with the purpose disclosed at the time of collection.

Duty Regarding Sensitive Data

The rules create a new category of sensitive data called “Sensitive Data Inferences” defined as “inferences made by a Controller based on Personal Data, alone or in combination with other data, which indicate an individual’s racial or ethnic origin; religious beliefs; mental or physical health condition or diagnosis; sex life or sexual orientation; or citizenship or citizenship status.”

Controllers can process such inferences without user consent under limited circumstances, including that the inferences be deleted within 12 hours of collection.

Consent

The CPA will require controllers to obtain consumer consent for, among other things, the processing of sensitive data. When the CPA goes into effect on July 1, 2023, controllers can rely upon previously obtained consent if it complies with certain statutory requirements. According to the draft rules “If a Controller has collected Sensitive Data prior to July 1, 2023 and has not also previously obtained valid consent to Process such Sensitive Data, the Controller shall obtain consent as required by January 1, 2023 to continue to Process the Sensitive Data.”

Consent must be (1) obtained through the consumer’s clear, affirmative action, (2) freely given, (3) specific, (4) informed, and (5) reflect the consumer’s unambiguous agreement. The rules provide guidance on each of these elements, which guidance is reminiscent of the European Data Protection Board’s Guidelines on consent.

The rules also clarify that consent can be withdrawn, which is not specifically stated in the CPA.

Similar to the CPRA draft regulations, the CPA draft rules provide a significant discussion of dark patterns. In general, the rules provide that controllers are prohibited from using “an interface design or choice architecture that has the substantial effect of subverting or impairing user autonomy, decision making or choice, or unfairly, fraudulently, or deceptively manipulating or coercing a Consumer into providing Consent.” The rules go on to specify the contours of what constitutes a dark pattern.

Data Protection Assessments

The draft rules contain extensive requirements on performing data protection assessments. For reference, the CPA requires that controllers perform data protection assessments for processing activities that create a heightened risk of harm to consumers, including selling data, processing sensitive data, and engaging in certain types of profiling activities.

Data protection assessments must be “a genuine, thoughtful analysis.” The assessment must involve “all relevant actors from across the Controller’s organizational structure, and where needed, relevant external parties.” The assessment must “at a minimum” describe eighteen different topics identified in the rule, including the processing activity, the purpose of the processing activity, the types of personal data processed, names and categories of third-party recipients, consumer expectations, and risks to consumers.

Assessments are required to be completed before initiating a processing activity, must be reviewed periodically, and must be turned over to the Attorney General within 30 days of request.

Profiling

Controllers that engage in profiling subject to the CPA’s opt-out right are required to provide additional information in their privacy notice regarding the profiling activity, including what decision is subject to profiling, a “plain language explanation of the logic used in the Profiling process” and why profiling is relevant to the ultimate decision.

The rules also distinguish between profiling based on (1) solely automated processing, (2) human reviewed automated profiling, and (3) human involved automated processing. The rules create additional data protection assessment requirements for profiling.

[View source.]