The Colorado Privacy Act (“CPA”) takes effect July 1, 2023, and will provide express consumer rights, as well as controller and processor obligations, relating to personally identifiable information of Colorado consumers. This month, the Office of the Colorado Attorney General (the “Office”) outlined the pre-rulemaking considerations for the CPA (“Pre-Rulemaking Considerations”), in an effort to educate regulated entities on the trajectory of this new law, and how such entities may address the upcoming requirements. The Pre-Rulemaking Considerations were also forecasted in Colorado AG Phil Weiser’s address to the International Association of Privacy Professionals 2022 Global Privacy Summit.
In the Pre-Rulemaking Considerations, the Office outlines five key principles to help implement the CPA:
- Promote Consumer Rights: The rules should protect consumers, recognizing that consumers need to be able to understand and exercise the rights granted to them under the law.
- Clarify Ambiguities: The rules should clarify the law where necessary to promote compliance and minimize unnecessary disputes.
- Facilitate Efficient and Expeditious Compliance: The rules should help controllers and processors comply with the law, by making processes simple and straightforward for consumers, entities, and enforcement agencies.
- Harmonize: The rules should facilitate interoperability and help situate the CPA alongside the competing protections and obligations created by other state, national, and international frameworks.
- Allow for Innovation: The rules should not unduly burden anybody developing creative, adaptive solutions to address challenges presented by advances in technology.
With these principles in mind, and with the Office set to begin the formal notice and comment rulemaking phase, the Office is seeking public comment relating to eight separate and independent topics:
- Universal Opt-Out: The CPA requires the Office to “adopt rules that detail the technical specification for” universal opt-out mechanisms (“UOOMs”). The Office is seeking feedback on how it should approach this task, including the extent to which the rules should point to specific protocols, discuss specific considerations tailored for different categories of tools that may serve as UOOMs (i.e., browsers, operating systems settings, etc.), and the types of mechanisms the rules should acknowledge to satisfy the requirement that controllers accurately authenticate consumers as Colorado residents.
- Consent: Because the CPA requires consent to process consumer data in certain instances, the Office is seeking guidance in clarifying typical questions surrounding consumer consent, such as defining a “clear, affirmative act” of consent, identifying what constitutes “informed” consent, and determining what, if any, limits should be set on the methods a controller may use when requesting updated consumer consent after a consumer has opted out.
- Dark Patterns: Dark patterns are user interfaces designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice. Accordingly, any consumer consent obtained through dark patterns is prohibited. The Office is seeking guidance with respect to how the rules should outline specific types of prohibited dark patterns, as well as any research that best demonstrates the impact of specific dark patterns or design choices on consumers.
- Data Protection Assessments: The CPA requires controllers to conduct a data protection assessment (a “DPA”) of any conduct that presents a “heightened risk of harm to a consumer.” As such, the Office seeks public comment on the circumstances under which the Office should request DPAs, and how much guidance the rules should provide with respect to the form and content of DPAs.
- Profiling and “Legal or Similarly Significant Effects”: The CPA authorizes Colorado consumers to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer. Decisions that produce legal or similarly significant effects concerning a consumer are those that “result in the provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health-care services, or access to essential goods or services.” The Office is seeking public comment relating to the type of transparency that would meaningfully allow consumers to understand the automated processing of their personal data, and whether any individual legal or civil rights concerns regarding automated profiling should be specifically addressed in the rules.
- Opinion Letters and Interpretive Guidance: The Office is seeking comment on the types of interpretive guidance the rules should provide, and what the process of obtaining interpretive guidance should look like.
- Offline and Off-web Collection of Data: Because many businesses and non-profits collect personal information through non-electronic methods such as filling out rental forms, signing petitions on a sidewalk, or buying magazine subscriptions, the Office is seeking comment on how to apply the CPA to these forms of “offline” data collection that may be later entered into a digital database, including the challenges in maintaining privacy preferences in offline interactions.
- Protecting Colorado Residents in a National and Global Economy: The Office acknowledges that the CPA and its rules coexist with similar laws in other local, state, national, foreign, and international jurisdictions. As a result, the Office seeks to identify means to harmonize the CPA with these other laws, and identify how the CPA overlaps with laws of other jurisdictions in ways that should be considered in the CPA rulemaking.
The public comment portion of rulemaking provides all relevant stakeholders (including regulated entities) an opportunity to weigh in on how this regulation should function. This also serves as an acknowledgment from the Office that the CPA is only one piece of a much larger privacy regulatory puzzle. For more information on the CPA or other privacy matters, stay tuned to Privacy and Data Security Insights or contact Taft’s Privacy and Data Security Team.