The Colorado Attorney General (AG) recently published proposed rules for the Colorado Privacy Act (CPA). These draft rules shed light and clarify how the Attorney General plans to carry out the CPA when it goes into effect on July 1, 2023. These proposed CPA rules are a draft that is not yet finalized and therefore are subject to change. In the upcoming months, the Colorado AG will engage with key stakeholders and the public on feedback regarding these proposed rules. While the draft CPA draft rules are months away from finalization, the proposed rules are intended to help entities understand the AG’s requirements for when the CPA becomes effective. Below are a few key highlights of the draft CPA rules as they currently stand, which supplement the AG’s prior guidance from April 2022.

Duties of Controllers:

The draft CPA rules provide clarity to controllers on the various rights they must follow regarding the personal data of Colorado consumers. Among these duties, the draft rules require controllers to provide consumers with information about the rights they have under the CPA. Although the draft rules do not require controllers to publish a separate Colorado privacy notice, privacy notices must comply with the CPA requirements and include information to provide consumers with accurate information on how their personal data is processed. The draft rules establish that privacy notices must be easily accessible by using the word “privacy” and should be posted using a conspicuous and visible link. Consumers must be able to clearly understand their rights under the CPA and the content of privacy notices must avoid any abstract or unclear terminology. Additionally, the draft rules require controllers to notify consumers of any changes made to privacy policies.

The draft rules outline additional duties that controllers must follow to protect the personal data of Colorado consumers. Among the duties, controllers have the duty to process personal data with a duty of care to ensure the protection and confidentiality of the personal data. Controllers also have a duty of data minimization by creating, enforcing, and reviewing data retention schedules to ensure personal data is not stored unnecessarily. Further, controllers have a duty to clearly and expressly explain to consumers the purpose for collecting personal data. In addition, the draft rules require controllers to obtain consent to process sensitive data and sensitive data inferences.

Consent:

The draft rules explain the consent requirements controllers must follow. Controllers must obtain valid consumer consent before: processing sensitive data; processing personal data regarding a child; selling, processing for targeted advertising, or profiling consumers based on personal data; or processing personal data for purposes unrelated or unnecessary to the specific purposes of processing.

Consent must be freely given and consumers may refuse or withdraw their consent at any time. Methods for requesting consent from consumers must be simple and controllers must refresh consent at regular intervals or if there are changes to the scope of the original consent. Consent is valid if it is obtained from the consumer in the following manner:

  1. Obtained through the consumer’s clear, affirmative action;
  2. Freely given by the consumer;
  3. Specific;
  4. Informed; and
  5. Reflective of the consumer’s unambiguous agreement.

Universal Opt-Out Mechanisms:

The draft rules require controllers to provide mechanisms for consumers to choose to opt out of “processing of personal data for purposes of targeted advertising or the sale of personal data.” The draft rules provide specifications controllers must meet to comply with the Universal Opt-Out Mechanisms including notice to the consumer, default settings, personal data use limitations, and the ability for consumers to communicate the choice of opting out. The draft rules state that the Colorado Department of Law will publish a public list containing Universal Opt-Out Mechanisms that meet the standards of the draft rules. The public list is intended to be released on or before April 1, 2024, and will be regularly updated.

Data Protection Assessments:

The CPA draft rules highlight the requirements controllers must follow for data protection assessments. Controllers must conduct and document data protection assessments prior to processing any data that may present a heightened risk of harm to a consumer. Controllers must ensure their data processing agreements reflect processing activities and must review and update their data protection assessments periodically. When controllers are making decisions regarding new processing decisions, the data protection assessments must also be considered and modified accordingly.

The draft rules establish 18 elements that data protection assessments must include. Examples of some of the elements required in these assessments include: the processing activity; the specific purpose of the processing activity; information on the specific types of data processed; the relationship between the controller and consumers; procedural safeguards in place for if personal data is obtained; controller safeguards to protect the personal data; and other requirements pertaining to the way controllers are using, storing, processing, and protecting consumer personal and sensitive data.

Profiling:

The draft CPA rules provide guidance on the requirements for controllers engaging in profiling. Controllers engaging in profiling must produce data protection assessments specifically for the profiling activities. The draft rules particularly focus on ensuring consumers understand the ways their personal data may be used for “profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.” Controllers must provide consumers with clear information about the profiling including:

  • What decisions are subject to profiling;
  • The types of personal data used to process profiling;
  • The logic behind the profiling process and the relevance of the decisions in profiling;
  • Whether the profiling is used for advertising of housing, employment, financial services, or lending services;
  • Whether the systems are assessed for accuracy, fairness, and bias;
  • Any benefits and possible consequences; and
  • Information on how to opt-out of the profiling.

Taft’s Privacy and Data Security attorneys will continue to monitor the draft CPA rules and other developments relating to the CPA. For more information on data privacy and security regulations and other data privacy questions, please visit Taft’s Privacy & Data Security Insights blog and the Taft Privacy and Data Security mobile application.